SG-OSG Transition FAQ
Revision as of 11:45, 16 February 2011
Please contribute answers to the questions below, add your own questions if you don't see them listed, or add comments on the Talk page if you wish to discuss options or provide details.
What is SURAgrid?
From the SURAgrid web site:
SURAgrid is a consortium of organizations collaborating and combining resources to help bring grid technology to the level of seamless, shared infrastructure. The vision for SURAgrid is to orchestrate access to a rich set of distributed capabilities in order to meet diverse users' needs. Capabilities to be cultivated include locally contributed resources, project-specific tools and environments, highly specialized or HPC access, and gateways to national and international cyberinfrastructure.
What is OSG?
Open Science Grid is a national distributed computing grid for data intensive research. From the learn more about OSG site:
- OSG brings together computing and storage resources from campuses and research communities into a common, shared grid infrastructure over research networks via a common set of middleware.
- OSG offers participating research communities low-threshold access to more resources than they could afford individually, via a combination of dedicated, scheduled and opportunistic alternatives.
- OSG is a consortium of software, service and resource providers and researchers, from universities, national laboratories and computing centers across the U.S., who together build and operate the OSG project. The project is funded by the NSF and DOE, and provides staff for managing various aspects of the OSG.
- OSG Consortium members' independently owned and managed resources make up the distributed facility, agreements between them provide the glue for it, their requirements drive its evolution, and they contribute their effort to make it happen.
- OSG's Virtual Data Toolkit provides packaged, tested and supported collections of software for installation on participating compute and storage nodes and a client package for end-user researchers. Individual research communities, the 'virtual organizations', add services according to their scientists' needs.
- OSG works with an expanding set of research communities to help them evaluate their cyberinfrastructure needs and plan their solutions both locally across the campus and as part of national or international efforts. OSG works jointly with partners to create worldwide interoperable systems for cutting-edge research, for example the World Wide LHC Computing Grid for the upcoming experiments at CERN.
- OSG provides training through hands-on workshops and focused engagement with the community, helping new users to run applications on the infrastructure and resource owners to make their compute and storage resources accessible to the grid.
How does a SURAgrid Virtual Organization (SGVO) improve my life?
The goal of creating a SURAgrid Virtual Organization in OSG (Open Science Grid) is to make it easier to deploy, run, and maintain scientific applications on SURAgrid. Leveraging the OSG VO model will also enable many existing OSG resource providers to add support for SGVO, opening the door to a significant increase in the compute platforms available to members of SGVO. Operating under the OSG VO model also improves the lives of resource providers by adopting a well-defined and widely deployed grid computing software stack that supports many application domains. This means that resource providers will be part of a larger community of peers for supporting the software stack locally but will also be able to easily add support for existing domain-specific OSG VOs that may be of interest to researchers on their campus.
How does SGVO complicate my life?
The benefits gained from operating an SGVO are many but benefits are rarely cost free. The issues for new members of SGVO are expected to be minimal since these participants will adopt the operating practices common to all OSG VOs as they participate in SGVO.
Existing SURAgrid participants will notice changes, some significant, from traditional SURAgrid operating practices as they move to participate in the SGVO. The impact can be broken down into three areas of interest: 1) resource providers, 2) application users, and 3) community operations. Please see the SG-OSG Transition Document.
Most significantly, the existing SURAgrid certificate infrastructure is not compatible with the wider OSG community. This will require resource providers and users to obtain certificates from recognized OSG certificate authorities in order to access the broadest range of services in OSG.
Organization and Membership Questions
Is OSG a single organization?
OSG is composed of many participating VOs, and each may have a role in the governance of OSG, adhere to an agreed-upon standard for inter-VO operations, and define individual operating practices as needed to support their science communities. You can learn more about OSG at their website.
Does operating an OSG VO mean that SURAgrid is subordinate to OSG?
In OSG terminology, a Virtual Organization (VO) is an abstraction designed to facilitate resource sharing between sites. It does not define how those organizations operate pursuant to their missions. There are many examples of independent, real-world organizations that leverage OSG conventions to facilitate resource sharing, for example LIGO, LHC, and a number of universities.
Is there a SG-OSG roadmap?
Yes, and you can help define it further. The original roadmap concept is outlined in the SURAgrid Strategic Plan, was described in the SG-OSG Statement of Shared Interest, and has been further developed via working groups within SURAgrid. The roadmap is now being expanded via this transition document.
How does this fit with the SURAgrid Strategic Plan?
The SURAgrid Strategic Plan 2008-2012 defines five major goals. The SGVO is seen as a key solution to building an operational infrastructure and specifically satisfies:
- GOAL 1: will significantly expand our outreach potential.
- GOAL 5: Strengthen our partnership.
Currently SURAgrid membership is determined by contributing resources. Is this the same?
De facto, by being a supporter of SGVO – i.e. providing a resource that can be used by SGVO – SURAgrid membership is obtained. Perhaps SGC should review/adjust the SURAgrid Membership criteria (http://www.sura.org/programs/docs/SGMembershipOct07.pdf) and consider a shift of emphasis to value the effort in community participation and contribution. NB: Alan Sill: Contribute resource and/or submit SG approved application.
Will SURAgrid still have All-Hands Meetings of its own?
SURAgrid has traditionally held a Spring and Fall All-Hands meeting at the SURA offices in Washington D.C. SURAgrid has always tried to co-schedule our All-Hands meeting with other meetings of interest to our membership, for example Internet2 and CASC. Establishing an SGVO will provide us yet another opportunity to address the interests and travel needs of our members with the opportunity to co-schedule our All-Hands meetings with OSG All-Hands meetings. The SURAgrid community will continue to schedule meetings that best address our members' needs.
What is the SG Membership database?
OSG uses VOMS. Much like the SURAgrid LDAP server, VOMS provides a needed mechanism to manage the user base.
Working Group Questions
How does the Access Management Working Group change?
The AMWG will continue as a technical requirements forum that we think would work well within the OSG working groups; and the AMWG will also continue as a high-level in supporting the access management infrastructure used by SGVO.
What OSG working groups exist?
Many questions have been raised about certificate use in SURAgrid and OSG. This section will attempt to answer the common questions and address the perspective of an existing SURAgrid participant migrating to SGVO.
What are certificates and why do I need one?
A certificate is an identity document that is signed by an authority that is trusted to validate the identity expressed in the document. Certificates are central to how participants in grid computing environments identify each other. Grid computing environments traditionally expect users to work with certificates directly, but this is not a strict requirement. Since all popular grids, including OSG and SURAgrid, make this assumption, these FAQ entries will take that perspective too. For more information on grid computing and certificates please see...
What certificate infrastructure does SURAgrid use?
SURAgrid was established to help campuses adopt grid computing and share computing resources with other campuses. In order to simplify identity validation for users of SURAgrid and avoid the challenges of operating a centralized certificate authority (CA), a distributed identity trust network was constructed to allow on-campus contacts to verify the identity of SURAgrid users and issue a certificate to those users from a campus-operated CA. This network was constructed using a bridge certificate authority (BCA) to build an identity validation path rooted at the campus CA. This infrastructure allows each campus to run its own CA and assert identities for which it is authoritative.
A bridge certificate authority (BCA) supports building a federated identity network by establishing trusts between campus-operated CAs. The SURAgrid BCA manages the trusts between campus CAs. Exploration of the BCA fabric used by SURAgrid is documented in The Case for Using Bridge Certificate Authorities for Grid Computing (http://www.cs.virginia.edu/papers/M_Humphrey_nd_nd_2005.pdf). Additional background on BCAs is available in Bridge Certification Authorities: Connecting B2B Public Key Infrastructures (http://csrc.nist.gov/groups/ST/crypto_apps_infra/documents/B2B-article.pdf).
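The validation path described above, built with the openssl command line as an added example (it is not SURAgrid's actual CA configuration): a relying party that trusts only its own campus CA accepts a user certificate from another campus once the bridge's cross-certificates are available. All CA names and file names are constructed for the demonstration, and only one direction of cross-certification is shown.

```shell
#!/bin/sh
# Added example. Constructed demo PKI: every name and key below is generated
# here for illustration; none of it is SURAgrid's or OSG's real configuration.
set -eu

build_demo_pki() {   # $1 = empty working directory
  ( cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    # Two campus CAs and the bridge: each has its own key and self-signed cert.
    for ca in campusA campusB bridge; do
      openssl req -new -newkey rsa:2048 -nodes -subj "/O=Demo/CN=$ca CA" \
        -keyout "$ca.key" -out "$ca.csr" 2>/dev/null
      openssl x509 -req -in "$ca.csr" -signkey "$ca.key" -days 30 \
        -extfile ca.ext -out "$ca.root.pem" 2>/dev/null
    done
    # Cross-certificates: campus A certifies the bridge, the bridge certifies campus B.
    openssl x509 -req -in bridge.csr -CA campusA.root.pem -CAkey campusA.key \
      -CAcreateserial -days 30 -extfile ca.ext -out bridge.by-campusA.pem 2>/dev/null
    openssl x509 -req -in campusB.csr -CA bridge.root.pem -CAkey bridge.key \
      -CAcreateserial -days 30 -extfile ca.ext -out campusB.by-bridge.pem 2>/dev/null
    cat bridge.by-campusA.pem campusB.by-bridge.pem > cross.pem
    # A user certificate issued by campus B's CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Demo/CN=campusB user" \
      -keyout user.key -out user.csr 2>/dev/null
    openssl x509 -req -in user.csr -CA campusB.root.pem -CAkey campusB.key \
      -CAcreateserial -days 30 -out user.pem 2>/dev/null
  )
}

# A relying party at campus A trusts only its own CA. $1 = directory,
# $2 = yes|no: whether the bridge cross-certificates are offered as
# untrusted intermediates for path building.
verify_from_campus_a() {
  if [ "$2" = yes ]; then
    openssl verify -CAfile "$1/campusA.root.pem" -untrusted "$1/cross.pem" \
      "$1/user.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/campusA.root.pem" "$1/user.pem" >/dev/null 2>&1
  fi
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
verify_from_campus_a "$demo_dir" yes && echo "with bridge: campus B user accepted"
verify_from_campus_a "$demo_dir" no  || echo "without bridge: campus B user rejected"
```

The accepted path is user, campus B CA (certified by the bridge), bridge (certified by campus A), campus A root; campus A never installs campus B's root as a trust anchor.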
What certificate infrastructure does OSG use?
What is the IGTF?
What certificates will SGVO use?
In order to access OSG resources, an SG user would need to use an International Grid Trust Federation (IGTF http://www.igtf.net/) accredited certificate.
What does the future hold for campus PKI?
What is CILogon?
What is InCommon Silver?
What about the cert requirement?
At the heart of OSG, you choose to trust the OSG (the DOE?) certificate and with that CERT in your browser, you have access to services.
Does the OSG stack come with installed certs?
Actually, the OSG stack comes without any certs, and you can install any certs that you wish. You make the choice. SGC recommends that the SGVO host certs be IGTF-accredited, which will enable full accounting/reporting capabilities.
Is there someone looking into these technical details?
Yes. The SURAgrid Access Management Working Group, the SG-OSG Transition Group, and the SGC have been working these details over the last two years. You are welcome to join these technical working group discussions.
Can I use CILogon for my Certificate provider?
What happens to the BridgeCA in the context of SGVO?
How do I get a DOE certificate?
Can I still use my campus CA as part of the SURAgrid Bridge CA?
Service Provider Questions
Can I be a member of SGVO using the original simplified install SURAgrid stack?
It is not an either/or state. Likely, a roadmap statement is a wise approach. The OSG stack is a superset of SURAgrid (by design of SURAgrid requirements defined by SG stack providers). Further, the requirements can be met in several ways (e.g. OSG stack, SG stack, other).
We can use OSG working groups to present, advocate, and help implement features desired.
SURAgrid has documented its software stack requirements (basically a Web services GRAM, with optional pre-WebServices GRAM, with gsi-ssh recommended) and we will engage our SURAgrid community to review and recommend the specific transition requirements.
If you are using the OSG stack currently, you are compatible enough for SURAgrid. If you are using the original SG stack, you are minimally compatible with OSG but would not be able to register your resource for discovery services, making it difficult to use. We believe the Globus compatibility is technically satisfied, but smooth operation warrants switching resources to the OSG stack.
Is OSG accounting/reporting required for the OSG VDT stack?
The OSG stack has reporting tools, extra configuration options, Gratia accounting tools… each of which adds functionality. We believe that the SURAgrid stack can be enhanced by considering these reporting/accounting functions.
Do I have to run a grid gateway?
Why do I have to run a resource monitor?
What happened to AIX support?
What is the role of a system admin?
Does my resource require an IGTF certificate for registration?
VO Operation Questions
How will services like the VO user database be operated and maintained?
Running an organization, real or virtual, requires a certain amount of technology infrastructure. With the advances in infrastructure service models brought about by cloud computing, it is easier than ever to maintain services as a community on virtual platforms and have them hosted at member sites. Maintaining these services and providing cycles to run them is a key contribution which members will make to the SURAgrid community.
Is VOMS the SGVO membership database?
Yes, in part. The reason for using the term "membership database" is because this is a more accurate description of the service SURAgrid will maintain. As with any organization, a list of members is crucial for effective operations. Knowing the members of your community allows you to identify participants and the roles they fill in your organization. This information can be used to grant access broadly to all members or restrict access to privileged operations based on their responsibilities. A membership database is a core component of any service organization, and SURAgrid currently maintains membership in a variety of places, both electronically in LDAP and in various static web lists. Our operations will improve as we improve the quality and capabilities of our membership database.
The OSG VO Membership Service (VOMS) provides information about a user to the service provider from which they are requesting compute cycles. This allows that site to know more about the user so that they can provide the services at the request of SURAgrid members. Running a VOMS server is the easiest way to package user information from our membership database so that other OSG sites can understand it. Running a VOMS server does not mean we have to use its user interfaces. It can be used as an externally facing interface for the express purpose of exposing information to other OSG sites.
We can develop whatever user-facing tools for our membership database are practical and meet the operational needs of SURAgrid. In fact, it is reasonable to expect that other interfaces to our membership database would exist in the future. For example, Shibboleth could be used to add a SAML interface to allow communication with service providers in the InCommon Federation.
How do I register an application with SGVO?
How will I run an application on SGVO?
What is an application maintainer?
OSG runs single processor jobs, can I run MPI jobs?
In an era of clouds, do grids matter?
Clouds have greatly enhanced our ability to package services for consumption by a broad spectrum of users. Grid services are a vital component of this framework and provide a proven platform for adding large amounts of compute capacity to your applications. An important goal of the SGVO is to simplify access to these compute resources so they can enhance the performance of applications available to your campus community.