ROCHESTER INSTITUTE OF TECHNOLOGY

Ad hoc Virtual Organization
Master Project Report
Akylbek Zhumabayev
May 2009

The objective of this project is to research, describe and implement an experimental framework for a
Virtual Organization (VO) based on an ad hoc approach. The idea was given to me by Professor Gregor von
Laszewski, who introduced the term and concept of Ad hoc VO. The implementation is a part of the
larger project, Cyberaide, which aims to provide improved collaboration tools for the Grid community.
Cyberaide includes subprojects such as job workflow support in connection with MS Project, task
scheduling using Google Calendar, and a fast web client workplace based on Web 2.0 technologies. The ad hoc
VO framework is the central point of the system, integrating all Cyberaide modules. The project includes
the design and development of administration and runtime functionality.

1 INTRODUCTION
  1.1 GRID AND VIRTUAL ORGANIZATION
  1.2 MOTIVATION
  1.3 AD HOC APPROACH
  1.4 AD HOC VO VS. AD HOC GRID
  1.5 REQUIREMENTS
    1.5.1 FAST DEPLOYMENT
    1.5.2 EASY ADMINISTRATION
    1.5.3 FAST REGISTRATION AND ACCESS
    1.5.4 SECURE SOLUTION
2 RELATED WORK
3 DESIGN OF AD HOC VO
  3.1 OVERVIEW
  3.2 AD HOC VO AS A SERVICE
  3.3 AD HOC VO USER MANAGEMENT
  3.6 JOB SUBMISSION IN AD HOC VO
4 IMPLEMENTATION OF AD HOC VO
  4.1 OVERVIEW
  4.2 CYBERAIDE AS PLATFORM FOR AD HOC VO
  4.3 AD HOC VO COMPONENTS
    4.3.1 AD HOC VO PORTAL
    4.3.2 AD HOC VO WEB SERVICE
    4.3.3 AD HOC VO SERVER APPLICATION
    4.3.4 AD HOC VO DATA LAYER
  4.4 SINGLE SIGN-ON SOLUTIONS IN AD HOC VO
    4.4.1 OPENID
    4.4.2 MYPROXY
  4.5 AD HOC VO SESSION MANAGEMENT
  4.6 AD HOC VO COMMAND LINE INTERFACE
    4.6.1 USER AND RESOURCE ADMINISTRATION
    4.6.2 VO ADMINISTRATION
    4.6.3 JOB SUBMISSION
5 EVALUATION OF AD HOC VO
  5.1 CONTRIBUTION
  5.2 MEETING REQUIREMENTS
    5.2.1 AD HOC VO DEPLOYMENT
    5.2.2 AD HOC VO ADMINISTRATION
    5.2.4 AD HOC VO SECURITY
  5.3 TESTS
6 FUTURE WORK
  6.1 VIRTUAL COLLABORATION SHELL
  6.2 COMMUNICATION FEATURES
  6.3 VIRTUAL FILE SYSTEM
7 CONCLUSION
8 REFERENCES

1 Introduction
    The modern post-information period of human civilization requires business entities to process large
amounts of data, work that is characterized by teamwork and the use of powerful information
technologies. The computing resources for this can be provided by grid infrastructure. The goal of this master project
is to analyze and improve how scientific teams collaborate in a grid environment.

1.1 Grid and Virtual Organization
    A grid connects loosely coupled computational resources into a virtual computer to perform large
calculations. The resources are designed as services with decentralized administration, and each resource
has its own security policies. Integration is achieved with special software products, grid
middleware, that provide secure and reliable operation of heterogeneous grid resources and uniform
access for end users. The best-known middleware platforms are Globus Toolkit, gLite and UNICORE.
The resources used to build a grid can vary in processor power. The grid computing project SETI@home
uses the personal computers of Internet users, while a High Performance Computing (HPC) grid combines the power
of supercomputers or clusters. Examples of HPC grid systems are TeraGrid, Science Grid, NASA
Information Power Grid (IPG) and Enabling Grids for E-sciencE (EGEE). The focus of this paper is HPC
grid systems.

    A Virtual Organization (VO) organizes a research project by incorporating users and grid resources into
an abstract group to achieve a common goal (Figure 1). The grid allows users to share resources, while the VO
controls which users of the grid share which resources. From this point of view a VO can be treated as a grid-
within-a-grid [20]. The users inside a VO can use the resources transparently without affecting the
integrity of the enterprise security on the resource nodes.

                                      Figure 1: VO groups grid resources

    VO management is provided by specialized software products that provide the following
functionality [23]:

    -   registration and association of users and user groups with the VO
    -   management of user roles
    -   association of services (resource access) with the VO
    -   associating agreements and policies with the VO and its component services

    There are two main groups of VO management systems: centralized and federated. Both concepts
are adopted by the grid community. Virtual Organization Management System (VOMS) [3] is an example
of a popular centralized platform and Shibboleth [4] is a widely installed federated framework. More
information about classification and comparison of existing VO management tools can be found in [5].

    VOMS is a server containing information about virtual organizations. A user is
authenticated by VOMS and receives a special file with credentials, which is then used to connect to a
grid resource. The resource processes the provided credentials and makes its own authentication and
authorization decisions (Figure 2). A VOMS administrator registers users, resources and virtual
organizations. A resource administrator configures VO settings on the resource machine.

                                              Figure 2: VOMS

    Shibboleth is a federated system that uses multiple servers, Identity Providers (IP), containing
information about virtual organizations. When a user connects to a resource (actually to a program on the
resource side called the Service Provider), the system determines in which IP the user is registered and redirects
the request to that IP. The IP authenticates the user request and sends credentials to the resource, which
makes the authorization decisions (Figure 3). An Identity Provider administrator registers users and virtual
organizations. A resource administrator configures IP and VO settings on the Service Provider.

                                            Figure 3: Shibboleth

    In both classic VO management systems a two-level authentication method is used. First, a VO
system (or module) authenticates a client, usually by processing a username and a password. The VO
system then provides credential data encoded in a special format that contains user-specific and VO
settings. The resource extracts information from the credentials, authenticates the user and makes
the authorization decision. Storing and processing the user credentials is the most important part of grid

1.2 Motivation
    The complexity of grid middleware hinders wide use of the technology in the community.
Much research has been carried out to address most of the problems. In the field of
virtual organization implementation, the following areas have been elaborated: VO security [6-12], VO
management and grid system interoperability [13-15] and VO self-configuration [16, 17]. The main
trend is to simplify the way end users work with the grid system. Some solutions are already
implemented; for example, the TeraGrid portal allows use of grid resources via a web browser without setup
of any additional software.

    However, many ideas cannot be applied right now because they require a more or less extensive
redesign of existing grid technologies and protocols. One such area of intensive research is the
decentralization of virtual organization administration.

    VO management is centralized in large organizations. There are dedicated administrators who
register users, resources and VO settings in the system. The main drawback of this approach is the slow
deployment of a new VO. The administrators have to register every user, create and configure the VO, and
register and assign resources. In addition, administrators spend time on negotiations with VO
consumers and resource owners. The result is a large amount of time required before the VO can operate. This becomes
a serious problem when grid resources are required for team projects with short lifetimes.

    The centralized system also has other obvious disadvantages. Dedicated administration makes
VO management less flexible, and when the number of users and resources grows, the system
scales poorly.

1.3 Ad hoc Approach
    The problem of centralized VO management can be addressed by an ad hoc approach. In Latin, ad
hoc literally means "for this"; a further interpretation is "for this purpose only". A simple example is a committee
created to organize the Olympic Games. The term is commonly used in telecommunications and
describes networks to which new devices, also called peers or nodes, can be quickly added.

    This paper proposes the concept of Ad hoc VO, which is based on the idea of implicitly sharing the
credentials used to access grid resources between members of the VO. Ad hoc VO extends the existing grid
infrastructure, requires little effort to set up and configure, has simple and reliable security mechanisms
and can be quickly deployed.

1.4 Ad hoc VO vs. Ad hoc Grid
     The Ad hoc VO is a technology not related to the Peer-to-Peer (P2P) model. The first ideas for
decentralized grid solutions, however, used the P2P model. In 2004 two groups of scientists independently
proposed the concept of implementing a P2P infrastructure in a grid environment, called Ad hoc Grid
[1, 2, 18]. Ad hoc Grid is a fully distributed system consisting of nodes; each node can represent a user
and a resource. The nodes discover each other and organize related groups to perform a common task
(Figure 4). The main problem, as mentioned before, is the need for a serious redesign of grid
architecture and technologies.

                                            Figure 4: Ad hoc Grid

    In contrast, Ad hoc VO is based on the existing grid infrastructure and integrates static groups of
resources. It is layered over the classic virtual organization level and thus creates a new VO
combining existing VOs. The main idea is that users register their credentials in the Ad hoc VO system;
this information is then used to access grid resources. As the credentials contain the settings of the VO
in which the user is registered, the Ad hoc VO creates a spontaneous group of existing virtual
organizations (Figure 5).

                                             Figure 5: Ad hoc VO

1.5 Requirements
   The goal of the project is to find a solution for VO management that can be easily deployed and
managed by VO members in a decentralized fashion. It should have full VO functionality and meet all
the requirements for VO design listed below.

1.5.1 Fast Deployment
     Quick setup, configuration and deployment are key characteristics of the system. Ideally, even a less
skilled end user should be able to run the Ad hoc VO management system. Multi-platform
support is an additional requirement. The evaluation parameters are the time needed to get a system ready
to work, the number of settings to be manually entered by the user, and the supported operating systems.

1.5.2 Easy Administration
    The decentralized nature of Ad hoc VO management presupposes easy administration of the system.
The user who runs the system should be able to configure the VO in a simple and convenient way. The
system settings have to be clearly structured and support several ways of editing (graphical user interface,
text file based and command line interface). The evaluation parameters are the settings structure, interface
features, and the time and number of actions needed to perform operations (create user, add resource,

1.5.3 Fast Registration and Access
    There are three sides to a VO-enabled grid environment: a resource node, a VO management
system and a client. As mentioned above, the client authenticates twice to access and use a grid
resource: on the VO system and then on the resource node. In order to authenticate successfully, the
client has to be registered in the VO system and configured on the resource node. The Ad hoc VO should
provide a fast and easy way for a client to register and log in to the system. The evaluation parameters are the
time needed for registration and for accessing the resource, and the ease of setting up the client software.

1.5.4 Secure Solution
    Security is an important part of grid infrastructure. Existing grid platforms use their own security
technologies, which differ from those used by commercial vendors of Internet software, to provide
more reliable defense mechanisms. The Ad hoc VO solution must comply with the security standards used in
the grid. The system has to protect resources, user credentials and communication
channels. At the same time the security measures must not significantly slow the overall
performance or reduce scalability. The evaluation parameters are the security standards used to build the solution,
and the effects on performance and scalability.

1.5.5 Integration with Grid and VO Platforms
    One of the goals of this project is the development of a solution that can be immediately used in a
grid environment. This can be achieved by designing and implementing the Ad hoc VO system according
to the specifications of existing grid platforms. Another feature of the solution is the ability to integrate with
popular VO management systems like VOMS and Shibboleth, which will provide powerful and fine-grained
VO functionality. The evaluation parameters are the supported specifications of existing grid platforms and
the options for integration with popular VO management systems.

2 Related Work
    A lot of research has been conducted in the field of ad hoc grid solutions, and it inspired the creation
of the Ad hoc VO concept. These projects can be grouped in three ways: ad hoc grid solutions in a peer-to-
peer network, VO solutions in a distributed environment, and VO gateways. Typically, the solutions are
based on the service-oriented architecture that was used for building existing grid systems. Some
examples of related work are presented in this chapter in chronological order.

    As explained before, two independent projects representing Ad hoc Grid solutions [2, 18]
implement grid infrastructure in a peer-to-peer environment as a spontaneous cooperation of
computing nodes with no preconfigured infrastructure and minimal administrative requirements.
Special software, organized as layers, must be installed on each node (Figure 6). JXTA
technology is used to discover and negotiate with other nodes in the network. The framework layer
provides the core functionality (in this role the Globus middleware is used in [18] and the CoG Kit in [2]).
Services running on the framework provide an API for users and applications.

                                         Figure 6: Ad hoc Grid Node

    The Dynamic VO [19] concept extends Ad hoc Grid architecture with VO support by adapting
security mechanisms of existing VO to a decentralized grid environment. Each node, implemented as a
web service, defines its own access policies. The users are authenticated on nodes using Single Sign-On
systems that provide VO specific information (Figure 7).

                                           Figure 7: Dynamic VO

     The Virtual Grid [20] is a decentralized VO solution for existing grid platforms. A server
called the gateway contains information about VO users and resources (Figure 8). Users can create virtual
organizations and add other users to a VO; resource administrators create resource accounts inside the VO.
The solution supports a file management system for data storage on the gateway: files are uploaded to the
resource node before job submission and the results are downloaded back to the gateway folder. The
Virtual Grid integrates important VO features into grid middleware, which makes the system easy to use.

     There is an interesting European project to design and implement a grid operating system,
XtreemOS [21, 22]. It is based on the existing Linux OS, and one of its key features is support for the VO.
The aim of this project is to make VO management and use easy without compromising efficiency,
flexibility and backward compatibility. In XtreemOS, the VO must interoperate with existing grid
solutions and traditional security mechanisms rather than replace them.

                                      Figure 8: VO Gateway in Virtual Grid

    The proposed solution, Ad hoc VO, is being implemented as a part of the Cyberaide project. The
main goal of that project is to develop a mediator service between users and grid resources that is user
friendly, secure, extensible and inherently supports a collaboration environment. Cyberaide has many
powerful features such as a semantically enhanced command syntax, object-oriented data
representation, job scheduling, workflow management and an API for developers. The current version
provides the functionality through a Web Service or an SSH connection. The web interface is implemented
using Web 2.0 technologies.

3 Design of Ad hoc VO

3.1 Overview
    Ad hoc VO is a collaboration environment for a project group of scientists that is easy to use and fast
to deploy. The typical scenario is that team members know each other and some of them have
access to grid resources. They need a solution that allows sharing the resources and gives all
project members quick access to these resources without any participation of parties outside the project group
(Figure 9).

    Ad hoc VO is designed as a gateway solution, mediator, where users and resources must be
registered. First, one of the team members should set up and deploy the Ad hoc VO mediator. Then the
group members can access, configure and use the system. Ad hoc VO consists of four functional blocks:
user management, resource management, authentication module and job submission module.

                                     Figure 9: Ad hoc VO as a team solution

   Ad hoc VO uses classic grid technologies for the best integration with resource providers, and
modern web solutions to provide a user-friendly interface. Security measures include the following:

        -   a defense-in-depth strategy covering all levels: data, user actions, channels, software
        -   use of proven technologies
        -   avoiding storing passwords in the application
        -   use of credentials with a short lifetime only

3.2 Ad hoc VO as a Service
    The Ad hoc VO is designed as a service that can be deployed on any Internet node. According to the
OASIS definition the service is “a mechanism to enable access to one or more capabilities, where the
access is provided using a prescribed interface and is exercised consistent with constraints and policies
as specified by the service description” [xx]. In other words, the service is an autonomous application
providing some set of functionality.

     The service is an element of service-oriented architecture (SOA), which provides integration of
different applications as interoperable services. Interoperability is achieved by loosely coupling
services through well-defined specifications, which leads to the use of open standards. SOA was
adapted to grid infrastructure as the Open Grid Services Architecture (OGSA). OGSA is widely supported
by grid platforms and applications. Implementing Ad hoc VO as a service therefore provides easy integration with
grid infrastructure.

    The Ad hoc VO service provides the complete functionality of VO management as an application programming
interface (API). External applications can use the service to extend the provided functionality or to integrate
with other systems (Figure 10).

                                         Figure 10: Ad hoc VO service

3.3 Ad hoc VO User Management
    User management functionality includes registering and removing users, updating user
profiles, and configuring user privileges. The set of allowed users in Ad hoc VO can be
divided into four groups:

       -   Administrator. An administrator is the project member who sets up and runs the Ad hoc VO
           service. After starting the service, the administrator registers users who can be qualified as
           VO Owners. After these steps, the main duty of the administrator is the technical
           maintenance of the running application. The Ad hoc VO is designed and implemented as a
           system that requires little administration effort and can be maintained by a not highly
           skilled administrator.
       -   VO Member. A user who is registered in a grid system and thus has access to grid
           resources is classified as a VO Member. VO Members can register their resource credentials
           in a virtual organization, which automatically enables access to that resource by other VO
           Members or VO Users inside the VO. Any VO Member can create their own virtual
           organization, thereby becoming a VO Owner.
       -   VO Owner. A user who creates a virtual organization is the VO Owner. Only a user with VO
           Member status can create a VO and become the VO Owner. This requirement ensures that the
           VO Owner's own resource credentials are registered and allows the VO to run immediately.
           The VO Owner registers VO Members and VO Users in the virtual organization
           and sets up their privileges. The VO Owner cannot modify the resource credentials
           registered in the VO by VO Members.
       -   VO User. A user without their own access to a grid resource is qualified as a VO User. The VO User
           can be registered in a virtual organization and use the shared resources inside this VO.

    The complete picture of Ad hoc VO user classification and functions is depicted in Figure 11. This
classification allows a user to have several statuses. For example, one person can
deploy Ad hoc VO, register resource credentials and register other project members.

    [Figure 11 (diagram): columns Administrator, VO Member, VO Owner, VO User, VO, Resource; users "use" the VO and the VO "accesses" the resource.]

                                       Figure 11: Ad hoc VO user classification and functions

    User privileges are configured by assigning permissions that are predefined in the system.
Permissions can be grouped into a role, and the users inside a virtual organization can be organized into
groups. Thus the user registration process typically includes the step of defining a group and a role for
the new user. In general, a user can be associated with more than one group and have several roles in
each group. The Ad hoc VO framework performs authorization checks according to the user privileges: after
login, the system controls each user action by comparing the user's permissions with the access
control list (ACL) of the action or requested object.

    The additional feature of the user management module is that the VO Members and VO Users can
request a membership in a desired virtual organization. The VO Owner makes a decision to approve or
reject the request. The registration process can be improved by collective voting of registered VO
Members and VO users.

3.4 Integration of Grid Resources with Ad hoc VO
    The Ad hoc VO solution is conceptually similar to the Virtual Grid (Figure 8). The main difference is in
the access mechanism to a grid resource. In the Virtual Grid, access is provided by an
account registered by a resource administrator; in Ad hoc VO, a user shares credentials using a proxy
certificate (Figure 12).

                                 Figure 12: Proxy certificate as a resource credential

     The proxy certificate provides the standard mechanism for authentication and authorization at a grid
resource provider. The security standards established in the grid community are specific to it because of
stringent requirements: the grid provides access to valuable and expensive resources that require
reliable protection. The security procedures are defined in the Grid Security Infrastructure (GSI) [24], the
de facto standard in grid computing.

     GSI relies on an X.509 Public Key Infrastructure (PKI) [25]. An X.509 certificate encodes
information about an entity (user, grid resource) and carries a signature over this information to prove the
identity. The certificate can be signed by itself or by another certificate. The certificate at the top of the chain is
called a Root Certificate. Special organizations, Certificate Authorities (CA), hold the trusted root certificates.
In the grid community there are several CA organizations, such as the TeraGrid CA and the DOEGrids CA.

    The grid environment establishes relationships (mutual authentication) between entities by
verifying the signatures on their X.509 certificates. There is a mechanism by which a user obtains a certificate;
the user then presents the certificate when accessing a resource. The main security threat in this
scheme arises when the certificate is stored on a weakly defended user machine, which is often the
case. To decrease this risk the proxy certificate is used. It combines two features of an X.509
certificate, delegation and an expiration period: the proxy certificate is derived from the original certificate
and given a short lifetime.

    Proxy certificates are managed by special software, credential management systems. The most
popular product in this family is MyProxy [xx]. Users register in MyProxy and store their original
certificates there. When a user later requests a credential, MyProxy asks for the user's username and passphrase
and creates and sends back a proxy certificate. Some grid systems are closely integrated with
MyProxy: when a user registers in the system, the MyProxy account and original certificate are
created automatically. In this case the user never downloads the original certificate from MyProxy, which
improves overall security.

     In Ad hoc VO the proxy certificate is uploaded from a credential management system and registered
in a virtual organization by a VO Member. When the VO Member shares the resource credential, access
policies can be configured for this credential. The policies define restrictions on using the credential and
can contain a list of groups, roles or users.

3.5 Single Sign-On as Ad hoc VO Authentication Mechanism
   Single Sign-On (SSO) is a technology providing access control that allows the user to log in with the
same credentials (username, password) to different applications. The user does not have to register in
each system and manage multiple accounts. All information required for authentication is stored and
managed by an SSO service.

    The Ad hoc VO authentication module is designed to support an SSO mechanism. The solution does not
store user credentials for authenticating the user but is integrated with external SSO services. The user
provides the credentials and indicates which SSO service must be used. Ad hoc VO redirects the request
to the SSO system and receives the confirmation. In order to use an external SSO system, it must be
registered in the list of trusted SSO services.

                                        Figure 13: Single Sign-On services

    After authentication, Ad hoc VO associates the user with a user account in the system. Each
user has an account with a unique user name, and the account is mapped to the SSO username.
In general, a user can have several mappings to different SSO services (Figure 13).

3.6 Job Submission in Ad hoc VO
    The Ad hoc VO job submission module is designed to provide transparent use of shared resources
inside the VO by project members. Users, registered in a virtual organization, work with a dynamic set of
resources as they would with one virtual resource, and can submit jobs without even knowing what grid
resources are registered in the VO.

     As established above, resource sharing is performed through the use of a proxy credential. The VO
Member sharing the resource downloads an X.509 proxy certificate from a credential management service
and defines the expiration period for the certificate and additional policies. The credential is stored as a
file in the system folder. This certificate is used to authenticate a user on a grid resource in order to
submit a job, following the GSI standard in communication with the resource provider. When a
credential expires, the credential owner is notified by the system.

    The job submission process uses a queue mechanism: on one side, users submit jobs to a VO
queue; on the other side, the VO chooses an available, unexpired proxy certificate to submit jobs to
a grid resource. As an option, the user can browse the list of available resources and submit a job to an
explicitly chosen resource; in this case the system selects the appropriate proxy credential.

    The policies defined for proxy credentials are used to make authorization decisions. When a user
submits a job, the job object contains user information that is compared with the credential policies
(Figure 14).

                                      Figure 14: Ad hoc VO job submission
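The following is an added example that models the design described in sections 3.3 and 3.6; it is not code from Cyberaide or from the report. Permissions, roles, the ACL of each action, credential policies, the two users and the three shared proxies are all constructed, and the VO queue's selection step prefers the longest-lived unexpired proxy that the user's groups, roles or name are allowed to use.

```python
"""Model of the Ad hoc VO authorization and credential-selection design
(sections 3.3 and 3.6). Illustrative code, not Cyberaide's; all names,
permissions and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)

@dataclass
class CredentialPolicy:
    """Who may use a shared credential; an empty set means no restriction."""
    groups: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)
    users: Set[str] = field(default_factory=set)

@dataclass
class ProxyCredential:
    owner: str              # VO Member who shared the credential
    resource: str           # grid resource it authenticates to
    path: str               # proxy file in the system folder (constructed)
    expires_at: datetime    # proxy lifetime chosen by the owner
    policy: CredentialPolicy = field(default_factory=CredentialPolicy)

# Predefined permissions grouped into roles, and the ACL of each action.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "vo_owner": {"register_user", "submit_job", "share_credential"},
    "vo_member": {"submit_job", "share_credential"},
    "vo_user": {"submit_job"},
}
ACTION_ACL: Dict[str, Set[str]] = {
    "submit_job": {"submit_job"},
    "share_credential": {"share_credential"},
    "register_user": {"register_user"},
}

def permissions_of(user: User) -> Set[str]:
    """Union of the permissions of every role the user holds."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def is_action_allowed(user: User, action: str) -> bool:
    """Post-login check: the user's permissions must cover the action's ACL.
    Unknown actions are denied rather than silently allowed."""
    required = ACTION_ACL.get(action)
    return required is not None and required <= permissions_of(user)

def policy_allows(policy: CredentialPolicy, user: User) -> bool:
    """Every non-empty restriction of the policy must match the job's user."""
    if policy.users and user.name not in policy.users:
        return False
    if policy.groups and not (policy.groups & user.groups):
        return False
    return not policy.roles or bool(policy.roles & user.roles)

def select_credential(user: User, creds: List[ProxyCredential], now: datetime,
                      resource: Optional[str] = None) -> Optional[ProxyCredential]:
    """VO-queue step: pick an unexpired credential whose policy admits the
    user, optionally restricted to an explicitly chosen resource."""
    if not is_action_allowed(user, "submit_job"):
        return None
    candidates = [c for c in creds
                  if c.expires_at > now
                  and (resource is None or c.resource == resource)
                  and policy_allows(c.policy, user)]
    # Prefer the longest-lived proxy so a queued job is least likely to
    # hit expiry between selection and submission.
    return max(candidates, key=lambda c: c.expires_at, default=None)

def expired_credentials(creds: List[ProxyCredential], now: datetime) -> List[ProxyCredential]:
    """Credentials whose owners the system should notify of expiration."""
    return [c for c in creds if c.expires_at <= now]

# Constructed sample data: two users and three shared proxies.
NOW = datetime(2009, 5, 1, 12, 0, tzinfo=timezone.utc)
ALICE = User("alice", groups={"physics"}, roles={"vo_member"})
BOB = User("bob", groups={"biology"}, roles={"vo_user"})
CREDENTIALS = [
    ProxyCredential("alice", "cluster-a.example", "/vo/creds/alice.pem",
                    NOW + timedelta(hours=8), CredentialPolicy(groups={"physics"})),
    ProxyCredential("carol", "cluster-b.example", "/vo/creds/carol.pem",
                    NOW + timedelta(hours=2)),                 # no restriction
    ProxyCredential("dave", "cluster-c.example", "/vo/creds/dave.pem",
                    NOW - timedelta(minutes=5)),               # already expired
]

if __name__ == "__main__":
    for u in (ALICE, BOB):
        chosen = select_credential(u, CREDENTIALS, NOW)
        print(u.name, "->", chosen.resource if chosen else "no usable credential")
    print("expired:", [c.owner for c in expired_credentials(CREDENTIALS, NOW)])
```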

4 Implementation of Ad hoc VO

4.1 Overview
    The experimental version of Ad hoc VO is implemented under the larger project, Cyberaide [xx]. The
functionality is developed as new Cyberaide modules or extends existing code. The implementation is
based on open-source platforms and languages:

       -   Operating systems. The ability of Ad hoc VO to run on different operating systems is a primary
           concern. Modern techniques such as cross-platform languages and web technologies make
           the choice of operating system transparent. However, integration with existing grid
           frameworks can limit the functionality outside the Unix/Linux family of platforms. The current
           implementation of Ad hoc VO is tested on Ubuntu Linux, Mac OS and Windows Vista under the
           Cygwin shell.
       -   Grid middleware. Ad hoc VO is integrated with Globus Toolkit (GT) version 4, a popular grid
           middleware. GT is a service-oriented, multi-layered framework that supports many open
           standards (OGSA, OGSI, WSRF, JSDL etc.) and provides the following services: resource
           management (GRAM), information services (MDS), security services (GSI) and data transfer
           and management (GASS and GridFTP). The Commodity Grid (CoG) Kit is used for rapid
           development; CoG provides functions for easy integration with the Globus platform.
       -   Programming environment. Ad hoc VO is coded on Java Standard Edition (SE) version 6, the latest
           version at the time, which delivers increased performance, new techniques for
           annotations and improved Web Service support (JAX-WS). Maven is used for the project
           build. Most programming is done in the Eclipse Integrated Development Environment
           (IDE), which provides powerful features for coding and plug-in support for integration with
           external applications.

    Implementation is done in a tight cooperation with other members of Cyberaide project using
Subversion, a revision control system. All code is maintained as a part of Cyberaide source codes that
are publicly available.

4.2 Cyberaide as Platform for Ad hoc VO
    Cyberaide is an umbrella name for the projects running in CASCI that experiment with new models and
strategies in grid and cloud environments. The projects are supervised by Professor Gregor von Laszewski
and cover many areas of research. Some of them are listed below:

       -   Shell. The framework provides a full-featured command line interface (CLI), even in a web
           browser, for working with a grid environment. The rationale is that a graphical user interface
           (GUI) is limited, less flexible and requires more developer support. Original grid middleware
           also exposes user commands, but they are usually complicated. In contrast, the Shell provides
           simple, customizable commands. In addition, commands can be nested in each other to form a
           structured hierarchy that is easy to memorize and use.
       -   Workflow. The goal of this project is to build a solution for managing job workflows. Jobs
           that a user submits to a grid resource can be grouped into a workflow, inside which rules
           define the relations and properties of the jobs. The distinctive feature of the system is its
           implementation on the Microsoft Project platform using .NET technology, integrated with
           Globus Toolkit, which lets users on a Microsoft platform work with grid infrastructure in a
           convenient and effective way.
       -   Scheduling. This project addresses job scheduling. Grid resources can be configured to be
           available to users only during specific time periods, which raises the problem of planning
           and running jobs on such a resource. The implemented system lets users manage the date and
           time at which a job should run on the desired resource. Its distinctive feature is the use of
           Google Calendar, a service integrated into the Google Apps platform, which provides fast and
           easy deployment of web applications.
       -   Web 2.0. This broad project aims to bring cutting-edge Internet technologies into grid
           infrastructure, providing a rich, interactive and user-friendly interface based on Ajax, or
           implementing virtual organizations inside social networks. The approach is also promising
           because of the growing Internet community and the wide spread of the new generation of web
           development technologies.

    Integrating the Cyberaide projects with each other can have a multiplied effect, resulting in a
powerful framework that addresses current problems of the grid community. From this perspective,
embedding Ad hoc VO into Cyberaide reduces development effort and makes for more efficient use.

4.3 Ad hoc VO Components
    Ad hoc VO is implemented as a multi-tier application with presentation, business logic and data
management layers (Figure 15). Interfaces for end users and applications are provided by the web
components: the Portal and the Web Service. The Ad hoc VO server application provides an API and
processes requests from the web layer. The data layer manages application and user data.

                                      Figure 15: Ad hoc VO components

    The end user can interact with Ad hoc VO in three ways, which provide the same functionality but
implement different communication and security options:

       1) the web portal, from a web browser
       2) the web service, through the Ad hoc VO client application
       3) the Ad hoc VO server application, from the OS command line

4.3.1 Ad hoc VO Portal
    A portal is a popular Internet technology that provides a single point of access to aggregated and
structured data extracted from different sources. Portals provide interface customization, quick and
easy access to information, and search and communication features.

    The Ad hoc VO portal lets project members work with the system through a web browser. The portal
communicates over a secured HTTPS channel.

4.3.2 Ad hoc VO Web Service
    The main component of the Ad hoc VO application is a Web Service (WS), a technology widely accepted
by the web and grid communities. The WS platform provides a high level of interoperability among
services because its standards have been adopted by software vendors. Together with portal solutions, the
WS framework is a popular platform for developing web-based systems. More information about portal and
WS technologies can be found in [26-28].

    The WS implementation is based on the Apache CXF platform. CXF is relatively new but powerful, and
offers many useful features such as an embedded Jetty HTTP server and dynamic configuration of the WS
URI and of transport/message security settings.

    Users work with the WS through the Ad hoc VO client application. The client keys required for SSL are
stored in a password-protected Java KeyStore (JKS) file. Since the Cyberaide sources are public, the
keystore and its password must be kept out of the repository, and the file should be readable only by the
account that runs the client.

4.3.3 Ad hoc VO Server Application
    The Ad hoc VO Application is a library developed on the Cyberaide Shell platform. It provides an API
for VO management and job submission. TODO

4.3.4 Ad hoc VO Data Layer
    The internal representation of data in Ad hoc VO is object-oriented. Data is stored in files formatted
similarly to the JSON standard. TODO

4.4 Single Sign-On Solutions in Ad hoc VO
    The default SSO service used in the framework is MyProxy, a credential management system widely
accepted by the Grid community. The project implementation focuses on the MyProxy service of the
TeraGrid, which means that only users registered with the TeraGrid can create and manage virtual
organizations and resources. Integration with the MyProxy service is implemented with the Java CoG Kit
library.

    Another option is OpenID, a popular web SSO platform.

    The system is designed as a secure service: users access it from web browsers or stand-alone
applications over encrypted communication channels. TODO

4.4.1 OpenID
    OpenID is integrated with the Ad hoc VO portal because the protocol requires an HTTP redirect of the
user's browser to the OpenID provider and back. TODO

4.4.2 MyProxy
    MyProxy is integrated with the WS as the default option. TODO

4.5 Ad hoc VO Session Management
    Sessions are supported to maintain the ACL and user context in the portal, the WS and the server
application. TODO
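One way to realise such sessions, as an added example in Python rather than the project's own code: a server-side store keyed by a random token that holds the user's SSO identity and ACL, with an idle timeout, an absolute lifetime, and an authorization check against the ACL before each administrative action. The timeouts, action names and the sample user are assumptions.

```python
"""Server-side session store keeping the user's SSO identity and ACL.
Added example of the design sketched above; not Cyberaide code."""
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional


class SessionStore:
    def __init__(self, idle_timeout: timedelta, max_lifetime: timedelta):
        self._sessions = {}          # token -> session record (never leaves the server)
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime

    def create(self, user: str, sso_name: str, acl, now: datetime) -> str:
        # 256-bit random token is all the client holds; the ACL stays server-side
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user, "sso": sso_name, "acl": frozenset(acl),
            "created": now, "last_seen": now,
        }
        return token

    def lookup(self, token: str, now: datetime) -> Optional[dict]:
        session = self._sessions.get(token)
        if session is None:
            return None
        idle = now - session["last_seen"] > self.idle_timeout
        aged = now - session["created"] > self.max_lifetime
        if idle or aged:
            del self._sessions[token]      # expire and forget the context
            return None
        session["last_seen"] = now
        return session

    def authorize(self, token: str, action: str, now: datetime) -> str:
        """Return the acting user, or raise if the session or ACL does not allow it."""
        session = self.lookup(token, now)
        if session is None:
            raise PermissionError("no valid session")
        if action not in session["acl"]:
            raise PermissionError(f"{session['user']} is not allowed to {action}")
        return session["user"]

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)   # logout: token stops working at once


T0 = datetime(2009, 5, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock


def run_demo() -> dict:
    store = SessionStore(idle_timeout=timedelta(minutes=30),
                         max_lifetime=timedelta(hours=8))
    # Constructed sample: a VO owner who may share resources but not delete users
    token = store.create("alice", "https://openid.example/alice",
                         {"share resource", "revoke resource"}, T0)
    out = {}
    out["share"] = store.authorize(token, "share resource", T0 + timedelta(minutes=5))
    try:
        store.authorize(token, "delete user", T0 + timedelta(minutes=6))
    except PermissionError as exc:
        out["delete"] = str(exc)
    # Last use was at +6 min; 34 idle minutes later the session is gone
    out["after_idle"] = store.lookup(token, T0 + timedelta(minutes=40))
    out["bogus"] = store.lookup("not-a-token", T0)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The same store serves the portal, the WS and the command-line entry point, since all three only need the token and the clock to recover the ACL and user context.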

4.6 Ad hoc VO Command Line Interface
    The interface to the system is implemented as a CLI. TODO

4.6.1      User and Resource Administration

    VERB        TYPE        OPTIONS                              DESCRIPTION
    List        user        [-attributes ATTRIBUTE...]           List user objects
                ssoname     [-user USERNAME]
    Set         user                                             Define the default value used by the -user option
    Create      user        [-attributes ATTRIBUTE=VALUE...]     Create a new user object
                ssoname     [-fromfile FILENAME]
                resource    [-user USERNAME]
    Info        user        [-id ID]                             Display information about a user object
                ssoname     [-user USERNAME]
    Edit        user        [-id ID]                             Edit a user object
                ssoname     [-user USERNAME]
    Delete      user        [-id ID]                             Delete a user object
                ssoname     [-user USERNAME]
    Share       resource    -vo VONAME                           Share a user resource within a VO
                            [-id ID]
                            [-user USERNAME]
    Revoke      resource    -vo VONAME                           Revoke a shared user resource from a VO
                            [-id ID]
                            [-user USERNAME]
    Update      resource    -proxy FILENAME                      Update a resource (proxy credential)
                            [-id ID]
                            [-user USERNAME]
                                     Table 1: User administration command options
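The command grammar of Table 1, as an added Python example (this is not the Cyberaide Shell code): a parser that enforces the verb/type pairs, the mandatory -vo and -proxy options, the multi-valued -attributes option, and the default supplied by "set user". The form "set user -user NAME" is an assumption, since Table 1 lists no options for that command, and the sample command lines are constructed.

```python
"""Parser for the VERB TYPE [OPTIONS...] command grammar of Table 1.
Added example; not the Cyberaide Shell implementation."""
import shlex

# Verb -> object types it accepts (from Table 1)
GRAMMAR = {
    "list":   {"user", "ssoname"},
    "set":    {"user"},
    "create": {"user", "ssoname", "resource"},
    "info":   {"user", "ssoname"},
    "edit":   {"user", "ssoname"},
    "delete": {"user", "ssoname"},
    "share":  {"resource"},
    "revoke": {"resource"},
    "update": {"resource"},
}
# Options written without brackets in Table 1 are mandatory
REQUIRED = {"share": {"vo"}, "revoke": {"vo"}, "update": {"proxy"}}
# Options written "NAME..." take one or more values
MULTI_VALUE = {"attributes"}


class CommandError(ValueError):
    pass


class CommandParser:
    def __init__(self):
        # Assumed form of the command: "set user -user NAME"
        self.default_user = None

    def parse(self, line: str) -> dict:
        tokens = shlex.split(line)
        if len(tokens) < 2:
            raise CommandError("expected: VERB TYPE [OPTIONS...]")
        verb, obj = tokens[0].lower(), tokens[1].lower()
        if verb not in GRAMMAR:
            raise CommandError(f"unknown verb {verb!r}")
        if obj not in GRAMMAR[verb]:
            raise CommandError(f"{verb!r} does not accept type {obj!r}")

        options = {}
        i = 2
        while i < len(tokens):
            if not tokens[i].startswith("-"):
                raise CommandError(f"unexpected argument {tokens[i]!r}")
            name = tokens[i][1:]
            i += 1
            values = []
            while i < len(tokens) and not tokens[i].startswith("-"):
                values.append(tokens[i])
                i += 1
            if not values:
                raise CommandError(f"option -{name} needs a value")
            if name in MULTI_VALUE:
                options[name] = values
            elif len(values) == 1:
                options[name] = values[0]
            else:
                raise CommandError(f"option -{name} takes exactly one value")

        missing = REQUIRED.get(verb, set()) - set(options)
        if missing:
            raise CommandError(f"{verb} {obj} requires -" + ", -".join(sorted(missing)))

        if verb == "set" and obj == "user":
            self.default_user = options.get("user")
        elif "user" not in options and self.default_user is not None:
            options["user"] = self.default_user   # default from "set user"

        return {"verb": verb, "type": obj, "options": options}


def is_rejected(line: str) -> bool:
    """True if a fresh parser refuses the command line."""
    try:
        CommandParser().parse(line)
    except CommandError:
        return True
    return False


def run_demo() -> list:
    parser = CommandParser()
    script = [                                   # constructed sample session
        "set user -user alice",
        "create user -attributes name=Bob role=member",
        "share resource -vo physics -id 7",
    ]
    return [parser.parse(line) for line in script]


if __name__ == "__main__":
    for command in run_demo():
        print(command)
```

Validating the verb/type pair and the mandatory options before any handler runs keeps a malformed "share" or "update" from ever reaching the code that touches proxy files.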

4.6.2      VO Administration

                                   Table 2: Ad hoc VO administration command options

4.6.3      Job Submission
submit [OPTIONS...]

                                  Table 3: Ad hoc VO job submission command options


5.1 Contribution
       The following achievements were made in this project:

           1. A new, decentralized way of managing virtual organizations was researched. The proposed
              concept, Ad hoc VO, is based on VO members sharing proxy certificates.
           2. An experimental environment based on the Ad hoc VO approach was implemented as part of
              the Cyberaide project.
           3. Web Service security standards and their implementation by vendors were researched. The
              results were used in the implementation of the Ad hoc VO service.
           4. Integration of Ad hoc VO with external Single Sign-On services was researched. The portal
              module, part of the Ad hoc VO platform, was integrated with OpenID, a popular SSO platform.

5.2 Meeting requirements
5.2.1 Ad hoc VO Deployment
    The Ad hoc VO distribution is lightweight (about 10 megabytes on disk) and requires only make and
Maven 2 on the target machine. The setup process is simple and straightforward:

       -   the default installation runs automatically without user interaction
       -   the makefile starts the Ad hoc VO service immediately after setup

    The Ad hoc VO solution uses the Apache CXF platform for service deployment, which runs an embedded
web server that needs no separate setup. When a user needs to change default settings such as the web
service address or the security mode, only a text configuration file has to be edited.

    The person who launches the Ad hoc VO service is responsible for securing the underlying software
(patching the operating system, running an antivirus program etc.), meeting the prerequisites for installing
the service (upgrading hardware if needed; upgrading, installing or configuring required software products),
and registering SSO systems and future VO owners. This means he must have elementary system
administration knowledge. Ad hoc VO simplifies system administration because it:

       -   can run on a machine with modest hardware
       -   requires only popular, open-source and often already installed software products
       -   provides different ways of administration (running commands from a console, editing a
           settings file)

    An Ad hoc VO service can be deployed on any Internet node and used by one or several scientific
teams. Multiple services form a decentralized VO management infrastructure in which each VO service is
deployed and supported by a separate team. Because such a node holds the members' shared proxy files,
the host hardening described above is a precondition for exposing it to the Internet, not an option.

    All of these characteristics make the Ad hoc VO solution a compact, quick and easily deployable
virtual organization management tool.

5.2.2 Ad hoc VO Administration
    Ad hoc VO provides an easy way of managing virtual organizations, with two independent levels of
administration: VO management and resource management. This functional division decentralizes
administration inside the Ad hoc VO solution and so speeds up administrative tasks.

    VO and resource administration is done by VO owners and VO members from the command line
interface inside the Ad hoc VO environment; the commands are simple and intuitive. If needed, a command
description can be displayed with the man command. Users can also use the graphical interface in the
portal module of the Ad hoc VO platform.

5.2.3 Ad hoc VO User Registration and Access
    User registration is done by the VO owner, who creates a user account in the system. The account
should be associated with an SSO system. TODO

5.2.4 Ad hoc VO Security
    Security is provided by SSL, SSO and proxy certificates. TBD

5.2.5 Integration of Ad hoc VO with Grid and VO Platforms
    Ad hoc VO is designed and implemented to integrate with Globus Toolkit 4. TBD

5.3 Tests
    Characteristics of the test machine:

        -   Processor: TBD
        -   Memory: TBD
        -   Hard Disk: TBD
        -   Operating System: TBD
        -   Installed Software: TBD

    Test results are presented in Table 4.

    PARAMETER                UNIT                 RESULT
    Default setup            Time                 5 min
    Deployment               Time                 20 sec
    User registration        Number of steps      5

                                        Table 4: Ad hoc VO test results


6.1 Virtual Collaboration Shell

6.2 Communication Features

6.3 Virtual File System


[1] K. Amin, G. von Laszewski, and A. R. Mikler, “Quality Assured Ad Hoc Grids,” in International Conference on
    Autonomic and Autonomous Systems International Conference on Networking and Services. IEEE, 23-28 Oct.
    2005. [Online]. Available:
[2] “Toward an Architecture for Ad Hoc Grids,” in 12th International Conference on Advanced Computing and
    Communications (ADCOM 2004), Ahmedabad Gujarat, India, 15-18 Dec. 2004. [Online]. Available:
[3] R. Alfieri, R. Cecchini, V. Ciaschini, Á. Frohner, A. Gianoli, K. Lőrentey, and F. Spataro, “VOMS, an authorization
    system for virtual organizations,” in Proceedings of the 1st European Across Grids Conference, Santiago de
    Compostela, 2003, pp. 13–14.
[4] R. Sinnott, J. Jiang, J. Watt, and O. Ajayi, “Shibboleth-based access to and usage of grid resources,” Grid
    Computing, 7th IEEE/ACM International Conference on, vol. 1, pp. 136–143, Sept. 2006.
[5] R. Sinnott, D. Chadwick, T. Doherty, D. Martin, Stell, G. Stewart, L. Su, and J. Watt, “Advanced security for
    virtual organizations: The pros and cons of centralized vs decentralized security models,” Cluster Computing
    and the Grid, 2008. CCGRID ’08. 8 IEEE International Symposium on, vol. 1, pp. 106–113, May 2008.
[6] J. Li, J. Huai, and C. Hu, “PEACE-VO: A secure policy-enabled collaboration framework for virtual organizations,”
    Reliable Distributed Systems, 2007. SRDS 2007. 26th IEEE International Symposium on, vol. 1, pp. 199–208,
    Oct. 2007.
[7] Q. Zeng, C. Huang, D. Chen, and H. H. Hunan, “Supporting secure collaborative computing in grid
    environments,” Computer Supported Cooperative Work 7 in Design, 2004. Proceedings. The 8th International
    Conference on, vol. 2, pp. 413–418, May 2004.
[8] M. Lorch, D. Kafura, I. Fisk, K. Keahey, G. Carcassi, T. Freeman, T. Peremutov, and A. Rana, “Authorization and
    account management in the open science grid,” Grid Computing, 2005. The 6th IEEE/ACM International
    Workshop on, vol. 1, pp. 17–24, Nov. 2005.
[9] M. Kamel, A. Benzekri, F. Barrere, and R. Laborde, “Evaluating the conformity of an access control architecture
    for virtual organizations with ISO/IEC 17799,” Global Information Infrastructure Symposium, 2007. GIIS 2007.
    First International, vol. 1, pp. 173–180, July 2007.
[10] A. C. Squicciarini, E. Bertino, and S. Goasguen, “Access control strategies for virtualized environments in grid
     computing systems,” Future Trends of Distributed Computing Systems, 2007. FTDCS ’07. 11th IEEE
     International Workshop on, vol. 1, pp. 48–54, March 2007.
[11] M. Niinimaki, J. White, W. de Cerff, J. Hahkala, T. Niemi, and M. Pitkanen, “Using virtual organizations
     membership system with EDG's grid security and database access,” Database and Expert Systems Applications,
     2004. Proceedings. 15th International Workshop on, vol. 1, pp. 517–522, Aug. 2004.
[12] S. Adabala, A. Matsunaga, M. Tsugawa, R. Figueiredo, and J. Fortes, “Single sign-on in in-vigo: role-based
     access via delegation mechanisms using short-lived user identities,” Parallel and Distributed Processing
     Symposium, 2004. Proceedings. 18th International, vol. 1, pp. 1–7, April 2004.
[13] V. Ciaschini, A. Ferraro, A. Forti, A. Ghiselli, V. Venturi, A. Gianoli, E. Luppi, F. Stagni, and L. Tomassetti,
     “Distributed policy framework across multiple grid domains,” Nuclear Science Symposium Conference Record,
     2007. NSS ’07. IEEE, vol. 1, pp. 892–897, Nov. 2007.
[14] V. Venturi, F. Stagni, A. Gianoli, A. Ceccanti, and V. Ciaschini, “Virtual organization management across
     middleware boundaries,” e-Science and Grid Computing, IEEE International Conference on, vol. 1, pp. 545–
     552, Dec. 2007.
[15] M. Ates, C. Gravier, J. Lardon, J. Fayolle, and B. Sauviac, “Interoperability between heterogeneous federation
     architectures: Illustration with SAML and WS-Federation,” Signal-Image Technologies and Internet-Based
     System, 2007. SITIS ’07. Third International IEEE Conference on, vol. 1, pp. 1063–1070, Dec. 2007.

[16] M. R. Nami and A. Malekpour, “Application of self-managing properties in virtual organizations,” Computer
     Science and its Applications, 2008. CSA ’08. International Symposium on, vol. 1, pp. 13–16, Oct. 2008.
[17] B. Nasser, F. Barrere, A. Benzekri, R. Laborde, and M. Kamel, “Automated creation of interorganizational grid
     virtual organizations,” Network Operations and Management Symposium, 2006. NOMS 2006. 10th IEEE/IFIP,
     vol. 1, pp. 1–4, 2006.
[18] M. Smith, T. Friese, and B. Freisleben, “Towards a service-oriented ad hoc grid,” Parallel and Distributed
     Computing, 2004. Third International Symposium on/Algorithms, Models and Tools for Parallel Computing on
     Heterogeneous Networks, 2004. Third International Workshop on, vol. 1, pp. 201–208, July 2004.
[19] Y.-J. Lee, “A dynamic virtual organization solution for web-services based grid middleware,” Database and
     Expert Systems Applications, 2005. Proceedings. Sixteenth International Workshop on, vol. 1, pp. 40–44, Aug.
[20] H. H. Karlsen and B. Vinter, “VGrids as an implementation of virtual organizations in grid computing,” Enabling
     Technologies: Infrastructure for Collaborative Enterprises, 2006. WETICE ’06. 15th IEEE International
     Workshops on, vol. 1, pp. 175–180, June 2006.
[21] C. Morin, “XtreemOS: A grid operating system making your computer ready for participating in virtual
     organizations,” Object and Component-Oriented Real-Time Distributed Computing, 2007. ISORC ’07. 10th IEEE
     International Symposium on, vol. 1, pp. 393–402, May 2007.
[22] M. Coppola, Y. Jegou, B. Matthews, C. Morin, L. Prieto, O. Sanchez, E. Yang, and H. Yu, “Virtual organization
     support within a grid-wide operating system,” Internet Computing, IEEE, vol. 12, no. 2, pp. 20–28, March-April
[23] Y. Demchenko, C. de Laat, and V. Ciaschini, “VO-based dynamic security associations in collaborative grid
     environment,” Collaborative Technologies and Systems, 2006. CTS 2006. International Symposium on, vol. 1,
     pp. 38–47, May 2006.
[24] V. Welch, “Globus toolkit version 4 grid security infrastructure: A standards perspective,” Sep. 2005. [Online].
[25] R. Housley, W. Ford, W. Polk, and D. Solo, “Internet X.509 public key infrastructure certificate and CRL profile,”
     United States, 1999. [Online]. Available:
[26] M. Lukicic, V. Sruk, and L. Budin, “Portal technology and web services as platform for process integration in
     virtual organizations,” Information Technology Interfaces, 2006. 28th International Conference on, vol. 1, pp.
     413–418, 2006.
[27] R. Barbera, A. Falzone, V. Ardizzone, and D. Scardaci, “The GENIUS grid portal: Its architecture, improvements of
     features, and new implementations about authentication and authorization,” Enabling Technologies:
     Infrastructure for Collaborative Enterprises, 2007. WETICE 2007. 16th IEEE International Workshops on, vol. 1,
     pp. 279–283, June 2007.
[28] A. Weaver, I. Dwyer, S.J., A. Snyder, J. Van Dyke, J. Hu, X. Chen, T. Mulholland, and A. Marshall, “Federated,
     secure trust networks for distributed healthcare it services,” Industrial Informatics, 2003. INDIN 2003.
     Proceedings. IEEE International Conference on, vol. 1, pp. 162–169, Aug. 2003.

