What Technology MGRID Uses
Developed at the University of Michigan, the kx509 facility provides a connection between Kerberos and X.509 certificates. Users authenticate via Kerberos, and then use kx509 to generate a short-term X.509 certificate. A browser security module developed by CITI uses this certificate to authenticate the user and encrypt all network traffic to and from Apache modules (also developed by CITI) on the web server. This greatly simplifies deployment by capitalizing on the existing UM Kerberos infrastructure, and is more secure than other schemes that send passwords over the network.
Built by the University of Michigan School of Information, Media Union, and Medical School staff, the CompreHensive collaborativE Framework (CHEF) project is a flexible environment for supporting distributed learning and collaborative work. MGRID uses this framework to provide a powerful web-based GUI to facilitate easy grid access.
The Globus software is architecturally central to MGRID, providing a standard interface to users and resources. Globus supports authentication and authorization of users and a command line interface. Many resource interfaces are available to use job schedulers such as PBS, Condor, and SGE. File transfer facilities are provided, as well as support for monitoring and querying resources.
PBS (Portable Batch System), SGE (Sun Grid Engine), and Condor are job schedulers for parallel applications. These packages queue jobs submitted by users and schedule them for execution on a given cluster of processing nodes. The cluster manager controls which users and jobs have the highest priority, and how much CPU time each is allowed to consume. PBS and Condor allow "cycle scavenging", where an execution node may be an underutilized desktop machine, and the paradigm is the "screen saver" model where, if a user is not using the machine, the job scheduler uses it to run a program.
Apache is a full-featured open source web server, and has the capability to incorporate external modules. MGRID exploits this feature to implement the kx509 interface, which provides authentication and confidentiality.
This module provides strong cryptography for the Apache 1.3 webserver via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with the help of the Open Source SSL/TLS toolkit OpenSSL. MGRID uses this module in conjunction with its own to provide a secure web server.
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. MGRID uses Tomcat to run its web server portlets.
Walden was developed by MGRID to provide authorization (via XACML) and identity mapping. When users connect to MGRID, they are automatically allocated a temporary identity. This simplifies administration by not requiring every potential user of the grid to have an account on every machine. Walden uses policies specified in the XACML language to support flexible authorization.
The eXtensible Access Control Markup Language (XACML) allows users to write a policy describing what actions users are authorized to perform on a given set of resources. Based on XML, it provides a powerful set of tools for defining and combining rules. MGRID used its extensibility to tie into the University of Michigan's LDAP services, which provide the means for defining groups of people, which are in turn used to grant authorization.
The Lightweight Directory Access Protocol (LDAP) was developed at the University of Michigan to provide a network-enabled way to locate information. Commonly used for finding names, addresses, and phone numbers, LDAP is capable of making any catalog of information available. MGRID uses LDAP to define which users are authorized to access given resources. This is especially convenient at UM, where there is a university-wide LDAP infrastructure.
NFS / Automounter
The Network File System (NFS version 3) and Automounter combine to provide simple data access. NFS allows execution nodes to access files as if they were local. The Automounter minimizes administration by automatically mounting only the file systems that are required.
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
MGRID uses OpenSSL tools throughout its security facilities, and maintains a certificate authority based on them.