Similar literature
Found 20 similar documents; search took 676 ms
1.
The problem of Grid‐middleware interoperability is addressed by the design and analysis of a feature‐rich, standards‐based framework for all‐to‐all cross‐middleware job submission. The architecture is designed with focus on generality and flexibility and builds on extensive use, internally and externally, of (proposed) Web and Grid services standards such as WSRF, JSDL, GLUE, and WS‐Agreement. The external use provides the foundation for easy integration into specific middlewares, which is performed by the design of a small set of plugins for each middleware. Currently, plugins are provided for integration into Globus Toolkit 4 and NorduGrid/ARC. The internal use of standard formats facilitates customization of the job submission service by replacement of custom components for performing specific well‐defined tasks. Most importantly, this enables the easy replacement of resource selection algorithms by algorithms that address the specific needs of a particular Grid environment and job submission scenario. By default, the service implements a decentralized brokering policy, striving to optimize the performance for the individual user by minimizing the response time for each job submitted. The algorithms in our implementation perform resource selection based on performance predictions, and provide support for advance reservations as well as coallocation of multiple resources for coordinated use. The performance of the system is analyzed with focus on overall service throughput (up to over 250 jobs per min) and individual job submission response time (down to under 1 s). Copyright © 2009 John Wiley & Sons, Ltd.

2.
Security infrastructure is one of the most challenging tasks in the development, integration and deployment of Grid middlewares. Even though the Grid community addresses the security issue through public key infrastructures (PKI) to support mutual authentication using X.509 certificates, maintaining X.509 credentials is not that easy for non-IT-experts, and has proved to be an obstacle for a wider deployment of Grid technologies. The identity federation is an increasingly popular technology that can facilitate cross-domain single sign-on without requiring the users to maintain any credentials additional to their own institutional accounts. We believe that utilizing identity federation for Grid middlewares is a promising path for the Grid technology to get more widely used. This paper describes a single sign-on infrastructure developed as a part of the NorduGrid ARC (Advanced Resource Connector) Grid middleware. It adopts the identity federation standard (SAML), as well as other Web Service standards. It focuses on a single sign-on solution at the middleware level for users to access Grids by only using their frequently used accounts, without being bothered to maintain X.509 credentials. Users can use their username/password only to access Grids developed in ARC middleware, as well as access Grids developed in other middlewares that require users to provide X.509 certificates. Moreover, the single sign-on for workflow-like Grid applications (in which intermediate entities act on behalf of users) is also supported. As an important aspect of single sign-on, authorization is also considered by implementing an attribute-based authorization using the SAML standard. In addition, the performance of the single sign-on solution is measured. We identify performance limitations of security-related services inside this solution, and analyse the ways to avoid the limitations. To our knowledge, the work presented in this paper is the first evaluated implementation that utilizes identity federation for Grid usage on the middleware level.

3.
Authentication and authorization for Grids is a challenging security issue. In this paper, key issues for the establishment of Grid authentication and authorization infrastructures are discussed, and an overview of major Grid authentication and authorization technologies is presented. Related to this, recent developments in Grid authentication and authorization infrastructures suggest adoption of the Shibboleth technology which offers advantages in terms of usability, confidentiality, scalability and manageability. When combined with advanced authorization technologies, Shibboleth-based authentication and authorization infrastructures provide role-based, fine-grained authorization. We share our experience in constructing a Shibboleth-based authentication and authorization infrastructure and believe that such infrastructure provides a promising solution for the security of many application domains.

4.
The last 5 years have seen considerable discussion of various types of Grids—compute Grids, storage Grids, and data Grids. Using the checklist given in Foster (2002) to define a Grid, two important problems that arise in the context of resource sharing in Grid computing environments are discussed. First, the well documented problem in compute Grid environments that arises from the inability of consumers to accurately estimate their resource requirements is presented. This results in incorrect scheduling of requests for Grid resources and social welfare loss. To address this problem, two research proposals are briefly described. The first approach argues for the design of decision support tools to help users with resource estimation while the second approach studies the design of resource allocation mechanisms that can work with stochastic specifications of resource requirements. This is in contrast to the traditional point estimates of resource required by extant mechanisms. Next, resource provisioning and pricing problems that arise in data storage and retrieval Grids are described. These Grids differ fundamentally from compute Grids but share some economic characteristics with P2P file sharing networks. Drawing on this connection, pricing mechanisms and resource provisioning research is briefly discussed.

5.
Grids provide uniform access to aggregations of heterogeneous resources and services such as computers, networks and storage owned by multiple organizations. However, such a dynamic environment poses many challenges for application composition and deployment. In this paper, we present the design of the Gridbus Grid resource broker that allows users to create applications and specify different objectives through different interfaces without having to deal with the complexity of Grid infrastructure. We present the unique requirements that motivated our design and discuss how these provide flexibility in extending the functionality of the broker to support different low‐level middlewares and user interfaces. We evaluate the broker with different job profiles and Grid middleware and conclude with the lessons learnt from our development experience. Copyright © 2007 John Wiley & Sons, Ltd.

6.
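Research on an Identity Authentication and Access Control Model for Web Services   Total citations: 1, self-citations: 0, citations by others: 1
The distributed, heterogeneous nature of Web services complicates the authentication and authorization of service requesters. To address these problems, an identity authentication and access control model based on key technologies such as SAML, XACML, and RBAC is proposed. The model uses SAML artifact technology to implement single sign-on for Web services; implements the RBAC model with XACML, simplifying authorization management while achieving fine-grained access control over resources; and uses extended SAML syntax to support the secure and effective transmission of XACML information.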

7.
It is commonly observed that production Grids are inherently unreliable. The aim of this work is to improve Grid application performances by tuning the job submission system. A stochastic model, capturing the behavior of a complex Grid workload management system is proposed. To instantiate the model, detailed statistics are extracted from dense Grid activity traces. The model is exploited for optimizing a simple job resubmission strategy. It provides quantitative inputs to improve job submission performance and it enables the impact of faults and outliers on Grid operations to be quantified.

8.
《Parallel Computing》2007,33(7-8):572-591
The Grid Information Service (GIS) is a core component in the Grid software infrastructure. It provides diverse information to users or other service components in Grid environments. In this paper, we propose a scalable GIS architecture for information management in a large scale Grid Virtual Organization (VO). This architecture consists of the VO layer, site layer and resource layer: at the resource layer, information agents and pluggable information sensors are deployed on each resource monitored. This information agent and sensor approach provides a flexible framework that enables specific information to be captured; at the site layer, a site information service component with caching capability aggregates and maintains up-to-date information of all the resources monitored within an administrative domain; at the VO layer, a peer-to-peer approach is used to build a virtual network of site information services for information discovery and query in a large scale Grid VO. This decentralized approach makes information management scalable and robust. Furthermore, we propose a security framework for the GIS, which provides security policies for authentication and authorization control of the GIS at both the site and the VO layers. Our GIS has been implemented based on the Globus Toolkit 4 as Web services compliant to Web Services Resource Framework (WSRF) specifications. The experimental results show that the GIS presents satisfactory scalability in handling information for large scale Grids.

9.
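To solve the security problems of resource access control in Grid environments, an access control model based on XACML and SAML is proposed by analyzing the eXtensible Access Control Markup Language (XACML), the Security Assertion Markup Language (SAML), and related technologies. The model uses XACML to describe the authorization policies for access control and uses SAML assertions as the carrier for conveying user authentication and authorization information, providing secure, fine-grained access control with high flexibility and extensibility.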

10.
We present algorithms, methods, and software for a Grid resource manager that performs resource brokering and job scheduling in production Grids. This decentralized broker selects computational resources based on actual job requirements, job characteristics, and information provided by the resources, with the aim to minimize the total time to delivery for the individual application. The total time to delivery includes the time for program execution, batch queue waiting, and transfer of executable and input/output data to and from the resource. The main features of the resource broker include two alternative approaches to advance reservations, resource selection algorithms based on computer benchmark results and network performance predictions, and a basic adaptation facility. The broker is implemented as a built-in component of a job submission client for the NorduGrid/ARC middleware.

11.
In this paper, we propose a new role-based access control (RBAC) system for Grid data resources in the Open Grid Services Architecture Data Access and Integration (OGSA-DAI). OGSA-DAI is a widely used framework for integrating data resources in Grids. However, OGSA-DAI’s identity-based access control causes substantial administration overhead for the resource providers in virtual organizations (VOs) because of the direct mapping between individual Grid users and the privileges on the resources. To solve this problem, we used the Shibboleth, an attribute authorization service, to support RBAC within the OGSA-DAI. In addition, access control policies need to be specified and managed across multiple VOs. For the specification of access control policies, we used the Core and Hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML); and for distributed administration of those policies and the user-role assignments, we used the Object, Metadata and Artifacts Registry (OMAR). OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications developed to achieve interoperable registries and repositories. Our RBAC system provides scalable and fine-grain access control and allows privacy protection. It also supports dynamic delegation of rights and user-role assignments, and reduces the administration overheads for the resource providers because they need to maintain only the mapping information from VO roles to local database roles. Moreover, unnecessary mapping and connections can be avoided by denying invalid requests at the VO level. Performance analysis shows that our RBAC system adds only a small overhead to the existing security infrastructure of OGSA-DAI.

12.
周密 《计算机时代》2009,(10):21-23
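The distributed and heterogeneous nature of Web services complicates the authentication and authorization of service requesters. To address these problems, an identity authentication and access control model based on key technologies such as SAML, XACML, and RBAC is proposed. The model uses SAML artifact technology to implement single sign-on for Web services; implements the RBAC model with XACML, simplifying authorization management while achieving fine-grained access control over resources; and uses extended SAML syntax to ensure the secure and effective transmission of XACML information.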

13.
Several Grids have been established and used for varying science applications during the last years. Most of these Grids, however, work in isolation and with different utilisation levels. Previous work has introduced an architecture and a mechanism to enable resource sharing amongst Grids. It has demonstrated that there can be benefits for a Grid to offload requests or provide spare resources to another Grid. In this work, we address the problem of resource provisioning to Grid applications in multiple-Grid environments. The provisioning is carried out based on availability information obtained from queueing-based resource management systems deployed at the provider sites which are the participants of the Grids. We evaluate the performance of different allocation policies. In contrast to existing work on load sharing across Grids, the policies described here take into account the local load of resource providers, imprecise availability information and the compensation of providers for the resources offered to the Grid. In addition, we evaluate these policies along with a mechanism that allows resource sharing amongst Grids. Experimental results obtained through simulation show that the mechanism and policies are effective in redirecting requests thus improving the applications’ average weighted response time.

14.
Grids offer a dramatic increase in the number of available processing and storing resources that can be delivered to applications. However, efficient job submission and management continue being far from accessible to ordinary scientists and engineers due to their dynamic and complex nature. This paper describes a new Globus based framework that allows an easier and more efficient execution of jobs in a ‘submit and forget’ fashion. The framework automatically performs the steps involved in job submission and also watches over its efficient execution. In order to obtain a reasonable degree of performance, job execution is adapted to dynamic resource conditions and application demands. Adaptation is achieved by supporting automatic application migration following performance degradation, ‘better’ resource discovery, requirement change, owner decision or remote resource failure. The framework is currently functional on any Grid testbed based on Globus because it does not require new system software to be installed in the resources. The paper also includes practical experiences of the behavior of our framework on the TRGP and UCM‐CAB testbeds. Copyright © 2004 John Wiley & Sons, Ltd.

15.
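Design of a Trust and Authorization Service Platform Based on the SAML Standard   Total citations: 9, self-citations: 0, citations by others: 9
Based on an analysis of the current state of trust and authorization systems, and addressing the problem of cross-trust-domain identity authentication and authorization, the SAML standard is introduced, a trust and authorization architecture based on the SAML standard is proposed, and the corresponding design and implementation methods for the trust and authorization platform are analyzed.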

16.
Traditional resource management techniques (resource allocation, admission control and scheduling) have been found to be inadequate for many shared Grid and distributed systems, that consist of autonomous and dynamic distributed resources contributed by multiple organisations. They provide no incentive for users to request resources judiciously and appropriately, and do not accurately capture the true value, importance and deadline (the utility) of a user’s job. Furthermore, they provide no compensation for resource providers to contribute their computing resources to shared Grids, as traditional approaches have a user-centric focus on maximising throughput and minimising waiting time rather than maximising a provider’s own benefit. Consequently, researchers and practitioners have been examining the appropriateness of ‘market-inspired’ resource management techniques to address these limitations. Such techniques aim to smooth out access patterns and reduce the chance of transient overload, by providing a framework for users to be truthful about their resource requirements and job deadlines, and offering incentives for service providers to prioritise urgent, high utility jobs over low utility jobs. We examine the recent innovations in these systems (from 2000–2007), looking at the state-of-the-art in price setting and negotiation, Grid economy management and utility-driven scheduling and resource allocation, and identify the advantages and limitations of these systems. We then look to the future of these systems, examining the emerging ‘Catallaxy’ market paradigm. Finally we consider the future directions that need to be pursued to address the limitations of the current generation of market oriented Grids and Utility Computing systems.

17.
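SAML is an XML-based specification proposed by OASIS for describing and exchanging security information, such as user identity and authorization, between network applications. Based on the SAML specification, authentication, authorization, and other information can be passed between different service entities that have established a trust relationship. This paper studies the application of SAML in implementing Web SSO in the Identity Provider (IdP)-initiated mode.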

18.
In this paper, a distributed and scalable Grid service management architecture is presented. The proposed architecture is capable of monitoring task submission behaviour and deriving Grid service class characteristics, for use in performing automated computational, storage and network resource-to-service partitioning. This partitioning of Grid resources amongst service classes (each service class is assigned exclusive usage of a distinct subset of the available Grid resources), along with the dynamic deployment of Grid management components dedicated and tuned to the requirements of a particular service class introduces the concept of Virtual Private Grids. We present two distinct algorithmic approaches for the resource partitioning problem, the first based on Divisible Load Theory (DLT) and the second built on Genetic Algorithms (GA). The advantages and drawbacks of each approach are discussed and their performance is evaluated on a sample Grid topology using NSGrid, an ns-2 based Grid simulator. Results show that the use of this Service Management Architecture in combination with the proposed algorithms improves computational and network resource efficiency, simplifies schedule making decisions, reduces the overall complexity of managing the Grid system, and at the same time improves Grid QoS support (with regard to job response times) by automatically assigning Grid resources to the different service classes prior to scheduling.

19.
汤卫东  周永权 《计算机工程与设计》2006,27(10):1873-1875,1885
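There are two mechanisms for ensuring secure communication for Web services: transport-level security mechanisms are tightly coupled to the underlying platform and can only guarantee point-to-point secure communication, whereas message-level security mechanisms can provide end-to-end security guarantees in heterogeneous environments. Building on message-level security specifications such as WS-Security, SAML, and XKMS, a message security model is designed and its security is evaluated. The model can guarantee the confidentiality, integrity, non-repudiation, authentication, and authorization of SOAP messages and can ensure the security of Web services.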

20.
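Implementing Single Sign-On for Web Services Based on SAML   Total citations: 6, self-citations: 0, citations by others: 6
The Security Assertion Markup Language (SAML) describes the security information needed for authentication and authorization, and its interoperability provides a sharing mechanism between different systems. This paper introduces SAML assertions, protocols, and bindings, proposes a SAML-based single sign-on model for Web services, and uses the WS-Security specification to secure SAML itself.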
