NCSA NEWS

First Web Services-Based Implementation of MyProxy Released

released 04.20.04

Contact
Herbert Morgan
NCSA Scientific Computing Division
hmorgan@ncsa.uiuc.edu
217.333.9129

CHAMPAIGN, IL — On March 17 the MyProxy Project released a new implementation of the MyProxy Online Credential Repository for the Open Grid Services Architecture (OGSA)—the first MyProxy release based on OGSA and Web services. This implementation for Globus Toolkit 3.0 is based on the Open Grid Services Infrastructure (OGSI) standard developed by the Global Grid Forum (GGF).

MyProxy History

In 2000, Jason Novotny and Von Welch, working at NCSA, initially sought to develop a solution for getting grid credentials to grid portals. A grid portal is a Web server that provides an interface to the grid from a regular Web browser. The result of their efforts was MyProxy. It accomplished this by allowing the user to log into the portal with a user name and password, and then the portal used the user name and password to retrieve the user's credential from the MyProxy server—a repository of grid credentials protected by passwords.

The first version of MyProxy was released that year for Globus Toolkit 1.1, and it has since been updated to support Globus Toolkit version 2.x releases. It is written using Globus Toolkit libraries in the C language.

Since then, MyProxy has developed into an application that allows the user to get credentials from different machines. The TeraGrid serves as a prime example of this development. With different TeraGrid clusters available, the user may log on initially to the Argonne cluster, the next day to NCSA's cluster, and another day to San Diego's supercomputer. As a user, you need to have your grid credentials in order to submit jobs at any TeraGrid site. A tedious way to do this is to copy your certificate and private key to all of those places, make sure you get your permissions right, and make sure you put the files in the right places. And if you have any updates, you have to send updates all around. But with MyProxy, you can run a simple command on any TeraGrid machine to retrieve a short-term proxy credential that allows you to access any TeraGrid resource.

MyProxy also allows the user to manage the credentials in a third way. As a user's job is running, if a credential needs to be refreshed because of its imminent expiration or if an additional credential is needed, the job itself can go to the MyProxy repository and retrieve a credential. As a security measure, this means that jobs are not run with very long-lived credentials or given all the credentials they may potentially need or given all the rights they may need in advance. Instead, the jobs are run with limited rights and a limited lifetime credential so that they have to call back to the repository when they need additional rights. The MyProxy repository has a policy that dictates what credentials the jobs can retrieve. It also logs access so the user can view the log to see what actually happened with their credentials.

What's New in MyProxy?

With the announcement of the OGSI, the MyProxy group had to reevaluate how they would run their services in this new model. They looked for a way to implement MyProxy in Globus Toolkit's new OGSA.

"And so we spent the past year," says Jim Basney, a senior research scientist at NCSA and an author of MyProxy, "learning the new model and deciding how to work within it. With our new release we've re-implemented our service in Java in this Web services, XML-based model that's standardized from the GGF, called the OGSI."

The new version of MyProxy is built on existing open-source Web service software that provides security, plenty of flexibility, and good integration with Java. Using Java will enable MyProxy to run on Windows and other platforms. Because the framework uses standard XML-based protocols, it is more flexible: new features and capabilities can be added without breaking compatibility, and the user can query a service to find out which features it does and does not support. According to Basney, "You can have a more robust, service-based framework rather than one that requires you to upgrade to every new version."

MyProxy is used to manage credentials in other projects, many of which are Web-based portal projects for which grid-portal developers want to provide a user interface to grid computing. Some of these include the PACI Hotpage, the NASA Information Power Grid Launch Pad, and the NEESgrid CHEF portal. As those developers have been moving from the old-style CGI scripts and old-style Web programming to Java portals and XML Web Service programming, they expect a version of MyProxy that meshes with the latest model.

"For other users," says Basney, "I think it [the new version of MyProxy] is a fairly transparent change, but hopefully it will allow us to add more features in the future."

The MyProxy project team will continue to support the MyProxy version that works with Globus Toolkit 2.x. Many users still use it, including those on TeraGrid.

In addition to Basney, the following University of Illinois graduate students in Computer Science co-authored the new version of MyProxy: Shiva Shankar Chetan, Feng Qin, Sumin Song, and Xiao Tu. The MyProxy project is funded by the NSF Middleware Initiative (NMI) and was packaged in NMI R3 and R4. For more information, visit http://myproxy.ncsa.uiuc.edu/.

 
