Vol.2 No.1 2009
Research paper : How Grid enables E-Science? (Y. Tanaka) −38− Synthesiology - English edition Vol.2 No.1 (2009)

4.1 Security

The security for the GEO Grid is based on the Grid Security Infrastructure (GSI)[6] and an authorization mechanism at VO level. GSI is a standard authorization infrastructure using the Public Key Infrastructure (PKI) and X.509 certificates[7], and allows single sign-on and delegation of authority through the proxy certificate. GSI is the standard technology for grid security; considering its compatibility with other systems, and the fact that many grid middleware suites already support GSI, the decision was made to employ GSI for security.

For composition of the virtual organization and access control based on a VO, we used the Virtual Organization Membership Service (VOMS)[8]. VOMS is software developed by the Enabling Grid for E-Science in Europe (EGEE); it manages the members participating in a VO, including member registration, formation of groups, and assignment of roles to users. Upon a request by the user, it also issues a VOMS proxy certificate, which is the VO user's proxy certificate with attribute information embedded (name of VO, group name, assigned role, etc.). The service provider can apply various access controls according to its own policy.

The authorized user is normally mapped to a UNIX account at the service provider side, and access control is then enforced through the permissions of that UNIX account. However, in this method all user entries must be managed by the service provider; this increases the management cost for the service provider, and it does not scale with the number of users.
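To make the contrast between the two mapping approaches concrete, here is an added example (not GEO Grid's, VOMS's or the paper's own code) that decides a local account either from the user's DN, as a per-user map file does, or from the VO, group and role attributes a VOMS proxy carries. The FQAN strings follow the VOMS "/vo/group/Role=..." convention; the DNs, policy table and account names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class VomsProxy:
    subject: str         # DN of the user's end-entity certificate
    fqans: list          # attributes embedded by the VOMS server (primary FQAN first)
    not_after: datetime  # expiry of the proxy certificate

def parse_fqan(fqan):
    """Split a VOMS FQAN such as '/geogrid/aster/Role=admin/Capability=NULL'
    into (vo, group, role); role is 'NULL' when the FQAN carries none."""
    role, group_parts = "NULL", []
    for part in filter(None, fqan.split("/")):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif not part.startswith("Capability="):
            group_parts.append(part)
    return group_parts[0], "/" + "/".join(group_parts), role

# Per-user mapping (constructed): the provider must enter every DN by hand.
GRID_MAPFILE = {"/C=JP/O=AIST/CN=Alice": "alice"}

# VO-level policy (constructed): VO, group and role select a local account,
# so the provider keeps no list of individual users.
VO_POLICY = {
    ("geogrid", "/geogrid/aster", "admin"): "aster_admin",
    ("geogrid", "/geogrid/aster", "NULL"): "aster_user",
}

def authorize_by_dn(proxy, now):
    """Classic mapping: a valid proxy's DN -> UNIX account, else None."""
    if now >= proxy.not_after:
        return None
    return GRID_MAPFILE.get(proxy.subject)

def authorize_by_vo(proxy, now):
    """VO-level mapping: the first FQAN matching the policy selects the account."""
    if now >= proxy.not_after:
        return None
    for fqan in proxy.fqans:
        account = VO_POLICY.get(parse_fqan(fqan))
        if account:
            return account
    return None

# Constructed sample inputs: a fixed clock and two members' VOMS proxies.
NOW = datetime(2009, 1, 1, tzinfo=timezone.utc)
ALICE = VomsProxy("/C=JP/O=AIST/CN=Alice", ["/geogrid/aster/Role=admin/Capability=NULL"], NOW + timedelta(hours=12))
BOB = VomsProxy("/C=JP/O=AIST/CN=Bob", ["/geogrid/aster/Role=NULL/Capability=NULL"], NOW + timedelta(hours=12))
```

Bob is unknown to the per-user map, yet the VO-level policy admits him through his group membership; an expired proxy is rejected by both paths.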
Therefore, an authorization mechanism at VO level is introduced to achieve flexible access control, reducing the burden on the service provider and allowing scalability with the number of users: authorization is granted on the basis of the VO, of the group to which the user belongs in the VO, or of an authorization already given.

Other than VOMS, PERMIS[9] and CAS[10] were also available as middleware that provides access control at VO level, but VOMS was employed for the following reasons: its implementation, in which attribute information is embedded in the proxy certificate, is compatible with the account management system explained in section 4.5; it includes several tools, such as an interface for user management; and high-quality software can be expected, since it is more widely used than the other systems.

4.2 Service provision of data and computation resources

To abstract the data and computations and provide them as a usable service via standard protocols, middleware that wraps the data and computations and exposes them as a service is used. For servicing data, OGSA-DAI (Open Grid Service Architecture - Data Access Integration)[11], developed by the UK-eScience project and its successor project, the Open Middleware Initiative-UK, is used. For servicing computations, the Grid Resource Allocation Administrator (GRAM) of the Globus Toolkit[12], developed by the Globus Alliance of the USA, is used. Both are compatible with authentication using GSI and VOMS.
Other methods for providing computation as a service include implementation as a Java service on Apache Axis, but taking its good compatibility with GSI into consideration, the computation service is provided using GRAM. Both OGSA-DAI and the Globus Toolkit are widely used as grid middleware compatible with GSI, and at present no more appropriate choice is known.

Search results of satellite data and map information are generally provided through web services specified by the Open Geospatial Consortium (OGC)[13], such as Web Map Service (WMS), Web Feature Service (WFS), or Web Coverage Service (WCS). Software that provides access control using VOMS is available for Apache[14], and is compatible with the security scheme of the GEO Grid.

4.3 Heterogeneous database linkage technology

It is possible to provide an abstracted database as a service using OGSA-DAI with appropriate authorization and approval, but that alone will not enable integration of multiple heterogeneous databases. The function the user needs is one that allows him/her "to conduct batch queries and distributed joins across multiple heterogeneous databases," and therefore Extended OGSA-DAI-DQP (Distributed Query Processing)[15][16], developed by AIST, is used as middleware.

4.4 Large-scale storage system

It is necessary to consider a storage system for storing large-scale data of several hundred terabytes to petabytes. In most current systems, satellite data is stored on tape, but considering the real-time demand of data search and the decreased price of hard disks in recent years, the use of tape devices or a commercial Storage Area Network (SAN) is not appropriate. Therefore, we decided to use a cluster file system, which enables large-scale storage by connecting nodes equipped with hard disks of multiple-terabyte capacity via a network. A cluster file system is a technology in which multiple distributed disks are provided as a single virtual file system.
Although both commercial and free software are available, we employed the Grid Data Farm (Gfarm)[17], developed at AIST, to achieve high throughput using parallel I/O and highly reliable performance with flexible replica allocation.

4.5 Account Management

GSI is an authorization technology based on PKI, where users are required to manage a secret key and a user certificate. However, installing special software to obtain the certificate