Success stories

Despite of short history of Perun system, we have helped many important organizations to reach their plan to manage user accesses to their resources. Now more than 50 smaller or bigger organizations use our system. All organizations are able to operate with system without necessity of our further intervention. Moreover we provide support to these organization when new service is essential to be developed.

Organizations

MetaCentrum and CERIT-SC

https://metavo.metacentrum.cz
https://www.cerit.cz

is national computational initiative providing thousands CPU and Terabytes storage space to user coming from academic environment. As far as user management is concerned, system Perun manage all machines in MetaCentrum infrastructure. MetaCentrum is tightly connected with even more ambitious project CERIT-SC, planned as a large center providing storage and computational resources in scope of Metacentrum. CERIT-SC is going to have 3500 CPUs and 3.5 PB storage space till the end of 2013. Both MetaCentrum and CERIT-SC solve similar challenges.

Challenge

Manages heterogeneous facilities (clusters, storage elements, SMP machines) containing thousands CPUs with different owners and access rights across infrastructure.

Solution

System of Perun services propagating current state from database to each single machine via to real-time communication.

Result

Convenient system to set, edit services and to manage users in GUI (or CLI). All configuration are propagated directly to machines and stored in their configuration files. In case of Perun's inaccessibility, for example network outage, all machines is still fully functional, just staying on last known configurations. When outage is over, new state is propagated to the machine and overwrites the old one.


Challenge

Manages different roles in system. On the one hand there are a couple of managers, user support, security and other staff who maintain resources. They requires access not only to resources, but also to SVN, Request tracking system and other supportive services. On the other hand there are users with very diverse requirements.

Solution

Different virtual organizations for users and staff. Rights are associated to VO instead of single member.

Result

Simple, convenient administration of employees and users. Possibility to set rights according to particular requirements of each group.


Challenge

Many different types of software licenses across clusters with need to manage access to them.

Solution

User must fill an application form containing license agreement to become member of group with property "to have an access to license". Since application form is accepted and membership is propagated to machines, he gain an access to license.

Result

Easiness in maintaining lists of users and licenses is greatly enhanced.


Challenge

When new staff member comes, all privileges must be set one by one. Usually it is very challenging not to forget any, especially in bigger projects.

Solution

Convenient system of groups when one group in VO staff match with type of his new position.

Result

Manager simply add new member into particular group and he gain everything he needs.


Challenge

Large VO could contain hundreds users who compute their jobs across clusters with different requirements depending on their research. Inner structure of VO could be pretty confusing and obfuscatory.

Solution

Distinguish level of access by group hierarchy when all VO members are separated into groups. Groups and subgroups could refine levels of access to resources to the finest details because of ability to set access rights to each group separately.

Result

VO manager could freely set an access rights to each group and subgroup in scope of his VO in Perun GUI (or CLI) environment. Significant amount of his time is saved, because operating with group, not with every single user, one by one. Inner structure of VO is clear.


CESNET Data Storage

http://du.cesnet.cz

Operates the largest storage space available for general academic use in the Czech Republic, currently exceeding 21 PB of space located in three hierarchical storage systems. User groups may request storage space there according to their needs. The storage is accessible through a plethora of various protocols, ranging from file system access like NFSv4, through tools like scp, rsync, ftp, up to special applications and cloud storage ownCloud.

Challenge

Manage heterogeneous user groups consisting of members with no relationship to the resource provider.

Solution

Virtual organizations are established for user groups. Perun supports empowering users to manage the virtual organisations.

Result

Scalable system where the user group is represented by a manager that negotiates resource usage and configuration with the owner of the resource and manages membership in the group.

Challenge

Many services must be set to allow the user to access infrastructure services in various ways, be informed, and configure it.

Solution

Perun is capable of configuring various services using a single user group, e.g., local Unix user accounts, Kerberos user records, LDAP, mailing lists, folder creation and setup, etc.

Result

Uniform configuration of resources provided to the virtual organisations.


Laboratory of Advanced Network Technologies

http://www.sitola.cz

established by Faculty of Informatics, Masaryk University, utilizing various pieces of equipment from 4k sage to all desktops administered by Perun. International cooperation and research in scope of network technologies.

Challenge

Dynamic organization with great fluctuation of members, every new member must gain an access to resources, where many new students come and leave.

Solution

Unlike any other system, access right are provided to not to member, but to group. New member is added into group and gain all rights automatically without necessity to add him all rights one by one. All changes are reflected in real time.

Result

Research friendly environment. As a result no delay in research caused by new service settings is observed.


Challenge

VO wants to utilize facilities (GPUs in our case) that are owned and utilized by other VO.

Solution

Facility owner must agree with facility utilization by other VO and give a condition of utilization, so called resource for particular VO is created. Resource is a part of facility utilized by particular VO.

Result

VO use defined part of facility. Facility could be used by more than one VO in under predefined conditions. Whole process is very easy without necessity to register to the other VO. On the contrary, Perun could also easily handle situation, when one person is member of both VOs.


Fedcloud.egi.eu

https://www.egi.eu/infrastructure/cloud/

Perun can manage any cloud platform in the domain of human resources due to his unique ability to push data of each Perun user into several cloud platforms, for example OpenStack or OpenNebula. As far as human resources are concerned, Perun is able to manage account creation and account extension. Moreover is greatly customizable in creating, distributing and accepting or rejecting application forms.

Challenge

All users use their personal certificate to authenticate to the fedcloud resources. When old certificate is revoked or even worse is lost, there is literally no way to access the system and assign new one.

Solution

Personal credentials including certificate are stored in Perun and propagated into all resources managed by it. User saves certificate only once in Perun. When certificate is lost, there is a couple more ways of authentication to enter Perun and upload the new one.

Result

Flexible identity management where certificates are safely stored in one place, more comfortable for both users and managers. In addition, situation when user lost his certificate is solvable.

CSIR Meraka Institute – SAGrid

http://www.csir.co.za/meraka/

The Meraka Institute of the CSIR is South Africa's leading ICT research institute and manages several fundamental pillars of the country's e-Infrastructure. These include the Centre for High-Performance Computing (CHPC), the South African National Research Network (SANReN). Meraka is the lead institute of the South African National Grid Joint Research Unit (SAGrid JRU), the coordination of which forms part of the “Cyberinfrastructure Competency Area” within the institute.

SAGrid is a federation of South African universities, national laboratories and research groups, represented in the JRU by their respective directors, which have formed a collaboration in order to promote e-Science in the country and the Sub-Saharan region. This includes site services at each of the 7 fully functional grid sites, as well as the core services maintained by the Universities of the Free State and Cape Town respectively. Description of SAGrid taken from https://www.egi.eu/community/collaborations/CSIR_Meraka.html.

Identity management in SAGrid has since its inception been done exclusively with the use of the Virtual Organisation Membership Service (VOMS). By registering in the VOMS, users with personal x.509 certificates could access a set of “grid” computing and data services in a consistent way. This was a great step forward in consolidating identities in South African e-Infrastructure, however suffered from several well-documented issues, such as erecting somewhat artificial barriers to entry (enforcing ownership of strong credentials, circumventing institutional credentials, only accessing services which supported the VO, etc). An extension to this service was provided by the introduction of science gateways, which through identity federation and robot certificates could reduce the friction between various e-Science environments.

During 2013, the South African NREN developed into full maturity and started to develop a service-oriented network infrastructure. One of these services is the national identity federation, led by SANREN, but with participation at several levels by South African research institutions. The deployment of a catch-all Identity Provider by SAGrid provided a demonstrator functionality and helped to stimulate uptake by users in the country; the South African Identity Federation is now coming to production readiness, and will soon provide an easy way for users to access services in the federation (including science gateways) using their home institute's credentials.

However, a significant problem remained – identity consolidation. Since many users had several digital identities, including the personal certificate and institutional identity, this resulted in a very complicated reporting and accounting situation. Indeed, it was almost impossible to provide accurate figures on usage of individual users or groups, particularly when it comes to mapping their usage from site to site, outside of the virtual organisation. This issue was until recently addressed either by rough estimates or by manually collecting the relevant information, which took up significant time and resources. This is again compounded by the fact certain services require identities from a particular provider, complicating life for the user.

These issues are not unique by any means to South Africa or SAGrid and are being addressed by several initiatives worldwide, including the Perun service developed by a CHAIN-REDS partner, CESNET.

During Spring 2014, though, the Perun service has been piloted by SAGrid in South Africa, in order to address this and other related issues. After significant upgrades were made to the VOMS service in South Africa (precipitated by Perun, as well as demands from relying parties), identities from the existing VO were migrated to Perun, which was then used to propagate them to user interfaces in South Africa. The South African e-Science Certificate Authority (currently in preproduction phase) has also been configured as an identity provider.

We now have all user information kept in a single place, which is greatly easing communication with users and groups. By letting users register in Perun, it is now possible to propagate their identities to facilities owned and operated both by the National Grid, as well as various individual institutes which form part of the federation.