ArticlePDF Available

Extending the Collaborative Online Visualization and Steering Framework for Computational Grids with Attribute-based Authorization


Abstract and Figures

Especially within grid infrastructures driven by high-performance computing (HPC), collaborative online visualization and steering (COVS) has become an important technique to dynamically steer the parameters of a parallel simulation or to just share the outcome of simulations via visualizations with geographically dispersed collaborators. In earlier work, we have presented a COVS framework reference implementation based on the UNICORE grid middleware used within DEISA. This paper lists current limitations of the COVS framework design and implementation related to missing fine-grained authorization capabilities that are required during collaborative COVS sessions. Such capabilities use end-user information about roles, project membership, or participation in a dedicated virtual organization (VO). We outline solutions and present a design and implementation of our architecture extension that uses attribute authorities such as the recently developed virtual organization membership service (VOMS) based on the security assertion markup language (SAML).
Content may be subject to copyright.
Extending the Collaborative Online Visualization
and Steering Framework for Computational Grids
with Attribute-based Authorization
Morris Riedel, Wolfgang Frings, Sonja Habbinga, Thomas Eickermann,
Daniel Mallmann, Achim Streit, Felix Wolf, Thomas Lippert
ulich Supercomputing Centre, Forschungszentrum J¨ulich
D-52425, J¨ulich, Germany
Andreas Ernst, Rainer Spurzem
Astronomisches Rechen-Institut, University of Heidelberg
D-69120 Heidelberg, Germany
Especially within Grid infrastructures driven by high-
performance computing (HPC), collaborative online visual-
ization and steering (COVS) has become an important tech-
nique to dynamically steer the parameters of a parallel sim-
ulation or to just share the outcome of simulations via visu-
alizations with geographically dispersed collaborators. In
earlier work, we have presented a COVS framework refer-
ence implementation based on the UNICORE Grid middle-
ware used within DEISA. This paper lists current limitations
of the COVS framework design and implementation related
to missing fine-grained authorization capabilities that are
required during collaborative COVS sessions. Such capabil-
ities use end-user information about roles, project member-
ship, or participation in a dedicated Virtual Organization
(VO). We outline solutions and present a design and imple-
mentation of our architecture extension that uses attribute
authorities such as the recently developed Virtual Organi-
zation Membership Service (VOMS) based on the Security
Assertion Markup Language (SAML).
1. Introduction
World-wide Grid infrastructures such as DEISA,EGEE,
OSG, or TeraGrid provide a wide variety of Grid services
to enable large-scale resource sharing for e-science. Virtual
Organizations (VOs) allow to share such resources across
organizational boundaries and to make efficient use of the
provisioned computational Grid resources such as super-
computers or clusters. Many scientific applications within
these VOs and underlying Grid infrastructures aim at sim-
ulations of physical, biological, chemical, or other types
of domain-specific processes. While many Grid infrastruc-
tures exist today, infrastructures such as DEISA or TeraGrid,
which are largely driven by high-performance computing
(HPC) needs, run Grid applications with parallel comput-
ing techniques (i.e. MPI [24], OPENMP [10]) to simulate
these processes. The outcome of these simulations is of-
ten analyzed in a separate post-processing step, for instance
by viewing the results in a visualization application. Based
on these intermediate results, a decision is made to change
simulation parameters for another computational period.
In order to increase the efficiency of e-scientists, the col-
laborative online visualization and steering (COVS) tech-
nique emerged that performs simulation and visualization
at the same time. Online visualization refers to e-Scientists
that are able to immediately observe the processing steps
during the simulation. This in turn allows for computational
steering to influence the computation of the simulation dur-
ing runtime on a supercomputer. In this context, we have
shown in earlier work that the efficiency of e-scientists can
be further improved by leveraging strong security environ-
ments and collaborative Web service-based features when
using a COVS framework [22] in UNICORE Grids such as
DEISA. In this paper, we discuss challenges that arise in
geographically dispersed visualization sessions, creating a
demand for fine-grained authorization. Attributes of end-
users such as VO and group membership as well as different
roles and capabilities are available in Grids today, but the
COVS framework is limited to identity-based authorization
(i.e. using X.509 certificates only). In this paper we present
an extension that allows for attribute-based authorization.
978-1-4244-2579-2/08/$20.00 © 2008 IEEE 9th Grid Computing Conference104
This paper is structured as follows. After reviewing vi-
sualization and steering capabilities in computational Grids,
Section 2 introduces the COVS framework implementa-
tion in UNICORE and lists limitations with regard to fine-
grained authorization. Section 3 describes which standard-
compliant attribute-based authorization technologies can be
used within Grid environments today. Based on these tech-
nologies, we present extensions to our COVS architecture in
Section 4, while Section 5 describes two scientific applica-
tions as use cases of this new feature. Finally, after survey-
ing related work in Section 6, we offer our conclusion in
Section 7.
2. Limitations of the Collaborative Online
Visualization and Steering Framework
The collaborative online visualization and computational
steering (COVS) framework enables Grid applications with
interactivity (i.e. computational steering) and visualized
feedback mechanisms. In earlier work [26], we have shown
a prototype COVS technique implementation based on the
visualization interface toolkit (VISIT) [13] and the Grid
middleware of DEISA named as the Uniform Interface to
Computing Resources (UNICORE) [28]. Since then the ap-
proach grew to a broader COVS framework [23] and we
further published at the Grid 2007 conference in [22] that
the approach taken is feasible and provides sophisticated
performance. More recently, we investigated in [21] the
impact of using the computational steering capabilities of
the COVS framework implementation in UNICORE on large-
scale HPC systems of DEISA (e.g. IBM BlueGene/P JUGENE
with 65536 processors).
The current architecture of the COVS framework is il-
lustrated in Figure 1, which shows a collaborative scenario
with two geographically dispersed participants (i.e. client
tier A and B). Both run a scientific visualization, which is
coupled with a COVS GridBean plug-in that extends the GPE
UNICORE Grid Client [25]. The Grid client is used to access
two COVS services that are implemented using the factory
pattern of the Web Services Resource Framework (WS-RF)
[1] implementation of UNICORE. Therefore, the client is
used to call a COVS Factory Service, which creates COVS
Session resources that are in turn accessible via the COVS
Service. An instance of the session resource represents a
collaborative visualization session managing different par-
ticipants by controlling the VISIT Collaboration Server and
the VISIT Multiplexer. While the VISIT collaboration server
is used to exchange information between participants over
dedicated connections secured with SSH,theVISIT Multi-
plexer is responsible to distribute the outcome of one paral-
lel simulation to n participants using the same connections.
These connections are created using the strong security fea-
tures of the UNICORE Grid middleware and is described in
more detail in [26]. To sum up, the scientific data of the
simulation and collaboration data is transferred via secured
dedicated connections with binary wire encoding to achieve
satisfactory performance, while the simulation job submis-
sion and the management of collaborative sessions use Web
service calls that in terms of the overall performance are
Figure 1. COVS Framework implementation in
the UNICORE Grid middleware.
Although our framework implementation is used in pro-
duction, we recently encounter several limitations of the
framework with respect to fine-grained authorization ca-
pabilities, which motivated the approach in this paper re-
spectively. In typically scenarios, the COVS service is used
within a VO, but with different geographically dispersed VO
members that act in different roles and possess multiple ca-
pabilities during one COVS session. In more detail, a person
that use our framework is in the participant role if the per-
son shares the view on one visualization of a parallel sim-
ulation with all other n-1 participants. While some people
only act in the participation role, there are other people that
may represent more than one role. This implies that the
functionality of our framework for one role differs from the
functionality offered to other roles. For instance, only peo-
ple in the master role areabletousetheframeworkforthe
submission and control of a parallel simulation that runs on
a computational Grid resource. Hence, other participants do
not need (and should even not be allowed) to submit a sim-
ulation job, because the outcome of one submitted parallel
simulation is shared with all others participants.
To circumvent that any end-user is able to join a session,
we define the approver role that is responsible to make de-
cisions which participants are allowed to join visualization
sessions. They are making their decisions based on the dif-
ferent roles and pre-defined capabilities of the candidates
that would like to join the session. Furthermore, technical
capabilities to steer a parallel simulation during a collab-
orative session raises the demand for mutual exclusion of
participants during steering. The steering process requires
expertise in the field of the simulation and thus only a sub-
set of participants are able to represent the role and only
this sub-set should be allowed to change the behavior of the
simulation. Therefore only one participant that represent
the steerer role is allowed at the same time to steer a paral-
lel simulation during a COVS session in order to ensure the
consistency of the simulation and its computation. In addi-
tion, only participants in the collaborator role are allowed
to change the view of the visualization. This role typically
also needs expertise to choose, for instance, color codings
of physical phenomena that can be understand by all partic-
ipants and that make sense in the context of simulations.
The overall management of a COVS session therefore re-
quires authorized session management control actions tak-
ing the roles and capabilities of participants into account.
In the current implementation however, the enhanced UNI-
CORE User DataBase (xUUDB) that deals with authoriza-
tion in UNICORE only allows definitions of one defined
role that is strictly bound to one X.509 certificate identity
of the end-user (i.e. identity-based authorization) for any
service within UNICORE. Hence, there is no functionality
how all different roles and capabilities of one end-user can
be mapped to the X.509 certificate identity used within the
Grid middleware for authorization decisions so far.
Another limitation of the currentdesign and implementa-
tion is that anyone who is allowed to use the UNICORE Grid
middleware and its deployed COVS services is also automat-
ically allowed to join any COVS session available at this site.
In our scenarios we would like to restrict the access to COVS
sessions only for certain members of a VO that are actually
part of the respective groups that created the COVS session.
But so far, the authentication and authorization of end-users
using the COVS framework was purely based on full X.509
certificates. This only allowed a raw-grained authorization
approach based on the identity provided via the certificate
used to check whether end-users have access to COVS ser-
vices (and all sessions) or not. All in all, the security in the
COVS framework can be significantly improved for collab-
orative scenarios, while there is already strong security on
the data connection level.
3. SAML-based Attribute Authorities in Grids
Many authentication and authorization infrastructures
(AAI) for Grids are using basic authorization mechanisms
based on the distinguished name (DN) of the end-users
proxy X.509 certificate or the full X.509 certificate (e.g.
within UNICORE). Thus these certificates are not only used
to authenticate end-users, but also to base authorization de-
cisions on them as long as no further information describes
the end-users, his/her roles or capabilities. Experts refer
to this approach as identity-based authorization. But many
frameworks and services in Grids need more information to
achieve fine-granular decisions [30], and, also the previous
section clearly raised a demand for fine-grained authoriza-
tion based on different roles and capabilities (collectively
named as attributes) of end-users.
This demand is not new and thus there are solutions
in Grid environments that deal with these kind of require-
ments named as attribute-based authorization mechanisms.
This approach needs two additional components compared
to the pure identity-based approach. First, an attribute au-
thority (AA), which issues attributes in a trusted way is re-
quired. Second, a so-called policy decision point (PDP)[7]
using these attributes for authorization is the complemen-
tary component often offered via the Grid middleware itself.
The attributes are encoded as fully qualified attribute names
(FQANs) [29] containing VO membership, groups, roles and
capabilities within that VO.
At the time of writing, two major attribute authorities are
available in Grids that are the Virtual Organization Member-
ship Service (VO MS) [7] and Shibboleth [4]. Both Shibbo-
leth and the recently developed new VOMS service [30] are
based on the Security Assertion Markup Language (SAML)
standard [9]. We enable our framework with attribute-based
authorization using VOMS since it is closer to our use case
than Shibboleth and its federation approach [17]. In addi-
tion, VOMS is following the recommendations of the OGF
OGSA-Authorization working group and is thus compliant
with the OGF security standards.
The basic idea of VOM S is illustrated in Figure 2 that
shows that an administrator is able to use the VOMS Ad-
min Client to configure VO information (i.e. attributes) of
end-users. This information is stored in a VO database,
whichisusedbytheVOMS service in order to fulfill re-
quests by providing information. Hence, VOMS represents
an AA while the message exchanges using the SAML proto-
col over Web services. The released FQANs (e.g. roles and
capabilities) are encoded in an XML-based SAML assertion
(i.e. <saml:AttributeStatement> element), which
is signed by VOM S. Every technology that would like to
base its authorization decisions in the PDP on this SAML as-
sertion have to check this signing and thus trust the VOM S
Figure 2. Attribute authority (i.e. SAML-based
VOMS service), which releases signed SAML
assertions with attributes stating the position
and roles of an end-user in the VO.
4. Extending the COVS framework with
Attribute-based Authorization Capabilities
Extending our rather complex framework design with
fine-grained authorization capabilities is not a straightfor-
ward task and implies changes to the client and middleware.
So far, we identified that attribute-based authorization could
improve our framework design to overcome its limitations
described in Section 2. This lead to the design and imple-
mentation of an architecture extension of our framework to
work with attribute authorities that release attributes of end-
users. We also noticed that the VOMS approach fits nicely
into our Grid environment and thus we present our attribute-
based authorization extensions based on VOMS. Neverthe-
less, with little modifications, the whole system should also
be able to work with Shibboleth, because both agree to the
same SAML standard. Figure 2 illustrates that necessary in-
formation (e.g. roles) can be encoded within a standardized
SAML assertion when contacting a VO MS service. These
pieces of information are used to enable fine-grained au-
thorization for COVS session and thus providing answers to
questions like ’which user is authorized in which sessions
and has which roles and capabilities in the context of the
visualization and steering process’.
The VOMS integration work basically starts with pre-
cise definitions of roles as well as VO and group infor-
mation. We mapped the VO concept and attribute ca-
pabilities of VOMS to our specific needs. This is pos-
sible by configuring the VOM S server and we provide
examples of attributes and their FQANs as released by
VOMS in Table 1. In fact, these FQANs are encoded in-
side the <saml:AttributeStatement> element as
an <saml:AttributeValue> element within a SAML
assertion. While each role is represented by one FQAN, it’s
particularly important for our approach that the VOMS ap-
proach allows for multiple <saml:AttributeValue>
elements that enable multiple roles for end-user encoded in
one SAML assertion. To provide an example, we can de-
fine that one end-user represents the master,participant,
and steerer role at the same time and all this information
is encoded in one SAML assertion released from VO MS (cp.
Figure 2).
A further advantage for our extension approach with
VOMS is the possibility to define and work with so called ca-
pabilities. These capabilities are basically ’key-value pairs’
following the format name=value. We did not list all pre-
cise examples in Table 1 since such capabilities are mostly
used to express scientific domain-specific expertise. For in-
stance, we can define an end-user with certain roles of the
VO astro and group viz that has the domain-specific exper-
tise (i.e. capability) of being an expert in n-body problems
within astro-physical phenomena and simulations. This
would be encoded as /expert=n-body and thus under-
lines that the approach with such rather generic attributes
is very much extensible – a further benefit of using the
attribute-based approach within our framework.
Attributes FQAN Desription
VO /astro End-user belongs
to astro VO
Group /astro/viz End-user is
member of
group viz
Role /astro/viz/Role=master End-user can
submit Grid
(creates COVS
Role /astro/viz/Role=participant End-user is able
to join an existing
COVS session
Role /astro/viz/Role=approver End-user is able
to approve group
members for
COVS session
Role /astro/viz/Role=steerer End-user can steer
Grid applications
Role /astro/viz/Role=collaborator End-user is able
to change the view
on scientific
Cap. /astro/viz/Cap=value Additional
capabilities of
expert /astro/viz/expert=n-body Capability of
an end-user
stating being
an expert of
Table 1. Attributes used in the COVS frame-
work and possible capabilities extensions.
So far, the end-users use purely their X.509 certificate
stored and configured within the GPE Grid client. Thus, in
order to use SAML assertions as addition to end-user cer-
tificates, we have extended our COVS GridBean plug-in for
the GPE Grid client as shown in Figure 3. This particular
extension basically represents a VO MS Web service client,
which invokes the samlp:AttributeQuery operation
[9] of VOM S. The connection between the client and VO MS
is based on the X.509 certificate of the user and thus the
VOMS is able to get the identification of the end-user from
the TLS connection [12]. The response of this Web service
call carries a SAML assertion with attribute information that
is temporarily stored at the COVS GridBean plug-in. Af-
terwards it is subsequently used for each COVS service in-
vocation. In more detail, for each COVS service invocation,
the SAML assertion is transported within the SOAP header of
the Web service message exchange using the Web Service
Security Extensions [6] standard.
Obviously, just using these SAML assertions with at-
tribute information for service invocations is not enough
to realize fine-grained authorization. Therefore, we also
have implemented several extensions within the hosting en-
vironment of the Grid middleware UNICORE. Most notably,
we implemented, as being part of the OMII-Europe project
[2], a security handler that is called before any COVS ser-
vice invocation is taking place in the middleware. First,
the handler extracts the SAML assertion from the SOAP
header for further processing. Then the handler checks
whether the SAML assertion is still valid, because lifetime
information is also encoded in the SAML assertion within
asaml:condition element [9]. Finally, the handler
checks whether the SAML assertions is signed from a valid
attribute authority that is being trusted. Only if both steps
are successful, the handler puts the SAML assertion in the
security context of UNICORE that is used for security en-
forcements later.
When all handlers configured for a particular service
such as COVS have been processed, the UNICORE PDP (cp.
Section 3) makes a callout to a policy that is compliant with
the OASIS extensible Access Control Markup Language
(XACML) [20] standard for authorization decisions. That
means the attribute information of the SAML assertion
within the security context is used in conjunction with the
policy to check whether the end-user got the right attributes
to get access. Using this policy we have defined rules
that define which end-users of which VOs and groups are
actually allowed to work with COVS services as a first
step towards a more fine-grained authorization. Whenever
someone is trying to invoke COVS services and would like
to join a session the handler is called and subsequently the
XACML policy is checked whether the correct attributes
have been presented at the Grid middleware (via the SAML
A benefit of the UNICORE design was that the security
context and thus the stored SAML assertion is available in
the COVS session service. That means we extended our ser-
vice to take the different roles of the end-users into account
to check whether certain actions are allowed or not. To pro-
vide an example, only persons that presented a SAML as-
sertion with attributes expressing the steerer role are actu-
ally allowed to steer the application via the VISIT toolkit.
That means the COVS session service implementation of-
fers or restrict certain actions to end-user based on the dif-
ferent roles that an end-user possess. While the same ap-
proach can be basically implemented with the capabilities
(i.e. expert=n-body), we initially just use them to give this
information as trusted additional information about partic-
ipants in a session. Hence, by using the above mentioned
extensions we have been able to overcome the limitations
stated in Section 2 and are thus able to present in this work
a solution for the problems that arise in collaborative sce-
Figure 3. COVS architecture extensions to
leverage SAML-based VOMS and use SAML
assertions for attribute-based authorization.
policies based on information in SAML as-
sertions, later the attributes are used in the
service itself for further authorization of ded-
icated actions.
Before end-users actually can use a deployed COVS
framework in their daily work we have to assume some pre-
conditions that are marked with single alphabetical char-
acters in Figure 3. First, in (A) we have to configure the
VOMS with general information such as VO and group sta-
tus. In addition we have to define the roles and capabilities
about end-users (cp. Table 1). Afterwards we have to setup
XACML policy rules that match the attribute statements of
acceptable users (B). To provide an example, we define that
only end-users in the VO astro and group viz are allowed
to use the COVS factory and COVS session service. Finally,
we assume that one end-user has already submitted a com-
putational job via the Grid middleware (C) by being in the
master role.
We summarize the usage of our framework extensions
in a step-wise fashion (cp. marked numbers in Figure 3)
in the following paragraph. The first step in our approach
is to contact the VOMS with the COVS GridBean plug-in in
order to retrieve a SAML assertion with attribute informa-
tion (1). This SAML assertion is then transmitted during the
COVS service invocation within the SOAP header (2). This
COVS service invocation represents a COVS session join re-
quest. In step (3) the implemented VOMS handler is acti-
vated and checks whether the SAML assertion is still valid
(i.e. lifetime checks) and signed by an attribute authority
that is being trusted. Only if this step is successful, step
(4) checks the provided SAML assertion in conjunction with
the pre-configured XACML rules to enforce first parts of the
fine-grained authorization approach. This checks whether
an end-user is allowed to use the COVS services or not.
The second part of this fine-grained authorization ap-
proach is undertaken in the COVS session service imple-
mentation afterwards. In more detail, within a particular in-
stance of a COVS session resource accessible with the COVS
session service (cp. Figure 3). The state of the COVS session
consists of the joined participants or those that still require
approval from someone that possess the approver role.To
influence the state of the COVS session via Web service op-
erations, we use the role information of the SAML assertions
as a base of authorizing certain actions (5) within this partic-
ular COVS session. This means according to the presented
roles stated in the SAML assertion, the end-user is able, or
not able to influence the behavior of the visualization ses-
sion or change the scientific data stream that is transferred
to all participants (6). To provide an example, only a partic-
ipant in the steerer role is able to influence the application
during its runtime. This is internally realized by forwarding
suitable actions or commands via the multiplexer adapter,
which in turn controls and manage the VISIT multiplexer
[22]. The same approach is implemented in the COVS ses-
sion service in terms of the collaborator role that uses the
collaboration adapter to control and manage the VISIT col-
laboration server [22].
5. Scientific Use Case Applications
We have evaluated our design approach of the extensions
with two scientific scenarios, however, its difficult to show
results since the attribute-based authorization with SAML
assertions is basically only present behind the scene and not
visible to end-users. This can be considered as a feature
since e-Scientists that use the Grid for research typically do
not want to know much about the details of fine-grained au-
thorization. They just would like to use the framework as
Figure 4. Two independent scientific visual-
ization sessions share one computational re-
source accessed via one Grid middleware.
The resource is shared between VO astro and
VO pepc that both use attribute-based autho-
rization taking roles into account.
The two use case applications we describe are both n-
body problems and both have been instrumented with VISIT
in earlier work [13]. Such n-body problems appear in
many scientific areas such as astrophysics, plasma-physics,
molecular dynamics, and fluid dynamics. Therefore we
developed in earlier work the scientific visualization Xn-
body, which visualizes n-body problems [5] and which in-
terfaces the GPE Grid client to get access to the Grid via
Grid middleware. N-body problems are commonly solved
using divide-and-conquer mechanisms or parallel comput-
ing techniques. In this context, the first use case application
of our attribute-based authorization is the Nbody6++ pro-
gram [27] used in the field of astrophysics. Nbody6++ is
a parallel variant of the Aarseth-type N-body code nbody6
suitable for N-body simulations on supercomputers within
HPC-driven Grid infrastructures such as DEISA.ThisGrid
application is typically used to simulate dynamics of star
clusters in galaxies and their centres, respectively, forma-
tion of planetary systems and dynamical evolution of galac-
tic nuclei. In Figure 4, we illustrated one session of the VO
astro that is running this application on a supercomputer and
share the view of it using the recently developed attribute-
based authorization. The attributes of the respective end-
users are also shown as FQANs.
Another use case application of our architecture exten-
sion is also shown in Figure 4 in the context of the plasma
VO.ThisVO with experts from plasma-physics run the
Pretty Efficient Parallel Coulomb Solver (PEPC) code [16],
which is a massively parallel code to perform potential and
force summation of N charged particles in a time O(N log
N) using a hierarchical tree algorithm. While this simula-
tion is running on the supercomputer, e-Scientists are able
to obtain a step-wise visualization of the computational pro-
cess and are able to influence the behavior based on their
attributes such as the roles encoded in the FQANs.
6. Related Work
There is plenty of related work in the field of visualiza-
tion and steering within Grids. Brodlie et al describes in [8]
a high-level framework for distributed and collaborative vi-
sualization and how it can be potentially implemented by
visualization systems, but not considering attribute-based
authorization as it is available in Grids today.
One of the specific research areas of the Japanese Na-
tional Research Grid Initiative (NAR EGI), among Grid mid-
dleware and Grid networking, include visualizations and
limited steering scenarios. Kleijer et al describes in [18] the
an API for Grid-based visualization systems of the NAREGI
Grid infrastructure. The API consists of a visualization li-
brary and a Grid visualization service API. While the li-
brary is used to connect simulations by the provisioning of
visualization functionalities, the visualization service API
wraps the library to provide Web service-based function-
alities. Although this approach is very similar to ours in
terms of the Web service layer, this framework only sup-
ports identity-based authorization mechanisms, while we
extend our scope to attribute-based authorization.
Another interesting work is developed in the Austrian
Grid and Koeckerbauer et al describes in [19] the Grid En-
abled Visualization Pipeline (GVID), which provides high
quality Grid-based visualization of scientific datasets on
thin clients such as SONY Playstations. In this approach, the
data of the scientific visualization are efficiently encoded
with the H262 code into a video stream and transferred to
the thin client afterwards. The client in turn decodes the
video stream and visualized the scientific data. While this
technology is rather decoupled from Grid middleware, we
implemented our services as higher-level services within
the Grid middleware UNICORE to leverage the strong se-
curity infrastructure, which makes it also easier to achieve
the attribute-based authorization of our approach.
A complete different approach was realized by the UK
RealityGrid project [3] that focused on how scientists can
make more effective use of a Grid and its visualization re-
sources. In fact, this approach is similar to our approach,
since more recent prototypes of the RealityGrid steering li-
brary have been renewed to be conform with the Open Grid
Services Architecture (OGSA) [15]. It thus was realized
within the Imperial College e-Science Networked Infras-
tructure (ICENI) [11] that partly based on Globus Toolkit
technologies and the Grid Security Infrastructure (GSI)[14].
To the best of our knowledge their is no work describing
how the RealityGrid steering library approach is used in
conjunction with the GSI and attribute-based authorization.
However, we know that GSI has been enabled with attribute-
based authorization using attribute-certificates that are em-
bedded in X.509 proxies. Since we rely on the HPC-driven
Grid middleware UNICORE, which only supports full X.509
certificates, our approach is also different from the proxy-
based GSI approach that is the security foundation for the
ICENI middleware.
7. Conclusions
The evaluation with two use case applications proved
that our approach is feasible and thus overcomes the lim-
itations identified in the COVS framework with respect to
fine-grained authorization. We have shown how the evo-
lution from identity-based authorization (i.e. using pure
X.509 certificates) towards attribute-based authorization us-
ing roles and capabilities of end-users can be applied to Grid
visualization and steering in general, and the COVS frame-
work in particular. By adding fine-grained authorization to
our framework, we implemented a unique approach of hav-
ing visualization and steering of HPC applications within
Grids massively supported by Grid middleware and SAML-
based attribute authorities. To realize that, we have been
working in the OMII-Europe project as an early use case
driver of SAML-based VOMS adoptions with the VOMS de-
velopers and thus contributed to the UNICORE and SAML-
based VOMS development. Some future work in the field of
attribute-based authorization would be an integration with
SAML-based Shibboleth federations or an approach that al-
lows for more dynamically definitions of attributes, for in-
stance during a run-time of a COVS session. Other inter-
esting work continue the investigation of Grid steering to-
wards computational Grid resources towards peta-scale per-
formance, e.g. soon we expect systems with 1/2 petaflop/s
at our institute. Then computational steering become diffi-
cult to use and new approaches have to be identified using
potentially more hierarchical or tree-based steering mecha-
The work presented in this paper has been supported
by the OMII - Europe project under EC grant RIO31844-
OMII-EUROPE, duration May 2006 – April 2008. We also
would like to thank members of the OGF OGSA - Authoriza-
tion group for their valuable advise and the developers of
the SAML-based VOMS server, in particular Valerio Venturi
(INFN, Italy). Finally, also the work of the EGEE middle-
ware security group (MWSG) was helpful with respect to
attribute-based authorization.
[1] OASIS - WSRF Technical Committee. http://www.oasis-
[2] OMII - Europe.
[3] RealityGrid.
[4] The Shiboleth Proejct, Internet2/MACE.
[6] OASIS - Web Service Security: SAML Token Pro-
file 1.1, 2006.
[7] R. Alfieri et al. From gridmap-file to voms: managing autho-
rization in a grid environment. In Future Generation Comp.
Syst., 21(4):549-558, 2005.
[8] K. Brodlie, D. Duce, J. Gallop, J. Walton, and J. Wood. Dis-
tributed and Collaborative Visualization. In F. Berman, G. C.
Fox,andA.J.G.Hey,editors,Computer Graphics Forum,
Volu m e 23, 2004.
[9] S. Cantor, J. Kemp, R. Philpott, and E. Maler. Assertions
and Protocols for the OASIS Security Assertion Markup
Language. OASIS Standard, 2005. http://docs.oasis-
[10] R. Chandra et al. Parallel Programming in OpenMP.Mor-
gan Kaufmann, 2001. ISBN 1-55860-671-8.
[11] J. Cohen, A. McGough, J. Darlington, N. Furmento,
G. Kong, and A. Mayer. RealityGrid: an integrated approach
to middleware through ICENI. In Philosophical Transac-
tions of The Royal Society A, 363, pages 1817–1827, 2005.
[12] T. Dierks and C. Allen. The TLS protocol version
1.0, Internet Engineering TaskForce, RFC 2246. 1999.
[13] T. Eickermann, W. Frings, P. Gibbon, L. Kirtchakova,
D. Mallmann, and A. Visser. Steering UNICORE
Applications with VISIT. In Philosophical Transac-
tions of The Royal Society Journal, London, 2005.
[14] I. Foster, C. Kesselman, G. Tsudik, and S. Tuecke. A secu-
rity architecture for computational grids. In 5th ACM Con-
ference on Computer and Communications Security, pages
83–91. Assoc. Comput. Mach Press, New York, 1998.
[15] I.Foster, H.Kishimoto,A.Savva, D.Berry, A.Djaoui,
A. Grimshaw, B. Horn, F. Maciel, F. Siebenlist, R. Subra-
maniam, J. Treadwell, and J. Reich. Open Grid Services
Architecture, Version 1.5. Open Grid Forum Draft 80, 2006.
[16] P. Gibbon. Short Pulse Laser Interactions with Matter: An
Introduction. Imperial College Press/World Scientific, Lon-
don/Singapore, 2005. ISBN 1-86094-135-4.
[17] C. Grimm et al. Trust issues in shibboleth-enabled fed-
erated grid authentication and authorization infrastructures
supporting multiple grid middleware. In Proc. of the 1st
International Interoperability and Interoperation Workshop
(IGIIW) at e-Science 2007, Bangalore, 2007.
[18] P. Kleijer, E. Nakano, T. Takei, H. Takahara, and A. Yoshida.
API for Grid Based Visualization Systems. In GGF 12
Workshop on Grid Application Programming Interfaces,
[19] T. K¨ockerbauer, M. Polak, T. St ¨utz, and A. Uhl. GVid -
Video Coding and Encryption for Advanced Grid Visualiza-
tion. In Proceedings of the first Austrian Grid Symposium,
Linz, 2005.
[20] T. Moses et al. eXtensible Access Control Markup Lan-
guage. OASIS Standard, 2005.
[21] M.Riedel et al. Computational steering and online visualiza-
tion of scientific applications on large-scale hpc systems. In
Proc. of the e-Science 2007, Bangalore, India. 2007.
[22] M.Riedel et al. Design and Evaluation of a Collaborative
Online Visualization and Steering Framework Implementa-
tion for Computational Grids. In Proc. of the 8th IEEE/ACM
Int. Conf. on Grid Comp, Austin, USA. 2007.
[23] M.Riedel et al. Requirements and Design of a Col-
laborative Online Visualization and Steering Framework
for Grid and e-Science Infrastructures. In Online
Proc. of German e-Science Conference, Baden-Baden.
[24] P. Pacheco. Parallel Programming with MPI. Morgan Kauf-
mann, 1996. ISBN 1558603395.
[25] R. Ratering et al. GridBeans: Supporting e-Science and Grid
Applications. In 2nd IEEE International Conference on e-
Science and Grid Computing (E-Science 2006), Amsterdam,
The Netherlands, 2006.
[26] M. Riedel et al. Visit/gs: Higher level grid services for sci-
entific collaborative online visualization and steering in uni-
core grids. In Proc. of 6th International Symposium on Par-
allel and Distributed Computing 2007 (ISPDC2007), Linz,
Austria, ISBN 0-7695-2936-4, on CD, 2007.
[27] R. Spurzem and E. Khalisi. Nbody6, features
of the computer-code. 2003. ftp://ftp.ari.uni-
[28] A. Streit et al. UNICORE - From Project Results to Produc-
tion Grids. In L. Grandinetti, editor, Grid Computing: The
New Frontiers of High Performance Processing, Advances
in Parallel Computing 14, pages 357–376. Elsevier.
[29] A. C. V. Ciachini, V. Venturi. The VOMS attribute certificate
format. Technical Report, OGSA Authorization Working
Group, 2005.
[30] V. Venturi et al. Virtual organisation management across
middleware boundaries. In Proc. of the 1st International
Interoperability and Interoperation Workshop (IGIIW) at e-
Science 2007, Bangalore, 2007.
... Nonetheless, these systems are built upon platforms and programming languages which are tailor-made for a particular purpose, not easily extended to support a wider sharing of resources and collaborative work (Li et al., 2007). To overcome such problems, as well as to facilitate the sharing of heterogeneous geospatial data and support real-time collaborative tasks between geographically distributed members, many organizations leverage latest distributed computer technologies based on grid computing and web services (Riedel et al., 2008). Many organizations have sought to converge grid services with web services, which is the pillar of the Service Oriented Architecture (SOA) paradigm. ...
... The Large Hadron Collider at CERN is engaging in one of the largest data-crouching experiments to date (Clery, 2006). In summary, grid services technology is poised to become the essential part for most e-science collaboration platforms (Riedel et al., 2008). ...
Full-text available
Natural resources management policies often entail a complex environmental decision-making process. This process can be greatly enhanced if it is based on an exploratory-envisioning system such as the Spatial Information Exploration and Visualisation Environment (SIEVE). This system integrates Geographical Information Systems, collaborative virtual environments, and other Spatial Data Infrastructures with highly interactive game-engine software. By leveraging these technologies, the system increases the potential for every participant, regardless of his level of involvement to have a better understanding of the issues at hand and to make better informed decisions. In a like manner, current scientific research has taken advantage of e-science platforms that share resources and enhance distributed simulation, analysis and visualization. Many of these infrastructures use one or more collaborative software paradigms like Grid Computing, High Level Architecture (HLA) and Service Oriented Architecture (SOA), which together provide an optimal environment for heterogeneous and distant, real-time collaboration. While significant progress has been made using these collaborative platforms, frequently there is no particular software suite that fulfils all requirements for an entire organization or case study. In these cases, an end-user must cope manually with a collection of tools and its exporting/importing capabilities to obtain the output needed for a particular purpose. This paper proposes a modular, real-time collaborative framework based upon user and tool-wrapping interfaces that are compliant not only with the aforementioned exploratory virtual environment, but also with web service-based Grid and HLA technology guidelines. The framework architecture is divided as follows: • Visualization Layer Services: composed of modules that offer the end visualization outcome, which depends on performance/quality of detail required to visualize the same data provided by the next layer. This layer includes Web Client services, Virtual Collaborative Environment interface services and high definition rendering services. • Management/Orchestration Layer Services: process services that link and sequence services according to existing and potentially new visualization requirements. These automated services further delegate specialized functions such as management, security, batch processing and similar features. This layer includes a Workflow Manager, a Simulation Real Time Infrastructure Manager, a Render Manager and a Grid Middleware Manager. • Data Layer Services: data sources that can be composited to feed spatial and non-spatial information requirements that the orchestration layer needs to fulfil its lifecycle. • Communication Services: encapsulating CityGML information using Web Services protocols (Web Service Description Language -WSDL, Simple Object Access Protocol -SOAP, and Universal Description Discovery and Integration -UDDI), data is transferred from all layers through Wrappers/Interfaces that are implemented by standard contracts on each module. In this manner, this framework orchestrates the use of heterogeneous software tools which collectively support distributed visual spatial analysis and complex environmental decision-making processes. A proof-of-concept prototype will be presented to illustrate a combination of representative commercial and open source software used in the area of spatial visualization, distributed computing and complex environmental simulation.
... The system will utilize distributed computer technologies based on grid computing and web services, which are the pillar of the Service Oriented Architecture (SOA) paradigm. Not only is grid computing poised to become the essential part for most e-science collaboration platforms (Riedel et al. 2008), but the SOA paradigm has become the framework of choice to design complex, enterprise level solutions for most organizations. The SOA paradigm is based on loosely-coupled modules that are orchestrated together by means of standard communication protocols, Web Service Description Language (WSDL), Simple Object Access Protocol (SOAP) and Universal Description Discovery and Integration (UDDI; W3C 2004). ...
The collaborative virtual environment framework SIEVE allows users to automatically build virtual environments and explore them collaboratively in real-time to aid decision making. SIEVE is currently being used in several application areas around landscape visualization and management and security and emergency response. Specific application areas include climate change, future land use exploration, land use productivity analysis and marine security response scenarios. This paper focuses on extensions to SIEVE based on col-laborative data sharing web technologies. SIEVE Builder Web allows users to access remote SDI data via a web-mapping service to create and download 3D environments. Another component currently in development allows the import of ancillary data into SIEVE by creating a data mashup. To integrate online data and shared computing facilities we are building a web-based framework to integrate multiple applications to complement SIEVE. Finally, we allow users to exchange spatially referenced photographs remotely within SIEVE Viewer.
... Some of the most relevant frameworks for distributed simulation and computational steering, for the scope of this paper, may be considered: COVS, RealityGrid, CUMULVS and CSE. COVS, or Collaborative Onlline Visualization and Communication (Riedel et al, 2008) is a framework that encapsulates common visualization frameworks (VTK, AVS/Express), steering technologies (VISIT, gViz, ICENI) as well as communication libraries (VISIT, PV3) that carry out the data transportation and steering commands. This multi-framework integration allows COVS to run simulations independently from visualization and communication tasks. ...
Full-text available
Computational steering aims both to interfere with an otherwise autonomous computational process, to change its outcome, and to enable the discovery of new features of the computational processes through integrated experiments. Traditionally, computational steering has been applied to large, compute-intensive and non-interactive simulations, where it more specifically refers to the practice of guiding a simulation experiment into some region of interest. In this paper, we review the motivations for computational steering and introduce an evolutionary design for a framework that takes into consideration two of its main important aspects, program steering and data steering, together with an approach for static scheduling based on a genetic algorithm. We then outline the capabilities of the framework by simulating the execution for three categories of applications, with low, medium and high communication needs, under two running scenarios – with and without tasks migration (required remote data will always be transferred). The results showed that program steering could bring more benefits in the given setting than data steering, and that there is a reasonable loss of efficiency between 16 and 64 processors, which could be explained correlated to the loss in data transfers gain.
Conference Paper
This paper describes the architectural redesign of a distributed execution framework called State Machine Based Distributed System which uses a state machine-based representation of processes in order to reduce the applications development time while providing safety and reliability. Initially the system has been built on top of the .Net Framework employing static programming techniques and made use of a custom data storage. The new architecture is intended to take advantage of the fast growing technologies like dynamic languages and graph databases for speeding up even more the applications development and improve the dynamism of the execution model.
One evidenced based approach for exploring future agricultural land use change scenarios is Land Use Allocation (LUA). This approach can be used to support medium to long term strategic planning. Specifically, land managers can consider a number of diverse environmental social, economic and physical factors, and explore land use allocation scenarios before choosing to produce one or more commodities in a given region. One of the most successful ways to implement a LUA approach is through the integration of geoprocessing with Multi-Criteria Decision Making methods (MCDM). Leveraging this spatial MCDM modeling approach with the Service Oriented Architecture (SOA) paradigm, we have developed a Spatial Model Steering (SMS) framework that enables users to explore the decision space and thus increase their awareness of the influence of key variables. In this framework a user can visually steer the LUA model key factors, explore and compare “what if” future land use scenarios by changing these factors and visualizing a range of potential LUA outcomes. In doing so, we believe that users can develop increased confidence in their understanding of the key factors governing the underlying models and ultimately obtain greater awareness of the uncertainty in the outcomes.
Full-text available
Large-scale scientific research often relies on the collaborative use of massive computational power, fast networks, and large storage capacities provided by e-science infrastructures (e.g., deisa, egee) since the past several years. Especially within e-science infrastructures driven by high-performance computing (hpc) such as deisa, collaborative online visualization and computational steering (covs) has become an important technique to enable hpc applications with interactivity and visualized feedback mechanisms. In earlier work we have shown a prototype covs technique implementation based on the visualization interface toolkit (visit) and the Grid middleware of deisa named as Uniform Interface to Computing Resources (unicore). Since then the approach grew to a broader covs framework. More recently, we investigated the impact of using the computational steering capabilities of the covs framework implementation in unicore on large-scale hpc systems (i.e., ibm BlueGene/P with 65536 processors) and the use of attribute-based authorization. In this chapter we emphasize on the improved collaborative features of the covs framework and present new insights of how we deal with dynamic management of n participants, transparency of Grid resources, and virtualization of hosts of end-users. We also show that our interactive approach to hpc systems fully supports the necessary single sign-on feature required in Grid and e-science infrastructures. KeywordsScientific visualization-Computational steering-COVS-VISIT-UNICORE
Full-text available
This specification defines the syntax and semantics for XML-encoded assertions about authentication, attributes, and authorization, and for the protocols that convey this information. Status: This is a second Committee Draft approved by the Security Services Technical Committee on 21 September 2004.
Full-text available
Many production e-Science infrastructures (e.g. DEISA, D-Grid) have begun to offer a wide variety of services for end-users during the past several years. Many e-Scientists solve their scientific problems by us-ing parallel computing applications on clusters and collaborative on-line visualization and steering (COVS) is known as a tool for analyz-ing and better understanding of these applications. In absence of a widely accepted COVS framework within Grids, visualizations are often created using proprietary technologies assuming a dedicated scenario. This makes it feasible to analyze the usual requirements to provide a blueprint for a more general COVS framework that can be integrated into Grid middleware systems such as UNICORE, gLite, or Globus Toolkits. These requirements lead to a design that was successfully implemented as a higher-level service in UNICORE and presented at numerous places such as the Open Grid Forum 19 and 20, Europar 2006, Supercomputing 2006 and DEISA trainings.
Full-text available
This specification defines the syntax and semantics for XML-encoded assertions about authentication, attributes, and authorization, and for the protocols that convey this information. Status: This is a working draft produced by the Security Services Technical Committee. See the Revision History for details of changes made in this revision.
However, since short, a new area has seized part of the grid community: grid-computing applications. Without the application layer, the grid computing will have no sense and just be a nice proof of concept. With the focus shifting toward applications, new problems emerge that are not or were not taking in account during the initial development of the core. The requirements may highly differ between each application, but it can always be resumed to a grid-based communication with the middleware medium. The scientific community is since always greedy of simulations. Simulations are most of the time targeted at High Performance Computing systems (HPC), which is exactly what the grid is tackling and proposing. With the grid it is possible to launch large-scale simulations over a virtual environment. Using this power of the grid to just launch or transfer end results is not satisfactory, more is possible. 1. Most simulations in any scientific fields can never accomplish their purpose without visualization (in concurrent or in post-processing), which enables researchers to observe and analyze their unrecognizable numerical results. 2. A solver has not to be static; it can be steered by a simple client on the fly. This enables the researcher to change, alter or rectify the simulation without having to stop and restart it.
Many production Grid infrastructures such as DEISA, EGEE, or TeraGrid have begun to offer services to endusers that include access to computational resources. The major goal of these infrastructures is to facilitate the routine interaction of scientists and their workflows with advanced tools and seamless access to computational resources via Grid middleware systems such as UNICORE, gLite or Globus Toolkits. While UNICORE 5 is used in production Grids since several years, recently an early prototype of the new Web services-based UNICORE 6 became available that will be continously improved in the next months for its use in production. In absence of a widely accepted framework for visualization and steering, the new UNICORE 6 Grid middleware provides not such a higherlevel service by default. This motivates this contribution to support e-Scientists in upcoming WS-based UNICORE Grids with visualization and steering techniques. In this paper we present the augmentation of the early standards-based UNICORE 6 prototype with a higher-level service for collaborative online visualization and steering. It describes the seamless integration of this service within UNICORE Grids by retaining the convenient single sign-on feature.