The Perun has a rich history, we have helped many important organizations to reach their plan to manage user accesses to their resources. Now more than 400 smaller or bigger organizations use our system. All organizations are able to operate on a system without the necessity of our further intervention. Moreover, we provide support to these organizations when new service is essential to be developed.
Choose the success story:
MetaCentrum and CERIT-SC
https://metavo.metacentrum.cz
https://www.cerit.cz
Is national computational initiative providing thousands CPU and Terabytes storage space to users coming from the academic environment. As far as user management is concerned, system Perun manages all machines in MetaCentrum infrastructure. MetaCentrum is tightly connected with even more ambitious project CERIT-SC, planned as a large center providing storages and computational resources in scope of Metacentrum. CERIT-SC has about 3500 CPUs and 3.5 PB storage space. Both MetaCentrum and CERIT-SC solve similar challenges.
Challenge
Manages heterogeneous facilities (clusters, storage elements, SMP machines) containing thousands of CPUs with different owners and access rights across the infrastructure.
Solution
The system of Perun services propagating current state from database to every single machine via to real-time communication.
Result
Convenient system to set, edit services and to manage users in GUI (or CLI). All configuration is propagated directly to machines and stored in their configuration files. In case of Perun's inaccessibility, for example network outage, all machines are still fully functional, just staying on last known configurations. When the outage is over, a new state is propagated to the machine and overwrites the old one.
Challenge
Manages different roles in system. On the one hand, there are a couple of managers, user support, security and other staff who maintain resources. They requires access not only to resources, but also to SVN, Request tracking system and other supportive services. On the other hand, there are users with very diverse requirements.
Solution
Different virtual organizations for users and staff. Rights are associated with VO instead of single member.
Result
Simple, convenient administration of employees and users. Possibility to set rights according to particular requirements of each group.
Challenge
Many different types of software licenses across clusters with a need to manage access to them.
Solution
The user must fill an application form containing license agreement to become a member of the group with property "to have access to license". Since application form is accepted and membership is propagated to machines, he gains access to the license.
Result
Easiness in maintaining lists of users and licenses is greatly enhanced.
Challenge
When a new staff member comes, all privileges must be set one by one. Usually, it is very challenging not to forget any, especially on bigger projects.
Solution
Convenient system of groups when one group in VO staff match with the type of his new position.
Result
The manager simply adds a new member into the particular group, and he gains everything he needs.
Challenge
Large VO could contain hundreds of users who compute their jobs across clusters with different requirements depending on their research. The inner structure of VO could be pretty confusing and obfuscatory.
Solution
Distinguish level of access by group hierarchy when all VO members are separated into groups. Groups and subgroups could refine levels of access to resources to the finest details because of ability to set access rights to each group separately.
Result
VO manager could freely set access rights to each group and subgroup in the scope of his VO in Perun GUI (or CLI) environment. The significant amount of his time is saved, because operating with the group, not with every single user, one by one. The inner structure of VO is clear.
CESNET Data Storage
Operates the largest storage space available for general academic use in the Czech Republic, currently exceeding 21 PB of space located in three hierarchical storage systems. User groups may request storage space there according to their needs. The storage is accessible through a plethora of various protocols, ranging from file system access like NFSv4, through tools like scp, rsync, ftp, up to special applications and cloud storage ownCloud.
Challenge
Manage heterogeneous user groups consisting of members with no relationship to the resource provider.
Solution
Virtual organizations are established for user groups. Perun supports empowering users to manage the virtual organisations.
Result
Scalable system where the user group is represented by a manager that negotiates resource usage and configuration with the owner of the resource and manages membership in the group.
Challenge
Many services must be set to allow the user to access infrastructure services in various ways, be informed, and configure it.
Solution
Perun is capable of configuring various services using a single user group, e.g., local Unix user accounts, Kerberos user records, LDAP, mailing lists, folder creation and setup, etc.
Result
Uniform configuration of resources provided to the virtual organisations.
Laboratory of Advanced Network Technologies
Established by Faculty of Informatics, Masaryk University, utilizing various pieces of equipment from 4k sage to all desktops administered by Perun. International cooperation and research in the scope of network technologies.
Challenge
Dynamic organization with great fluctuation of members, every new member must gain an access to resources, where many new students come and leave.
Solution
Unlike any other system, access right are provided to not to member, but to group. New member is added into group and gain all rights automatically without necessity to add him all rights one by one. All changes are reflected in real time.
Result
Research friendly environment. As a result no delay in research caused by new service settings is observed.
Challenge
VO wants to utilize facilities (GPUs in our case) that are owned and utilized by other VO.
Solution
Facility owner must agree with facility utilization by other VO and give a condition of utilization, so called resource for particular VO is created. Resource is a part of facility utilized by particular VO.
Result
VO use defined part of facility. Facility could be used by more than one VO in under predefined conditions. Whole process is very easy without necessity to register to the other VO. On the contrary, Perun could also easily handle situation, when one person is member of both VOs.
Fedcloud.egi.eu
https://www.egi.eu/infrastructure/cloud/
Perun can manage any cloud platform in the domain of human resources due to his unique ability to push data of each Perun user into several cloud platforms, for example OpenStack or OpenNebula. As far as human resources are concerned, Perun is able to manage account creation and account extension. Moreover is greatly customizable in creating, distributing and accepting or rejecting application forms.
Challenge
All users use their personal certificate to authenticate to the fedcloud resources. When old certificate is revoked or even worse is lost, there is literally no way to access the system and assign new one.
Solution
Personal credentials including certificate are stored in Perun and propagated into all resources managed by it. User saves certificate only once in Perun. When certificate is lost, there is a couple more ways of authentication to enter Perun and upload the new one.
Result
Flexible identity management where certificates are safely stored in one place, more comfortable for both users and managers. In addition, situation when user lost his certificate is solvable.
CSIR Meraka Institute – SAGrid
https://www.csir.co.za/csir-meraka-institute
The Meraka Institute of the CSIR is South Africa's leading ICT research institute and manages several fundamental pillars of the country's e-Infrastructure. These include the Centre for High-Performance Computing (CHPC), the South African National Research Network (SANReN). Meraka is the lead institute of the South African National Grid Joint Research Unit (SAGrid JRU), the coordination of which forms part of the “Cyberinfrastructure Competency Area” within the institute.
SAGrid is a federation of South African universities, national laboratories and research groups, represented in the JRU by their respective directors, which have formed a collaboration in order to promote e-Science in the country and the Sub-Saharan region. This includes site services at each of the 7 fully functional grid sites, as well as the core services maintained by the Universities of the Free State and Cape Town respectively. Description of SAGrid taken from https://www.egi.eu/community/collaborations/CSIR_Meraka.html.
Identity management in SAGrid has since its inception been done exclusively with the use of the Virtual Organisation Membership Service (VOMS). By registering in the VOMS, users with personal x.509 certificates could access a set of “grid” computing and data services in a consistent way. This was a great step forward in consolidating identities in South African e-Infrastructure, however suffered from several well-documented issues, such as erecting somewhat artificial barriers to entry (enforcing ownership of strong credentials, circumventing institutional credentials, only accessing services which supported the VO, etc). An extension to this service was provided by the introduction of science gateways, which through identity federation and robot certificates could reduce the friction between various e-Science environments.
During 2013, the South African NREN developed into full maturity and started to develop a service-oriented network infrastructure. One of these services is the national identity federation, led by SANREN, but with participation at several levels by South African research institutions. The deployment of a catch-all Identity Provider by SAGrid provided a demonstrator functionality and helped to stimulate uptake by users in the country; the South African Identity Federation is now coming to production readiness, and will soon provide an easy way for users to access services in the federation (including science gateways) using their home institute's credentials.
However, a significant problem remained – identity consolidation. Since many users had several digital identities, including the personal certificate and institutional identity, this resulted in a very complicated reporting and accounting situation. Indeed, it was almost impossible to provide accurate figures on usage of individual users or groups, particularly when it comes to mapping their usage from site to site, outside of the virtual organization. This issue was until recently addressed either by rough estimates or by manually collecting the relevant information, which took up significant time and resources. This is again compounded by the fact certain services require identities from a particular provider, complicating life for the user.
These issues are not unique by any means to South Africa or SAGrid and are being addressed by several initiatives worldwide, including the Perun service developed by a CHAIN-REDS partner, CESNET.
During Spring 2014, though, the Perun service has been piloted by SAGrid in South Africa, in order to address this and other related issues. After significant upgrades were made to the VOMS service in South Africa (precipitated by Perun, as well as demands from relying parties), identities from the existing VO were migrated to Perun, which was then used to propagate them to user interfaces in South Africa. The South African e-Science Certificate Authority (currently in pre-production phase) has also been configured as an identity provider.
We now have all user information kept in a single place, which is greatly easing communication with users and groups. By letting users register in Perun, it is now possible to propagate their identities to facilities owned and operated both by the National Grid, as well as various individual institutes which form part of the federation.