About SLATE

SLATE (Service Layer At The Edge) is a system to enable sites to delegate service deployment and configuration to selected application administrators. A SLATE container/virtualization platform (currently based on Kubernetes) is established by sites that wish to participate in the service. This SLATE edge cluster is located within the site and since it is container-based, can support arbitrary service applications. A central SLATE service orchestrates the deployment of containers to participating sites.

The site provides the central SLATE system with credentials for its local cluster and configures the services it wishes to allow at the site. Application developers only have permission to create and upload Docker containers and Helm charts, which can then be vetted before release to sites. Sites can limit the ability of the SLATE system to deploy only those specific services desired, or allow a Virtual Organization (VO) to deploy whatever services it requires.

Users (site administrators and application developers/administrators) interact with the SLATE central service through authentication/authorization based on standard OIDC (https://openid.net/connect/), e.g. via InCommon, Globus Auth, etc. The site-based Kubernetes cluster credentials are the only site access the system has, and they are only used programmatically by the SLATE system, never by users directly.

Although this may seem at first to present novel risks, in cybersecurity terms it is not significantly different from managing application installation via RPM and YUM. In this model the central SLATE service is like a YUM repository, and container developers are like RPM packagers/maintainers. With RPM/YUM, sites trust that the Apache developers have done due diligence when they release a new version of their web server, and site admins normally do YUM updates without hesitation. Moreover, many RPMs actually set services with simple default configurations to ‘on’ upon installation. SLATE simply extends this model to include the configuration of the software.

Benefits:

  • Sites can provide complex services that need to be located close to, or have special access to resources without the site administrators having to understand, deploy, configure, and upgrade the software providing the services.
  • Because service experts create the containerized services, they are less likely to be deployed with insecure settings by accident.
  • Because re-deployment and upgrades can be rolled out as soon as they are available, software vulnerability patches are deployed quickly.

Risks:

  • Sites delegating responsibility for correctly installing, configuring, and protecting service applications to people who do not work for the site.
  • Sites are trusting the VOs to which they grant privileges to properly vet their users (application administrators).

Mitigations: SLATE applications are well-defined within the SLATE information model. Applications must declare what ports and resources they use in advance. In theory this could be used to create IDS profiles to look for anomalous behavior. SLATE application containers are cataloged centrally, and go through a vetting process before being released for deployment.
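The "declare ports and resources in advance, then watch for deviations" idea above can be turned into a simple detection check. The following is an added example and not SLATE project code: the declaration layout, the flow-log format, the application names and the port numbers are all constructed for this illustration.

```python
"""Compare the network activity observed for deployed SLATE applications with
the ports each application declared in advance.

Added example, not SLATE project code. The declaration format and the flow-log
format are assumptions made for this illustration; the application names and
ports below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]  # (protocol, port)


@dataclass(frozen=True)
class AppProfile:
    """What an application declares about itself before it is released."""
    name: str
    listen: Set[Endpoint]    # ports the container says it accepts connections on
    outbound: Set[Endpoint]  # destination ports it says it connects out to


# Constructed declarations, in the spirit of the example services on the page.
PROFILES: Dict[str, AppProfile] = {
    "squid-cache": AppProfile("squid-cache",
                              listen={("tcp", 3128)},
                              outbound={("tcp", 80), ("tcp", 443)}),
    "perfsonar": AppProfile("perfsonar",
                            listen={("tcp", 443), ("tcp", 861), ("udp", 8760)},
                            outbound={("tcp", 443)}),
}

# Constructed flow log: "<app> <in|out> <proto> <port>" per line.
SAMPLE_LOG = """\
squid-cache in tcp 3128
squid-cache out tcp 443
squid-cache out tcp 22
perfsonar in udp 8760
perfsonar in tcp 6379
perfsonar out tcp 443
unknown-app in tcp 80
"""


def parse_flow(line: str) -> Tuple[str, str, Endpoint]:
    """Split one log line into (app, direction, (proto, port))."""
    app, direction, proto, port = line.split()
    if direction not in ("in", "out"):
        raise ValueError(f"bad direction in log line: {line!r}")
    return app, direction, (proto.lower(), int(port))


def find_anomalies(profiles: Dict[str, AppProfile], log: str) -> List[str]:
    """Return one message per flow that the declared profile does not cover."""
    anomalies: List[str] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        app, direction, endpoint = parse_flow(line)
        profile = profiles.get(app)
        if profile is None:
            # Traffic attributed to something that never went through vetting.
            anomalies.append(f"{app}: traffic from an application with no declared profile")
            continue
        declared = profile.listen if direction == "in" else profile.outbound
        if endpoint not in declared:
            proto, port = endpoint
            anomalies.append(f"{app}: undeclared {direction}bound {proto}/{port}")
    return anomalies


if __name__ == "__main__":
    for msg in find_anomalies(PROFILES, SAMPLE_LOG):
        print("ANOMALY", msg)
```

Run against the constructed log, the check flags the squid container's outbound tcp/22, the perfSONAR container's undeclared listener on tcp/6379, and traffic from an application that has no profile at all. In practice the declared profile would be taken from the vetted application catalogue and the flows from the cluster's network telemetry.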

Inbound connections to the site-based Kubernetes cluster can be limited via firewall to only the central SLATE service IP range. SLATE user and group credentials are handled under a VO model, so sites give privileges to VOs/roles rather than individual accounts. Site administrators are given the option of fine-grained control over service installation and updates. For example, VO X may install and update whatever service they want; VO Y may only install/update service A automatically; service B may only be updated with site admin manual approval.
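The per-VO policy just described can be written down and evaluated mechanically. The following is an added example, not SLATE project code: the policy layout, the role names, the decision values and the users are assumptions constructed to mirror the VO X / VO Y / service A / service B example in the text.

```python
"""Evaluate a site's per-VO deployment policy for a SLATE deployment request.

Added example, not SLATE project code. The policy layout, the membership data
and the decision values are assumptions made to illustrate the model in the
text (VO X may deploy anything; VO Y may deploy service A automatically and
service B only with site-admin approval); all data is constructed."""
from enum import Enum
from typing import Dict, Set


class Decision(Enum):
    ALLOW = "allow"                        # deploy/update without site involvement
    REQUIRE_APPROVAL = "require-approval"  # queue for a site administrator
    DENY = "deny"


# Site policy: VO -> {application name or "*": mode}. Constructed.
# An explicit per-application entry overrides the "*" wildcard.
SITE_POLICY: Dict[str, Dict[str, str]] = {
    "vo-x": {"*": "auto"},
    "vo-y": {"service-a": "auto", "service-b": "manual"},
}

# VO membership as the site sees it: VO -> users holding a deploy role. Constructed.
VO_DEPLOYERS: Dict[str, Set[str]] = {
    "vo-x": {"alice"},
    "vo-y": {"bob"},
}


def decide(policy: Dict[str, Dict[str, str]],
           deployers: Dict[str, Set[str]],
           user: str, vo: str, app: str) -> Decision:
    """Privileges are granted to the VO, not the user, so the user must first
    hold a deploy role in that VO; then the VO's application rules choose
    between automatic deployment, manual approval and denial."""
    if user not in deployers.get(vo, set()):
        return Decision.DENY
    rules = policy.get(vo)
    if rules is None:
        return Decision.DENY           # the site never granted this VO anything
    mode = rules.get(app, rules.get("*"))
    if mode == "auto":
        return Decision.ALLOW
    if mode == "manual":
        return Decision.REQUIRE_APPROVAL
    return Decision.DENY               # application not allowed for this VO


if __name__ == "__main__":
    for user, vo, app in [("alice", "vo-x", "xcache"),
                          ("bob", "vo-y", "service-a"),
                          ("bob", "vo-y", "service-b"),
                          ("bob", "vo-y", "service-c"),
                          ("alice", "vo-y", "service-a")]:
        print(user, vo, app, "->", decide(SITE_POLICY, VO_DEPLOYERS, user, vo, app).value)
```

Two points the example makes concrete: the site never names individual accounts in its policy (it trusts the VO's membership list, which is exactly the risk noted above), and anything not explicitly granted resolves to deny rather than to the most permissive rule.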

Example services:

  • Perfsonar
  • Squid web cache
  • Data federation storage/cache (e.g. XCache, XRootd transfer node).
  • Grid Compute Element
  • VO Job/pilot factory

Acknowledging SLATE

Papers, presentations, and other publications that feature work that relied on SLATE resources, services or expertise should cite the following publication:

Building the SLATE Platform, Breen, J., McKee, S., Riedel, B., Stidd, J., Truong, L., Vukotic, I., Bryant, L., Carcassi, G., Chen, J., Gardner, R.W., Harden, R., Izdimirski, M., Killen, R., & Kulbertis, B. (2018). Proceedings of the Practice and Experience on Advanced Research Computing, pp. 1-7. DOI: 10.1145/3219104.3219144.

In addition please include the following acknowledgement:

This work used the SLATE platform, which is supported by National Science Foundation grant number OAC-1724821.

Journal and Conference Papers

Managing Privilege and Access on Federated Edge Platforms, Joe Breen, Lincoln Bryant, Jiahui Chen, Emerson Ford, Robert W. Gardner, Gage Glupker, Skyler Griffith, Ben Kulbertis, Shawn McKee, Rose Pierce, Benedikt Riedel, Mitchell Steinman, Jason Stidd, Luan Truong, Jeremy Van, Ilija Vukotic, and Christopher Weaver. 2019. In Proceedings of the Practice and Experience in Advanced Research Computing on Rise of the Machines (learning) (PEARC '19). ACM, New York, NY, USA, Article 45, 5 pages. DOI: 10.1145/3332186.3332234.

Developing Edge Services for Federated Infrastructure Using MiniSLATE, Joe Breen, Lincoln Bryant, Jiahui Chen, Emerson Ford, Robert W. Gardner, Gage Glupker, Skyler Griffith, Ben Kulbertis, Shawn McKee, Rose Pierce, Benedikt Riedel, Mitchell Steinman, Jason Stidd, Luan Truong, Jeremy Van, Ilija Vukotic, and Christopher Weaver. 2019. In Proceedings of the Practice and Experience in Advanced Research Computing on Rise of the Machines (learning) (PEARC '19). ACM, New York, NY, USA, Article 35, 5 pages. DOI: 10.1145/3332186.3332236.

Building the SLATE Platform, Breen, J., McKee, S., Riedel, B., Stidd, J., Truong, L., Vukotic, I., Bryant, L., Carcassi, G., Chen, J., Gardner, R.W., Harden, R., Izdimirski, M., Killen, R., & Kulbertis, B. (2018). Proceedings of the Practice and Experience on Advanced Research Computing, pp. 1-7. DOI: 10.1145/3219104.3219144.

SLATE and the Mobility of Capability, Gardner, R., Breen, J., Bryant, L., & McKee, S. in Science Gateways 2017.

Presentations

Weaver, C. (2019). Cybersecurity Challenges for Edge Platforms. 2019 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure. Presentation Slides.

Stidd, J. (2019). Developing Edge Services for Federated Infrastructure Using MiniSlate. PEARC 2019. Presentation Slides. Chicago, Illinois.

Weaver, C. (2019). Managing Privilege and Access on Federated Edge Platforms. PEARC 2019. Presentation Slides. Chicago, Illinois.

Kulbertis, B. (2019). Developing for a Services Layer at the Edge. HEPiX Spring Meeting. Presentation Slides. San Diego, California.

Bryant, L. (2018). A Service Layer at The Edge. Annual Meeting of the Great Plains Network. Presentation Slides. Kansas City, Missouri.

Breen, J. et al. (2018). Building the SLATE Platform. PEARC18. Presentation Slides. Pittsburgh, Pennsylvania.

Gardner, R., Breen, J., Bryant, L., & McKee, S. (2017). SLATE and the Mobility of Capability. Gateways 2017. Presentation Slides. Ann Arbor, Michigan.

Gardner, R., McKee, S., & Breen, J. (2017). SLATE: Services Layer at the Edge. First Meeting of the National Research Platform, Montana State University. Bozeman, Montana.

Gardner, R. (2017). SLATE: Services Layer at the Edge. US ATLAS Software and Computing Planning Meeting. Presentation Slides. Boston University.

Gardner, R., McKee, S., & Breen, J. (2018). SLATE: Services Layer at The Edge. Open Science Grid All Hands Meeting. Presentation Slides. University of Utah.

Gardner, R. (2018). SLATE: Services Layer at The Edge. ATLAS Sites Jamboree. Presentation Slides. CERN, Geneva, Switzerland.

McKee, S. (2017). The Machinery of Big Data Science (YouTube Video). Saturday Morning Physics Public Lecture. Ann Arbor, Michigan.

Grant Information

Supported by the National Science Foundation under Grant No. OAC-1724821.