Andrew McNab - Manchester HEP - 31 January 2002
Testbed Release in the UK
• Integration Team
• UK deployment
• TB1 Job Lifecycle
• VO: Authorisation
• VO: GIIS and Resource Broker
• What about non-Testbed machines / experiments?
Integration Team
• ~20 people drawn from EDG middleware WPs and WP6.
• Intensive integration period at CERN during October
– had to have another one in December!
• Testbed farm of ~20 machines at CERN
• Presentations at CERN on 29th October for sysadmins / local experts
– see these talks for technical details: http://marianne.in2p3.fr/
• Everything taking longer than planned
– rollout ongoing (currently CERN, CNAF, Manchester, RAL, Lyon, NIKHEF, ...) but TB1 still a moving target
• Don’t expect your local sysadmin to be able to do an “off the shelf” installation yet.
UK Deployment
• Start with UK WP6 people (+ other experts)
• Use tb-support@jiscmail.ac.uk mailing list
• http://www.gridpp.ac.uk/tb-support/ has:
– mailing list information
– recipe for installing the ~1.0 release (i.e. last week’s) of the Computing Element, Storage Element, User Interface machine and Worker Node.
– in principle, 1.1 released today
• Once some WP6 sites are up, encourage more sites to test the installation procedure, docs etc.
Authorisation
• a.k.a. “how do I maintain the grid-mapfile list of certificate names and local user names?”
• WP6 provides a standard way of publishing lists of certificate names via an LDAP server, and selecting subsets based on group or “Virtual Organisation” (eg experiment) affiliation.
• gridmapdir patch to Globus provides dynamic user account allocation from a pool.
• Each experiment needs to maintain a “VO Server” and populate it with the DNs of their members
– For LHC experiments, the VOs are at NIKHEF.
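As an added illustration (not code from the slides, from Globus or from WP6), the following Python models the pool-account allocation that the gridmapdir patch is described as providing, plus the grid-mapfile lines that result. The directory layout it assumes (one empty file per pool account, a hard link named after the URL-encoded DN once an account is claimed) and the DNs are constructed for this example.

```python
import os
import tempfile
from urllib.parse import quote

# Constructed model of gridmapdir-style allocation (an assumption of this
# example, not the Globus patch itself): every pool account is an empty file
# in the gridmapdir; an account is free while its hard-link count is 1; a DN
# claims an account by hard-linking that file under the URL-encoded DN.

def make_pool(gridmapdir, prefix, count):
    """Create empty pool-account files, e.g. atlas001, atlas002."""
    for n in range(1, count + 1):
        open(os.path.join(gridmapdir, f"{prefix}{n:03d}"), "w").close()

def dn_filename(dn):
    # URL-encode the DN so it is one safe filename (DNs contain '/').
    return quote(dn, safe="")

def account_for_inode(gridmapdir, prefix, ino):
    # The DN link and its pool-account file share an inode.
    for name in os.listdir(gridmapdir):
        path = os.path.join(gridmapdir, name)
        if name.startswith(prefix) and os.stat(path).st_ino == ino:
            return name
    return None

def allocate(gridmapdir, dn, prefix):
    """Return the pool account mapped to dn, claiming a free one if needed."""
    link_name = os.path.join(gridmapdir, dn_filename(dn))
    if os.path.exists(link_name):   # same DN always gets the same account
        return account_for_inode(gridmapdir, prefix, os.stat(link_name).st_ino)
    for name in sorted(os.listdir(gridmapdir)):
        path = os.path.join(gridmapdir, name)
        if name.startswith(prefix) and os.stat(path).st_nlink == 1:
            os.link(path, link_name)   # claim it: link count becomes 2
            return name
    return None   # pool exhausted: refuse rather than share an account

def grid_mapfile_line(dn, account):
    # grid-mapfile line format: "<certificate DN>" <local account>
    return f'"{dn}" {account}'

def demo():
    """Allocate three constructed DNs from a two-account pool."""
    dns = [f"/C=UK/O=eScience/OU=Manchester/CN={n}" for n in ("alice", "bob", "carol")]
    with tempfile.TemporaryDirectory() as gmd:
        make_pool(gmd, "atlas", 2)
        first = [allocate(gmd, dn, "atlas") for dn in dns]
        again = allocate(gmd, dns[0], "atlas")
        lines = [grid_mapfile_line(dn, a) for dn, a in zip(dns, first) if a]
    return first, again, lines
```

Because the claim is a hard link, `ls -l` on the gridmapdir shows which accounts are taken, and a stale mapping is released simply by removing the DN-named link.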
GIIS and Resource Broker
• a.k.a. “how do I get on the list of sites and receive jobs?”
• GRIS - local LDAP server on, say, a Computing Element (= site gateway)
• GIIS - indexing LDAP server, which receives information from GRISs
• Currently use Resource Broker at CERN - it uses local GIIS to get list of TB1 sites
• For sites to receive jobs, they need to be registered with the GIIS used by the users’ RB.
• Experiments (or even sites?) might want their own RB, since the RB is easily overloaded in the current architecture.
Non-Testbed1 machines / expts
• “Being part of Testbed 1” involves committing to using the right version of RedHat (6.2), the grid software and some extra packages.
• But, all of this work has been done in a modular way
– some dependencies between modules, but interfaces are spelt out.
• Should be possible to install some or all of TB1 software on existing farms without matching participation requirements exactly.
• Would also be possible to use strictly compliant front end machines along with differently configured back end nodes.
Summary
• TB1 being rolled-out
• Basic job submission, brokerage etc working
• Ready to deploy 1.0 (and imminent 1.1) in UK
• Experiments need to set up VO structures
• Non-LHC experiments should be able to use TB1 components
Grid/Web integration
• Common use of SSL
• Importing certificates into browsers
• GridSite as an example application
• Limits to delegation
• Possible solutions
• Merging Grid / Web / Filesystems
Common use of SSL (“TLS”)
• https URLs based on X509 certificates and SSL protocol
– eg https://secure.amazon.co.uk/
• Globus’s security infrastructure (GSI) based on X509 too
– eg the user and host certificates from the UK HEP CA
• Host certificates (hostkey.pem / hostcert.pem) can be used directly as Apache mod_ssl credentials.
• Using openssl, you can easily convert a PEM key / cert pair into the PKCS#12 file format used by web browsers.
• This works in all https-aware versions of Netscape and IE.
What does SSL buy you?
• Server has host certificate, so the browser can verify the server is genuine, and not someone impersonating it or doing a man-in-the-middle attack.
• If browser has a user certificate, the user can prove who they are.
– So the server can implement access control, logging etc.
– Since the certificate DNs are also used in Grid applications, can share information, authorisation etc between the two.
• All transfers are encrypted.
• (Downside is that transfers are slower and impose more computational burden on the web server.)
What you need to do
• Get a host certificate for the web server from a CA your users will trust (eg a TB1 CA: UK HEP CA, CERN, …)
• Make sure your users have certificates from a CA you trust.
• Maintain a users database, including their DNs, to specify authorisation levels.
– group users and specify access according to those groups?
• Providing simple administration tools will make things much less painful for you as the number of users ramps up.
• (If you already have a VO authorisation server, might be able to automate a lot of this…)
Example: GridSite
• Written for http(s)://www.gridpp.ac.uk/
– also used for WP6/TB1 site: http(s)://marianne.in2p3.fr/
• Maintains a database of users and groups
– can be administered using a normal web browser
• Read and write access to directories controlled by ACLs
– use same format as SlashGrid filesystem framework
• Since web browsers’ https and Globus GSI are both based on X509 certificates, can reuse the UK HEP CA user certificates in WWW context.
• Since we have strong user authentication, we can allow write access through a web browser.
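An added example, not GridSite’s own code or ACL file format: a small Python model of per-directory read/write control keyed on certificate DNs and groups, as the slide describes. The data layout (the nearest ACL up the directory tree applies; entries for a DN, a group, or anyone), the inheritance rule and the DNs are assumptions of this example.

```python
import posixpath

# Constructed example of DN/group-based directory ACLs for a GridSite-like
# server. The tables below are assumptions of this example, not GridSite's
# own ACL format; "nearest ACL wins" is likewise an assumed inheritance rule.

GROUPS = {   # group name -> member DNs (constructed)
    "webmasters": {"/C=UK/O=eScience/OU=Manchester/CN=alice"},
    "atlas": {"/C=UK/O=eScience/OU=Manchester/CN=alice",
              "/C=UK/O=eScience/OU=Manchester/CN=bob"},
}

ACLS = {   # protected directory -> list of (kind, who, permissions)
    "/": [("group", "webmasters", {"read", "write"})],
    "/atlas": [("group", "atlas", {"read"}),
               ("dn", "/C=UK/O=eScience/OU=Manchester/CN=bob", {"read", "write"})],
    "/public": [("any", None, {"read"})],   # readable without a certificate
}

def acl_for(path):
    """Return the ACL of the nearest directory at or above path."""
    d = posixpath.normpath(path)
    while d not in ACLS and d != "/":
        d = posixpath.dirname(d)
    return ACLS.get(d, [])

def permissions(dn, path):
    """Union of permissions granted to dn; dn is None if no client cert."""
    granted = set()
    for kind, who, perms in acl_for(path):
        if kind == "any" \
           or (dn is not None and kind == "dn" and who == dn) \
           or (dn is not None and kind == "group" and dn in GROUPS.get(who, ())):
            granted |= perms
    return granted

def allowed(dn, path, op):
    """Decision for one request: op is 'read' or 'write'."""
    return op in permissions(dn, path)
```

Anything not explicitly granted is denied, so an unauthenticated browser (dn None) can read only under /public, and a valid certificate from an unknown DN gets nothing.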
GridSite: more information
• GridSite homepage at http://www.gridpp.ac.uk/gridsite/
• Mailing lists gridsite-announce and gridsite-discuss at jiscmail
• Software covered by GPL Open Source License
– so you are welcome to use it, modify it, distribute modified copies
– but we all share the benefit of anything you distribute
• Intending to go from monolithic source to LGPL library + minimal main()
• This will make it easier to reuse GridSite in other Grid / Web applications, portals etc.
Delegation
• One commonly cited web/grid integration is a Job Submission Portal.
• But (lack of) delegation complicates this.
• X509 relies on having a private key and public certificate
– Web browser has access to both
• However, this only proves to the web server that we are genuine.
• The web server does not have a way to then prove this to another server (eg a gatekeeper) on our behalf.
• Globus gets round this by forwarding temporary proxies signed by private key, but web browsers do not do this.
Delegation: possible solutions
• Need to have a private key trusted by destination servers, which we can use if we authenticate with the web server.
• This could be a personal key we have deposited with web server.
• Or the server may make requests using its own key on our behalf.
• New solution from Globus: Community Authorisation Server. This is intended for non-Web contexts, but may provide a convenient solution here too.
– Combine web server and CAS: requests authorised on the basis of authorisation objects/symbols granted by CAS.
Merging Grid/Web/Filesystems
• Globus GASS library provides read and write access to remote files using https
– so already possible to use https web servers like GridSite as file servers within Grid applications
– can access them via normal web browser as described above
• Work now starting to provide distributed filesystems using Grid protocols
– SlashGrid framework ( http://www.gridpp.ac.uk/slashgrid/ )
– map files on remote servers to local filenames, with caching: https://www.gridpp.ac.uk/file.txt => /grid/https/www.gridpp.ac.uk/file.txt
Summary
• X509 security protocols common to Web and Grid
• Possible to use existing Grid certificates in a Web context
• GridSite is an Open Source demonstration of this
– will provide a toolbox for people building Grid/Web applications
• Delegation of credentials to allow access to “third party” sites is an issue
– but solutions are possible
• More Web / Grid / Filesystem integration in the pipeline