
1 Andrew McNab - Manchester HEP - 11 May 2001
Packaging / installation
Ready to take globus-1.1.3-6 from prerelease to release.
Alex has prepared GSI openssh RPMs.
New UKHEP CA configuration files need to be distributed.
Announce production RPMs next week?

2 Using the Grid in Babar UK
Babar UK is taking delivery of 6 PC farms.
They're keen to evaluate/use Grid tools.
This talk goes through some of the issues in actually doing it...

3 Babar UK PC Farms
Farms at 6 UK Babar institutes.
Each consists of 40 dual-processor back-end nodes (800 MHz PIII, 2 x 100BaseT) and 2 dual-processor 1 GHz front-end machines with gigabit interfaces.
Loaded with RH6.2 by the vendor.

4 Applications
Centrally managed Monte Carlo. This could be done just using ad hoc tools.
User analysis jobs using data on local Sun RAID arrays. Grid tools can really contribute here, since Babar data will be distributed across UK sites.
Want Dr A at B University to be able to access skim C at the University of D...

5 Globus 1.1.3 authorisation
In Globus 1.1.3, grid identities (certificate subjects) are mapped to local Unix usernames via the grid-mapfile.
For analysis + MC farms, either have to create lots of local Unix accounts at each site - lots of admin.
Or map everyone to a single user - great potential for conflicts over use of /home etc., problems with accountability.

6 Single execution account
Auditability problems - who actually did this?
What if one job script assumes it owns $HOME?
What if we want access to remote AFS or Grid resources, especially write access?

7 Dynamic pool of accounts?
Sysadmin creates a pool of normal Unix accounts, with names like gpool001, gpool002, gpool003, ...
They can use their normal tools to do this, create quotas, Unix group(s) etc.
Temporarily lease accounts when presented with a certificate whose subject is in our grid-mapfile.
Expire the lease "when they are finished" (defined locally).

8 Security and auditability
Authentication: still have to provide a valid certificate, signed by a CA the local site trusts.
Authorisation: certificate subjects must still be listed in the local grid-mapfile to get access.
Auditability: mappings of subjects to local Unix usernames are logged already, so we can still tell "who" a particular pool account was.

9 gridmapdir Patch to Globus 1.1.3
All subject->username mapping is already done by functions in Security/gss-assist/gridmap.c.
Patch these to map subjects to pool users if their "username" in the grid-mapfile is "." or ".subpool".
Five new functions in gridmap.c implement leasing (the lease database consists of links in the filesystem).
Subpools with privileges, quotas etc. are possible: e.g. ".bbr" will only be mapped to bbr001, bbr002, ...

10 Lease expiration
To reuse pool accounts, the lease must be terminated somehow - but the mechanics are very site dependent.
Probably easiest to run a script from cron to expire leases:
Either based on an expiration time (if you can guarantee the job will be finished by that time)
Or by job completion flagging the lease as not needed (e.g. via PBS prologue / epilogue scripts)
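Slides 7 to 10 describe the pool-account lease: a grid-mapfile entry of "." or ".subpool" selects a pool, a lease is recorded as a link in the filesystem, and leases end either by a cron sweep or by the job's epilogue. The Python below is an added illustration of that design written for this page; it is not the gridmapdir patch itself (which is C inside gridmap.c). The directory layout (one file per pool account, a lease being a second hard link named after the URL-encoded certificate subject, link count 2 meaning "leased"), the `gpool` default pool for a bare ".", the `make_pool` helper and the sample subjects are all assumptions made for the example. `map_subject` returning None stands for the gatekeeper refusing the job when a pool is exhausted.

```python
import os
import tempfile
import time
import urllib.parse

DEFAULT_POOL = "gpool"  # assumption: a bare "." target selects this subpool

GRID_MAPFILE = '''# constructed sample grid-mapfile: invented subjects, real syntax
"/C=UK/O=eScience/OU=Manchester/CN=Andrew McNab" andrew
"/C=UK/O=eScience/OU=Bristol/CN=Dr A" .
"/C=UK/O=eScience/OU=Birmingham/CN=Dr B" .bbr
"/C=UK/O=eScience/OU=Liverpool/CN=Dr C" .bbr
'''


def parse_gridmapfile(text):
    """Return {subject: target}; target is a username, "." or ".subpool"."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('"'):  # "subject" target; comments/blanks skipped
            end = line.index('"', 1)
            mapping[line[1:end]] = line[end + 1:].strip()
    return mapping


def encode_subject(subject):
    """Filename for a subject: URL-encoded so '/', '=' and spaces are safe."""
    return urllib.parse.quote(subject, safe="")


class GridmapDir:
    """Lease database as hard links in one directory (assumed layout): an
    account file with link count 1 is free, link count 2 means leased, and
    the second name on that inode is the encoded certificate subject."""

    def __init__(self, path):
        self.path = path
        self.audit = []  # (epoch, subject, account): what syslog would carry

    def add_pool_account(self, username):
        open(os.path.join(self.path, username), "a").close()

    def _accounts(self, prefix=""):
        # Pool-account names never contain '%'; encoded DNs always do.
        return sorted(n for n in os.listdir(self.path)
                      if "%" not in n and n.startswith(prefix))

    def _account_for(self, link):
        ino = os.stat(link).st_ino
        return next(a for a in self._accounts()
                    if os.stat(os.path.join(self.path, a)).st_ino == ino)

    def map_subject(self, subject, target):
        """Unix username for a subject, or None if its pool is exhausted."""
        if not target.startswith("."):
            return target  # ordinary static mapping, unchanged
        prefix = target[1:] or DEFAULT_POOL
        link = os.path.join(self.path, encode_subject(subject))
        if os.path.exists(link):  # subject already holds a lease: re-use it
            return self._account_for(link)
        for acct in self._accounts(prefix):
            acct_path = os.path.join(self.path, acct)
            if os.stat(acct_path).st_nlink != 1:
                continue  # leased by someone else
            os.link(acct_path, link)
            # Two gatekeepers may link the same free account at once: the
            # loser sees link count 3, drops its link and tries the next one.
            if os.stat(acct_path).st_nlink != 2:
                os.unlink(link)
                continue
            os.utime(acct_path)  # stamp the lease start on the shared inode
            self.audit.append((time.time(), subject, acct))
            return acct
        return None  # pool exhausted: refuse the job

    def release(self, subject):
        """End a lease explicitly, e.g. from a PBS epilogue script."""
        os.unlink(os.path.join(self.path, encode_subject(subject)))

    def expire(self, max_age, now=None):
        """Cron-style sweep: drop leases older than max_age seconds."""
        now = time.time() if now is None else now
        expired = []
        for name in sorted(os.listdir(self.path)):
            link = os.path.join(self.path, name)
            if "%" in name and now - os.stat(link).st_mtime > max_age:
                expired.append((urllib.parse.unquote(name), self._account_for(link)))
                os.unlink(link)
        return expired


def make_pool(*accounts):
    """Fresh GridmapDir on a temporary directory holding the given accounts."""
    d = GridmapDir(tempfile.mkdtemp())
    for acct in accounts:  # the sysadmin creates these with normal tools
        d.add_pool_account(acct)
    return d


if __name__ == "__main__":
    pool, gm = make_pool("gpool001", "gpool002", "bbr001"), parse_gridmapfile(GRID_MAPFILE)
    for subject, target in gm.items():
        print(subject, "->", pool.map_subject(subject, target))
```

Because a hard link shares the account file's inode, the lease start time is stamped on that inode and read back from either name, which is what lets the cron sweep age leases without a separate database. The link-count check after `os.link` is the caveat a practitioner wants: two gatekeeper processes can both see an account as free, and only the one that ends up with link count exactly 2 keeps it.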

11 Making grid-mapfile
Already proposals from INFN and UK about composing grid-mapfiles based on information published via LDAP.
Possible to make a very simple system for Babar in the short term.
If this is done, then we have all the components needed to avoid manual intervention by all sysadmins every time a new user joins the Grid.

12 AFS and Grid authentication
How to interface the existing AFS (Kerberos) structure used by SLAC and RAL with the new Grid security infrastructure?
A mechanism using ssl -> k5 -> AFS/k4 exists.
Simpler solution now from ANL, with the new gsiklog command and gsiklogd daemon.

13 gsiklog
Have gsiklogd running on the AFS authentication server machine.
User runs the gsiklog client, which contacts gsiklogd and authenticates using the Grid (proxy) certificate.
gsiklogd makes an AFS token and returns it to gsiklog.
The AFS password is not involved at any stage.
This means I can get AFS access for a batch job at a remote farm purely on the basis of Grid credentials.

14 Limiting authorisation
Currently no mechanism in Globus for limiting what a Globus-initiated job can do.
We can make pool accounts with restricted quotas, in Unix groups with limited access to local resources.
Ideally want to run farms as isolated, simplified environments, with things like user cron jobs turned off, and some form of governor killing rogue processes.
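The "governor killing rogue processes" on slide 14 has no code on the page; the Python below is an added example of one way to build it and is not a Babar or Globus tool. It parses `ps -eo user,pid,ppid,time,comm --no-headers` output (a constructed sample is embedded), treats any account named `<subpool><digits>` as a pool account, and nominates for killing every pool-account process whose account holds no current lease (a job that outlived its lease, which must die before the account is handed to the next subject) or that has exceeded a per-subpool CPU limit. The set of leased accounts, the subpool names and the limits are assumed inputs; at a real site they would come from the gridmapdir and local policy.

```python
import os
import re
import signal

# Constructed per-subpool CPU limits in seconds (site policy, not from the talk).
CPU_LIMITS = {"gpool": 8 * 3600, "bbr": 24 * 3600}

# Constructed output of:  ps -eo user,pid,ppid,time,comm --no-headers
SAMPLE_PS = """\
root         1     0 00:00:05 init
andrew    7000     1 00:00:30 bash
gpool001  4242     1 00:12:07 BetaApp
gpool001  4243  4242 00:00:01 sh
gpool001  4244     1 09:00:00 BetaApp
gpool002  5000     1 2-03:00:00 BetaApp
bbr001    6100     1 05:10:00 BetaApp
"""

POOL_RE = re.compile(r"^([a-z]+)\d+$")  # assumed pool-account naming


def cputime_seconds(field):
    """Convert the ps TIME field, [[DD-]HH:]MM:SS, to seconds."""
    days = 0
    if "-" in field:
        d, field = field.split("-", 1)
        days = int(d)
    parts = [int(p) for p in field.split(":")]
    while len(parts) < 3:
        parts.insert(0, 0)
    h, m, s = parts
    return days * 86400 + h * 3600 + m * 60 + s


def parse_ps(text):
    """Process table as dicts; comm is the last field and may contain spaces."""
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pid, ppid, cpu, comm = line.split(None, 4)
        procs.append({"user": user, "pid": int(pid), "ppid": int(ppid),
                      "cpu": cputime_seconds(cpu), "comm": comm})
    return procs


def rogue_processes(procs, leased, limits):
    """(pid, user, reason) for pool-account processes the governor should kill."""
    rogues = []
    for p in procs:
        m = POOL_RE.match(p["user"])
        if not m or m.group(1) not in limits:
            continue  # not a pool account: the governor leaves it alone
        limit = limits[m.group(1)]
        if p["user"] not in leased:
            rogues.append((p["pid"], p["user"], "no current lease"))
        elif p["cpu"] > limit:
            rogues.append((p["pid"], p["user"],
                           "cpu %ds over %ds limit" % (p["cpu"], limit)))
    return rogues


def governor(ps_text=SAMPLE_PS, leased=frozenset({"gpool001", "bbr001"}),
             limits=CPU_LIMITS, dry_run=True):
    """One governor pass; with dry_run=False it SIGKILLs what it found."""
    rogues = rogue_processes(parse_ps(ps_text), leased, limits)
    if not dry_run:
        for pid, _, _ in rogues:
            os.kill(pid, signal.SIGKILL)
    return rogues


if __name__ == "__main__":
    for pid, user, reason in governor():
        print("would kill %d (%s): %s" % (pid, user, reason))
```

Run from cron as root on each farm node, with `leased` taken from the accounts whose gridmapdir link count is 2, this closes the gap between lease expiry and account re-use: nothing belonging to the previous subject survives into the next lease, which is what makes the auditability argument of slide 8 hold.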

15 Input and output
Job "parameter" files (config, scripts, binaries): included in the job, fetched via https, or accessed via AFS, ...?
Data files from the local system (NFS, http, https, rootd?)
Execution log file returned by email?
Detailed log files and output data files returned via AFS, https / GASS, rootd?

16 Data access protocols
NFS - OK for the LAN, not WAN optimised, read/write but not secure, especially for writes.
AFS - OK for LAN or WAN, secure read/write, on-host caching, gsiklog works, no good for streaming data.
Normal http (e.g. Apache) - little or no authorisation (mainly host based), optimised for bursts on the WAN. Very solid. TWebFile exists for ROOT.
GASS https - Grid specific, secure, read/write.

17 Data access protocols cont.
rootd - native support within ROOT, secure, plans to add GSI authentication / authorisation and use parallel streams etc. (possibly on top of GridFTP?)
GridFTP - aims to become the data transfer Swiss Army Knife: secure read/write, auto-optimising (window sizes etc.), parallel streams. Exists in alpha form at the moment. Will be added to future Globus releases.
GridFTP the protocol to put long-term effort into?

18 Summary
Babar UK has a clear and pressing need for what is being provided by the Grid.
Tools to "publish" the authorisation list from a central source exist.
Dynamic accounts are possible via the gridmapdir patch.
AFS can now be made Grid-friendly.
Several other protocols are available for moving data.
Babar PC farms are an excellent environment for early deployment and evaluation of Grid tools.

