Andrew McNab - Manchester HEP - 11 May 2001 Packaging / installation Ready to take globus-1.1.3-6 from prerelease to release. Alex has prepared GSI openssh.

Presentation transcript:

Packaging / installation
- Ready to take globus from prerelease to release.
- Alex has prepared GSI openssh RPMs.
- New UKHEP CA configuration files need to be distributed.
- Announce production RPMs next week?

Using the Grid in Babar UK
- Babar UK is taking delivery of 6 PC farms.
- They’re keen to evaluate/use Grid tools.
- This talk goes through some of the issues in actually doing it...

Babar UK PC Farms
- Farms at 6 UK Babar institutes.
- Each consists of 40 dual-processor back-end modules (800 MHz PIII, 2 x 100BaseT) and 2 dual-processor 1 GHz front-end machines with gigabit interfaces.
- Loaded with RH6.2 by vendor.

Applications
- Centrally managed Monte Carlo. This could be done just using ad hoc tools.
- User analysis jobs using data on local Sun RAID arrays. Grid tools can really contribute here, since Babar data will be distributed across UK sites.
- Want Dr A at B University to be able to access skim C at the University of D...

Globus authorisation
- In Globus 1.1.3, grid identities (certificate subjects) are mapped to local Unix usernames via grid-mapfile.
- For analysis + MC farms, either have to create lots of local Unix accounts at each site - lots of admin
- Or map everyone to a single user - great potential for conflicts over use of /home etc, problems with accountability
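As an added illustration (not code from the talk or from Globus), the routine below reads grid-mapfile entries of the form the slide describes, a quoted certificate subject followed by a Unix username, and tells a static username apart from the pool markers "." and ".subpool" that the gridmapdir patch later in the talk keys on. The sample mapfile text, the subject names and the function and enum names are all constructed for this example.

```c
/* Added example: grid-mapfile lookup with pool-marker detection.
 * Entry format assumed: "<certificate subject>" <username-or-marker>
 * Function, enum and sample names are constructed for this illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum map_kind { MAP_NONE = 0, MAP_STATIC = 1, MAP_POOL = 2 };

/* Constructed sample grid-mapfile (not any real site's file). */
static const char SAMPLE_GRIDMAP[] =
    "\"/C=UK/O=eScience/OU=Manchester/CN=Dr A\" amcnab\n"
    "\"/C=UK/O=eScience/OU=RAL/CN=BaBar User 1\" .bbr\n"
    "# comment lines are ignored\n"
    "\"/C=UK/O=eScience/OU=Glasgow/CN=Generic User\" .\n";

/* Find subject in the mapfile text. On a hit, copies the mapped name into
 * out: the Unix username for MAP_STATIC, or the subpool prefix without its
 * leading '.' (empty string for the whole pool) for MAP_POOL. */
enum map_kind gridmap_lookup(const char *mapfile, const char *subject,
                             char *out, size_t outlen)
{
    const char *line = mapfile;
    size_t slen = strlen(subject);

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *next = eol ? eol + 1 : line + len;

        /* The quoted subject must match exactly; a prefix is not enough. */
        if (len > slen + 2 && line[0] == '"' &&
            strncmp(line + 1, subject, slen) == 0 && line[slen + 1] == '"') {
            const char *p = line + slen + 2;
            const char *end = line + len;
            while (p < end && isspace((unsigned char)*p)) p++;
            const char *q = p;
            while (q < end && !isspace((unsigned char)*q)) q++;
            size_t ulen = (size_t)(q - p);
            if (ulen == 0) return MAP_NONE;          /* malformed: no username */

            if (p[0] == '.') {                       /* "." or ".subpool" */
                if (ulen - 1 >= outlen) return MAP_NONE;
                memcpy(out, p + 1, ulen - 1);
                out[ulen - 1] = '\0';
                return MAP_POOL;
            }
            if (ulen >= outlen) return MAP_NONE;
            memcpy(out, p, ulen);
            out[ulen] = '\0';
            return MAP_STATIC;
        }
        line = next;
    }
    return MAP_NONE;                                 /* not authorised */
}

int main(void)
{
    char user[64];
    const char *subj = "/C=UK/O=eScience/OU=RAL/CN=BaBar User 1";
    enum map_kind k = gridmap_lookup(SAMPLE_GRIDMAP, subj, user, sizeof user);
    if (k == MAP_POOL)
        printf("%s -> pool account with prefix \"%s\"\n", subj, user);
    else if (k == MAP_STATIC)
        printf("%s -> %s\n", subj, user);
    else
        printf("%s -> not in grid-mapfile\n", subj);
    return 0;
}
```

The exact-match test on the quoted subject matters: a subject that is merely a prefix of a listed one (or a listed subject with trailing characters) must not be authorised, which is why the closing quote is checked at the expected position rather than relying on a substring search.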

Single execution account
- Auditability problems - who actually did this?
- What if one job script assumes it owns $HOME?
- What if we want access to remote AFS or Grid resources, especially write access?

Dynamic pool of accounts?
- Sysadmin creates a pool of normal Unix accounts, with names like gpool001, gpool002, gpool003, …
- They can use their normal tools to do this, create quotas, Unix group(s) etc.
- Temporarily lease accounts when presented with a certificate whose subject is in our grid-mapfile
- Expire the lease “when they are finished” (defined locally)

Security and auditability
- Authentication: still have to provide a valid certificate, signed by a CA the local site trusts
- Authorisation: certificate subjects must still be listed in the local grid-mapfile to get access
- Auditability: mappings of subjects to local Unix usernames are logged already, so can still tell “who” a particular pool account was

gridmapdir Patch to Globus
- All subject->username mapping already done by functions in Security/gss-assist/gridmap.c
- Patch these to map subjects to pool users if their “username” in grid-mapfile is like “.” or “.subpool”
- Five new functions in gridmap.c implement leasing (lease database consists of links in the filesystem.)
- Subpools with privileges, quotas etc are possible: e.g. “.bbr” will only be mapped to bbr001, bbr002, ...

Lease expiration
- To reuse pool accounts, lease must be terminated somehow - but mechanics very site dependent
- Probably easiest to run a script from cron to expire leases:
- Either based on an expiration time (if you can guarantee the job will be finished by that time)
- Or by job completion flagging the lease as not needed (eg via PBS prologue / epilogue scripts)
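The three preceding slides (dynamic pool, gridmapdir patch, lease expiration) describe a lease database made of links in the filesystem. The block below is an added example, not the Globus patch itself, of one way such a database can work: a directory holds one empty file per pool account, leasing an account to a certificate subject means creating a hard link to that file named after the encoded subject, an account is free while its link count is 1, and expiring a lease (what the cron or PBS epilogue script would do) is simply removing the subject's link. The directory layout, the subject encoding, the assumption that pool account names never contain '%' while encoded subjects always do (every DN starts with '/'), and all function names are assumptions for this illustration.

```c
/* Added example: pool-account leasing through hard links (constructed
 * scheme, not Globus code). Pool account files have no '%' in their name;
 * subject links always do, because '/' is encoded as %2f. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dirent.h>
#include <unistd.h>
#include <sys/stat.h>

/* Encode a subject as a filename: alphanumerics kept, anything else %XX. */
static void encode_subject(const char *subject, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *subject && n + 4 < outlen; subject++) {
        unsigned char c = (unsigned char)*subject;
        if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'))
            out[n++] = (char)c;
        else
            n += (size_t)sprintf(out + n, "%%%02x", c);
    }
    out[n] = '\0';
}

/* If the subject's link exists, find the pool account sharing its inode. */
static int find_lease(const char *dir, const char *enc, char *user, size_t ulen)
{
    char path[512];
    struct stat lease, entry;
    struct dirent *de;
    int found = 0;
    snprintf(path, sizeof path, "%s/%s", dir, enc);
    if (stat(path, &lease) != 0) return 0;              /* subject holds no lease */
    DIR *d = opendir(dir);
    if (!d) return 0;
    while (!found && (de = readdir(d)) != NULL) {
        if (de->d_name[0] == '.' || strchr(de->d_name, '%')) continue;
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        if (stat(path, &entry) == 0 && entry.st_ino == lease.st_ino) {
            snprintf(user, ulen, "%s", de->d_name);
            found = 1;
        }
    }
    closedir(d);
    return found;
}

/* Lease an account whose name starts with prefix ("" = whole pool) to
 * subject, reusing an existing lease. Returns 1 and fills user on success. */
int gridmapdir_lease(const char *dir, const char *subject, const char *prefix,
                     char *user, size_t ulen)
{
    char enc[256], path[512], target[512];
    struct dirent *de;
    struct stat st;
    int ok = 0;
    encode_subject(subject, enc, sizeof enc);
    if (find_lease(dir, enc, user, ulen)) return 1;
    DIR *d = opendir(dir);
    if (!d) return 0;
    snprintf(target, sizeof target, "%s/%s", dir, enc);
    while (!ok && (de = readdir(d)) != NULL) {
        if (de->d_name[0] == '.' || strchr(de->d_name, '%')) continue;
        if (strncmp(de->d_name, prefix, strlen(prefix)) != 0) continue;
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        if (stat(path, &st) != 0 || st.st_nlink != 1) continue;  /* already leased */
        if (link(path, target) != 0) continue;
        /* Two daemons may both have seen nlink == 1; only the one whose link
         * brought the count to exactly 2 keeps the account, the other retries. */
        if (stat(path, &st) == 0 && st.st_nlink == 2) {
            snprintf(user, ulen, "%s", de->d_name);
            ok = 1;
        } else {
            unlink(target);
        }
    }
    closedir(d);
    return ok;
}

/* Expire a lease: removing the subject's link returns the account to nlink 1. */
int gridmapdir_expire(const char *dir, const char *subject)
{
    char enc[256], path[512];
    encode_subject(subject, enc, sizeof enc);
    snprintf(path, sizeof path, "%s/%s", dir, enc);
    return unlink(path) == 0;
}

/* Create a throwaway gridmapdir holding count empty files named prefixNNN. */
int make_pool(const char *dir, const char *prefix, int count)
{
    char path[512];
    if (mkdir(dir, 0700) != 0) return 0;
    for (int i = 1; i <= count; i++) {
        snprintf(path, sizeof path, "%s/%s%03d", dir, prefix, i);
        FILE *f = fopen(path, "w");
        if (!f) return 0;
        fclose(f);
    }
    return 1;
}

int main(void)
{
    char dir[64], user[64];
    snprintf(dir, sizeof dir, "/tmp/gridmapdir-demo-%ld", (long)getpid());
    if (!make_pool(dir, "bbr", 2)) return 1;
    if (gridmapdir_lease(dir, "/C=UK/O=eScience/CN=Dr A", "bbr", user, sizeof user))
        printf("leased %s\n", user);
    gridmapdir_expire(dir, "/C=UK/O=eScience/CN=Dr A");
    return 0;
}
```

Because the lease is a directory entry rather than a record in a separate database, the audit trail the earlier slide relies on is preserved by the filesystem itself: listing the directory shows which subject currently holds which account, and a lease can be expired from cron with nothing more than unlink on the subject's link.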

Making grid-mapfile
- Already proposals from INFN and UK about composing grid-mapfiles based on information published by LDAP.
- Possible to make a very simple system for Babar in the short term.
- If this is done, then we have all the components needed to avoid manual intervention by all sysadmins every time a new user joins the Grid.

AFS and Grid authentication
- How to interface with the existing AFS (kerberos) structure used by SLAC and RAL, with new Grid security infrastructure?
- Mechanism using ssl -> k5 -> AFS/k4 exists
- Simpler solution now from ANL, with new gsiklog command and gsiklogd daemon

gsiklog
- Have gsiklogd running on AFS authentication server machine.
- User runs gsiklog client which contacts gsiklogd and authenticates using Grid (proxy) certificate.
- gsiklogd makes an AFS token and returns it to gsiklog.
- AFS password not involved at any stage.
- This means I can get AFS access for a batch job at a remote farm purely on the basis of Grid credentials.

Limiting authorisation
- Currently no mechanism in Globus for limiting what a Globus initiated job can do.
- We can make pool accounts with restricted quotas, in Unix groups with limited access to local resources.
- Ideally want to run farms as isolated, simplified environments, with things like user cron jobs turned off, and some form of governor killing rogue processes.
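One concrete form of the "governor" this slide asks for, added here as an example rather than anything from the talk or from Globus, is a small wrapper that caps a job's CPU time, address space and process count with setrlimit() before exec'ing it in the pool account, so the kernel kills a runaway process instead of leaving it to exhaust the farm node. The limit values, the struct and function names and the command-line convention are constructed for this illustration.

```c
/* Added example: per-job resource governor via setrlimit() (constructed
 * wrapper, not part of Globus). Usage: governor <command> [args...] */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>

struct job_limits {
    rlim_t cpu_seconds;   /* RLIMIT_CPU: SIGXCPU, then SIGKILL, when exceeded */
    rlim_t addr_bytes;    /* RLIMIT_AS: allocations fail beyond this size */
    rlim_t nproc;         /* RLIMIT_NPROC: caps processes per pool account */
};

/* Lower one soft limit, never above the hard limit (a non-root pool account
 * could not raise the hard limit anyway). Returns the soft limit actually in
 * force, or RLIM_INFINITY if the limit could not be read or set. */
static rlim_t cap_soft_limit(int resource, rlim_t wanted)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return RLIM_INFINITY;
    if (rl.rlim_max != RLIM_INFINITY && wanted > rl.rlim_max) wanted = rl.rlim_max;
    rl.rlim_cur = wanted;
    if (setrlimit(resource, &rl) != 0) return RLIM_INFINITY;
    return rl.rlim_cur;
}

/* Apply all three caps and report what is now in force for the job. */
struct job_limits apply_job_limits(struct job_limits want)
{
    struct job_limits got;
    got.cpu_seconds = cap_soft_limit(RLIMIT_CPU, want.cpu_seconds);
    got.addr_bytes  = cap_soft_limit(RLIMIT_AS, want.addr_bytes);
    got.nproc       = cap_soft_limit(RLIMIT_NPROC, want.nproc);
    return got;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    /* Constructed site policy: one hour of CPU, 2 GiB address space, 64 processes. */
    struct job_limits want = { 3600, (rlim_t)2 << 30, 64 };
    struct job_limits got = apply_job_limits(want);
    fprintf(stderr, "governor: cpu=%llus as=%llu bytes nproc=%llu\n",
            (unsigned long long)got.cpu_seconds, (unsigned long long)got.addr_bytes,
            (unsigned long long)got.nproc);
    execvp(argv[1], argv + 1);      /* limits are inherited across exec */
    perror("execvp");
    return 127;
}
```

The limits survive exec and fork, so everything the job script starts is covered; combined with the quotas and restricted Unix groups mentioned on the slide, this gives the pool account a bounded footprint without any change to Globus itself.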

Input and output
- Job “parameter” files (config, scripts, binaries) included in job or fetched via https or accessed via AFS, …?
- Data files from local system (NFS, http, https, rootd?)
- Execution log file returned by ?
- Detailed log files and output data files returned via AFS, https / GASS, rootd?

Data access protocols
- NFS - ok for LAN, not WAN optimised, R/W but not secure, esp for W.
- AFS - ok for LAN or WAN, secure R/W, on-host caching, gsiklog works, no good for streaming data.
- Normal http (eg Apache) - little or no authorisation (mainly host based), optimised for bursts on the WAN. Very solid. TWebFile exists for ROOT.
- GASS https - Grid specific, secure, R/W.

Data access protocols cont.
- rootd - native support within ROOT, secure, plans to add GSI authentication / authorisation and use parallel streams etc (possibly on top of GridFTP?)
- GridFTP - aims to become the data transfer Swiss Army Knife: secure R/W, auto-optimising (window sizes etc), parallel streams. Exists in alpha form at the moment. Will be added to future Globus releases.
- GridFTP the protocol to put long term effort into?

Summary
- Babar UK has a clear and pressing need for what is being provided by the Grid.
- Tools to “publish” authorisation list from central source exist.
- Dynamic accounts possible via gridmapdir patch.
- AFS can now be made Grid-friendly.
- Several other protocols available for moving data.
- Babar PC farms are an excellent environment for early deployment and evaluation of Grid tools.