Presentation is loading. Please wait.

Presentation is loading. Please wait.

Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.

Published byAdrien Algood Modified over 9 years ago

Similar presentations

Presentation on theme: "Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and."— Presentation transcript:

1 Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and Resource Broker What about non-Testbed machines / experiments?

2 Andrew McNab - Manchester HEP - 31 January 2002 Integration Team ~20 people drawn from EDG middleware WP’s and WP6. Intensive integration period at CERN during October –had to have another one in December! Testbed farm of ~20 machines at CERN Presentations at CERN on 29th October for sysadmins / local experts –see these talks for technical details: http://marianne.in2p3.fr/ Everything taking longer than planned –rollout ongoing (currently CERN, CNAF, Manchester, RAL, Lyon, NIKHEF,...) but TB1 still a moving target Don’t expect your local sysadmin to be able to do an “off the shelf” installation yet.

3 Andrew McNab - Manchester HEP - 31 January 2002 UK Deployment Start with UK WP6 people (+ other experts) Use tb-support@jiscmail.ac.uk mailing list http://www.gridpp.ac.uk/tb-support/ has: –mailing list information –recipe for installing ~1.0 release (ie last week’s) of Computing Element, Storage Element, User Interface machine and Worker Node. –in principle, 1.1 released today Once have some WP6 sites up, then encourage more sites to test installation procedure, docs etc.

4 Andrew McNab - Manchester HEP - 31 January 2002

5 Authorisation a.k.a “how do I maintain the grid-mapfile list of certificate names and local user names?” WP6 provides a standard way of publishing lists of certificate names via an LDAP server, and selecting subsets based on group or “Virtual Organisation” (eg experiment) affiliation. gridmapdir patch to Globus provides dynamic user account allocation from a pool. Each experiment needs to maintain a “VO Server” and populate it with the DNs of their members –For LHC experiments, the VO’s are at NIKHEF.

6 Andrew McNab - Manchester HEP - 31 January 2002 GIIS and Resource Broker a.k.a “how do I get on the list of sites and receive jobs?” GRIS - local LDAP server on, say, a Computing Element (= site gateway) GIIS - indexing LDAP server, which receives information from GRIS’s Currently use Resource Broker at CERN - it uses local GIIS to get list of TB1 sites For sites to receive jobs, they need to be registered with the GIIS used by the users’ RB. Experiments (or even sites?) might want their own RB since easily overloaded in current architecture.

7 Andrew McNab - Manchester HEP - 31 January 2002 Non-Testbed1 machines / expts “Being part of Testbed 1” involves committing to using the right version of RedHat (6.2), the grid software and some extra packages. But, all of this work has been done in a modular way –some dependencies between modules, but interfaces are spelt out. Should be possible to install some or all of TB1 software on existing farms without matching participation requirements exactly. Would also be possible to use strictly compliant front end machines along with differently configured back end nodes.

8 Andrew McNab - Manchester HEP - 31 January 2002 Summary TB1 being rolled-out Basic job submission, brokerage etc working Ready to deploy 1.0 (and imminent 1.1) in UK Experiments need to set up VO structures Non-LHC experiments should be able to use TB1 components

9 Andrew McNab - Manchester HEP - 31 January 2002 Grid/Web integration Common use of SSL Importing certificates into browsers GridSite as an example application Limits to delegation Possible solutions Merging Grid / Web / Filesystems

10 Andrew McNab - Manchester HEP - 31 January 2002 Common use of SSL (“TLS”) https URLs based on X509 certificates and SSL protocol –eg https://secure.amazon.co.uk/ Globus’s security infrastructure (GSI) based on X509 too –eg the user and host certificates from the UK HEP CA Host certificates (hostkey.pem / hostcert.pem) can be used directly as Apache mod_ssl credentials. Using openssl, you can easily change a PEM key / cert pair into the pkcs#12 file format used by web browsers. This works in all https-aware versions of Netscape and IE.

11 Andrew McNab - Manchester HEP - 31 January 2002 What does SSL buy you? Server has host certificate, so the browser can verify the server is genuine, and not someone impersonating it or doing a man in the-middle-attack. If browser has a user certificate, the user can prove who they are. –So the server can implement access control, logging etc. –Since the certificate DNs are also used in Grid applications, can share information, authorisation etc between the two. All transfers are encrypted. (Downside is that transfers are slower and impose more computational burden on the web server.)

12 Andrew McNab - Manchester HEP - 31 January 2002 What you need to do? Get a host certificate for the web server from a CA your users will trust (eg a TB1 CA: UK HEP CA, CERN, ….) Make sure your users have certificates from a CA you trust. Maintain a users database, including their DNs, to specify authorisation levels. –group users and specify access according to those groups? Providing simple administration tools will make things much less painful for you as number of users ramps up. (If you already have a VO authorisation server, might be able to automate a lot of this…)

13 Andrew McNab - Manchester HEP - 31 January 2002 Example: GridSite Written for http(s)://www.gridpp.ac.uk/ –also used for WP6/TB1 site: http(s)://marianne.in2p3.fr/ Maintains a database of users and groups –can be administered using a normal web browser Read and write access to directories controlled by ACLs –use same format as SlashGrid filesystem framework Since web browsers’ https and Globus GSI are both based on X509 certificates, can reuse the UK HEP CA user certificates in WWW context. Since have strong user authentification, can allow write access through a web browser.

14 Andrew McNab - Manchester HEP - 31 January 2002 GridSite: more information GridSite homepage at http://www.gridpp.ac.uk/gridsite/ Mailing lists gridsite-announce and gridsite-discuss at jiscmail Software covered by GPL Open Source License –so you are welcome to use it, modify it, distribute modified copies –but we all share the benefit of anything you distribute Intending to go from monolithic source to LGPL library + minimal main() This will make it easier to reuse GridSite in other Grid / Web applications, portals etc.

15 Andrew McNab - Manchester HEP - 31 January 2002 Delegation One commonly cited web/grid integration is Job Submission Portal. But (lack of) delegation complicates this. X509 relies on having a private key and public certificate –Web browser has access to both However, this only proves to the web server that we are genuine. The web server does not have a way to then prove this to another server (eg a gatekeeper) on our behalf. Globus gets round this by forwarding temporary proxies signed by private key, but web browsers do not do this.

16 Andrew McNab - Manchester HEP - 31 January 2002 Delegation: possible solutions Need to have a private key trusted by destination servers, which we can use if we authenticate with the web server. This could be a personal key we have deposited with web server. Or the server may make requests using its own key on our behalf. New solution from Globus: Community Authorisation Server. This intended for non-Web contexts, but may provide a convenient solution here too. –Combine web server and CAS: requests authorised on the basis of authorisation objects/symbols granted by CAS.

17 Andrew McNab - Manchester HEP - 31 January 2002 Merging Grid/Web/Filesystems Globus GASS library provides read and write access to remote files using https –so already possible to use https web servers like GridSite as file servers within Grid applications –can access them via normal web browser as described above Work now starting to provide distributed filesystems using Grid protocols –SlashGrid framework ( http://www.gridpp.ac.uk/slashgrid/ ) –map files on remote servers to local filenames, with caching: https://www.gridpp.ac.uk/file.txt => /grid/https/www.gridpp.ac.uk/file.txt

18 Andrew McNab - Manchester HEP - 31 January 2002 Summary X509 security protocols common to Web and Grid Possible to use existing Grid certificates in a Web context GridSite is an Open Source demonstration of this –will provide a toolbox for people building Grid/Web applications Delegation of credentials to allow access to “third party” sites an issue –but solutions are possible More Web / Grid / Filesystem integration in the pipeline

Download ppt "Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and."

Similar presentations

Andrew McNab - Manchester HEP - 15 February 2002 Testbed Release in the UK EDG Testbed 1 GridPP sources of information GridPP VO GIIS and Resource Broker.

Andrew McNab - Manchester HEP - 15 February 2002 Testbed Release in the UK EDG Testbed 1 GridPP sources of information GridPP VO GIIS and Resource Broker.
30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.
Security middleware Andrew McNab University of Manchester.

Security middleware Andrew McNab University of Manchester.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
DataGrid is a project funded by the European Union CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,

DataGrid is a project funded by the European Union CHEP 2003 – March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,
Andrew McNab - Manchester HEP - 10 May 2002 UK Testbed Deployment Aim of this talk is to the answer the questions: –What are other sites doing? –What are.

Andrew McNab - Manchester HEP - 10 May 2002 UK Testbed Deployment Aim of this talk is to the answer the questions: –What are other sites doing? –What are.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
Andrew McNabTestbed / HTTPS, GridPP6, 30 Jan 2003Slide 1 UK Testbed Status Andrew McNab High Energy Physics University of Manchester.

Andrew McNabTestbed / HTTPS, GridPP6, 30 Jan 2003Slide 1 UK Testbed Status Andrew McNab High Energy Physics University of Manchester.
Andrew McNab - Manchester HEP - 17 September 2002 Putting Existing Farms on the Testbed Manchester DZero/Atlas and BaBar farms are available via the Testbed.

Andrew McNab - Manchester HEP - 17 September 2002 Putting Existing Farms on the Testbed Manchester DZero/Atlas and BaBar farms are available via the Testbed.
Partner Logo UK GridPP Testbed Rollout John Gordon GridPP 3rd Collaboration Meeting Cambridge 15th February 2002.

Partner Logo UK GridPP Testbed Rollout John Gordon GridPP 3rd Collaboration Meeting Cambridge 15th February 2002.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 24 May 2001 WorkGroup H: Software Support Both middleware and application support Installation tools and expertise Communication.

Andrew McNab - Manchester HEP - 24 May 2001 WorkGroup H: Software Support Both middleware and application support Installation tools and expertise Communication.
The National Grid Service and OGSA-DAI Mike Mineter

The National Grid Service and OGSA-DAI Mike Mineter
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.

Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Similar presentations

Ads by Google