INFSO-RI Enabling Grids for E-sciencE Ákos Frohner, Ricardo Brito Da Rocha (CERN) EGEE Delegation 1.1

Enabling Grids for E-sciencE INFSO-RI Overview 1.1 interface improvements typical use cases storage back-ends: – file system (flat and structured storage) and – database implementations: – Java: gLite delegation-service – C: gridsite services using the components: WMS and FTS Checklist: any other components using the storage directly?

Enabling Grids for E-sciencE INFSO-RI Interface string getProxyReq(string delegationID) throws DelegationException; putProxy(string delegationID, string proxy) throws DelegationException; { string proxyRequest ; string delegationID ; } getNewProxyReq() throws DelegationException; string renewProxyReq(string delegationID) throws DelegationException; dateTime getTerminationTime(string delegationID) throws DelegationException; destroy(string delegationID) throws DelegationException;

Enabling Grids for E-sciencE INFSO-RI use case: new delegation The typical usage scenario for a client is the following: The client calls getNewProxyReq() and receives a new (generated by the server) delegation ID and a proxy certificate request. The private key, associated with the certificate request stays on the server. The client signs the proxy certificate request using the client's private key, associated with the client's certificate. The client uploads the signed proxy certificate using putProxy to the delegation service.

Enabling Grids for E-sciencE INFSO-RI use case: renewal If the client's activities, which require the delegated credentials, last longer than expected, then the client can renew them: The client calls renewProxyReq() using the existing delegation ID, and receives a new proxy certificate request. The private key, associated with the certificate request stays on the server. The client signs the proxy certificate request using the client's private key, associated with the client's certificate. The client uploads the signed proxy certificate using putProxy to the delegation service.

Enabling Grids for E-sciencE INFSO-RI use case: terminate The client may terminate its remote activities by destroying the delegated credentials: The client calls getTerminationTime() using a delegation ID, to check if there is any delegated credential on the server. If there is, the response is its expiration date and time. If there are not expired delegated credentials, then the client calls destroy() using the delegation ID. The delegation service will destroy the credentials on the server.

Enabling Grids for E-sciencE INFSO-RI Storage: File System Structured Storage – proxies stored according to the user DN and delegation id – good for finding proxies in storage by checking only the directory tree  Proxy Storage / / /usercert.pem / / /userkey.pem / / /voms.attributes  Proxy Storage Cache /cache/ / /userreq.pem /cache/ / /userkey.pem /cache/ / /voms.attributes – similar solution mentioned by the italian cluster (optimized?) Flat Storage – all proxies in a single directory – option for software currently looking for proxies in /tmp/...

Enabling Grids for E-sciencE INFSO-RI Storage: DB CREATE TABLE t_credential_cache ( dlg_idVARCHAR(100), dnVARCHAR(255), cert_requestTEXT NOT NULL, priv_keyTEXT NOT NULL, voms_attrsTEXT, PRIMARY KEY (dlg_id, dn) ); CREATE TABLE t_credential ( dlg_idVARCHAR(100), dnVARCHAR(255), certificateTEXT NOT NULL, priv_keyTEXT NOT NULL, voms_attrsTEXT, PRIMARY KEY (dlg_id, dn) );

Enabling Grids for E-sciencE INFSO-RI Conclusion On the TODO list: client integration Globus functionality cross-check components using the storage? – FTS agents (in development – DB back-end) – proxy renewal service? gridsite implementation When will it be in gLite release?