jAliEn client development

Slides:



Advertisements
Similar presentations
Detecting Bugs Using Assertions Ben Scribner. Defining the Problem  Bugs exist  Unexpected errors happen Hardware failures Loss of data Data may exist.
Advertisements

1 CHEP 2000, Roberto Barbera Roberto Barbera (*) Grid monitoring with NAGIOS WP3-INFN Meeting, Naples, (*) Work in collaboration with.
A responsibility based model EDG CA Managers Meeting June 13, 2003.
Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Remote User Authentication. Module Objectives By the end of this module participants will be able to: Describe the methods available for authenticating.
Reproducible Environment for Scientific Applications (Lab session) Tak-Lon (Stephen) Wu.
Senior Technical Writer
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
© 2012 IBM Corporation Tivoli Workload Automation Informatica Power Center.
Summary of issues and questions raised. FTS workshop for experiment integrators Summary of use  Generally positive response on current state!  Now the.
Session 11: Security with ASP.NET
Checking Network/Port Connectivity using Kaseya Agent Procedures Developed By: Emmanuel Giboyeaux Advisor : Dr. S. Masoud Sadjadi School of Computing and.
WaveMaker Visual AJAX Studio 4.0 Training Authentication.
Alice off-line meeting Alberto Colla Cern, October 3, 2005 AliEn How-To Alice off-line meeting Cern, October 3, 2005 Alberto Colla (Alice off-line Calibration.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Wenjing Wu Andrej Filipčič David Cameron Eric Lancon Claire Adam Bourdarios & others.
TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,
Condor Project Computer Sciences Department University of Wisconsin-Madison Condor-G Operations.
Dr. Mustafa Cem Kasapbaşı Security in ASP.NET. Determining Security Requirements Restricted File Types.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
CS795.Net Impersonation… why & How? Presented by: Vijay Reddy Mara.
Securing Sensitive Information Data Security Dashboards often contain the most important data in the company Securing that information makes business.
2/26/021 Pegasus Security Architecture Author: Nag Boranna Hewlett-Packard Company.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Direct gLExec integration with PanDA Fernando H. Barreiro Megino CERN IT-ES-VOS.
FTP Server API Implementing the FTP Server Registering FTP Command Callbacks Data and Control Port Close Callbacks Other Server Calls.
1 Chapter Overview Defining Operators Creating Jobs Configuring Alerts Creating a Database Maintenance Plan Creating Multiserver Jobs.
OSG AuthZ components Dane Skow Gabriele Carcassi.
Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Access control 2/18/2009. TOMCAT Security Model Declarative Security:  the expression of application security external to the application, and it allows.
Impersonation Bharat Kadia CS-795. What is Impersonation ? Dictionary-: To assume the character or appearance of someone ASP.NET-: Impersonation is the.
ICM – API Server & Forms Gary Ratcliffe.
Database authentication in CORAL and COOL Database authentication in CORAL and COOL Giacomo Govi Giacomo Govi CERN IT/PSS CERN IT/PSS On behalf of the.
1 © 2013 Cisco and/or its affiliates. All rights reserved. Tidal Enterprise Orchestrator Cisco Service Portal Adapter Training October, 2012.
JAliEn Java AliEn middleware A. Grigoras, C. Grigoras, M. Pedreira P Saiz, S. Schreiner ALICE Offline Week – June 2013.
GRID Security & DIRAC A. Casajus R. Graciani A. Tsaregorodtsev.
ECHO A System Monitoring and Management Tool Yitao Duan and Dawey Huang.
SSH/SSL Attacks not on tests, just for fun. SSH/SSL Should Be Secure Cryptographic operations are secure SSL uses certificates to authenticate servers.
Open Science Grid Build a Grid Session Siddhartha E.S University of Florida.
+ AliEn status report Miguel Martinez Pedreira. + Touching the APIs Bug found, not sending site info from ROOT to central side was causing the sites to.
Core and Framework DIRAC Workshop October Marseille.
Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.
Jean-Philippe Baud, IT-GD, CERN November 2007
ASP.NET Programming with C# and SQL Server First Edition
Department of Computer Engineering
Manuel Brugnoli, Elisa Heymann UAB
Single Sign-On Led by Terrice McClain, Jen Paulin, & Leighton Wingerd
Module Overview Installing and Configuring a Network Policy Server
Authentication & .htaccess
Information Security Professionals
CMS Central Version 1.0 Made by Eden Sun Jan 2010.
LCGAA nightlies infrastructure
CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.
Deploying and Configuring SSIS Packages
SSSD and OpenSSH Integration
Senior Software Engineering Student Robertas Sys
Discussions on group meeting
Solving ETL Bottlenecks with SSIS Scale Out
IIS.
DUCKS – Distributed User-mode Chirp-Knowledgeable Server
The New Virtual Organization Membership Service (VOMS)
Privilege Separation in Condor
Lecture 2 - SQL Injection
X-Road as a Platform to Exchange MyData
Certificates Usage and Simple Job Submission
Global Catalog and Flexible Single Master Operations (FSMO) Roles
Overview Multimedia: The Role of WINS in the Network Infrastructure
Presentation transcript:

jAliEn client development

What is jAliEn client? JCentral JSh

Introducing tokens Central services User machine 1 JCentral 2 Catalogue TQ Transfers LDAP 2 Client 3 4 1. Initial connect with usercert 2. Get token 3. New connection with token (valid for 2 days) 4. Renew manually with token command

Long living authentication agent on the user machine (JBox) Central services User machine JCentral 1 3 Catalogue TQ Transfers LDAP Client JBox 2 4 1. Initial connect with usercert 2. Get token 3. Client always uses token 4. Renew automatically every 2 hours

Defining priorities for certificates If $JALIEN_TOKEN is set, use token Client cert from $X509_USER_CERT or $homedir/.globus/usercert.pem Host cert from $homedir/.globus/hostcert.pem Token from $homedir/.globus/tokencert.pem (locations can be configured in config.properties)

Switching users gGrid->Command("token -u tutor"); AlienPrincipal String username = “vyurchen“; String defaultUser = “vyurchen“; Set<String> roles = [“vyurchen“, “tutor“, “...“]; AlienPrincipal String username = “tutor“; String defaultUser = “vyurchen“; Set<String> roles = = [“tutor“]; canBecome(final String role) Account for 0 (/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=vyurchen/CN=758460/CN=Volodymyr Yurchenko) is: [vyurchen] Successfully switched user from '[vyurchen]' to '[tutor]'.

New capabilities mkdir as tutor successful for "/alice/cern.ch/user/t/tutor/testtoken" mkdir as tutor fails for "/alice/cern.ch/user/v/vyurchen/noprivileges"

Relying on certificate Allows to check client‘s certificate again in critical points Old AlienPrincipal String username = “vyurchen“; String defaultUser = “vyurchen“; Set<String> roles = [“vyurchen“, “tutor“, “...“]; New AlienPrincipal String username = “vyurchen“; String defaultUser = “vyurchen“; Set<String> roles = [“vyurchen“, “tutor“, “...“]; X509Certificate[] usercert;

Extract information from DN // Assuming we have user or job token, parse role to switch identity to that user // /C=ch/O=AliEn/CN=Job/CN=username/OU=role/OU=extension // ^ ^ jobID ... // if OU present in DN try to extract role p = getByRole(dn.substring(roleOU + 4, jobOU)); // if second OU is present in DN p.setJob(Long.valueOf(dn.substring(jobOU + 4))); // if getByUsername or getByRole found credentials p.setDefaultUser(dn.substring(nameCN + 4, roleOU));

Updated AlienPrincipal Class Provides a new ability to uniformly interact with central services and isolate jobs and services from executing other commands than what the respective context allows New AlienPrincipal String username = “vyurchen“; String defaultUser = “vyurchen“; Set<String> roles = [“vyurchen“, “tutor“, “...“]; X509Certificate[] usercert; Newer AlienPrincipal String username = “vyurchen“; String defaultUser = “vyurchen“; Set<String> roles = [“vyurchen“, “tutor“, “...“]; X509Certificate[] usercert; Long jobID = null; boolean jobAgentFlag = false;

Killing zombies Server disconnects clients with uptime > 2 days, forcing them to reconnect if needed and revalidate the tokens TODO: discover idle clients Clean up connections basing on lastUpdateTime + make it configurable Use monitoring class to build charts and investigate the best interval for cleaning idle connections

Reconnecting root [5] gGrid->Ls("/alice/cern.ch/user/v/vyurchen"); Error in <TJAlien::Command>: Connection is broken, retrying... Info in <TJAlien::TJAlien>: Connecting to JBox: host=127.0.0.1, port=8097, user=vyurchen, cert=/home/yuw/.globus/tokencert.pem, key=/home/yuw/.globus/tokenkey.pem Info in <TJAlien::Ls>: Ls command successful

Bug fixes Authorization bug with Request Dispatcher (allowed clients to execute request on behalf of alienmaster user) Initializing db variables not in central service (slowed down the process of executing certain commands)

Authorization Bug Tomcat Dispatch DispatchSSLServer SSLClient Dispatcher Dispatch SSLClient DispatchSSLServer Client Tomcat Dispatcher Client

Polishing the code Put neutral notification in logs when client disconnects (instead of exception stacktraces) Remove unused variables Correctly close websocket session

Commands ls: send all information (“-la“) to ROOT clients Add extra check if lfn exists to the cp command Pass correct fields to ROOT in the submit command Pass correct fields to ROOT in the rmdir command Implement rm command Implement file open/write commands

File operations Full read and write from ROOT working root [1] TFile* myfile = Tfile::Open("alien:///alice/sim/2017/LHC17j8c/245353/001/a od_archive.zip#AliAOD.root"); root [2] TFile::Cp("alien:///alice/cern.ch/user/v/vyurchen/test.root", "alien:///alice/cern.ch/user/v/vyurchen/plain.root"); [TFile::Cp] Total 0.00 MB |====================| 100.00 % [0.5 MB/s]

Next steps Implement writing files to specific SE Register TJAlien ROOT plugin in AliBuild system Try ROOT6 Custom SSL checks for proxy files(?) Smart detection of idle connections Refactor code to create uniform PrintWriter Rewrite JShell to use websockets

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.