Rucio & objectstores James Perry.

Rationale
- Cloud-style objectstores are becoming increasingly popular for data storage: Amazon S3, OpenStack Swift, Google Cloud Platform.
- Existing Rucio support for objectstores had limitations:
  - AWS S3 support required clients to store the objectstore credentials.
  - OpenStack Swift was not properly supported at all.
  - Google Cloud Platform: URL signing support was included in Rucio core, but only used for downloads.
  - The code was untidy, with hacks, pseudo-protocols, special casing, etc.

S3 download in Rucio (old method): diagram. The client holds the objectstore credentials itself, presents them to the objectstore and receives the data file.

Signed URLs
- Objectstores support signed URLs (TempURLs in Swift).
- The URL, the operation (GET, PUT or DELETE) and an expiry time are cryptographically signed with a secret key.
- The server checks the URL signature and enforces the operation and time restrictions.
- Signed URLs can be generated offline (at least in Swift and in the newest version of S3).
- Instead of giving objectstore credentials to clients, keep them on the Rucio server and have the server generate signed URLs for the clients.

Upload and download: completed
- Added URL signing for S3 and Swift to Rucio core, alongside the existing GCP implementation.
- Downloads worked immediately: Rucio already signs the URLs returned by list_replicas when required.
- Added support for uploading to signed URLs.
  - Required a new Rucio API endpoint to get a signed URL for a file that does not yet exist.
  - More complicated than downloads because, for example, checksums and existence checks cannot be performed on a signed PUT URL.

S3 download in Rucio (new method): diagram. The client sends a request to the Rucio server; the server, which holds the objectstore credentials, returns a signed URL; the client presents the signed URL to the objectstore and receives the data file.

Deletion: completed
- The URL signing code already added to core supported the DELETE operation.
- Added a call to sign the URL when required to Rucio's reaper daemon.
- A bug in the underlying GFAL2 library prevented this from working: it performed a stat on the URL, which is not allowed on a URL signed for DELETE operations.
- Fixed in GFAL 2.16.2.
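The signing and checking scheme from the Signed URLs slide, the PUT case from the upload slide, and the method restriction that made the reaper's stat fail, as an added worked example. This is not Rucio, Swift or GFAL2 code; it is a signer and a server-side verifier modelled on the Swift TempURL construction (HMAC-SHA1 over method, expiry time and object path, carried in temp_url_sig / temp_url_expires). The key, host and object path are constructed for the example, and the rule that a HEAD (stat) is honoured on GET- and PUT-signed URLs but not on DELETE-signed ones is an assumption used to model the failure described above, not a statement about any particular objectstore's behaviour.

```python
"""Signed-URL issue and check, modelled on the OpenStack Swift TempURL scheme.

Added example, not Rucio or Swift code. The signature is HMAC-SHA1 over
"METHOD\nEXPIRES\nPATH" and travels in the temp_url_sig / temp_url_expires
query parameters; key, host and object path below are constructed.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret. In the new Rucio flow this stays on the Rucio server
# (or in FTS for third-party copies); clients only ever see signed URLs.
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"
SIGNABLE_METHODS = ("GET", "PUT", "DELETE")


def _signature(method: str, expires: int, path: str, key: bytes) -> str:
    """HMAC over the three things the URL is allowed to do: op, deadline, object."""
    msg = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def sign_url(base_url: str, path: str, method: str, expires: int,
             key: bytes = SECRET_KEY) -> str:
    """Server side (Rucio): mint a URL valid for one method on one object until `expires`."""
    if method not in SIGNABLE_METHODS:
        raise ValueError(f"cannot sign for method {method!r}")
    query = urlencode({"temp_url_sig": _signature(method, expires, path, key),
                       "temp_url_expires": str(expires)})
    return f"{base_url}{path}?{query}"


def verify_request(url: str, method: str, now: int,
                   key: bytes = SECRET_KEY) -> tuple[bool, str]:
    """Objectstore side: accept only if signature, method and time all check out."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        sig = qs["temp_url_sig"][0]
        expires = int(qs["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False, "missing or malformed temp_url parameters"
    if now >= expires:
        return False, "expired"
    if method == "HEAD":
        # Assumption used to model the GFAL2 problem on the slide: a stat (HEAD)
        # is honoured on GET- or PUT-signed URLs but not on DELETE-signed ones.
        candidates = ("GET", "PUT")
    elif method in SIGNABLE_METHODS:
        candidates = (method,)
    else:
        return False, f"method {method} not permitted via signed URL"
    for m in candidates:
        expected = _signature(m, expires, parts.path, key)
        if hmac.compare_digest(expected, sig):  # constant-time comparison
            return True, "ok"
    return False, "signature does not match this method and path"


if __name__ == "__main__":
    base = "https://objectstore.example.invalid"       # constructed host
    path = "/v1/AUTH_demo/raw/run001.root"             # constructed object
    now = 1_700_000_000
    get_url = sign_url(base, path, "GET", now + 600)
    del_url = sign_url(base, path, "DELETE", now + 600)
    for url, method, when in [(get_url, "GET", now), (get_url, "DELETE", now),
                              (get_url, "GET", now + 601), (del_url, "DELETE", now),
                              (del_url, "HEAD", now)]:
        print(method, "at", when, "->", verify_request(url, method, when))
```

In the arrangement the slides describe, sign_url is what runs on the Rucio server (and is what the new upload endpoint returns for a file that does not yet exist), while verify_request is the objectstore's side of the bargain. Two properties matter for the security argument: the client never holds the key, only a URL that authorises one method on one path until one deadline, and the check on the server uses a constant-time comparison so the signature cannot be recovered by timing. The example also shows why the reaper broke: a URL minted for DELETE carries no authority for a HEAD, so any library that stats before deleting is refused. Note too that the signature binds method, expiry and path and nothing else, which is why the server learns nothing about content or checksums from a signed PUT URL.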

3rd party transfers (delegated to FTS)
- Rucio uses FTS3 for all 3rd party (RSE-to-RSE) transfers.
- Signed URLs are not used for this: technically possible, but undesirable because it could result in leakage of signed URLs.
- Instead, FTS holds the objectstore credentials and performs authentication itself.

Code clean up (in progress)
- Legacy objectstore code is being removed from Rucio.
- This fits well with the core Rucio team's current focus.

Future Plans
- Event Service: check that URL signing performs well enough for heavy usage by the Event Service.
- Auditing: check that the existing Rucio auditing code works with objectstores and make any changes necessary.
- Dynafed: can be used to make objectstores appear more like traditional grid storage systems. Check that it works properly with Rucio; already in progress at CERN.
- Take advantage of objectstores fully, don't just use them as file systems: store DUNE events as objects; could implement a QoS prototype using them.