Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and Resource Broker What about non-Testbed machines / experiments?
Andrew McNab - Manchester HEP - 31 January 2002 Integration Team ~20 people drawn from EDG middleware WP’s and WP6. Intensive integration period at CERN during October –had to have another one in December! Testbed farm of ~20 machines at CERN Presentations at CERN on 29th October for sysadmins / local experts –see these talks for technical details: Everything taking longer than planned –rollout ongoing (currently CERN, CNAF, Manchester, RAL, Lyon, NIKHEF,...) but TB1 still a moving target Don’t expect your local sysadmin to be able to do an “off the shelf” installation yet.
Andrew McNab - Manchester HEP - 31 January 2002 UK Deployment Start with UK WP6 people (+ other experts) Use mailing list has: –mailing list information –recipe for installing ~1.0 release (ie last week’s) of Computing Element, Storage Element, User Interface machine and Worker Node. –in principle, 1.1 released today Once have some WP6 sites up, then encourage more sites to test installation procedure, docs etc.
Andrew McNab - Manchester HEP - 31 January 2002
Authorisation a.k.a “how do I maintain the grid-mapfile list of certificate names and local user names?” WP6 provides a standard way of publishing lists of certificate names via an LDAP server, and selecting subsets based on group or “Virtual Organisation” (eg experiment) affiliation. gridmapdir patch to Globus provides dynamic user account allocation from a pool. Each experiment needs to maintain a “VO Server” and populate it with the DNs of their members –For LHC experiments, the VO’s are at NIKHEF.
Andrew McNab - Manchester HEP - 31 January 2002 GIIS and Resource Broker a.k.a “how do I get on the list of sites and receive jobs?” GRIS - local LDAP server on, say, a Computing Element (= site gateway) GIIS - indexing LDAP server, which receives information from GRIS’s Currently use Resource Broker at CERN - it uses local GIIS to get list of TB1 sites For sites to receive jobs, they need to be registered with the GIIS used by the users’ RB. Experiments (or even sites?) might want their own RB since easily overloaded in current architecture.
Andrew McNab - Manchester HEP - 31 January 2002 Non-Testbed1 machines / expts “Being part of Testbed 1” involves committing to using the right version of RedHat (6.2), the grid software and some extra packages. But, all of this work has been done in a modular way –some dependencies between modules, but interfaces are spelt out. Should be possible to install some or all of TB1 software on existing farms without matching participation requirements exactly. Would also be possible to use strictly compliant front end machines along with differently configured back end nodes.
Andrew McNab - Manchester HEP - 31 January 2002 Summary TB1 being rolled-out Basic job submission, brokerage etc working Ready to deploy 1.0 (and imminent 1.1) in UK Experiments need to set up VO structures Non-LHC experiments should be able to use TB1 components
Andrew McNab - Manchester HEP - 31 January 2002 Grid/Web integration Common use of SSL Importing certificates into browsers GridSite as an example application Limits to delegation Possible solutions Merging Grid / Web / Filesystems
Andrew McNab - Manchester HEP - 31 January 2002 Common use of SSL (“TLS”) https URLs based on X509 certificates and SSL protocol –eg Globus’s security infrastructure (GSI) based on X509 too –eg the user and host certificates from the UK HEP CA Host certificates (hostkey.pem / hostcert.pem) can be used directly as Apache mod_ssl credentials. Using openssl, you can easily change a PEM key / cert pair into the pkcs#12 file format used by web browsers. This works in all https-aware versions of Netscape and IE.
Andrew McNab - Manchester HEP - 31 January 2002 What does SSL buy you? Server has host certificate, so the browser can verify the server is genuine, and not someone impersonating it or doing a man in the-middle-attack. If browser has a user certificate, the user can prove who they are. –So the server can implement access control, logging etc. –Since the certificate DNs are also used in Grid applications, can share information, authorisation etc between the two. All transfers are encrypted. (Downside is that transfers are slower and impose more computational burden on the web server.)
Andrew McNab - Manchester HEP - 31 January 2002 What you need to do? Get a host certificate for the web server from a CA your users will trust (eg a TB1 CA: UK HEP CA, CERN, ….) Make sure your users have certificates from a CA you trust. Maintain a users database, including their DNs, to specify authorisation levels. –group users and specify access according to those groups? Providing simple administration tools will make things much less painful for you as number of users ramps up. (If you already have a VO authorisation server, might be able to automate a lot of this…)
Andrew McNab - Manchester HEP - 31 January 2002 Example: GridSite Written for http(s):// –also used for WP6/TB1 site: http(s)://marianne.in2p3.fr/ Maintains a database of users and groups –can be administered using a normal web browser Read and write access to directories controlled by ACLs –use same format as SlashGrid filesystem framework Since web browsers’ https and Globus GSI are both based on X509 certificates, can reuse the UK HEP CA user certificates in WWW context. Since have strong user authentification, can allow write access through a web browser.
Andrew McNab - Manchester HEP - 31 January 2002 GridSite: more information GridSite homepage at Mailing lists gridsite-announce and gridsite-discuss at jiscmail Software covered by GPL Open Source License –so you are welcome to use it, modify it, distribute modified copies –but we all share the benefit of anything you distribute Intending to go from monolithic source to LGPL library + minimal main() This will make it easier to reuse GridSite in other Grid / Web applications, portals etc.
Andrew McNab - Manchester HEP - 31 January 2002 Delegation One commonly cited web/grid integration is Job Submission Portal. But (lack of) delegation complicates this. X509 relies on having a private key and public certificate –Web browser has access to both However, this only proves to the web server that we are genuine. The web server does not have a way to then prove this to another server (eg a gatekeeper) on our behalf. Globus gets round this by forwarding temporary proxies signed by private key, but web browsers do not do this.
Andrew McNab - Manchester HEP - 31 January 2002 Delegation: possible solutions Need to have a private key trusted by destination servers, which we can use if we authenticate with the web server. This could be a personal key we have deposited with web server. Or the server may make requests using its own key on our behalf. New solution from Globus: Community Authorisation Server. This intended for non-Web contexts, but may provide a convenient solution here too. –Combine web server and CAS: requests authorised on the basis of authorisation objects/symbols granted by CAS.
Andrew McNab - Manchester HEP - 31 January 2002 Merging Grid/Web/Filesystems Globus GASS library provides read and write access to remote files using https –so already possible to use https web servers like GridSite as file servers within Grid applications –can access them via normal web browser as described above Work now starting to provide distributed filesystems using Grid protocols –SlashGrid framework ( ) –map files on remote servers to local filenames, with caching: => /grid/https/
Andrew McNab - Manchester HEP - 31 January 2002 Summary X509 security protocols common to Web and Grid Possible to use existing Grid certificates in a Web context GridSite is an Open Source demonstration of this –will provide a toolbox for people building Grid/Web applications Delegation of credentials to allow access to “third party” sites an issue –but solutions are possible More Web / Grid / Filesystem integration in the pipeline