Presentation is loading. Please wait.

Presentation is loading. Please wait.

jAliEn client development

Published byBeatrice Carter Modified over 6 years ago

Similar presentations

Presentation on theme: "jAliEn client development"— Presentation transcript:

1 jAliEn client development

2 What is jAliEn client? JCentral JSh

3 Introducing tokens Central services User machine 1 JCentral 2
Catalogue TQ Transfers LDAP 2 Client 3 4 1. Initial connect with usercert 2. Get token 3. New connection with token (valid for 2 days) 4. Renew manually with token command

4 Long living authentication agent on the user machine (JBox)
Central services User machine JCentral 1 3 Catalogue TQ Transfers LDAP Client JBox 2 4 1. Initial connect with usercert 2. Get token 3. Client always uses token 4. Renew automatically every 2 hours

5 Defining priorities for certificates
If $JALIEN_TOKEN is set, use token Client cert from $X509_USER_CERT or $homedir/.globus/usercert.pem Host cert from $homedir/.globus/hostcert.pem Token from $homedir/.globus/tokencert.pem (locations can be configured in config.properties)

6 Switching users gGrid->Command("token -u tutor"); AlienPrincipal
String username = “vyurchen“; String defaultUser = “vyurchen“; Set<String> roles = [“vyurchen“, “tutor“, “...“]; AlienPrincipal String username = “tutor“; String defaultUser = “vyurchen“; Set<String> roles = = [“tutor“]; canBecome(final String role) Account for 0 (/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=vyurchen/CN=758460/CN=Volodymyr Yurchenko) is: [vyurchen] Successfully switched user from '[vyurchen]' to '[tutor]'.

7 New capabilities mkdir as tutor successful for "/alice/cern.ch/user/t/tutor/testtoken" mkdir as tutor fails for "/alice/cern.ch/user/v/vyurchen/noprivileges"

8 Relying on certificate
Allows to check client‘s certificate again in critical points Old AlienPrincipal String username = “vyurchen“; String defaultUser = “vyurchen“; Set<String> roles = [“vyurchen“, “tutor“, “...“]; New AlienPrincipal String username = “vyurchen“; String defaultUser = “vyurchen“; Set<String> roles = [“vyurchen“, “tutor“, “...“]; X509Certificate[] usercert;

9 Extract information from DN
// Assuming we have user or job token, parse role to switch identity to that user // /C=ch/O=AliEn/CN=Job/CN=username/OU=role/OU=extension // ^ ^ jobID ... // if OU present in DN try to extract role p = getByRole(dn.substring(roleOU + 4, jobOU)); // if second OU is present in DN p.setJob(Long.valueOf(dn.substring(jobOU + 4))); // if getByUsername or getByRole found credentials p.setDefaultUser(dn.substring(nameCN + 4, roleOU));

10 Updated AlienPrincipal Class
Provides a new ability to uniformly interact with central services and isolate jobs and services from executing other commands than what the respective context allows New AlienPrincipal String username = “vyurchen“; String defaultUser = “vyurchen“; Set<String> roles = [“vyurchen“, “tutor“, “...“]; X509Certificate[] usercert; Newer AlienPrincipal String username = “vyurchen“; String defaultUser = “vyurchen“; Set<String> roles = [“vyurchen“, “tutor“, “...“]; X509Certificate[] usercert; Long jobID = null; boolean jobAgentFlag = false;

11 Killing zombies Server disconnects clients with uptime > 2 days, forcing them to reconnect if needed and revalidate the tokens TODO: discover idle clients Clean up connections basing on lastUpdateTime + make it configurable Use monitoring class to build charts and investigate the best interval for cleaning idle connections

12 Reconnecting root [5] gGrid->Ls("/alice/cern.ch/user/v/vyurchen");
Error in <TJAlien::Command>: Connection is broken, retrying... Info in <TJAlien::TJAlien>: Connecting to JBox: host= , port=8097, user=vyurchen, cert=/home/yuw/.globus/tokencert.pem, key=/home/yuw/.globus/tokenkey.pem Info in <TJAlien::Ls>: Ls command successful

13 Bug fixes Authorization bug with Request Dispatcher (allowed clients to execute request on behalf of alienmaster user) Initializing db variables not in central service (slowed down the process of executing certain commands)

14 Authorization Bug Tomcat Dispatch DispatchSSLServer SSLClient
Dispatcher Dispatch SSLClient DispatchSSLServer Client Tomcat Dispatcher Client

15 Polishing the code Put neutral notification in logs when client disconnects (instead of exception stacktraces) Remove unused variables Correctly close websocket session

16 Commands ls: send all information (“-la“) to ROOT clients
Add extra check if lfn exists to the cp command Pass correct fields to ROOT in the submit command Pass correct fields to ROOT in the rmdir command Implement rm command Implement file open/write commands

17 File operations Full read and write from ROOT working
root [1] TFile* myfile = Tfile::Open("alien:///alice/sim/2017/LHC17j8c/245353/001/a od_archive.zip#AliAOD.root"); root [2] TFile::Cp("alien:///alice/cern.ch/user/v/vyurchen/test.root", "alien:///alice/cern.ch/user/v/vyurchen/plain.root"); [TFile::Cp] Total 0.00 MB |====================| % [0.5 MB/s]

18 Next steps Implement writing files to specific SE
Register TJAlien ROOT plugin in AliBuild system Try ROOT6 Custom SSL checks for proxy files(?) Smart detection of idle connections Refactor code to create uniform PrintWriter Rewrite JShell to use websockets

Download ppt "jAliEn client development"

Similar presentations

Detecting Bugs Using Assertions Ben Scribner. Defining the Problem  Bugs exist  Unexpected errors happen Hardware failures Loss of data Data may exist.

Detecting Bugs Using Assertions Ben Scribner. Defining the Problem  Bugs exist  Unexpected errors happen Hardware failures Loss of data Data may exist.
1 CHEP 2000, 10.02.2000Roberto Barbera Roberto Barbera (*) Grid monitoring with NAGIOS WP3-INFN Meeting, Naples, 29.11.2002 (*) Work in collaboration with.

1 CHEP 2000, Roberto Barbera Roberto Barbera (*) Grid monitoring with NAGIOS WP3-INFN Meeting, Naples, (*) Work in collaboration with.
A responsibility based model EDG CA Managers Meeting June 13, 2003.

A responsibility based model EDG CA Managers Meeting June 13, 2003.
Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.

Haga clic para cambiar el estilo de título Haga clic para modificar el estilo de subtítulo del patrón DIRAC Framework A.Casajus and R.Graciani (Universitat.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Remote User Authentication. Module Objectives By the end of this module participants will be able to: Describe the methods available for authenticating.

Remote User Authentication. Module Objectives By the end of this module participants will be able to: Describe the methods available for authenticating.
Reproducible Environment for Scientific Applications (Lab session) Tak-Lon (Stephen) Wu.

Reproducible Environment for Scientific Applications (Lab session) Tak-Lon (Stephen) Wu.
Senior Technical Writer

Senior Technical Writer
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
© 2012 IBM Corporation Tivoli Workload Automation Informatica Power Center.

© 2012 IBM Corporation Tivoli Workload Automation Informatica Power Center.
Summary of issues and questions raised. FTS workshop for experiment integrators Summary of use  Generally positive response on current state!  Now the.

Summary of issues and questions raised. FTS workshop for experiment integrators Summary of use  Generally positive response on current state!  Now the.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
Checking Network/Port Connectivity using Kaseya Agent Procedures Developed By: Emmanuel Giboyeaux Advisor : Dr. S. Masoud Sadjadi School of Computing and.

Checking Network/Port Connectivity using Kaseya Agent Procedures Developed By: Emmanuel Giboyeaux Advisor : Dr. S. Masoud Sadjadi School of Computing and.
WaveMaker Visual AJAX Studio 4.0 Training Authentication.

WaveMaker Visual AJAX Studio 4.0 Training Authentication.
Alice off-line meeting Alberto Colla Cern, October 3, 2005 AliEn How-To Alice off-line meeting Cern, October 3, 2005 Alberto Colla (Alice off-line Calibration.

Alice off-line meeting Alberto Colla Cern, October 3, 2005 AliEn How-To Alice off-line meeting Cern, October 3, 2005 Alberto Colla (Alice off-line Calibration.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
2015-10-17 Wenjing Wu Andrej Filipčič David Cameron Eric Lancon Claire Adam Bourdarios & others.

Wenjing Wu Andrej Filipčič David Cameron Eric Lancon Claire Adam Bourdarios & others.
TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,

TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,
Condor Project Computer Sciences Department University of Wisconsin-Madison Condor-G Operations.

Condor Project Computer Sciences Department University of Wisconsin-Madison Condor-G Operations.

Similar presentations

Ads by Google