Presentation is loading. Please wait.

Presentation is loading. Please wait.

VO Box Issues Summary of concerns expressed following publication of Jeff’s slides Ian Bird GDB, Bologna, 12 Oct 2005 (not necessarily the opinion of)

Published byHannah McBride Modified over 9 years ago

Similar presentations

Presentation on theme: "VO Box Issues Summary of concerns expressed following publication of Jeff’s slides Ian Bird GDB, Bologna, 12 Oct 2005 (not necessarily the opinion of)"— Presentation transcript:

1 VO Box Issues Summary of concerns expressed following publication of Jeff’s slides Ian Bird GDB, Bologna, 12 Oct 2005 (not necessarily the opinion of)

2 GDB Bologna, 12 Oct 2005 2 General concerns  Ops and security documents:  List of questions to help sites understand what is needed  Hard to translate into site policy – IPTables, firewalls, ports, etc.  Questionnaires are more overhead for site admins  Use of host certificates for services is never acceptable  Number of boxes – heavy tax on small sites  Do all sites need to run a VO Box?  Many sites will say NO unless the requirements are minimal  E.g. UK only 1 site willing to provide this for ALICE  Most security concerns addressed by document

3 GDB Bologna, 12 Oct 2005 3 Other concerns  This should be a short term solution  Experiments should ensure that VO specific services get translated into general grid services for the future  This is not a grid solution !  How does the software get certified?  Concerns about allowing interactive logins at all

4 GDB Bologna, 12 Oct 2005 4 LCG VO Box prototype OSG are developing “Edge Service Framework” based on virtual machines to solve the same problem.

5 GDB Bologna, 12 Oct 2005 5 VOBOX: Overview  Basic (common) requirements  Scientific Linux 3 (usually)  Outbound connectivity as a UI  Inbound connectivity as a CE + gsissh port + VO requirements  Access to local user accounts (SGMs) via gsissh  Direct (mounted) access to the site’s experiment SW installation area  LCG’s VO box prototype basic elements  gsissh server  Proxy renewal service (+ user level tool)  For automatic refresh of user credentials  For AFS-based sites with GSI-Kerberos mapping service:  GSSKLOG client to grant Kerberos tokens from X509 proxies  CLIs and APIs for job submission to local CE  Connection open for job lifetime  Not scalable!  Only for few special jobs

6 GDB Bologna, 12 Oct 2005 6 VOBOX: the gsissh server  Allows the experiment SGM to access the VO box  User space (not root access)  Interactive login through gsissh client  Upload/Download files via gsiscp  Usual authentication/authorization schema  GSI. Using the grid-mapfile  Allows credential delegation  Only within the login session  Must be turned on at the client and server side  Done automatically for both by YAIM in LCG 2.6  Running by default on port 1975  Not VOMS-aware

7 GDB Bologna, 12 Oct 2005 7 VOBOX: Proxy renewal service  Automatic SGM’s proxy renewal procedure  The SGM…  Registers a long-living proxy in a MyProxy Server  Logs into the VO box  Registers his delegated user proxy for renewal (VO box specific CLI)  The proxy renewal service renews the user proxy every 2 hours  The MyProxy server has to trust the VO box  The renewal service must present the (trusted) VO box host certificate  A root cronjob runs every hour  Creates the host proxy + "chown"s it to the VO SGM  There can be only one VO per VO box  Or they all would share same copy of host proxy  Traceability issue  Possible solutions to this problem  Run several VO boxes on the same HW, but on different virtual machines  Modify MyProxy to make it accept service certificates (several per machine)

8 GDB Bologna, 12 Oct 2005 8 VOBOX: miscellaneous  User Interface clients should also be installed  Additional functionality at no cost (just clients)  Successfully tested many times and deployed at some sites  A RB can also be installed on top of the VO box (next release)  For job submission to the local CE  (Solved) clash of two versions of the gridftp server (CE and RB)  The old one will be removed from the RPM list  Fully tested and supported in YAIM  BUT… This would need more maintenance effort from the site  Experiment SW area  An env variable points to the experiment SW area of each VO  Not automatically accessible after YAIM installation (duty of the site admin)  Same as in a WN  A gssklog client allows to get kerberos credentials from a X509 proxy  Needed only if the Exp SW area is on AFS  A X509toKRB authentication server needs to be installed at the site

Download ppt "VO Box Issues Summary of concerns expressed following publication of Jeff’s slides Ian Bird GDB, Bologna, 12 Oct 2005 (not necessarily the opinion of)"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Enabling, facilitating and delivering quality training in the UK and Internationally Mike Mineter Training Outreach and Education, NeSC, Edinburgh

Enabling, facilitating and delivering quality training in the UK and Internationally Mike Mineter Training Outreach and Education, NeSC, Edinburgh
MyProxy Guy Warner NeSC Training.

MyProxy Guy Warner NeSC Training.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
1 Deployment of an LCG Infrastructure in Australia How-To Setup the LCG Grid Middleware – A beginner's perspective Marco La Rosa

1 Deployment of an LCG Infrastructure in Australia How-To Setup the LCG Grid Middleware – A beginner's perspective Marco La Rosa
OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.

OSG End User Tools Overview OSG Grid school – March 19, 2009 Marco Mambelli - University of Chicago A brief summary about the system.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
Ákos FROHNER – DataGrid Security Requirements- 2002-04-09 - n° 1 Security Group D7.5 Document and Open Issues

Ákos FROHNER – DataGrid Security Requirements n° 1 Security Group D7.5 Document and Open Issues
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
Enabling Grids for E-sciencE www.eu-egee.org ENEA and the EGEE project gLite and interoperability Andrea Santoro, Carlo Sciò Enea Frascati, 22 November.

Enabling Grids for E-sciencE ENEA and the EGEE project gLite and interoperability Andrea Santoro, Carlo Sciò Enea Frascati, 22 November.
PanDA Multi-User Pilot Jobs Maxim Potekhin Brookhaven National Laboratory Open Science Grid WLCG GDB Meeting CERN March 11, 2009.

PanDA Multi-User Pilot Jobs Maxim Potekhin Brookhaven National Laboratory Open Science Grid WLCG GDB Meeting CERN March 11, 2009.
National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.

National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org VO BOX Summary Conclusions from Joint OSG and EGEE Operations Workshop - 3 Abingdon, 27 -

INFSO-RI Enabling Grids for E-sciencE VO BOX Summary Conclusions from Joint OSG and EGEE Operations Workshop - 3 Abingdon, 27 -
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.
First attempt for validating/testing Testbed 1 Globus and middleware services WP6 Meeting, 11-12 December 2001 Flavia Donno, Marco Serra for IT and WPs.

First attempt for validating/testing Testbed 1 Globus and middleware services WP6 Meeting, December 2001 Flavia Donno, Marco Serra for IT and WPs.
Architecture and ATLAS Western Tier 2 Wei Yang ATLAS Western Tier 2 User Forum meeting SLAC April 6-7 2009.

Architecture and ATLAS Western Tier 2 Wei Yang ATLAS Western Tier 2 User Forum meeting SLAC April
Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.

Maarten Litmaath (CERN), GDB meeting, CERN, 2006/02/08 VOMS deployment Extent of VOMS usage in LCG-2 –Node types gLite 3.0 Issues Conclusions.
23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK

23-Oct-03D.P.Kelsey, LCG Security Update, HEPiX1 LCG Security Update HEPiX-HEPNT, TRIUMF, 23 October 2003 David Kelsey CCLRC/RAL, UK

Similar presentations

Ads by Google