
Andrew McNab - Manchester HEP - 31 January 2002

Testbed Release in the UK

• Integration Team

• UK deployment

• TB1 Job Lifecycle

• VO: Authorisation

• VO: GIIS and Resource Broker

• What about non-Testbed machines / experiments?


Integration Team

• ~20 people drawn from EDG middleware WP’s and WP6.

• Intensive integration period at CERN during October

– had to have another one in December!

• Testbed farm of ~20 machines at CERN

• Presentations at CERN on 29th October for sysadmins / local experts

– see these talks for technical details: http://marianne.in2p3.fr/

• Everything taking longer than planned

– rollout ongoing (currently CERN, CNAF, Manchester, RAL, Lyon, NIKHEF, ...) but TB1 still a moving target

• Don’t expect your local sysadmin to be able to do an “off the shelf” installation yet.


UK Deployment

• Start with UK WP6 people (+ other experts)

• Use [email protected] mailing list

• http://www.gridpp.ac.uk/tb-support/ has:

– mailing list information

– recipe for installing the ~1.0 release (i.e. last week’s) of Computing Element, Storage Element, User Interface machine and Worker Node.

– in principle, 1.1 released today

• Once some WP6 sites are up, encourage more sites to test the installation procedure, docs etc.


Authorisation

• a.k.a. “how do I maintain the grid-mapfile list of certificate names and local user names?”

• WP6 provides a standard way of publishing lists of certificate names via an LDAP server, and selecting subsets based on group or “Virtual Organisation” (eg experiment) affiliation.

• gridmapdir patch to Globus provides dynamic user account allocation from a pool.

• Each experiment needs to maintain a “VO Server” and populate it with the DNs of their members

– For LHC experiments, the VO’s are at NIKHEF.
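The two mechanisms on this slide, as an added Python illustration (not the WP6 tooling or the Globus gridmapdir patch itself): selecting one VO’s members from a constructed member list, emitting grid-mapfile lines that point at a pool, and leasing pool accounts the way gridmapdir does, with one file per account and a hard link named after the URL-encoded DN marking a lease. The DNs, group names and pool name are constructed.

```python
import os
import tempfile
from urllib.parse import quote

# Constructed stand-in for what a VO server publishes: DN -> experiment group.
# (Assumption: the real WP6 LDAP schema is not shown on the slides.)
VO_MEMBERS = {
    "/C=UK/O=eScience/OU=Manchester/CN=alice example": "atlas",
    "/C=UK/O=eScience/OU=RAL/CN=bob example": "cms",
    "/C=UK/O=eScience/OU=Manchester/CN=carol example": "atlas",
}

def select_vo_subset(members, group):
    """DNs of the members affiliated to one VO / experiment group."""
    return sorted(dn for dn, g in members.items() if g == group)

def grid_mapfile_lines(dns, pool_prefix):
    """grid-mapfile entries; the leading '.' marks a pool (gridmapdir convention)."""
    return ['"%s" .%s' % (dn, pool_prefix) for dn in dns]

def make_gridmapdir(path, pool_prefix, count):
    """One empty file per pool account; a hard link to it records a lease."""
    for i in range(1, count + 1):
        open(os.path.join(path, "%s%03d" % (pool_prefix, i)), "w").close()

def allocate_pool_account(gridmapdir, dn, pool_prefix):
    """Return the pool account leased to dn, leasing a free one on first use."""
    lease = os.path.join(gridmapdir, quote(dn, safe=""))  # URL-encoded DN is the link name
    accounts = sorted(n for n in os.listdir(gridmapdir) if n.startswith(pool_prefix))
    if os.path.exists(lease):  # already mapped: find the account sharing its inode
        inode = os.stat(lease).st_ino
        return next(n for n in accounts
                    if os.stat(os.path.join(gridmapdir, n)).st_ino == inode)
    for name in accounts:  # a free account is one with link count 1
        target = os.path.join(gridmapdir, name)
        if os.stat(target).st_nlink == 1:
            os.link(target, lease)
            return name
    return None  # pool exhausted

def demo():
    """Map the ATLAS subset of the VO onto a two-account pool."""
    with tempfile.TemporaryDirectory() as d:
        make_gridmapdir(d, "atlas", 2)
        dns = select_vo_subset(VO_MEMBERS, "atlas")
        first = [allocate_pool_account(d, dn, "atlas") for dn in dns]
        again = [allocate_pool_account(d, dn, "atlas") for dn in dns]
        extra = allocate_pool_account(d, "/C=UK/O=eScience/CN=dave example", "atlas")
    return grid_mapfile_lines(dns, "atlas"), first, again, extra
```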


GIIS and Resource Broker

• a.k.a. “how do I get on the list of sites and receive jobs?”

• GRIS - local LDAP server on, say, a Computing Element (= site gateway)

• GIIS - indexing LDAP server, which receives information from GRIS’s

• Currently use Resource Broker at CERN - it uses local GIIS to get list of TB1 sites

• For sites to receive jobs, they need to be registered with the GIIS used by the users’ RB.

• Experiments (or even sites?) might want their own RB, since the RB is easily overloaded in the current architecture.


Non-Testbed1 machines / expts

• “Being part of Testbed 1” involves committing to using the right version of RedHat (6.2), the grid software and some extra packages.

• But, all of this work has been done in a modular way

– some dependencies between modules, but interfaces are spelt out.

• Should be possible to install some or all of TB1 software on existing farms without matching participation requirements exactly.

• Would also be possible to use strictly compliant front end machines along with differently configured back end nodes.


Summary

• TB1 being rolled-out

• Basic job submission, brokerage etc working

• Ready to deploy 1.0 (and imminent 1.1) in UK

• Experiments need to set up VO structures

• Non-LHC experiments should be able to use TB1 components


Grid/Web integration

• Common use of SSL

• Importing certificates into browsers

• GridSite as an example application

• Limits to delegation

• Possible solutions

• Merging Grid / Web / Filesystems


Common use of SSL (“TLS”)

• https URLs based on X509 certificates and SSL protocol

– eg https://secure.amazon.co.uk/

• Globus’s security infrastructure (GSI) based on X509 too

– eg the user and host certificates from the UK HEP CA

• Host certificates (hostkey.pem / hostcert.pem) can be used directly as Apache mod_ssl credentials.

• Using openssl, you can easily change a PEM key / cert pair into the pkcs#12 file format used by web browsers.

• This works in all https-aware versions of Netscape and IE.


What does SSL buy you?

• Server has host certificate, so the browser can verify the server is genuine, and not someone impersonating it or mounting a man-in-the-middle attack.

• If browser has a user certificate, the user can prove who they are.

– So the server can implement access control, logging etc.

– Since the certificate DNs are also used in Grid applications, can share information, authorisation etc between the two.

• All transfers are encrypted.

• (Downside is that transfers are slower and impose more computational burden on the web server.)


What you need to do

• Get a host certificate for the web server from a CA your users will trust (eg a TB1 CA: UK HEP CA, CERN, ….)

• Make sure your users have certificates from a CA you trust.

• Maintain a users database, including their DNs, to specify authorisation levels.

– group users and specify access according to those groups?

• Providing simple administration tools will make things much less painful for you as the number of users ramps up.

• (If you already have a VO authorisation server, might be able to automate a lot of this…)


Example: GridSite

• Written for http(s)://www.gridpp.ac.uk/

– also used for WP6/TB1 site: http(s)://marianne.in2p3.fr/

• Maintains a database of users and groups

– can be administered using a normal web browser

• Read and write access to directories controlled by ACLs

– use same format as SlashGrid filesystem framework

• Since web browsers’ https and Globus GSI are both based on X509 certificates, can reuse the UK HEP CA user certificates in WWW context.

• Since have strong user authentication, can allow write access through a web browser.
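An added Python sketch (not GridSite’s code; its user database and ACL format are not shown on these slides, so a simplified stand-in is assumed) of the users-database-plus-ACL check described on this and the previous slide: the DN is the same X509 user certificate DN the Grid uses, read from mod_ssl’s SSL_CLIENT_S_DN variable, and is only trusted when SSL_CLIENT_VERIFY reports that the chain verified against the server’s trusted CAs. The DNs, groups and directory layout are constructed.

```python
# Constructed users database: certificate DN -> set of groups.
USERS = {
    "/C=UK/O=eScience/OU=Manchester/CN=alice example": {"atlas", "admins"},
    "/C=UK/O=eScience/OU=RAL/CN=bob example": {"cms"},
}

# Constructed per-directory ACLs: list of (group, permissions); "*" means any
# user who presented a certificate from a CA we trust.  The longest matching
# directory prefix wins, so a private subtree is not opened up by the "/" entry.
ACLS = {
    "/": [("*", {"read"})],
    "/atlas/": [("atlas", {"read", "write"})],
    "/atlas/private/": [("admins", {"read", "write"})],
}

def client_dn(env):
    """DN of the browser's user certificate from mod_ssl's CGI variables.
    mod_ssl exports SSL_CLIENT_S_DN whenever a certificate was presented, so the
    DN is only trusted when SSL_CLIENT_VERIFY says the chain checked out."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return env.get("SSL_CLIENT_S_DN")

def acl_for(path):
    """ACL of the most specific directory prefix covering path."""
    best = max((p for p in ACLS if path.startswith(p)), key=len)
    return ACLS[best]

def is_allowed(env, path, perm):
    """True if the authenticated user may perform perm ('read'/'write') on path."""
    dn = client_dn(env)
    groups = USERS.get(dn, set()) if dn else set()
    for group, perms in acl_for(path):
        if perm in perms and (group in groups or (group == "*" and dn)):
            return True
    return False
```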


GridSite: more information

• GridSite homepage at http://www.gridpp.ac.uk/gridsite/

• Mailing lists gridsite-announce and gridsite-discuss at jiscmail

• Software covered by GPL Open Source License

– so you are welcome to use it, modify it, distribute modified copies

– but we all share the benefit of anything you distribute

• Intending to go from monolithic source to LGPL library + minimal main()

• This will make it easier to reuse GridSite in other Grid / Web applications, portals etc.


Delegation

• One commonly cited web/grid integration is a Job Submission Portal.

• But (lack of) delegation complicates this.

• X509 relies on having a private key and public certificate

– Web browser has access to both

• However, this only proves to the web server that we are genuine.

• The web server does not have a way to then prove this to another server (eg a gatekeeper) on our behalf.

• Globus gets round this by forwarding temporary proxies signed by private key, but web browsers do not do this.


Delegation: possible solutions

• Need to have a private key trusted by destination servers, which we can use if we authenticate with the web server.

• This could be a personal key we have deposited with web server.

• Or the server may make requests using its own key on our behalf.

• New solution from Globus: Community Authorisation Server. This is intended for non-Web contexts, but may provide a convenient solution here too.

– Combine web server and CAS: requests authorised on the basis of authorisation objects/symbols granted by CAS.


Merging Grid/Web/Filesystems

• Globus GASS library provides read and write access to remote files using https

– so already possible to use https web servers like GridSite as file servers within Grid applications

– can access them via normal web browser as described above

• Work now starting to provide distributed filesystems using Grid protocols

– SlashGrid framework ( http://www.gridpp.ac.uk/slashgrid/ )

– map files on remote servers to local filenames, with caching: https://www.gridpp.ac.uk/file.txt => /grid/https/www.gridpp.ac.uk/file.txt


Summary

• X509 security protocols common to Web and Grid

• Possible to use existing Grid certificates in a Web context

• GridSite is an Open Source demonstration of this

– will provide a toolbox for people building Grid/Web applications

• Delegation of credentials to allow access to “third party” sites an issue

– but solutions are possible

• More Web / Grid / Filesystem integration in the pipeline