PowerPoint - University of Manchester


Testbed Release in the UK
• Integration Team
• UK deployment
• TB1 Job Lifecycle
• VO: Authorisation
• VO: GIIS and Resource Broker
• What about non-Testbed machines / experiments?
Andrew McNab - Manchester HEP - 31 January 2002
Integration Team
• ~20 people drawn from EDG middleware WPs and WP6.
• Intensive integration period at CERN during October
– had to have another one in December!
• Testbed farm of ~20 machines at CERN
• Presentations at CERN on 29th October for sysadmins / local experts
– see these talks for technical details: http://marianne.in2p3.fr/
• Everything taking longer than planned
– rollout ongoing (currently CERN, CNAF, Manchester, RAL, Lyon,
NIKHEF, ...) but TB1 still a moving target
• Don’t expect your local sysadmin to be able to do an “off the shelf”
installation yet.
UK Deployment
• Start with UK WP6 people (+ other experts)
• Use [email protected] mailing list
• http://www.gridpp.ac.uk/tb-support/ has:
– mailing list information
– recipe for installing the ~1.0 release (i.e. last week’s) of the
Computing Element, Storage Element, User Interface
machine and Worker Node.
– in principle, 1.1 released today
• Once have some WP6 sites up, then encourage more sites
to test installation procedure, docs etc.
Authorisation
• a.k.a. “how do I maintain the grid-mapfile list of certificate
names and local user names?”
• WP6 provides a standard way of publishing lists of
certificate names via an LDAP server, and selecting subsets
based on group or “Virtual Organisation” (eg experiment)
affiliation.
• gridmapdir patch to Globus provides dynamic user account
allocation from a pool.
• Each experiment needs to maintain a “VO Server” and
populate it with the DNs of their members
– For LHC experiments, the VOs are at NIKHEF.
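The following Python is an added example, not the WP6 LDAP tooling or the Globus gridmapdir patch mentioned above: it builds a grid-mapfile from per-VO lists of DNs and leases pool accounts using hard links in a directory, which is the mechanism the slide attributes to gridmapdir. The VO names, DNs, account names and the DN-to-filename encoding are all constructed for the example.

```python
"""Added example: grid-mapfile generation plus gridmapdir-style pool accounts.
Not the WP6 or Globus code; VO lists, DNs and account names are constructed."""
import os
import tempfile
from urllib.parse import quote

# Constructed stand-in for the DN lists a VO server would publish per group.
VO_MEMBERS = {
    "atlas": ["/O=Grid/O=Example/OU=hep.example.ac.uk/CN=Alice Example",
              "/O=Grid/O=Example/OU=hep.example.ac.uk/CN=Bob Example"],
    "lhcb": ["/O=Grid/O=Example/OU=hep.example.ac.uk/CN=Carol Example",
             "/O=Grid/O=Example/OU=hep.example.ac.uk/CN=Alice Example"],
}

# Constructed site policy: a VO maps to a fixed local account or, with a
# leading dot, to a pool from which an account is leased on first use.
VO_TO_ACCOUNT = {"atlas": ".atlas", "lhcb": "lhcbgrid"}


def build_gridmap(members, policy):
    """Return grid-mapfile lines: a quoted DN, a space, the local account.
    A DN found in several VOs keeps the first VO's mapping, so the order of
    `members` decides precedence.  Output is sorted so repeated runs give
    byte-identical files that are easy to diff and audit."""
    mapping = {}
    for vo, dns in members.items():
        for dn in dns:
            mapping.setdefault(dn, policy[vo])
    return [f'"{dn}" {account}' for dn, account in sorted(mapping.items())]


def dn_to_filename(dn):
    # One safe filename per DN (no '/', no spaces); this encoding is the
    # example's own, not the one the gridmapdir patch uses.
    return quote(dn, safe="")


class GridMapDir:
    """Pool-account leases kept as hard links.  Every pool account is an empty
    file; the DN holding it is a second hard link to the same inode.  Link
    count 1 means free, 2 means leased; the state survives reboots."""

    def __init__(self, path):
        self.path = path

    def create_pool(self, prefix, size):
        for i in range(1, size + 1):
            open(os.path.join(self.path, f"{prefix}{i:03d}"), "a").close()

    def lookup(self, dn):
        # Return the account already leased to dn, or None.
        name = dn_to_filename(dn)
        link = os.path.join(self.path, name)
        if not os.path.exists(link):
            return None
        inode = os.stat(link).st_ino
        for other in os.listdir(self.path):
            if other != name and os.stat(os.path.join(self.path, other)).st_ino == inode:
                return other
        return None

    def allocate(self, dn, pool):
        """Lease a free account from pool (a dotted policy entry) to dn."""
        held = self.lookup(dn)
        if held:
            return held
        prefix = pool.lstrip(".")
        link = os.path.join(self.path, dn_to_filename(dn))
        for name in sorted(os.listdir(self.path)):
            account = os.path.join(self.path, name)
            if not name.startswith(prefix) or os.stat(account).st_nlink != 1:
                continue  # not a pool account, or already leased
            try:
                os.link(account, link)  # creating the link is the atomic claim
            except FileExistsError:
                return self.lookup(dn)  # a concurrent mapping of this DN won
            if os.stat(account).st_nlink != 2:
                os.unlink(link)  # two DNs raced for one account: back off
                continue
            return name
        raise RuntimeError(f"pool {prefix} exhausted")


def run_demo():
    """Map every VO member, leasing pool accounts from a fresh gridmapdir."""
    gridmap = build_gridmap(VO_MEMBERS, VO_TO_ACCOUNT)
    gmd = GridMapDir(tempfile.mkdtemp(prefix="gridmapdir-"))
    gmd.create_pool("atlas", 2)
    leases = {}
    for line in gridmap:
        quoted_dn, account = line.rsplit(" ", 1)
        dn = quoted_dn.strip('"')
        leases[dn] = gmd.allocate(dn, account) if account.startswith(".") else account
    # A second login keeps its account; a third pool user is refused rather
    # than silently given someone else's uid.
    repeat = gmd.allocate(VO_MEMBERS["atlas"][0], ".atlas")
    try:
        gmd.allocate("/O=Grid/O=Example/CN=Dave Example", ".atlas")
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {"gridmap": gridmap, "leases": leases, "repeat": repeat, "exhausted": exhausted}


if __name__ == "__main__":
    print(run_demo())
```

The link count is the whole state: a lease is granted by creating a second hard link, which the filesystem makes atomic, and an account whose link count has climbed past 2 after our link was made was claimed by two DNs at once, so the loser unlinks and moves on. Pool exhaustion raises instead of reusing an account, because giving two DNs the same uid would defeat the per-user logging the later slides rely on.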
GIIS and Resource Broker
• a.k.a. “how do I get on the list of sites and receive jobs?”
• GRIS - local LDAP server on, say, a Computing Element (=
site gateway)
• GIIS - indexing LDAP server, which receives information
from GRISs
• Currently use Resource Broker at CERN - it uses local
GIIS to get list of TB1 sites
• For sites to receive jobs, they need to be registered with
the GIIS used by the users’ RB.
• Experiments (or even sites?) might want their own RB,
since the RB is easily overloaded in the current architecture.
Non-Testbed1 machines / expts
• “Being part of Testbed 1” involves committing to using the
right version of RedHat (6.2), the grid software and some
extra packages.
• But, all of this work has been done in a modular way
– some dependencies between modules, but interfaces are spelt out.
• Should be possible to install some or all of TB1 software on
existing farms without matching participation requirements
exactly.
• Would also be possible to use strictly compliant front end
machines along with differently configured back end nodes.
Summary
• TB1 being rolled out
• Basic job submission, brokerage etc. working
• Ready to deploy 1.0 (and imminent 1.1) in UK
• Experiments need to set up VO structures
• Non-LHC experiments should be able to use TB1 components
Grid/Web integration
• Common use of SSL
• Importing certificates into browsers
• GridSite as an example application
• Limits to delegation
• Possible solutions
• Merging Grid / Web / Filesystems
Common use of SSL (“TLS”)
• https URLs based on X509 certificates and SSL protocol
– eg https://secure.amazon.co.uk/
• Globus’s security infrastructure (GSI) based on X509 too
– eg the user and host certificates from the UK HEP CA
• Host certificates (hostkey.pem / hostcert.pem) can be used
directly as Apache mod_ssl credentials.
• Using openssl, you can easily change a PEM key / cert pair
into the pkcs#12 file format used by web browsers.
• This works in all https-aware versions of Netscape and IE.
What does SSL buy you?
• Server has host certificate, so the browser can verify the
server is genuine, and not someone impersonating it or
mounting a man-in-the-middle attack.
• If browser has a user certificate, the user can prove who
they are.
– So the server can implement access control, logging etc.
– Since the certificate DNs are also used in Grid applications, can
share information, authorisation etc between the two.
• All transfers are encrypted.
• (Downside is that transfers are slower and impose more
computational burden on the web server.)
What you need to do
• Get a host certificate for the web server from a CA your
users will trust (eg a TB1 CA: UK HEP CA, CERN, ….)
• Make sure your users have certificates from a CA you trust.
• Maintain a users database, including their DNs, to specify
authorisation levels.
– group users and specify access according to those groups?
• Providing simple administration tools will make things
much less painful for you as number of users ramps up.
• (If you already have a VO authorisation server, might be
able to automate a lot of this…)
Example: GridSite
• Written for http(s)://www.gridpp.ac.uk/
– also used for WP6/TB1 site: http(s)://marianne.in2p3.fr/
• Maintains a database of users and groups
– can be administered using a normal web browser
• Read and write access to directories controlled by ACLs
– use same format as SlashGrid filesystem framework
• Since web browsers’ https and Globus GSI are both based
on X509 certificates, can reuse the UK HEP CA user
certificates in WWW context.
• Since we have strong user authentication, we can allow write
access through a web browser.
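As an added example for the two preceding slides (the users database of DNs and groups, and GridSite-style read/write ACLs on directories), here is Python that takes the client DN from the variables Apache mod_ssl sets with SSLOptions +StdEnvVars and checks it against per-directory ACLs. It is not GridSite's code and does not use the SlashGrid ACL format; the users, groups, ACL entries and request environments are constructed.

```python
"""Added example: per-directory access control keyed on the client
certificate DN that Apache mod_ssl exposes to the application.  Not
GridSite's code or the SlashGrid ACL format; users, groups, ACLs and the
request environments are constructed."""
import posixpath

ALICE = "/O=Grid/O=Example/OU=hep.example.ac.uk/CN=Alice Example"
BOB = "/O=Grid/O=Example/OU=hep.example.ac.uk/CN=Bob Example"
CAROL = "/O=Grid/O=Example/OU=hep.example.ac.uk/CN=Carol Example"

# Constructed users database: DN -> set of groups, maintained by the site.
USERS = {ALICE: {"atlas", "webadmin"}, BOB: {"atlas"}, CAROL: {"lhcb"}}

# Constructed ACLs keyed by directory.  The most specific (longest) matching
# directory applies and replaces, rather than extends, its parent's entries.
# Principals are "anyone", "group:NAME" or "dn:<certificate DN>".
ACLS = {
    "/": [("anyone", "r")],
    "/atlas": [("group:atlas", "r"), ("group:webadmin", "rw")],
    "/atlas/private": [("group:webadmin", "rw"), (f"dn:{BOB}", "r")],
    "/lhcb": [("group:lhcb", "rw")],
}


def client_dn(environ):
    """Return the verified client DN from the mod_ssl CGI environment, or None.
    SSL_CLIENT_S_DN is only meaningful when SSL_CLIENT_VERIFY is SUCCESS: with
    'SSLVerifyClient optional_no_ca' Apache fills in the DN even when the chain
    did not validate against SSLCACertificatePath."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return environ.get("SSL_CLIENT_S_DN") or None


def normalise(path):
    """Collapse '.', '..' and repeated '/' so that '/atlas/../lhcb/x' is judged
    against the /lhcb ACL and not the /atlas one."""
    return posixpath.normpath("/" + path.lstrip("/"))


def acl_for(path):
    """Entries of the longest ACL directory that contains path."""
    path = normalise(path)
    best = "/"
    for directory in ACLS:
        inside = path == directory or path.startswith(directory.rstrip("/") + "/")
        if inside and len(directory) > len(best):
            best = directory
    return ACLS[best]


def permissions(dn, path):
    """Permission letters granted to dn (None = anonymous) on path."""
    groups = USERS.get(dn, set()) if dn else set()
    granted = set()
    for principal, perms in acl_for(path):
        if principal == "anyone" \
           or (dn is not None and principal == f"dn:{dn}") \
           or (principal.startswith("group:") and principal[6:] in groups):
            granted.update(perms)
    return "".join(sorted(granted))


def authorise(environ, path, method):
    """True if the request may proceed: GET/HEAD need 'r'; anything that
    changes content (PUT, DELETE, POST, MOVE, ...) needs 'w'."""
    needed = "r" if method in ("GET", "HEAD") else "w"
    return needed in permissions(client_dn(environ), path)


def verified(dn):
    """Constructed environment for a client whose certificate chain validated."""
    return {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": dn}


if __name__ == "__main__":
    print(authorise(verified(ALICE), "/atlas/private/notes.txt", "PUT"))
    print(authorise({}, "/atlas/index.html", "GET"))
```

Two points carry the security weight: the DN is trusted only when mod_ssl reports SSL_CLIENT_VERIFY=SUCCESS, since the DN string alone proves nothing, and the request path is normalised before the ACL lookup so a '..' cannot borrow a more permissive directory's ACL. Because mod_ssl's DN string uses the same "/O=Grid/..." form as GSI, the users database here is exactly the grid-mapfile DN list from the earlier slide.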
GridSite: more information
• GridSite homepage at http://www.gridpp.ac.uk/gridsite/
• Mailing lists gridsite-announce and gridsite-discuss at
jiscmail
• Software covered by GPL Open Source License
– so you are welcome to use it, modify it, distribute modified copies
– but we all share the benefit of anything you distribute
• Intending to go from monolithic source to LGPL library +
minimal main()
• This will make it easier to reuse GridSite in other Grid /
Web applications, portals etc.
Delegation
• One commonly cited Web/Grid integration is a job
submission portal.
• But (lack of) delegation complicates this.
• X509 relies on having a private key and public certificate
– Web browser has access to both
• However, this only proves to the web server that we are
genuine.
• The web server does not have a way to then prove this to
another server (eg a gatekeeper) on our behalf.
• Globus gets round this by forwarding temporary proxy certificates
signed with the user’s private key, but web browsers do not do this.
Delegation: possible solutions
• Need to have a private key trusted by destination servers,
which we can use if we authenticate with the web server.
• This could be a personal key we have deposited with web
server.
• Or the server may make requests using its own key on our
behalf.
• New solution from Globus: Community Authorisation
Server (CAS). This is intended for non-Web contexts, but may
provide a convenient solution here too.
– Combine web server and CAS: requests authorised on the basis of
authorisation objects/symbols granted by CAS.
Merging Grid/Web/Filesystems
• Globus GASS library provides read and write access to
remote files using https
– so already possible to use https web servers like GridSite as file
servers within Grid applications
– can access them via normal web browser as described above
• Work now starting to provide distributed filesystems using
Grid protocols
– SlashGrid framework ( http://www.gridpp.ac.uk/slashgrid/ )
– map files on remote servers to local filenames, with caching:
https://www.gridpp.ac.uk/file.txt =>
/grid/https/www.gridpp.ac.uk/file.txt
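An added example of the URL-to-filename mapping above (not SlashGrid's code; the mount point /grid and the sample URLs are constructed). The point a practitioner wants covered is that a URL chosen by someone else must not be able to name a file outside the mount: the hostname is validated, percent-encoding is decoded before '..' is collapsed, and NUL bytes are refused.

```python
"""Added example: the URL-to-filename mapping described for SlashGrid, with
the checks needed so a hostile URL cannot name a file outside the mount.
Not SlashGrid's code; the mount point and sample URLs are constructed."""
import posixpath
import re
from urllib.parse import urlsplit, unquote

MOUNT = "/grid"
# Plain DNS name: labels of letters, digits and hyphens separated by dots.
HOST_RE = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*")


def url_to_path(url, mount=MOUNT):
    """https://host[:port]/p/q  ->  <mount>/https/host[:port]/p/q
    Raises ValueError for anything that does not map to a file at or below
    <mount>/https/<host>."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are mapped")
    host = parts.hostname or ""
    # A hostname like '..' or '' would become a directory step, so only a
    # plain DNS name (no userinfo, no IPv6 brackets) is accepted.
    if parts.username or parts.password or not HOST_RE.fullmatch(host):
        raise ValueError(f"unacceptable host {host!r}")
    if parts.port is not None and parts.port != 443:
        host = f"{host}:{parts.port}"
    # Percent-decode first so '%2e%2e' is seen as '..' and collapsed; a NUL
    # would truncate the name in C code underneath, so refuse it outright.
    decoded = unquote(parts.path or "/")
    if "\x00" in decoded:
        raise ValueError("NUL in path")
    # normpath on a rooted path cannot climb above '/', so '..' segments are
    # resolved the way the remote server would resolve them, not against the
    # local mount point.
    rel = posixpath.normpath("/" + decoded.lstrip("/"))
    base = posixpath.join(mount, "https", host)
    full = posixpath.normpath(base + rel)
    if full != base and not full.startswith(base + "/"):
        raise ValueError("path escapes the mount")  # defence in depth
    return full


def path_to_url(path, mount=MOUNT):
    """Inverse mapping for files already under <mount>/https/."""
    prefix = posixpath.join(mount, "https") + "/"
    if not path.startswith(prefix):
        raise ValueError("not a mapped https file")
    host, _, rest = path[len(prefix):].partition("/")
    return f"https://{host}/{rest}"


def try_map(url):
    """None instead of an exception, for callers that only need yes/no."""
    try:
        return url_to_path(url)
    except ValueError:
        return None


if __name__ == "__main__":
    print(url_to_path("https://www.gridpp.ac.uk/file.txt"))
    print(try_map("https://../etc/passwd"))
```

The hostname check matters as much as the path check: with a hostname of '..' the base directory itself would be /grid/https/.., and no amount of path normalisation after that point would keep the result under the mount.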
Summary
• X509 security protocols common to Web and Grid
• Possible to use existing Grid certificates in a Web context
• GridSite is an Open Source demonstration of this
– will provide a toolbox for people building Grid/Web
applications
• Delegation of credentials to allow access to “third party”
sites an issue
– but solutions are possible
• More Web / Grid / Filesystem integration in the pipeline