Presentation-AM-SecureWebInterfacex


DIRAC Web User Interface
A.Casajus (Universitat de Barcelona)
M.Sapunov (CPPM Marseille)
On behalf of the LHCb DIRAC Team
Outline


Goals and features
Framework description
 - Architecture
 - Security
 - Querying the DIRAC services
Web pages examples
 - Monitoring pages
 - Site map
Current limitations
Conclusions
CHEP 2009, Prague
Why a web interface?

DIRAC is the distributed data production and analysis system for the LHCb experiment

Users need to interact with DIRAC
 - The usual solution is command-line tools or desktop GUIs

The web provides an interface with many benefits
 - Operating system independent
 - Minimal requirements (browser, internet)
 - GUI with no installation
 - Familiar to users

Required features

Provide a user-friendly interface to DIRAC

Not only an information display but a fully interactive web application
 - Take advantage of modern web technologies
 - Mimic a desktop application

DIRAC users are organized in groups based on privileges
 - The web interface has to react to the user’s group
   • Very different profiles, such as production manager, administrator, analysis user…
 - Apply authentication and authorization rules to user requests

Secure interface based on grid certificates

DIRAC Web Portal
Internals

Each user action triggers an AJAX call to the web server

Each web page is mapped to a Python function

Web pages interact with DIRAC using DISET (DIRAC’s secure communication framework)

JavaScript is used to create an environment that behaves like a normal application.

Architecture




Apache and mod_ssl provide the web server, secure connections and authentication mechanism

DIRAC’s web user interface uses Pylons as the web framework

mod_python is the bridge to execute Pylons under Apache

To give a consistent “look and feel” to the web pages, we use ExtJS as the JavaScript widget library

Authorization and authentication





DIRAC’s web interface allows secure and insecure connections

Insecure connections are only allowed to access general information pages

Users have to load their certificates in the web browser to access the sensitive parts of the web interface

Once the user has been authenticated, the same authorization mechanism that DIRAC uses is applied.

Users can belong to more than one group. The web interface lets them select which group is active for the session.

Authorization and authentication


Different groups have different privileges, and that is reflected on the web pages

Each group can perform different actions

[Screenshots: User, Administrator]

Service queries

Typically, when a user requests a web page, the request triggers a query to a DIRAC service.

Service queries

Service queries can be originated by:
 - The web interface itself, if the connecting user is anonymous (insecure connection)
 - The connecting user, if it’s a secure connection

Services need to know who is requesting a query so they can apply their authorization rules and modify their behavior accordingly

If the query was originated by the user, the web server has to forward the user credentials to the services

How to do that? (next slide)

Forwarding credentials

Use DIRAC’s ProxyManager to retrieve a user’s proxy and use it to contact the final service
 - Pros:
   • Cannot “invent” credentials
 - Cons:
   • Users that don’t have a valid proxy in DIRAC can’t use the web
   • Need to keep proxies as long as the real certificate for all user/group combinations

Connect to the service using the web service credentials and “tell” the service who the user is
 - Pros:
   • Users don’t need to do anything
   • Works automatically for all registered users
 - Cons:
   • Can “invent” any credential. If the web certificate gets stolen…

Both solutions are implemented, but the second one is currently being used

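The trust model of the second option, sketched as an added example (not DIRAC or DISET code): a service accepts a forwarded identity only from an allowlisted web-server certificate, checks the asserted user/group pair against its own registry, and records both identities for audit. All names, DNs, groups and actions below are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; DNs, group names and action names are made up.
TRUSTED_HOSTS = {"/O=Example/OU=Hosts/CN=web.example.org"}
USER_GROUPS = {"/O=Example/CN=Alice": {"user", "prod_manager"},
               "/O=Example/CN=Bob": {"user"}}
GROUP_ACTIONS = {"user": {"job.view"},
                 "prod_manager": {"job.view", "job.kill"}}
ANONYMOUS_ACTIONS = {"info.view"}


@dataclass(frozen=True)
class Request:
    peer_dn: str                          # DN of the certificate on the connection
    action: str
    asserted_dn: Optional[str] = None     # user the peer says it acts for
    asserted_group: Optional[str] = None  # group active in the web session


def authorize(req, audit):
    """Service-side decision; returns (allowed, reason) and appends an audit record.

    Simplification: a request without a forwarded user is treated as the web
    interface querying on behalf of an anonymous visitor.
    """
    if req.asserted_dn is None:
        ok = req.action in ANONYMOUS_ACTIONS
        reason = "anonymous" if ok else "anonymous: action not public"
    elif req.peer_dn not in TRUSTED_HOSTS:
        # Only allowlisted hosts may speak for someone else.
        ok, reason = False, "peer not trusted to assert identities"
    elif req.asserted_group not in USER_GROUPS.get(req.asserted_dn, set()):
        # The service re-checks membership instead of trusting the web tier.
        ok, reason = False, "user not registered in asserted group"
    else:
        ok = req.action in GROUP_ACTIONS.get(req.asserted_group, set())
        reason = "group rules" if ok else "action not allowed for group"
    # Record both identities so misuse of the web certificate can be traced.
    audit.append((req.peer_dn, req.asserted_dn, req.asserted_group, req.action, ok))
    return ok, reason
```
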
Interface example
Interface example
[Annotated screenshot. Callouts: main menu; selections; buttons to open/collapse panels; menu to change DIRAC setup; actions to perform for job(s); buttons to submit or reset the form; total amount of items; pagination controls; items per page; refresh table; DIRAC Group; current location; certificate DN]

Monitoring pages
Monitoring pages allow users to:
 - Display all available information from objects. They can be user jobs, productions, data transfer requests…
 - Easily access information associated with an object (e.g. user jobs):
   • JDL
   • Attributes
   • History
   • Peek output of jobs while running
   • Access logs:
     • Log files (if any)
     • Standard output and standard error of the pilot that executed the job (if it is accessible)
 - Perform actions on an item or on a group:
   • Reschedule
   • Kill
   • Delete

Site Map
Creating views
Known limitations
There are several known limitations:

Requires a modern browser with JavaScript enabled

The DIRAC web portal doesn’t work properly in all browsers.
 - Almost every browser has a different JavaScript engine and different debugging tools (if any)

Because the pages are completely dynamic, displaying big tables (100+ rows) can take time
 - Especially on old hardware

The DIRAC portal is not yet optimized and initial loading can take time

Conclusions

The web interface allows users to easily interact with DIRAC in a secure way

Desktop application behavior without extra software installation

Web pages are aware of groups and react to them

Actions are only allowed following the authorization rules
 - Same mechanism as the DIRAC Services

Smooth learning curve for new users

http://lhcbweb.pic.es