- Number of slides: 18
Testbed Release in the UK
• Integration Team
• UK deployment
• TB1 Job Lifecycle
• VO: Authorisation
• VO: GIIS and Resource Broker
• What about non-Testbed machines / experiments?
Andrew McNab - Manchester HEP - 31 January 2002
Integration Team
• ~20 people drawn from EDG middleware WPs and WP6.
• Intensive integration period at CERN during October – had to have another one in December!
• Testbed farm of ~20 machines at CERN
• Presentations at CERN on 29th October for sysadmins / local experts – see these talks for technical details: http://marianne.in2p3.fr/
• Everything taking longer than planned – rollout ongoing (currently CERN, CNAF, Manchester, RAL, Lyon, NIKHEF, ...) but TB1 still a moving target
• Don't expect your local sysadmin to be able to do an "off the shelf" installation yet.
UK Deployment
• Start with UK WP6 people (+ other experts)
• Use the tb-support@jiscmail.ac.uk mailing list
• http://www.gridpp.ac.uk/tb-support/ has:
  – mailing list information
  – recipe for installing the ~1.0 release (ie last week's) of Computing Element, Storage Element, User Interface machine and Worker Node.
  – in principle, 1.1 released today
• Once some WP6 sites are up, encourage more sites to test the installation procedure, docs etc.
Authorisation
• a.k.a. "how do I maintain the grid-mapfile list of certificate names and local user names?"
• WP6 provides a standard way of publishing lists of certificate names via an LDAP server, and selecting subsets based on group or "Virtual Organisation" (eg experiment) affiliation.
• gridmapdir patch to Globus provides dynamic user account allocation from a pool.
• Each experiment needs to maintain a "VO Server" and populate it with the DNs of their members
  – For LHC experiments, the VOs are at NIKHEF.
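As an added example (not code from the talk, and not the real Globus gridmapdir patch), a simplified model of the grid-mapfile lookup and pool-account allocation the slide describes. It assumes a leading dot in the mapfile's account column marks a pool prefix, that pool accounts are files in a gridmapdir and that an allocation is a hard link named after the hex-encoded DN (so link count 2 means "assigned"); all DNs, accounts and paths are constructed.

```shell
#!/bin/sh
# Simplified model of grid-mapfile + pool accounts (constructed demo, not Globus code).
set -eu
DEMO="${TMPDIR:-/tmp}/gridmap-demo.$$"; MAPFILE="$DEMO/grid-mapfile"; MAPDIR="$DEMO/gridmapdir"
mkdir -p "$MAPDIR"; trap 'rm -rf "$DEMO"' EXIT

# Constructed grid-mapfile: one static mapping, three users sharing the "atlas" pool.
cat > "$MAPFILE" <<'EOF'
"/C=UK/O=eScience/OU=Manchester/CN=alice smith" alice
"/C=UK/O=eScience/OU=Manchester/CN=bob jones" .atlas
"/C=UK/O=eScience/OU=Manchester/CN=carol lee" .atlas
"/C=UK/O=eScience/OU=Manchester/CN=dave who" .atlas
EOF
touch "$MAPDIR/atlas001" "$MAPDIR/atlas002"   # the whole pool: only two accounts

encode_dn() { printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'; }   # injective, filename-safe
link_count() { ls -ld "$1" | awk '{ print $2 }'; }

# Local account (or .pool prefix) for a DN; exact match on the quoted DN.
lookup_map() { grep -F -- "\"$1\" " "$MAPFILE" | awk '{ print $NF }' | head -n 1; }

# Hand out a free pool account, or return the one already linked to this DN.
allocate_pool() {
  link="$MAPDIR/$(encode_dn "$1")"
  if [ -e "$link" ]; then        # DN already has an account: reuse it (stable mapping)
    basename "$(find "$MAPDIR" -name "$2*" -samefile "$link")"; return 0
  fi
  for acct in "$MAPDIR/$2"[0-9]*; do
    if [ "$(link_count "$acct")" -eq 1 ]; then   # only one name => still free
      ln "$acct" "$link"; basename "$acct"; return 0
    fi
  done
  echo "pool '$2' exhausted, refusing $1" >&2; return 1   # fail closed, never share an account
}

# Resolve a DN the way a gatekeeper would: static account or pool allocation.
map_dn() {
  entry=$(lookup_map "$1")
  [ -n "$entry" ] || { echo "DN not in grid-mapfile: $1" >&2; return 1; }
  case "$entry" in
    .*) allocate_pool "$1" "${entry#.}" ;;
    *)  echo "$entry" ;;
  esac
}

map_dn "/C=UK/O=eScience/OU=Manchester/CN=bob jones"   # first pool user gets atlas001
```

The exhaustion branch is the case to watch operationally: a pool that runs out silently (or that recycles accounts still holding another user's files) turns an authorisation mechanism into a sharing one.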
GIIS and Resource Broker
• a.k.a. "how do I get on the list of sites and receive jobs?"
• GRIS - local LDAP server on, say, a Computing Element (= site gateway)
• GIIS - indexing LDAP server, which receives information from GRISs
• Currently use the Resource Broker at CERN - it uses the local GIIS to get the list of TB1 sites
• For sites to receive jobs, they need to be registered with the GIIS used by the users' RB.
• Experiments (or even sites?) might want their own RB, since it is easily overloaded in the current architecture.
Non-Testbed 1 machines / expts
• "Being part of Testbed 1" involves committing to using the right version of Red Hat (6.2), the grid software and some extra packages.
• But all of this work has been done in a modular way – some dependencies between modules, but interfaces are spelt out.
• Should be possible to install some or all of the TB1 software on existing farms without matching participation requirements exactly.
• Would also be possible to use strictly compliant front end machines along with differently configured back end nodes.
Summary
• TB1 being rolled out
• Basic job submission, brokerage etc working
• Ready to deploy 1.0 (and imminent 1.1) in UK
• Experiments need to set up VO structures
• Non-LHC experiments should be able to use TB1 components
Grid/Web integration
• Common use of SSL
• Importing certificates into browsers
• GridSite as an example application
• Limits to delegation
• Possible solutions
• Merging Grid / Web / Filesystems
Common use of SSL ("TLS")
• https URLs based on X.509 certificates and the SSL protocol – eg https://secure.amazon.co.uk/
• Globus's security infrastructure (GSI) based on X.509 too – eg the user and host certificates from the UK HEP CA
• Host certificates (hostkey.pem / hostcert.pem) can be used directly as Apache mod_ssl credentials.
• Using openssl, you can easily change a PEM key / cert pair into the PKCS#12 file format used by web browsers.
• This works in all https-aware versions of Netscape and IE.
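The PEM-to-PKCS#12 conversion mentioned above, as an added example (not from the talk): it assumes the openssl command-line tool is installed, stands in a self-signed pair for the CA-issued usercert.pem / userkey.pem, and uses constructed paths and a constructed subject.

```shell
#!/bin/sh
# Convert a Globus-style PEM key/cert pair into a PKCS#12 bundle a browser can import.
set -eu
WORK="${TMPDIR:-/tmp}/grid-p12-demo.$$"
mkdir -p "$WORK"; trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a CA-issued user certificate: self-signed, demo only.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=UK/O=eScience/OU=Manchester/CN=demo user" \
    -keyout "$WORK/userkey.pem" -out "$WORK/usercert.pem" 2>/dev/null
}

# Bundle key + cert into PKCS#12. The export password protects the private key
# inside the .p12 file; the browser asks for it once at import time.
pem_to_p12() {
  key="$1"; cert="$2"; out="$3"; pass="$4"
  openssl pkcs12 -export -inkey "$key" -in "$cert" \
    -name "Grid user certificate" -out "$out" -passout "pass:$pass"
  chmod 600 "$out"   # the bundle carries the private key: owner-readable only
}

# Read the bundle back and show the subject DN the browser will present to servers.
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null
}

make_demo_pair
pem_to_p12 "$WORK/userkey.pem" "$WORK/usercert.pem" "$WORK/usercert.p12" "demo-export-pw"
p12_subject "$WORK/usercert.p12" "demo-export-pw"
```

Delete the .p12 copy once it is imported; a forgotten bundle in a home directory is an exportable copy of the Grid credential, protected only by the export password.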
What does SSL buy you?
• Server has a host certificate, so the browser can verify the server is genuine, and not someone impersonating it or doing a man-in-the-middle attack.
• If the browser has a user certificate, the user can prove who they are.
  – So the server can implement access control, logging etc.
  – Since the certificate DNs are also used in Grid applications, can share information, authorisation etc between the two.
• All transfers are encrypted.
• (Downside is that transfers are slower and impose more computational burden on the web server.)
What do you need to do?
• Get a host certificate for the web server from a CA your users will trust (eg a TB1 CA: UK HEP CA, CERN, ...)
• Make sure your users have certificates from a CA you trust.
• Maintain a users database, including their DNs, to specify authorisation levels.
  – group users and specify access according to those groups?
• Providing simple administration tools will make things much less painful for you as the number of users ramps up.
• (If you already have a VO authorisation server, you might be able to automate a lot of this...)
Example: GridSite
• Written for http(s)://www.gridpp.ac.uk/
  – also used for the WP6/TB1 site: http(s)://marianne.in2p3.fr/
• Maintains a database of users and groups – can be administered using a normal web browser
• Read and write access to directories controlled by ACLs – use the same format as the SlashGrid filesystem framework
• Since web browsers' https and Globus GSI are both based on X.509 certificates, can reuse the UK HEP CA user certificates in a WWW context.
• Since we have strong user authentication, can allow write access through a web browser.
GridSite: more information
• GridSite homepage at http://www.gridpp.ac.uk/gridsite/
• Mailing lists gridsite-announce and gridsite-discuss at jiscmail
• Software covered by the GPL Open Source License
  – so you are welcome to use it, modify it, distribute modified copies
  – but we all share the benefit of anything you distribute
• Intending to go from monolithic source to LGPL library + minimal main()
• This will make it easier to reuse GridSite in other Grid / Web applications, portals etc.
Delegation
• One commonly cited web/grid integration is a Job Submission Portal.
• But (lack of) delegation complicates this.
• X.509 relies on having a private key and public certificate
  – Web browser has access to both
• However, this only proves to the web server that we are genuine.
• The web server does not have a way to then prove this to another server (eg a gatekeeper) on our behalf.
• Globus gets round this by forwarding temporary proxies signed by the private key, but web browsers do not do this.
Delegation: possible solutions
• Need to have a private key trusted by destination servers, which we can use if we authenticate with the web server.
• This could be a personal key we have deposited with the web server.
• Or the server may make requests using its own key on our behalf.
• New solution from Globus: Community Authorisation Server. This is intended for non-Web contexts, but may provide a convenient solution here too.
  – Combine web server and CAS: requests authorised on the basis of authorisation objects/symbols granted by CAS.
Merging Grid/Web/Filesystems
• Globus GASS library provides read and write access to remote files using https
  – so already possible to use https web servers like GridSite as file servers within Grid applications
  – can access them via a normal web browser as described above
• Work now starting to provide distributed filesystems using Grid protocols
  – SlashGrid framework ( http://www.gridpp.ac.uk/slashgrid/ )
  – map files on remote servers to local filenames, with caching: https://www.gridpp.ac.uk/file.txt => /grid/https/www.gridpp.ac.uk/file.txt
Summary
• X.509 security protocols common to Web and Grid
• Possible to use existing Grid certificates in a Web context
• GridSite is an Open Source demonstration of this – will provide a toolbox for people building Grid/Web applications
• Delegation of credentials to allow access to "third party" sites is an issue – but solutions are possible
• More Web / Grid / Filesystem integration in the pipeline