- Number of slides: 23
User Support in IGI: Related Tools and Services in Italy
Giuseppe LA ROCCA (giuseppe.larocca@ct.infn.it)
INFN – Sez. di Catania, Italy
EGI Technical Forum 2011, 19-23 September 2011, Lyon Conference Centre, France
EGI-InSPIRE RI-261323 www.egi.eu
Outline
• Introduction to the RESTful “lightweight” crypto library API:
  – The Architecture;
  – SW/HW Requirements;
  – Success stories.
• Investigation of new solutions for the design of a general purpose Grid portal for scientific applications.
• GriF: a collaborative tool for grid empowered computational applications.
• Introduction to the RESTful “lightweight” crypto library API:
  – The Architecture;
  – Software Requirements:
    • Java™ PKCS#11, Bouncy Castle and Java CoG Kits;
    • JAX-RS 1.2 Java APIs using the Jersey implementation;
    • VOMS-API v. 3.0;
    • Apache Tomcat 6.0.32 as a Web Container;
  – Success Stories:
    • The DECIDE, ViralGrid and EUMEDGrid-Support use cases.
Why a RESTful “lightweight” crypto library?
• REST (Representational State Transfer) is nowadays a de facto standard for accessing distributed resources in a web-affine manner.
• Every resource is uniquely represented by a global ID;
  – E.g.: https://infn-lb-01.ct.pi2s2.it:9000/cANG8Wt2C8PYcL6h8YiLRg
• The JAX-RS (Java API for RESTful Web Services) specification, presented in JSR 311, defines a standard way to deploy RESTful web services;
• Jersey is the open source JAX-RS (JSR 311) Reference Implementation for building RESTful Web services.
Additional SW/HW Requirements …
• The Cryptographic Token Interface Standard (PKCS#11) is a standard introduced by RSA Data Security Inc;
  – It defines native programming interfaces to access cryptographic tokens (hardware cryptographic accelerators, smart cards, …);
• The Bouncy Castle APIs provide support for creating two kinds of X.509 certificates (ver. 1 and ver. 3);
• CoG Kits allow users to provide Globus Toolkit functionality within their code without calling scripts, or in some cases without having Globus installed;
• The VOMS-Admin library (ver. 3.0), developed in the context of the DILIGENT and D4Science projects, was used to interact with the VOMS server and retrieve the list of groups/roles per VO;
• eToken PRO smart cards (32/64 KB) with the pki-client software (ver. 4.55-34).
The 4-tier architecture of the “lightweight” crypto library
(Architecture diagram; recovered labels: Users, Client Applications, Grid Portals / Science Gateways)
Main Features
• Deployed on Tomcat Application Server (ver. 6.0.32);
• Based on the PKCS#11 standard;
• Thread-safe access to the list of smart cards;
• SSL encryption using a trusted host certificate;
• Caching of proxy certificates for each valid request. ID = serial + vo + fqan
  – If lifetime(request.ID) – threshold > 0, the cached proxy will be sent to the Science Gateways
  – Evaluated performance of the server using Apache JMeter:
    • ~6-8 s waiting time for a new proxy;
    • 20 ms for a cached proxy.
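The caching rule above, as an added example that is not the eToken server's own code: a proxy cache keyed on serial + vo + fqan that serves a cached proxy only while its remaining lifetime minus the threshold is still positive, and otherwise goes back to the slow smart-card path. The clock, the Proxy record, the mint() stand-in for the PKCS#11 signing step and the vo.example values are constructed for the demo.

```python
import threading
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

@dataclass
class Proxy:
    pem: str          # opaque PEM text of the proxy (constructed)
    not_after: float  # expiry, epoch seconds

class ProxyCache:
    """Proxy cache keyed on ID = serial + vo + fqan, with the slide's lifetime check."""
    def __init__(self, threshold_s: float, now: Callable[[], float]):
        self.threshold_s = threshold_s  # validity a served proxy must still have
        self.now = now                  # injectable clock (constructed for the demo)
        self._cache: Dict[Tuple[str, str, str], Proxy] = {}
        self._lock = threading.Lock()   # one token server, many gateways calling in
        self.hits = self.misses = 0

    @staticmethod
    def key(serial: str, vo: str, fqan: str) -> Tuple[str, str, str]:
        # tuple, not string concatenation, so "ab"+"c" and "a"+"bc" cannot collide
        return (serial, vo, fqan)

    def get(self, serial: str, vo: str, fqan: str, mint: Callable[[], Proxy]) -> Proxy:
        """Serve the cached proxy if lifetime(request.ID) - threshold > 0, else mint one."""
        k = self.key(serial, vo, fqan)
        with self._lock:
            cached = self._cache.get(k)
            if cached is not None and (cached.not_after - self.now()) - self.threshold_s > 0:
                self.hits += 1
                return cached
            # no entry, or too close to expiry: go back to the smart card (the ~6-8 s path)
            fresh = mint()
            self._cache[k] = fresh
            self.misses += 1
            return fresh

def demo() -> Tuple[int, int]:
    clock = [1_000.0]
    cache = ProxyCache(threshold_s=600, now=lambda: clock[0])
    minted = []
    def mint() -> Proxy:  # stand-in for the PKCS#11 signing step on the eToken
        minted.append(Proxy(f"-----PROXY {len(minted) + 1}-----", clock[0] + 3600))
        return minted[-1]
    cache.get("0001", "vo.example", "/vo.example/Role=NULL", mint)   # miss: first request
    cache.get("0001", "vo.example", "/vo.example/Role=NULL", mint)   # hit: 3600 - 600 > 0
    clock[0] += 3100                                                  # 500 s left, under threshold
    cache.get("0001", "vo.example", "/vo.example/Role=NULL", mint)   # miss: re-minted
    cache.get("0001", "vo.example", "/vo.example/Role=admin", mint)  # miss: different FQAN
    return cache.hits, cache.misses  # (1, 3)
```

A proxy whose remaining lifetime equals the threshold exactly is treated as a miss, since the rule requires a strictly positive margin.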
The working scenario
(Sequence diagram; recovered labels: (*) ask for a service; list/create request; eToken Server; (*) get results; execute service; retrieve serials/proxy; get results; ask for VOMS AC attributes and groups/roles; VOMS Server; SSL encryption; store long proxy; MyProxy Server)
Success Stories
• The new crypto library is currently used by:
  – The DECIDE Science Gateway (see the DECIDE demonstration at EGI-UF 2011 here); (Abstract [47] – “The DECIDE project Science Gateway”, on Sept. 20th, 14:00 – 14:15, Rhone 3)
  – The ViralGrid Science Gateway (web);
  – The EUMEDGRID-Support Service Challenge (web) and Science Gateway (Abstract [57] – “The EUMEDGRID-Support User Forum”, on Sept. 23rd, 09:00 – 12:30, Rhone 2)
• Investigation of new solutions for the design of a general purpose Grid portal for scientific applications.
Overview
• IGI (Italian Grid Initiative) is developing a web portal to ease access to grid and cloud services;
• The main goal is to hide the “complexity” of X.509 certificates (request and management);
• IGTF policies and guidelines have been taken into account when designing the framework.
Two different scenarios
• We distinguish between users with or without an X.509 certificate.
  – User with certificate: upload it;
  – User without certificate: the portal asks a CA-online for a certificate on behalf of the user.
Our Proposal
• The portal, using the SAML Delegation mechanism, asks a CA online for a Member Integrated Credential Services (MICS) certificate on behalf of the user;
• Why MICS?
  – Certificate management is easier and more transparent for the user;
  – It avoids failures for jobs that have been submitted close to the Short Lived Certificates (SLCs) expiration date.
Configuration
• During the first login, the user has to set his/her personal settings:
  – Select the Identity Federation;
  – Personal Information (FirstName, LastName, Institution, …);
  – Upload a new certificate (if any);
    • If none, a CA-online will be contacted for a certificate.
  – Add a VO membership;
  – Request a new VO membership;
  – Specify an FQAN for each VO.
Authentication (1/2)
• Strong user identification by means of an IdP belonging to an accredited identity federation (i.e. the IDEM federation);
  – If a user is not registered in an accredited identity federation, he/she can’t access the grid and cloud services through the portal.
• The portal redirects the user to his/her IdP login page;
• Once the proper IdP has authenticated the user, he/she will be automatically logged into the portal;
Authentication (2/2)
• The portal asks for a passphrase to retrieve the proxy from the MyProxy Server;
• The VOMS Server is contacted to sign the proxy with the right VOMS extensions.
4. Grid & Cloud Access
• For Job Submission and Data Management tasks, the portal uses WS-PGrade (MTA-SZTAKI);
  – Other solutions are under investigation:
    • e.g.: JSAGA (IN2P3);
• For Cloud resource provisioning the portal is interfaced with WNoDES (INFN-CNAF);
• The accounting portlet provides information for both environments.
The Portal Schema as a whole
• GriF: a collaborative tool for grid empowered computational applications.
What is GriF?
– GriF is a SOA Grid Framework aimed at running multi-purpose scientific applications on the EGI Grid;
– Easy submission over the Grid;
– Optimized distribution of tasks;
– Java based framework;
– Supports single and multiple job submission;
– For further information visit the link
Tools for an E-science environment: Efficient Grid submission
GCreS: a credit system to reward member activities
– Use Grid sensors to evaluate services provided;
– Use Grid sensors to evaluate user activities;
– Introduce a metric in the VO;
– Implement a credit system and cost of services.
Thank you!