150 likes | 158 Views
www.gridpp.ac.uk. Old version of website was maintained from Unix command line => needed (gsi)ssh access. Now replaced this with https based system. Since web browsers’ https and Globus GSI are both based on X509 certificates, can reuse the UK HEP CA user certificates in WWW context.
E N D
www.gridpp.ac.uk • Old version of website was maintained from Unix command line => needed (gsi)ssh access. • Now replaced this with https based system. • Since web browsers’ https and Globus GSI are both based on X509 certificates, can reuse the UK HEP CA user certificates in WWW context. • Since have strong user authentification, can allow write access through a web browser. Andrew McNab - Manchester HEP - 6 November 2001
Getting write access • You need: • A normal UK HEP CA user key and certificate • Access to OpenSSL to convert your key and cert to pkcs12 format (GridPP Globus1.1.3 distribution and EDG Globus2.0 both provide RPM’s of OpenSSL.) • An HTTPS web browser (Netscape, Internet Explorer, …) • To mail me with your certificate name (/O=Grid/…) and the area of the website you need write access to. • Directories on the website each have an access control list, specifying named groups of people (eg ca) with write access. Andrew McNab - Manchester HEP - 6 November 2001
Updating pages • Once you have your certificate working, pages you can edit will have Edit Page and List Directory links in their footer. • Edit Page gives you a form in your web browser window to edit the HTML source of the page. • List Directory allows you to create pages (initialised with some example HTML), create sub directories and upload files. • Upload is especially flexible, since you can use it to upload HTML pages (even if created with Frontpage), binaries, .doc and .ppt files etc from your desktop machine using your web browser. Andrew McNab - Manchester HEP - 6 November 2001
Currently being added... • Automatic date stamping, and logging of who has edited a page (via a history page.) • Viewing / roll back to older versions of a page. • Group admins, able to add new users to their group through the website. • Add optional per-directory read access control. • (All of the above exist in outline form in the code.) Andrew McNab - Manchester HEP - 6 November 2001
Other users • Underlying GridSite program is now also used for the EDG WP6 site: http://marianne.in2p3.fr/ • Intend to release the program under GPL (it uses some third party open source code already.) • More sites using it => more bugs found, more features added. • Also something we could disseminate to other UK grid communities who are providing their users with certificates. Andrew McNab - Manchester HEP - 6 November 2001
Testbed Tools and Release in the UK • Integration Team • Globus 2.0alpha. • Middleware work packages. • Testbed 1 vs Testbed 0. • Authorisation issues. • What about non-Testbed machines / experiments? • Interface with Integration Team work. Andrew McNab - Manchester HEP - 6 November 2001
Integration Team • ~20 people drawn from EDG middleware WP’s and WP6. • Intensive integration period at CERN during October. • Testbed farm of ten machines at CERN • Presentation at CERN on 29th October for sysadmins / local experts • see these talks for technical details: http://marianne.in2p3.fr/ • Extend Testbed 1 to partner sites (eg RAL) ~15th Nov. • Integration Team members will continue supporting roll-out to all sites - will take to end of 2001? Andrew McNab - Manchester HEP - 6 November 2001
Testbed 1 Distribution of Globus 2.0 • The Testbed 1 Distribution of Globus 2.0alpha was contributed by GridPP. • Globus’ own packaging effort makes it much easier to build a binary distribution of RPM’s. • WP4 requirements mean RPM distribution has no post-install scripts. • We hope the 2.0 installation process will be easier to support than 1.1.3 since it’s so much simpler. • But, some outstanding problems in underlying alpha release of Globus 2.0 are still being resolved. Andrew McNab - Manchester HEP - 6 November 2001
Globus related components • Globus RPM’s - very few modifications compared to standard Globus 2.0 of ftp.globus.org • edgconfig RPM’s - provide static config files and “smart” daemon startup scripts • All configuration parameters in /etc/globus.conf • Certificate Authority RPM’s • Modular CA directory now means one RPM per CA that you want to trust (Globus CA not included.) Andrew McNab - Manchester HEP - 6 November 2001
Work packages’ software • WP’s provide their software in RPM packages • again, no postinstall scripts, static config files. • Many of the tools (eg WP1 job submission) potentially very useful to experiments outside EDG. • WP software has been developed in a modular way • should allow installing subsets on non-Testbed machines Andrew McNab - Manchester HEP - 6 November 2001
TB1 vs “TB0” • Globus installation easier if anything • eg no globus user, no need to configure multiple config files. • Need to get UK HEP CA host certs. • But users carry on using UK HEP CA user certs. • Local batch system (eg PBS) still manages local farm. • Now need to configure WP software too. • Need to register with national MDS but also experiment MDS. • Need procedure to add new users to grid-mapfile. Andrew McNab - Manchester HEP - 6 November 2001
Authorisation • a.k.a “how do I maintain the grid-mapfile list of certificate names and local user names?” • WP6 provides a standard way of publishing lists of certificate names via an LDAP server, and selecting subsets based on group (eg experiment) affiliation. • Still leaves the problem of creating new accounts every morning as people “join the Grid” • Either need a formal procedure to do this rigorously at your site • Or use the gridmapdir patch to Globus and dynamic accounts (this is included in the EDG Globus distribution.) Andrew McNab - Manchester HEP - 6 November 2001
Non-Testbed1 machines / expts • “Being part of Testbed 1” involves committing to using the right version of RedHat (6.2), the grid software and some extra packages. • But, all of this work has been done in a modular way • some dependencies between modules, but interfaces are spelt out. • Should be possible to install some or all of TB1 software on existing farms without matching participation requirements exactly. • Would also be possible to use strictly compliant front end machines along with differently configured back end nodes. Andrew McNab - Manchester HEP - 6 November 2001
Integration => Deployment • Part of original idea of EDG Integration Team was that we would help rollout the software in our home country after the integration period. • Some preliminary work for this already happening due to people’s involvement in the Integration (whether formally in the IT or not) • One UK site participated in the IT demo of the WP1 job submission last Monday. • MDS being prototyped between some UK sites. • On going tests of globus-globus job submission, gridftp etc between RPM build machine and CERN testbed machines. • Alpha versions of WP software tested at participants’ sites. • RAL will participate in first wave of rollout to partner sites. • But clearly need some kind of “UK Deployment Team” to help all UK sites get onboard - see John Gordon’s talk / discussion for this. Andrew McNab - Manchester HEP - 6 November 2001
Summary • Testbed 1 Globus Distribution exists • generally better / easier than Globus 1.1.3 • Middleware software exists • being readied for testing outside Integration Team • Testbed 1 has formal requirements for participation • but some scope for using software in other contexts • Need to sort out some kind of UK “deployment team” Andrew McNab - Manchester HEP - 6 November 2001