Packaging installation - PowerPoint PPT Presentation


1
Packaging / installation
  • Ready to take globus-1.1.3-6 from prerelease to
    release.
  • Alex has prepared GSI openssh RPMs.
  • New UKHEP CA configuration files need to be
    distributed.
  • Announce production RPMs next week?

Andrew McNab - Manchester HEP - 11 May 2001
2
Using the Grid in Babar UK
  • Babar UK is taking delivery of 6 PC farms
  • They're keen to evaluate/use Grid tools
  • This talk goes through some of the issues in
    actually doing it ...

3
Babar UK PC Farms
  • Farms at 6 UK Babar institutes
  • Each consists of 40 dual-processor back-end
    modules with 800 MHz PIII and 2 x 100BaseT
  • and 2 dual-processor 1 GHz front-end machines
    with gigabit interfaces
  • Loaded with RH6.2 by vendor

4
Applications
  • Centrally managed Monte Carlo.
  • This could be done just using ad hoc tools.
  • User analysis jobs using data on local Sun raid
    arrays.
  • Grid tools can really contribute here, since
    Babar data will be distributed across UK sites.
  • Want Dr A at B University to be able to access skim
    C at the University of D ...

5
Globus 1.1.3 authorisation
  • In Globus 1.1.3, grid identities (certificate
    subjects) are mapped to local Unix usernames via
    grid-mapfile.
  • For analysis MC farms, either have to create
    lots of local Unix accounts at each site - lots
    of admin
  • Or map everyone to a single user - great
    potential for conflicts over use of /home etc,
    problems with accountability

6
Single execution account
  • Auditability problems - who actually did this?
  • What if one job script assumes it owns HOME?
  • What if we want access to remote AFS or Grid
    resources, especially write access?

7
Dynamic pool of accounts?
  • Sysadmin creates a pool of normal Unix accounts,
    with names like gpool001, gpool002, gpool003, ...
  • They can use their normal tools to do this,
    create quotas, Unix group(s) etc.
  • Temporarily lease accounts when presented with a
    certificate whose subject is in our grid-mapfile
  • Expire the lease when they are finished
    (defined locally)

8
Security and auditability
  • Authentication: users still have to provide a valid
    certificate, signed by a CA the local site trusts
  • Authorisation: certificate subjects must still be
    listed in the local grid-mapfile to get access
  • Auditability: the mapping of subjects to local Unix
    usernames is logged already, so we can still tell
    who a particular pool account was

9
gridmapdir Patch to Globus 1.1.3
  • All subject -> username mapping is already done by
    functions in Security/gss-assist/gridmap.c
  • Patch these to map subjects to pool users if
    their username in grid-mapfile is like . or
    .subpool
  • Five new functions in gridmap.c implement leasing
    (the lease database consists of links in the
    filesystem.)
  • Subpools with privileges, quotas etc are
    possible, e.g. .bbr will only be mapped to bbr001,
    bbr002, ...

10
Lease expiration
  • To reuse pool accounts, the lease must be terminated
    somehow - but the mechanics are very site dependent
  • Probably easiest to run a script from cron to
    expire leases
  • Either based on an expiration time (if you can
    guarantee the job will be finished by that time)
  • Or by job completion flagging the lease as not
    needed (e.g. via PBS prologue / epilogue scripts)
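
The leasing described on the gridmapdir slide and the cron-driven expiry above, as an added Python sketch of my own (not the gridmapdir patch's C code). It assumes a directory holding one empty file per pool account, a lease being a hard link to that file named after the URL-encoded subject (so a free account has link count 1), and that "." selects any pool account while ".bbr" selects only bbr* accounts.

```python
import os
import time
import urllib.parse

# Assumed layout (not from the talk): gridmapdir holds one empty file per pool
# account (gpool001, bbr001, ...). A lease is a hard link to that file named
# after the URL-encoded subject; subjects start with "/", so lease links start
# with "%" and pool account files never do.


def pool_prefix(username):
    """Username field of a grid-mapfile entry -> pool prefix, or None if static.

    '.' selects the default pool (assumed: any pool account), '.bbr' the
    subpool whose accounts are bbr001, bbr002, ..."""
    return username[1:] if username.startswith(".") else None


def lease_account(gridmapdir, subject, prefix=""):
    """Return the pool account leased to subject, leasing a free one if needed."""
    link = os.path.join(gridmapdir, urllib.parse.quote(subject, safe=""))
    if os.path.exists(link):  # existing lease: reuse it, keeps the audit trail stable
        return next(a for a in os.listdir(gridmapdir) if not a.startswith("%")
                    and os.path.samefile(link, os.path.join(gridmapdir, a)))
    for account in sorted(os.listdir(gridmapdir)):
        path = os.path.join(gridmapdir, account)
        if account.startswith("%") or not account.startswith(prefix):
            continue
        if os.stat(path).st_nlink != 1:  # already leased to another subject
            continue
        os.link(path, link)
        if os.stat(path).st_nlink != 2:  # lost a race with a concurrent lease
            os.unlink(link)
            continue
        os.utime(path)  # lease start time; both names share the inode's mtime
        return account
    raise RuntimeError("pool %r exhausted" % prefix)


def expire_leases(gridmapdir, max_age, now=None):
    """Cron-style pass: unlink leases older than max_age seconds, return freed subjects."""
    now = time.time() if now is None else now
    freed = []
    for name in os.listdir(gridmapdir):
        if not name.startswith("%"):
            continue
        path = os.path.join(gridmapdir, name)
        if now - os.stat(path).st_mtime > max_age:
            os.unlink(path)  # link count drops back to 1: the account is free again
            freed.append(urllib.parse.unquote(name))
    return freed
```

The lease link and the logged subject -> account mapping are what let a site answer "who was gpool001 at 14:02?" after the account has been recycled.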

11
Making grid-mapfile
  • Already proposals from INFN and UK about
    composing grid-mapfiles based on information
    published by LDAP.
  • Possible to make a very simple system for Babar
    in the short term.
  • If this is done, then we have all the components
    needed to avoid manual intervention by all
    sysadmins every time a new user joins the Grid.

12
AFS and Grid authentication
  • How to interface the existing AFS (kerberos)
    structure used by SLAC and RAL with the new Grid
    security infrastructure?
  • A mechanism using ssl -> k5 -> AFS/k4 exists
  • Simpler solution now from ANL, with new gsiklog
    command and gsiklogd daemon

13
gsiklog
  • Have gsiklogd running on the AFS authentication
    server machine.
  • User runs gsiklog client which contacts gsiklogd
    and authenticates using Grid (proxy) certificate.
  • gsiklogd makes an AFS token and returns it to
    gsiklog. AFS password not involved at any stage.
  • This means I can get AFS access for a batch job
    at a remote farm purely on the basis of Grid
    credentials.

14
Limiting authorisation
  • Currently no mechanism in Globus for limiting
    what a Globus initiated job can do.
  • We can make pool accounts with restricted quotas,
    in Unix groups with limited access to local
    resources.
  • Ideally want to run farms as isolated, simplified
    environments, with things like user cron jobs
    turned off, and some form of governor killing
    rogue processes.

15
Input and output
  • Job parameter files (config, scripts, binaries)
    included in the job, fetched via https, or accessed
    via AFS?
  • Data files from local system (NFS, http, https,
    rootd?)
  • Execution log file returned by email?
  • Detailed log files and output data files returned
    via AFS, https / GASS, rootd?

16
Data access protocols
  • NFS - ok for LAN, not WAN optimised, R/W but not
    secure, especially for writes.
  • AFS - ok for LAN or WAN, secure R/W, on-host
    caching, gsiklog works, no good for streaming
    data.
  • Normal http (e.g. Apache) - little or no
    authorisation (mainly host based), optimised for
    bursts on the WAN. Very solid. TWebFile exists
    for ROOT.
  • GASS https - Grid specific, secure, R/W.

17
Data access protocols cont.
  • rootd - native support within ROOT, secure, plans
    to add GSI authentication / authorisation and
    use parallel streams etc (possibly on top of
    GridFTP?)
  • GridFTP - aims to become the data transfer Swiss
    Army Knife: secure R/W, auto-optimising (window
    sizes etc), parallel streams. Exists in alpha
    form at the moment. Will be added to future
    Globus releases.
  • GridFTP the protocol to put long term effort into?

18
Summary
  • Babar UK has a clear and pressing need for what
    is being provided by the Grid.
  • Tools to publish authorisation list from
    central source exist.
  • Dynamic accounts possible via gridmapdir patch.
  • AFS can now be made Grid-friendly.
  • Several other protocols available for moving
    data.
  • Babar PC farms are an excellent environment for
    early deployment and evaluation of Grid tools.
