Alessio Rocchi, G. Bracco, S. Migliori, S. Podda, A. Santoro, C. Sciò

[email protected]

Slides: agenda.ct.infn.it/event/87/session/5/contribution/179/material/slides/0.pdf

Three fundamental pillars
◦ Andrew File System (information distribution over a Wide Area Network)
◦ Platform® LSF (computing resources management for job submission)
◦ Kerberos 5 realm (authentication domain)

CRESCO HPC System
◦ 17.1 Tflop (HPL)
◦ 2720 Cores
◦ Fully integrated with ENEAGRID

Alessio Rocchi – Catania 2009.02.12

Extended GRID infrastructures are complex to maintain, administer and use

Pre-packaged applications are difficult to adapt to such a complex context
◦ Often they do not even exist!

Challenge: software tailored to the needs of the whole GRID system
◦ Integrated
◦ Usable
◦ Effective


Administrator-aware services
◦ AMACA
◦ ARCO
◦ WARC

User-aware services
◦ JobRama
◦ Ticketing System, Password changer, Grid Account request manager

Security for sensitive data and applications is guaranteed by a Unified Access API (UAA), implemented both in web server systems and stand-alone www-deployed software.


Unified Access API (UAA)

Administrator-aware services
◦ AMACA (AFS Memorize and Check Application)
◦ ARCO (AFS Remote Command Operator)
◦ WARC

User-aware services
◦ JobRama
◦ Ticketing System, Password changer, Grid Account request manager

Unified Access API (UAA) provides a tool to build www-services fully integrated with ENEA-GRID

K5: strong user authentication over the entire GRID realm ENEA.IT.

OpenAFS: provides meta-resources for authorization
◦ Access to every service (or feature) is granted on a user/group basis
◦ When required, services have root or AFS admin privileges


How?
◦ Inter Process Communication over HTTP with PAG shell
  We need to be sure that every race condition on token acquisition is avoided
◦ Requests for login and PTS membership are sent, and results are compared with user-defined entries.
◦ If access is granted, an encrypted cookie is generated in order to store information
◦ PAG shell and PTS are AFS-specific features
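The access check and cookie issue described above, as an added Python example (not the ENEA-GRID UAA code, which is PHP and uses proc_open()). The `pts membership` listing is a constructed sample; the `group:` entry syntax, the `pagsh` wrapper and the HMAC-signed cookie standing in for the original's encrypted one are assumptions.

```python
import base64, hashlib, hmac, json, shlex, subprocess, time

# Constructed sample of `pts membership <user>` output; not a real ENEA-GRID listing.
SAMPLE_PTS = "Groups arocchi (id: 1234) is a member of:\n  cresco-users\n  amaca-operators\n"

def pts_membership_in_pag(user):
    """Run pts inside its own PAG shell so the AFS token for this request cannot
    collide with another request's token (assumes pagsh and pts are on PATH)."""
    cmd = ["pagsh", "-c", "pts membership " + shlex.quote(user)]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_pts_membership(output):
    """Return the set of PTS groups listed under the 'Groups ... is a member of:' header."""
    lines = output.strip().splitlines()
    if not lines or not lines[0].startswith("Groups "):
        raise ValueError("unexpected pts output")
    return {ln.strip() for ln in lines[1:] if ln.strip()}

def access_granted(user, groups, allowed):
    """Compare the user and PTS groups with the service's user-defined entries.
    Entries are plain user names or 'group:<pts group>' (this naming is an assumption)."""
    return any(e[6:] in groups if e.startswith("group:") else e == user for e in allowed)

def make_cookie(user, groups, key, ttl=3600, now=None):
    """Session cookie issued after a successful check. The original UAA encrypts its
    cookie; this stand-in only authenticates it with HMAC-SHA256 plus an expiry."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"u": user, "g": sorted(groups), "exp": now + ttl}).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(body + b"." + sig).decode()

def verify_cookie(cookie, key, now=None):
    """Return the cookie payload if the MAC is valid and it has not expired, else None."""
    now = int(time.time()) if now is None else now
    body, _, sig = base64.urlsafe_b64decode(cookie.encode()).rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(body)
    return data if data["exp"] > now else None

def login(user, pts_output, allowed, key, now=None):
    """Whole UAA-style flow on a given pts listing: decide, then issue the cookie or None."""
    groups = parse_pts_membership(pts_output)
    if not access_granted(user, groups, allowed):
        return None
    return make_cookie(user, groups, key, now=now)
```

In a deployment `login` would be fed by `pts_membership_in_pag` after the Kerberos login step; the pure functions above are what can be exercised offline.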


Advantages
◦ Security: No need to maintain and share many databases for accounting information. Let Kerberos do all the dirty work.
◦ Maintainability: One single software piece distributed over a wide application set is easy to maintain.
◦ Granularity: Access validation over groups, not only users.

Limitations
◦ Available only on *nix systems (needs PAG shell)
◦ Needs PHP IPC to be enabled for the site to protect (proc_open())


AFS administration effort is higher than the one needed to manage a standard POSIX file system
◦ Metadata/data are deployed over a WAN. It is important to keep track of what (and when!) is happening everywhere to everything
◦ No features like a historical database
◦ Consistency checks are important

AMACA: two-module application for batch and on-demand discovery of AFS core components status

Crawler stores unstructured data in a MySQL backend
◦ fine-grained data mining operations

Differentiation among subsequent crawler invocations is done by identifying every resultset with a unique ID (snapshot)

Explorer implements business logic about data aggregation, visualization and alarm generation
◦ Historical analysis on file system variations
◦ Parameterized searching


AFS Remote Command Operator

Why?
◦ Visual execution of remote commands over large and sparse machine clusters
◦ Initially bound to Platform® LSF™ clients and servers management (daemon handling). Currently able to perform any operation on any machine.

How?
◦ Administrators register target machines and services, and establish associations among them (many-to-many relationship)
◦ History is maintained about who executes what
◦ Extended UAA for access validation and operation control


[Diagram: Machines registration, Services definition, Command execution, UAA PTS verification, MySQL. Legend: User I/O, DB transfers, Net transactions.]

Web management of ENEA-GRID users and project areas for a WAN distributed AFS cell.

Integrated with K5 and OpenAFS

Can delegate administration privileges (both AFS and K5) to selected users
◦ Privileges can be restricted to a single site
◦ Limited administration rights can be granted to basic users when needed for project area administration.
◦ Utility developed in collaboration with ENEA by R. Nepi (CASPUR).


Web application providing visual and auto-updating monitoring of user jobs (only command line tools are available at the moment)

Currently fully interfaced with Platform® LSF™
◦ Engineered to be easily ported to other queue systems

Information about status, timing, output and system load is shown on a single web page

Increased flexibility and usability
◦ Plain and aggregate information can be selected on the basis of a user choice


Ticketing
◦ Based on Xoops/Xhelp CMS, conveniently patched in order to support UAA

Password changer
◦ Change users' password in a visual way, without using the command line
◦ Implements expect-and-go mechanism over the web (libexpect)
◦ Users who get their password changed receive a confirmation by email (kpasswd can't do it).

Account request manager
◦ Centralized account request form for ENEAGRID. Every account request forces a ticket submission in the helpdesk system


One GRID, One Service Pool: unification of services and service access!

Easier for administrators
◦ Tracking issues and deploying solutions over a geographically sparse grid system is less difficult

Easier for users
◦ They can benefit from visual tools to keep track of their work
