[gin-data] Re: progress...

Stuart Martin smartin at mcs.anl.gov
Thu Jul 27 13:41:28 CDT 2006


There is no data protection for GIN VO members on TG.  Other GIN  
resources might provide access differently.  But the GIN VO is not  
intended for application runs with sensitive data or large runs that  
consume a lot of cpu cycles.  It's for testing GIN sites for  
interoperability.

For access to GIN resources for a particular application, you should  
get authorization outside of the GIN VO.  The idea is that we (GIN  
participants) have tested that certain levels of interoperability  
exist between various GIN resources.  That should be helpful to  
application folks to decide where to target your efforts for  
requesting individual authorization/allocation from the list of GIN  
resources.

For example, OSG has an OSG VO that is intended for applications to  
try out access throughout OSG resources.    OSG will allow you to  
consume a relatively small amount of CPU cycles as a member in the  
OSG VO.  But if your application needs/wants still more OSG cycles,  
then you will need to create your own VO for your application and  
negotiate access with OSG directly.

At least this is my understanding; others can chime in if they see things  
differently.

-Stu

On Jul 27, 2006, at Jul 27, 12:33 PM, Mihael Hategan wrote:

> Stu,
>
> What about protection of sensitive data? Can I expect that files created
> during job runs cannot be read by somebody else? If yes, what is the
> mechanism?
>
> Mihael
>
> On Thu, 2006-07-27 at 12:01 -0500, Stuart Martin wrote:
>
>> Bill,
>>
>>
>> For TeraGrid, we are taking the DNs and mapping them all to a group
>> account "ginuser".  Currently, this is done by hand.  We take the GIN
>> VO members from here: http://kuiken.nikhef.nl/gin.ggf.org/grid-mapfile
>>
>>
>> And have a merging process to augment the tg grid resource's gridmap
>> file.  The merging process is needed in order for those with multiple
>> mappings like myself to have a default mapping "smartin" and then
>> "secondary" mappings "osgtg,ginuser" e.g.
>>     "/DC=org/DC=doegrids/OU=People/CN=Stuart Martin 564728" smartin,osgtg,ginuser
>>
>>
>> Others with just the one mapping are done as you'd expect, e.g.:
>>     "/C=CH/O=CERN/OU=GRID/CN=Erwin Laure 0286" ginuser
>>
>>
>> You are right in that we don't know for sure who actually wrote
>> the 100TB file, but we could probably track it down by looking at the
>> log files for the gridftp server.  Similar for the container and
>> gatekeeper log file and job request abuses.
>>
>>
>> Another point is that the GIN VO access should be for simple interop
>> testing/verification, so we should not have too many problems with
>> abuse.  I don't think the VO membership list should get so large that
>> we can't stop problems easily if they occur.
>>
>>
>> -Stu
>>
>> On Jul 27, 2006, at Jul 27, 8:48 AM, William E. Allcock wrote:
>>
>>
>>> Ok, so for the immediate issue, Gregor (or his appropriate designee), simply
>>> needs to use the registration page and after it is pushed out, they should
>>> be able to make test runs against an installed GridFTP server, correct?  Can
>>> we assume they are all on the standard port (2811) or is there a page
>>> somewhere that lists the contact strings?
>>>
>>>
>>> For my curiosity sake, all the Grids are using pool accounts, including the
>>> TeraGrid?  How do you do auditing?  For instance, if we were to push a 100TB
>>> file at a site and fill up the available space, how would you know who did
>>> it?
>>>
>>>
>>> Bill
>>>
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: David Wallom [mailto:david.wallom at oerc.ox.ac.uk]
>>>> Sent: Thursday, July 27, 2006 8:42 AM
>>>> To: allcock at mcs.anl.gov; Erwin Laure; 'Gregor von Laszewski'
>>>> Cc: gin-data at ggf.org; 'Mihael Hategan'; 'Raj Kettimuthu'
>>>> Subject: Re: [gin-data] Re: progress...
>>>>
>>>>
>>>> Hello Bill,
>>>>
>>>>
>>>> That is a gridmapfile that uses the pool accounts patch that was applied
>>>> through EDG. Within the UK we have a patch to make this work with both PreWS
>>>> & WS version of GT4 if you want.
>>>>
>>>>
>>>> Cheers
>>>>
>>>>
>>>> David
>>>>
>>>>
>>>>
>>>>
>>>> On 27/7/06 14:35, "William E. Allcock" <allcock at mcs.anl.gov> wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> Never having used VOMS, I guess I am also a little confused.  I went to the
>>>>> registration page, and I looked in the gridmapfile.  However, the gridmap
>>>>> file isn't really a gridmap file, because it doesn't actually map anything.
>>>>> It has a list of DNs, but there are no accounts associated with them, which
>>>>> is what the gridmap file does.  So, I think Gregor's (and my) question is,
>>>>> what account will the GridFTP server that gets invoked be run under?  Or
>>>>> does each Grid take responsibility for mapping it to some appropriately
>>>>> restricted account and we can just not worry about that?
>>>>>
>>>>>
>>>>> Bill
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: owner-gin-data at ggf.org [mailto:owner-gin-data at ggf.org]
>>>>>> On Behalf Of Erwin Laure
>>>>>> Sent: Thursday, July 27, 2006 4:22 AM
>>>>>> To: Gregor von Laszewski
>>>>>> Cc: gin-data at ggf.org; Mihael Hategan; Raj Kettimuthu
>>>>>> Subject: [gin-data] Re: progress...
>>>>>>
>>>>>>
>>>>>> Hi Gregor,
>>>>>>
>>>>>>
>>>>>> You can get an initial list of Grids for testing purposes from:
>>>>>> http://wiki.nesc.ac.uk/read/gin-jobs?GinResources
>>>>>>
>>>>>>
>>>>>> Why do you need accounts on these Grids? Wouldn't simply joining the GIN
>>>>>> VO do? Information on how to join the VO is available at
>>>>>> http://wiki.nesc.ac.uk/read/gin-jobs
>>>>>> This VO is supported by all GIN sites.
>>>>>>
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>>
>>>>>> -- Erwin
>>>>>>
>>>>>>
>>>>>> Gregor von Laszewski wrote:
>>>>>>
>>>>>>
>>>>>>> Erwin:
>>>>>>>
>>>>>>>
>>>>>>>     we have tested our tool and it works as expected. However, there is
>>>>>>> some issue in regards to renewing accounts and allocations on TG to run
>>>>>>> this that are not yet resolved. To no longer delay the publication of
>>>>>>> the data, we have involved Raj, who will start the program for us on
>>>>>>> the TG. We hope this takes place tomorrow. This also allows us to test
>>>>>>> the "easy deploy" requirement of the systems so it could be replicated
>>>>>>> on other systems. Mike is improving the documentation to make this
>>>>>>> happen.
>>>>>>>
>>>>>>>
>>>>>>> In return we have one question that we issued to this mailing list before:
>>>>>>>
>>>>>>>
>>>>>>> On which other Grids should we test our software?
>>>>>>> Is there someone in the GIN working group that can let us know which
>>>>>>> Grids we should approach next? From the experience we had with
>>>>>>> obtaining accounts, it looks like we want to get this established ASAP
>>>>>>> in order to start the application program. We probably need some kind
>>>>>>> of "sponsor" or "champion" to push this out on the other Grids. So if
>>>>>>> there are people from other Grids (other than TG) in this working
>>>>>>> group, maybe you can let us know how we should approach getting
>>>>>>> accounts on your Grids.
>>>>>>>
>>>>>>>
>>>>>>> I would assume this applies also to the other technologies from the
>>>>>>> GIN-WG, do you have a uniform project description that I can point
>>>>>>> other Grids to as part of the application process?
>>>>>>>
>>>>>>>
>>>>>>> Gregor
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Jul 25, 2006, at 4:39 AM, Erwin Laure wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>>
>>>>>>>> GGF18 is coming up soon. Could we please get an update on the interop
>>>>>>>> tests of SRB, SRM, and gridFTP?
>>>>>>>>
>>>>>>>>
>>>>>>>> We will use this information to make an interop matrix available on
>>>>>>>> the GIN gridforge pages.
>>>>>>>>
>>>>>>>>
>>>>>>>> Also, we should prepare instructions of how people can run these
>>>>>>>> tests themselves, i.e. test, whether their infrastructure is
>>>>>>>> interoperable with others.
>>>>>>>>
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>>
>>>>>>>> -- Erwin
>>>>>>>>
>>>>>>>>
>>>> -- 
>>>> +++++++++++++++++++++++++++++++++
>>>> Dr. David Wallom
>>>> Technical Manager
>>>> Oxford e-Research Centre
>>>> University of Oxford
>>>> c/o OUCS
>>>> 13 Banbury Road
>>>> Oxford
>>>> OX2 6NN
>>>>
>>>>
>>>> Tel  : +44 (0)1865 283378
>>>> email: david.wallom at oerc.ox.ac.uk
>>>>
>>>>
>>>> PLEASE NOTE THE NEW EMAIL ADDRESS as OERC.OX.AC.UK
>>>> IERC WILL CONTINUE TO RECEIVE EMAIL FOR THE NEXT
>>>> FEW MONTHS BUT WILL EVENTUALLY PHASE OUT. PLEASE
>>>> CHANGE YOUR ADDRESS BOOK APPROPRIATELY
>>>>
>>>>
>>>> +++++++++++++++++++++++++++++++++
>
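
The gridmap merge described in the thread (a DN-only VO member list folded into a site grid-mapfile, keeping each user's default account first and appending the shared "ginuser" mapping), sketched as an added example. It is not part of the thread and not TeraGrid's actual merge tooling; the function names and the third sample DN are constructed for illustration.

```python
import re

GROUP_ACCOUNT = "ginuser"  # shared group account named in the thread
ENTRY = re.compile(r'^"([^"]+)"\s*(\S*)$')  # "DN" [acct1,acct2,...]

# Constructed sample input: a site grid-mapfile and a DN-only VO member list.
LOCAL_GRIDMAP = '''
"/DC=org/DC=doegrids/OU=People/CN=Stuart Martin 564728" smartin,osgtg
"/O=Example/CN=Constructed Local User" localuser
'''
VO_MEMBERS = '''
"/DC=org/DC=doegrids/OU=People/CN=Stuart Martin 564728"
"/C=CH/O=CERN/OU=GRID/CN=Erwin Laure 0286"
'''

def parse_gridmap(text):
    """Return {DN: [accounts]}; a DN-only line (no mapping) yields []."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accts = m.groups()
        entries[dn] = [a for a in accts.split(",") if a]
    return entries

def merge_vo(local, vo_members, account=GROUP_ACCOUNT):
    """Append `account` as a secondary mapping for every VO member DN.

    Existing default (first) mappings are preserved; DNs known only to the
    VO list get `account` as their sole mapping. Running it twice is a no-op.
    """
    merged = {dn: list(accts) for dn, accts in local.items()}
    for dn in vo_members:
        accts = merged.setdefault(dn, [])
        if account not in accts:
            accts.append(account)
    return merged

def render(gridmap):
    """Serialise back to grid-mapfile lines."""
    return "\n".join(f'"{dn}" {",".join(a)}' for dn, a in gridmap.items())

def shared_account_holders(gridmap, account=GROUP_ACCOUNT):
    """DNs that can all act as `account`: file ownership alone cannot tell
    them apart, so attribution has to come from the service logs."""
    return sorted(dn for dn, accts in gridmap.items() if account in accts)
```

`shared_account_holders` makes the auditing question from the thread concrete: every DN it returns writes files as the same local account, which is why attribution falls back to the GridFTP, container and gatekeeper logs.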




