[occi-wg] OCCI testing tutorial and q on use with secured services

Sill, Alan alan.sill at ttu.edu
Wed Jan 5 05:08:37 CST 2011 

OK, I can try to help here along these lines.

As a reminder, all OGF documents require a section on security considerations - see the discussion on this topic in GFD.152.  It doesn't mean you have to alter the spec, but all of the documents in the pipeline will require this section, so if it is missing it will have to be added along the lines of what I have suggested.

We don't usually have to get the security area groups involved in adding this section, but I have added Jens Jensen to the cc list here to suggest that he take a look at the documents currently in process for OCCI in comparison to GFD.152 and make suggestions as needed. The basic requirement  is to describe the security considerations of the use of the protocol, in this case most likely by describing the relationship of OCCI to http and placing adequate references to the use of grid security in that context. See GFD.152 for details.

Alan


On Jan 5, 2011, at 4:02 AM, "Thijs Metsch" <tmetsch at platform.com<mailto:tmetsch at platform.com>> wrote:



Hi,

Thanks for the links - regarding a GUI for testing to show how OCCI works on the inside: maybe Michael Behrens from R2AD can help? They developed a cool JavaFX GUI for OGF 28...

Regarding security: I might be able to help: I can deploy my implementation on an apache secured container. I wrote a blog article about it once (need to find it). If you can help write an article on OCCI & security I would volunteer to help - I guess other people also have some security ideas in mind. We could use such an article for getting an extension on our spec on security. I was also wondering if the DCI-fed group in OGF can help here? @Alexander? Maybe with a set of use-cases? So the model would be in DCI-fed an the OCCI spec extension would describe the more 'technical' implementation.

Cheers,

-Thijs

-----Original Message-----
From: Alan Sill [<mailto:alan.sill at ttu.edu>mailto:alan.sill at ttu.edu]
Sent: Tue 04/01/2011 18:37
To: Thijs Metsch
Cc: Alan Sill; David Wallom; alexander.papaspyrou at tu-dortmund.de<mailto:alexander.papaspyrou at tu-dortmund.de>; <mailto:occi-wg at ogf.org> occi-wg at ogf.org<mailto:occi-wg at ogf.org>
Subject: Re: [occi-wg] OCCI testing tutorial and q on use with secured services

Thijs, this tool looks good!  It is beyond what I had aimed at, which was an article, perhaps using a more general REST command-line or GUI tool, to allow people to see the "inner workings" of how OCCI-based control and interaction with a resource worked.  You went all the way to a packaged took for testing, which is great, if perhaps less instructive and pedagogical for the community. Still, all of the ingredients are there for a nice Linux Journal-type of article or blog entry on OCCI testing.

Re. the HPC profile, I have to admit ahead of time that I am not a great fan of that work, which I saw as very disconnected from the actual ways that grid jobs and data are handled and scheduled by large-scale infrastructure projects in practice.  It is true, however, that a nice body of work was done that led to a set of demonstrations before that group concluded.

The best link to documents that are related to this work is probably this one:  <http://www.ogf.org/hpcp/specs.php> http://www.ogf.org/hpcp/specs.php

It contains a nice catalog of related OGF published documents, some of which have valuable content.

For practical utility with existing grid projects, we have got to be able to use certificates for AuthN and have some sort of usable AuthZ behind it.  GSI-AuthZ is one example but even simple Apache certificate parsing would be useful for low level-of-assurance AuthN in portal settings.  I have in mind demonstrating use of a "super-portal" that can launch canned grid jobs and interact with them in ways that conventional portals cannot.

That goed beyond the testing topic mentioned above, however, which probably be separated from this as a topic.  For that, I think the time is right to put an article or two out into the literature for pedagogical value.  Any ideas?

Thanks!

Alan

On Jan 4, 2011, at 9:42 AM, Thijs Metsch wrote:

>
> Hi,
>
> Is that similar to what Andre Merzky did with SAGA for last OGF? Since OCCI can also be used for job submission we can demo that demo with OCCI soon as well - but that's another topic :-)
>
> Is there a link/documentation for the HPC profile stuff?
>
> Attached is a Screenshot of what I guess Alan had in mind - will share the code soon.
>
> Cheers,
>
> -Thijs
>
> -----Original Message-----
> From: David Wallom [<mailto:david.wallom at oerc.ox.ac.uk>mailto:david.wallom at oerc.ox.ac.uk]
> Sent: Tue 04/01/2011 15:38
> To: Thijs Metsch; alexander.papaspyrou at tu-dortmund.de<mailto:alexander.papaspyrou at tu-dortmund.de>; <mailto:alan.sill at ttu.edu> alan.sill at ttu.edu<mailto:alan.sill at ttu.edu>
> Cc: <mailto:occi-wg at ogf.org> occi-wg at ogf.org<mailto:occi-wg at ogf.org>
> Subject: Re: [occi-wg] OCCI testing tutorial and q on use with secured services
>
> Hi,
>
> Another thing that should be considered is to replicate what has been done
> with the HPC Basic Profile Interoperability demonstration that has
> successfully run at a number of OGF and other meetings. That uses all
> known implementations  and is a good example that OGF management and
> community can use to show 'success'.
>
> Regards
>
> David
> --
> ===================================
> Dr David Wallom
> Oxford e-Research Centre
> University of Oxford
> Rm 160, 7 Keble Road
> Oxford
> OX1 3QG
>
> +44(0)1865 610601
> ===================================
>
>
>
>
>
> On 04/01/2011 09:40, "Thijs Metsch" <tmetsch at platform.com<mailto:tmetsch at platform.com>> wrote:
>
> >Indeed a good idea - will try to create such a thingy soon.
> >
> >BTW. I have tested using my implementation with SSL activated. Had it
> >running with GSI-Authz also a while back. Currently I do not support
> >that anymore (I changed the framework in the background). But at least I
> >can verify that it can be done :-)
> >
> >Cheers,
> >
> >-Thijs
> >
> >> -----Original Message-----
> >> From: occi-wg-bounces at ogf.org<mailto:occi-wg-bounces at ogf.org> [<mailto:occi-wg-bounces at ogf.org>mailto:occi-wg-bounces at ogf.org] On
> >> Behalf Of <mailto:alexander.papaspyrou at tu-dortmund.de> alexander.papaspyrou at tu-dortmund.de<mailto:alexander.papaspyrou at tu-dortmund.de>
> >> Sent: Tuesday, January 04, 2011 10:25 AM
> >> To: <mailto:alan.sill at ttu.edu> alan.sill at ttu.edu<mailto:alan.sill at ttu.edu>
> >> Cc: <mailto:occi-wg at ogf.org> occi-wg at ogf.org<mailto:occi-wg at ogf.org>
> >> Subject: Re: [occi-wg] OCCI testing tutorial and q on use with secured
> >> services
> >>
> >> A very good idea, Alan.
> >>
> >> It would be great if we could provide an automated test suite running
> >> somewhere "in the cloud" (GAE maybe?) which people can use to verify
> >> their OCCI implementations. Any opinions on this?
> >>
> >> -Alexander
> >>
> >> Am 20.12.2010 um 23:52 schrieb Alan Sill:
> >>
> >> > How about an OCCI testing tutorial using some of the deployed
> >> instances as an example?  A starting point might be the tool at the
> >> following link.  (Version 2.3.3 released today.)
> >> >
> >> > Project:
> >> > rest-client - Project Hosting on Google Code
> >> >
> >> > Link:
> >> > <http://code.google.com/p/rest-client/> http://code.google.com/p/rest-client/
> >> >
> >> > I'd also like to see a test with SSL-secured httpd services,
> >> preferably in a GSI AuthZ or other user cert-secured context.  I know
> >> this will be trivial but I'd just like to see if anyone has done it in
> >> a deployed context to date.  Any links?
> >> >
> >> > Thanks,
> >> > Alan
> >> >
> >> > P.S.: Please ignore the auto-reply message - I'm reading messages on
> >> this topic this holiday...
> >> >
> >> > _______________________________________________
> >> > occi-wg mailing list
> >> > <mailto:occi-wg at ogf.org> occi-wg at ogf.org<mailto:occi-wg at ogf.org>
> >> > <http://www.ogf.org/mailman/listinfo/occi-wg> http://www.ogf.org/mailman/listinfo/occi-wg
> >>
> >> _______________________________________________
> >> occi-wg mailing list
> >> <mailto:occi-wg at ogf.org> occi-wg at ogf.org<mailto:occi-wg at ogf.org>
> >> <http://www.ogf.org/mailman/listinfo/occi-wg> http://www.ogf.org/mailman/listinfo/occi-wg
> >_______________________________________________
> >occi-wg mailing list
> ><mailto:occi-wg at ogf.org>occi-wg at ogf.org<mailto:occi-wg at ogf.org>
> ><http://www.ogf.org/mailman/listinfo/occi-wg>http://www.ogf.org/mailman/listinfo/occi-wg
>
>
>
>
> <screeny.png>

More information about the occi-wg mailing list