Difference: WMProxyDocumentation (3 vs. 4)

Revision 42011-11-15 - FabioCapannini

Line: 1 to 1
 
META TOPICPARENT name="WebHome"
Line: 40 to 40
 
  1. Other client configuration steps:
    • Make sure $GLOBUS_LOCATION/lib and $GLITE_LOCATION/lib are included in the LD_LIBRARY_PATH
    • Add $GLITE_LOCATION/bin to your PATH
Changed:
<
<
re
>
>

0.1 Architecture

To adhere to the SOA model, WMProxy has been designed and implemented as a Simple Object Access Protocol (SOAP) Web service. The interface is described through the Web Service Description Language (WSDL). The WSDL file was written following the Web Services Interoperability Basic Profile (WS-I Basic Profile). This profile defines a set of Web Services specifications that promote interoperability. The WMProxy service runs in an Apache container extended with Fast CGI and Grid Site modules.
  • The Fast CGI module provides Common Gateway Interface (CGI) functionality with some other specific features. The most important advantage of Fast CGI is its performance and persistence. Fast CGI can be seen as a new implementation of CGI, designed to overcome CGI's performance problems. The major implementation differences are:
    • Fast CGI processes are persistent: Fast CGI applications are able to serve multiple requests
    • Application instances are spawned/killed dynamically according to demand
    • Fast CGI protocol multiplexes the environment information, standard input, output, and error over a single full-duplex connection.

WMProxy in its default configuration is run as a dynamic Fast CGI application in order to take full advantage of its capacity to accommodate request loads. However, it can be run in any of the available Fast CGI modalities. WMProxy is implemented as a single-threaded application thus ensuring more reliability and robustness than multi-threaded applications; thanks to the Fast CGI process manager the web server maintains a pool of processes that allow improving performances as generally done through multi-threaded application.

  • Grid Site provides a module extending the Apache webserver for use within Grid frameworks by adding support for Grid security credentials such as Grid Security Infrastructure (GSI) and Virtual Organization Membership Service (VOMS), and file transfer over HTTPS. It also provides a library for handling Grid Access Control Lists (GACL).
The Web Service hosting framework provided by Apache, Grid Site and gSOAP has allowed the development of the WMProxy service using the C++ language. The choice of the implementation language has been driven mostly by the need to re-use and integrate existing production-quality components and libraries. A further boost in this direction has been given by preliminary tests that have shown better performance for the couple C++/gSOAP in comparison with the most commonly used framework for the development of Web Services (e.g., Axis/Java). Last but not least the gSOAP interoperability with a variety of other SOAP implementations and toolkits that permitted the development of a service accessible from clients written in different programming language and running on any computer platform.

wmproxyintegration.gif

The integration of the WMProxy within the WMS is shown in Figure 1. WMProxy provides a core module performing validation, conversion, environment preparation and information logging for each incoming request, before delivering it to the Workload Manager (WM). WM is the core component of the WMS taking the appropriate actions to satisfy incoming requests. Communication between the WMProxy and the WM occurs through a thread-safe, file-system based queue. The LBProxy, which is used as a state storage of active jobs, is the only external service with which the WMProxy interacts. The LBProxy service provides an optimized access to the Logging and Bookkeeping Service (LB). Other relevant information about processed jobs/requests are stored in the local file system in a reserved area managed by the WMS.

0.2 Security, AuthN & AuthZ

Message exchange between client and server is performed with SOAP/HTTPS.

Authentication of the requesting user is done through the X.509 proxy certificate signed by a trusted Certification Authority (CA), which guarantees that the exposed public key is really owned by the user. The authentication process is handled by the Apache HTTP server by means of the SSL and Grid Site modules. The authenticated request together with information about the checked credential (e.g. expiration time, VOMS extensions), are then passed to WMProxy within the CGI environment. WMProxy does not need to directly manipulate Grid credentials in this phase.

Authorization is implemented through the Grid Access Control List (GACL) library, which is provided by Grid Site for manipulating Access Control List (ACL) files. Authorization can be either Fully Qualified Attribute Name (FQAN) (coarse-grained) or Distinguished Name (DN) based (fine-grained) according to the type of proxy presented by the client.

There are two authorization steps that are performed for an incoming request within the WMProxy:

  • Determine whether the requesting user is authorized to use the WMS services.
  • Determine whether the requesting user is either the owner of the job or has permissions to manage it. (This step is only performed for operations directly related to a given job)
User Mapping: when a user performs a request to the WMProxy service, he is mapped to a local user, which is needed to perform all filesystem operations related to single jobs. This mapping is done through LCMAPS module.

0.3 Credentials Delegation

0.3.1 Delegation Process

The delegation is the process used to transfer rights and privileges to another party. Since the WMProxy and the WMS when providing some services need to interact with other services, operating on behalf of the user, a delegation process is needed to transfer client proxy credentials to the server host. The delegation service is provided through a port type whose description is imported into the WMProxy WSDL file from the gLite common delegation WSDL file. Delegated credentials are uniquely identified by the association of the delegation identifier, provided by user, and the userís DN within the credentials. Multiple delegations of the same proxy credential are allowed with different delegation identifiers; however, it is recommended to do it once at the beginning of the working session and reuse the same delegation identifier, as delegation process is generally time-consuming. The WMProxy holds a cache of the delegated proxies, which is purged periodically from the expired credentials; upon a submission request the service performs a mapping between the incoming job and a proxy in its cache according to the requesting user DN and the specified delegation identifier. From that point on, each operation performed for that job is done using the credential associated to it in this way.

delegationsequence.gif

0.3.2 Credentials Renewal

The User can store a long-lived certificate that can be used by the WMS in order to renew the lifetime of a standard user certificate proxy (usually valid only for 12 hours). Long-running jobs may run into this limit and fail due to expioration of user proxy. WMProxy can automatically request the registration for renewing the proxy certificate sent by the user. This is done through the attribute "MyProxyServer" inside the submitting JDL. When a Proxy Renewal Registration is requested for a certain Job, the WMProxy registers it to the proxy renewal. From that moment on, credentials for such jobs are granted by renewed certificate credentials. Actually all jobs that uses the same credentials links to only one renewed certificate.
  -- FabioCapannini - 2011-11-04
Added:
>
>

META FILEATTACHMENT attachment="wmproxyintegration.gif" attr="" comment="" date="1321354517" name="wmproxyintegration.gif" path="wmproxyintegration.gif" size="41756" user="FabioCapannini" version="1"
META FILEATTACHMENT attachment="delegationsequence.gif" attr="" comment="" date="1321356590" name="delegationsequence.gif" path="delegationsequence.gif" size="4321" user="FabioCapannini" version="1"
 
This site is powered by the TWiki collaboration platformCopyright © 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback