Correct me if I'm wrong but I would imagine "building a Fusion grid" simply means
installing some subset of
globus on clients and servers and getting hold of certificates for users. There
might be a small number of
machines that we might want to start jobs on using globusrun but we'll have to see
if even that is necessary.
The issue with accounts is essentially no different after globus than before. Sites
can map users to common
accounts or individual accounts as they see fit. I imagine eventually that I'll
modify MDSplus to use Akenti
authorization to determine which nodes of which MDSplus trees particular users have
read and/or write access.
We could then store an Akenti "uid" in the modified field of node when a user
writes to the node. Once this is
completed then users would not need local accounts on the data servers.
The main near term issues that I see are:
1) running mdsip server under inetd and having the server generate proxy
credentials on behalf of the client.
- I've looked at the gatekeeper code and can experiment using some of the
globus_gss_assist calls that it uses for this.
2) Getting globus installed on fusion machines
- this seems fairly simple especially for linux machines. I've successfully
built the globus 2.0 alpha 4 distribution on a local machine here. I don't know if
it has been built on Compaq Tru64 Unix which they will need at GA. It is doubtful
whether trying to get it to build on OpenVMS is worth the effort.
3) Make MDSplus/FusionGrid client distributions (rpm's for unix and installshield
setup for windows) which install MDSplus and required globus/akenti libraries, CA
credentials etc...).
4) Figure how we're going to generate certificates (which CA, setup registration
authorities etc...)
5) using callbacks to Akenti in mdsip server to do credential to local user
mapping.
6) Look into using Akenti uid's for tracking user responsible for modifying MDSplus
data.
-tom
Kate Keahey wrote:
> At the last telecon we discussed issues related to building a Fusion grid
> and I promised to send some info about tools. A few comments and questions
> below...
>
> Tools: After looking through some pointers it appears that only GRIPE (
> http://lexus.physics.indiana.edu/griphyn/gripe/gripe.html ) went beyond the
> "proposal stage" on that, and has actually some software to offer. GRIPE
> basically lets you request individual accounts in a more streamlined
> manner. There is a czar responsible for adding sites (together with
> information about how to contact sys admins and account sponsors on those
> sites etc.), and once the sites are in you can go to a webpage and request
> some accounts "wholesale". This might help. Otherwise (or even better in
> addition to) we can follow Mary's suggestion and try having "share
> accounts" that log their use for auditing purposes. The only concern I see
> is that this might have consequences for enforcing policies.
>
> Grid: I think we agree that the Fusion Grid will be composed of the Beowulf
> cluster, MDSServers at the three Fusion labs and did we ever decide if we
> want the Argonne cluster or not?
>
> Globus on Windows: I just talked to the person in charge of our MS
> implementation; this project is just starting. He says he will be able to
> give us an idea of some timelines after November 29th. As I remember we
> discussed some sort of backup plan for running a relational database server
> if we don't have Globus on Windows. Could somebody remind me the details of
> that "patch" and how long it would be good for?
>
> __________________________
> Dr. Kate Keahey
> Math & Computer Science Div.
> Argonne National Laboratory
> Argonne, IL 60439, USA
> (630) 252-1673
>
> ===============================================================================
>
> This message was sent to the SciDAC National Fusion Collaboratory (NFC)
> workers list nfc-workers. Visit the Collaboratory at
> <http://www.fusiongrid.org/>.
>
> To unsubscribe from this list, please send a message to
> majordomo@fusion.gat.com with the following text in the *body* of the
> message: unsubscribe nfc-workers
>
> David P. Schissel: <schissel@fusion.gat.com> <http://fusion.gat.com/~schissel/>
===============================================================================
This message was sent to the SciDAC National Fusion Collaboratory (NFC)
workers list nfc-workers. Visit the Collaboratory at
<http://www.fusiongrid.org/>.
To unsubscribe from this list, please send a message to
majordomo@fusion.gat.com with the following text in the *body* of the
message: unsubscribe nfc-workers
David P. Schissel: <schissel@fusion.gat.com> <http://fusion.gat.com/~schissel/>
This archive was generated by hypermail 2.1.1 : Thu Feb 07 2002 - 15:40:41 PST