Difference between revisions of "Long-tail of science"
Revision as of 23:49, 6 November 2015
This page provides information about the 'EGI platform for the Long-tail of science' that allows individual researchers and small research teams to perform compute and data-intensive simulations on large, distributed networks of computers in a user-friendly way. If you are interested in the project that developed and now maintains the platform, please jump to the Long-tail of science project page.
Information for users
What can you access in the platform?
The platform is accessible through this portal and offers grid, cloud and application services from across the EGI community for individual researchers and small research teams. The platform offers the following types of resources:
- High-throughput computing sites for running compute/data-intensive jobs
- Cloud sites suited for both compute/data intensive jobs and hosting of scientific services
- Storage resources for storing job input and output data, and for setting up data catalogues
- Science gateways that provide graphical web environments for building and executing applications in the platform.
- Applications that are made available ‘as services’ through the science gateways.
Currently available resources in the platform:
Type | Name | Description |
Cloud and storage site | INFN Catania Openstack site | INFN-CATANIA-STACK site capacity: |
High-throughput computing site | INFN Catania gLite site | GILDA-INFN-CATANIA site capacity: |
Science gateway | Catania Science Gateway | The Catania Science Gateway is a new generation of Science Gateway, based on standards, that changes the way e-Infrastructures are used. The gateway incorporates several scientific applications and offers these ‘as services’ for the user. |
Application | Hello World | Hello World is a simple grid-based application that demonstrates the use of remote resources by printing the hostname where the job is executed. It is accessible through the Catania Science Gateway. |
Application | The Statistical R | The Statistical R is a language and environment for statistical computing and graphics. It is accessible through the Catania Science Gateway. |
Application | The Semantic Search Engine (SSE) | SSE is a framework conceived to demonstrate the potential of information coupled with semantic web technologies to address the issues of data discovery and correlation. It is accessible through the Catania Science Gateway. |
Who can access the platform?
The platform is open to any researcher who needs simple and user-friendly access to compute, storage and application services in order to carry out data/compute intensive science and innovation. You need to be affiliated with, or at least have a partner (for example a referee) at, a European research institution to qualify for access. The platform is designed to meet the needs of individual researchers and small research groups who have limited or no experience with distributed and cloud computing.
How can you access the platform?
- Log in to the entry portal with an EGI SSO, Google or Facebook account.
- Provide information on your profile page about your affiliation to a research institute or team.
- Request resources from the platform: Indicate what you would like to achieve with the resources so we can help you find the most suitable ones.
- After your request is approved, log in to any of the science gateways and build or execute compute/data intensive applications.
Presentations about the platform
- Slideset about the concept of the EGI long-tail of science platform: [1]
- Slideset about the authentication & authorization model adopted (incl. per-user subproxies): [2]
Information for providers
How to connect a science gateway to the platform
Connecting the science gateway with the User Registration Portal
Client service Registration
1. Open a GGUS ticket to operations that includes the return URIs.
2. The UNITY team sends the client clientID and secretKey.
unity.server.clientSecret= [YOUR SECRET KEY]
Connecting the science gateway with per-user subproxies
The platform uses per-user subproxies for user authentication. Science gateways must generate per-user subproxies for their users and use these for any interaction with VO resources in the platform. A gateway can generate such proxies in two ways: from a robot certificate physically hosted on your gateway server, or from a remote robot certificate that is hosted for you in the e-Token Server of INFN Catania in Italy. We recommend choosing the second option if you cannot obtain a robot certificate from your national IGTF CA (i.e. because there is no such CA in your country, or because it does not issue robot certificates).
Instructions to use a local robot certificate:
- Obtain a robot certificate from your national IGTF Certification Authority following the instructions here.
- Register the robot in the vo.access.egi.eu VO: https://perun.metacentrum.cz/cert/registrar/?vo=vo.access.egi.eu
- Generate proxies from the robot using the <...> API.
Instructions to generate per-user subproxies from the e-Token Server:
- Contact the EGI User Community Support Team and send a short description of your gateway service and the way it would be integrated with platform resources. The team will arrange a robot certificate for your gateway from the SEEGRID CA (which operates as a 'catch-all' CA in EGI), will register this in the VO and in the e-Token Server in Italy.
- Provide the EGI User Community Support Team with a static IP address of your gateway server so requests for proxies can be authorized from this address on the e-Token Server.
- Generate proxies from the e-Token server using the <...> API.
How to join as a resource provider
Any EGI resource provider can join the platform to offer capacity for members of the long-tail of science. The site needs to run one of the supported grid or cloud middleware software, enable per-user sub-proxies (for user authentication and authorisation), and join the vo.access.egi.eu Virtual Organisation. The next subsections provide instructions on how to enable per-user sub-proxies on EGI sites. Please email long-tail-support@egi.eu if you wish to join as a resource provider.
In order to authorize the users of the LToS VO, a couple of DNs (Distinguished Names) must be configured on the services to be enabled. For instance, for the CREAM CE the usual grid-mapfile is the place to add them; for OpenStack it is /etc/keystone/voms.json. You can find the instructions for each service below.
The following Robot Certificate DNs must be configured:
/DC=EU/DC=EGI/C=HU/O=Robots/O=MTA SZTAKI/CN=Robot:zfarkas@sztaki.hu
/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera
Instructions for OpenStack providers
Keystone-VOMS has support for per-user subproxies in the special branch called subproxy_support available in the github repository https://github.com/enolfc/keystone-voms (code is in progress of being integrated into the main branch of Keystone-VOMS). You can install the code from the repository following these instructions:
git clone -b subproxy_support https://github.com/enolfc/keystone-voms.git
cd keystone-voms
pip install .
Configuration and deployment of the plugin do not change from the normal Keystone-VOMS plugin; follow the Keystone-VOMS documentation to deploy it.
There are new parameters to configure in your keystone config file, under the [voms] section:
- allow_subproxy, should be set to True for enabling PUSP support.
- subproxy_robots, should be set to * (recommended) or to a list of the DNs that are allowed to create PUSP in the system.
- subproxy_user_prefix, determines the expected prefix for the PUSP user specification. It is safe to leave it undefined so the default value (CN=eToken) is used.
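How the three [voms] options interact, as an added illustration that is not Keystone-VOMS code. It assumes the per-user component is appended directly after the robot DN; the function name and the sample proxy DNs in the usage are constructed for this sketch, and certificate-chain and VOMS validation are not modelled.

```python
# Added illustration: a simplified model of the DN decision described by
# allow_subproxy, subproxy_robots and subproxy_user_prefix.
# Not the plugin's implementation; the DN layout is an assumption.

ROBOT_DNS = [  # the two robot DNs listed on this page
    "/DC=EU/DC=EGI/C=HU/O=Robots/O=MTA SZTAKI/CN=Robot:zfarkas@sztaki.hu",
    "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera",
]


def pusp_user(proxy_dn, allow_subproxy, subproxy_robots,
              subproxy_user_prefix="CN=eToken"):
    """Return (robot_dn, user_component) for an accepted PUSP, else None."""
    if not allow_subproxy:
        return None  # PUSP support disabled
    # Assumed layout: <robot DN>/<prefix + user id>[/further proxy CNs]
    marker = "/" + subproxy_user_prefix
    idx = proxy_dn.find(marker)
    if idx <= 0:
        return None  # no per-user component, or no robot DN in front of it
    robot_dn = proxy_dn[:idx]
    user_component = proxy_dn[idx + 1:].split("/", 1)[0]
    if user_component == subproxy_user_prefix:
        return None  # prefix present but no user identifier after it
    # "*" accepts any robot DN; a list restricts PUSP creation to those DNs.
    if subproxy_robots != "*" and robot_dn not in subproxy_robots:
        return None
    return robot_dn, user_component


if __name__ == "__main__":
    listed = ROBOT_DNS[1] + "/CN=eToken:alice/CN=1234567"            # constructed
    unlisted = "/C=XX/O=Example/CN=Robot:unlisted/CN=eToken:bob"     # constructed
    print(pusp_user(listed, True, ROBOT_DNS))
    print(pusp_user(unlisted, True, "*"))        # accepted under the wildcard
    print(pusp_user(unlisted, True, ROBOT_DNS))  # rejected by the explicit list
```

With an explicit list, only subproxies created under the listed robot DNs map to a per-user identity; with `*`, the DN check alone does not distinguish between robots.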
Instructions for gLite providers
There is an EGI manual that shows how to set up a per-user sub-proxy (PUSP) to allow identification of the individual users under a common robot certificate. You can find the guide here: https://wiki.egi.eu/wiki/MAN12
Instructions for OpenNebula providers
Development is ongoing. Release is not expected before the EGI Community Forum.
How to join the user support team
If you wish to support users in your country, region or science disciplinary area with the EGI platform, then please email support@egi.eu. We can train you and register you as a supporter.
Architecture details
Virtual Organisation
Name: vo.access.egi.eu
Scope: Global
Homepage URL: https://wiki.egi.eu/wiki/Long-tail_of_science
GGUS dedicated support: No (support provided by email - long-tail-support@egi.eu)
Acceptable use policy for users: https://documents.egi.eu/document/2635
Discipline: Support Activities
VO Membership management: VOMS+PERUN
- perun.cesnet.cz. The enrollment url is https://perun.metacentrum.cz/perun-registrar-cert/?vo=vo.access.egi.eu
- voms1.egee.cesnet.cz and voms2.grid.cesnet.cz
Contacts: <long-tail-support@mailman.egi.eu> for all support issues.
Policies
- Acceptable Use Policy and Conditions of Use of the EGI Platform for the Long-tail of Science: https://documents.egi.eu/document/2635
- SPG:Drafts:LToS Service Scoped Security Policy
Links for administrators
- Detailed accounting data about the VO users can be obtained by the VO managers at https://accounting.egi.eu/user/voadm.php
- To see the list of VO members: https://voms1.egee.cesnet.cz:8443/voms/vo.access.egi.eu/user/search.action
- To register in the VO (relevant for gateway robot certificates and for support staff): https://perun.metacentrum.cz/cert/registrar/?vo=vo.access.egi.eu
- VO membership management interface in PERUN: https://perun.metacentrum.cz/cert/gui/