Applications on Demand Service - architecture
Technical and architecture details
User Registration Portal
The User Registration Portal (URP) of the platform is hosted by CYFRONET in Poland and serves as the entry point for users. It offers login with social or EGI SSO accounts, lets users manage their profiles and resource requests, and acts as the central hub from which the connected science gateways are reached. The user support team uses the same portal to review user profiles and to evaluate the users' resource requests. The portal is accessible at http://access.egi.eu.
Available resources
Currently available resources, grouped by category:
- Cloud resources:
  - 67 vCPU cores
  - 144 GB of RAM
  - 4 TB of object storage
- High-Throughput resources:
  - ~13 million HEPSPEC
  - 1.4 TB of disk storage
Type | Name | Description
---|---|---
Cloud and storage | INFN Catania (upgrade to OpenStack Mitaka in progress) | INFN-CATANIA-STACK site capacity:
Cloud and storage | INFN Bari | RECAS-BARI site capacity:
Cloud and storage | CESGA | CESGA site capacity:
High-Throughput Compute and Storage | INFN Catania | GILDA-INFN-CATANIA site capacity: High-Throughput Compute, File Storage
High-Throughput Compute and Storage | INFN Bari | INFN-Bari site capacity: High-Throughput Compute, File Storage
High-Throughput Compute and Storage | CYFRONET-LCG2 | CYFRONET-LCG2 site capacity: High-Throughput Compute, File Storage
High-Throughput Compute and Storage | BEgrid-ULB-VUB | BEgrid-ULB-VUB site capacity: High-Throughput Compute, File Storage
High-Throughput Compute and Storage | CESGA | CESGA site capacity: High-Throughput Compute, File Storage
The HTC, cloud and storage resources of the platform are federated through the EGI Virtual Organisation (VO) 'vo.access.egi.eu'.
Technical details of this VO are the following:
- ID Card in the EGI Operations Portal: http://operations-portal.egi.eu/vo/view/voname/vo.access.egi.eu
- Name: vo.access.egi.eu
- Scope: Global
- Homepage URL: https://wiki.egi.eu/wiki/Long-tail_of_science
- Acceptable use policy for users: https://documents.egi.eu/document/2635
- Discipline: Support Activities
- VO membership management: VOMS+PERUN
  - PERUN instance: perun.cesnet.cz; enrolment URL: https://perun.metacentrum.cz/perun-registrar-cert/?vo=vo.access.egi.eu
  - VOMS servers: voms1.grid.cesnet.cz and voms2.grid.cesnet.cz
- Contacts:
- <long-tail-support@mailman.egi.eu> for all support issues.
- Managers: Gergely.Sipos@egi.eu, Diego.Scardaci@egi.eu, Peter.Solagna@egi.eu and Giuseppe.LaRocca@egi.eu
Per-user sub-proxies
A per-user sub-proxy (PUSP) makes the individual users who act through a common robot certificate identifiable. The typical case is a web portal (e.g. a science gateway) that authenticates its own users and then needs to act on their behalf towards EGI resources. Instead of presenting the bare robot credential, the portal derives a proxy credential from the robot credential and places user-identifying information in the additional proxy CN field, so that every action at a resource provider can be traced back to a portal user and not only to the shared robot. The user identifier may be a pseudonym; in that case the mapping from pseudonym to real user is known only to the portal, which must therefore be able to resolve it when a provider asks.
Example of a Per-User Sub-Proxy (PUSP):
subject   : /C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: EGI Training Service - XXXXX/CN=user:test1/CN=1286259828
issuer    : /C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: EGI Training Service - XXXXX/CN=user:test1
identity  : /C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: EGI Training Service - XXXXX
type      : RFC3820 compliant impersonation proxy
strength  : 1024
path      : /home/XXXXX/proxy.txt
timeleft  : 23:59:15
key usage : Digital Signature, Key Encipherment, Data Encipherment
=== VO training.egi.eu extension information ===
VO        : training.egi.eu
subject   : /C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: EGI Training Service - XXXXX
issuer    : /DC=org/DC=terena/DC=tcs/OU=Domain Control Validated/CN=voms1.grid.cesnet.cz
attribute : /training.egi.eu/Role=NULL/Capability=NULL
timeleft  : 23:59:17
uri       : voms1.grid.cesnet.cz:15014
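The mapping a resource provider has to perform when it receives a PUSP, as an added example (it is not code from the platform or from the e-Token server): walk the subject DNs of the certificate chain, check every proxy step against the RFC 3820 naming rule (the subject is the issuer's subject plus exactly one extra CN), and recover the robot identity together with the portal-assigned user pseudonym for logging and authorisation. The chain and the robot allow-list are constructed from the voms-proxy-info output above; the "XXXXX" placeholder is kept as the page prints it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample chain, modelled on the voms-proxy-info output above.
# The robot name is kept as the page prints it ("XXXXX"); it is not a real robot.
ROBOT_DN = "/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: EGI Training Service - XXXXX"
PUSP_CHAIN = [
    ROBOT_DN,                                   # robot end-entity certificate
    ROBOT_DN + "/CN=user:test1",                # PUSP: robot DN + user-identifying CN
    ROBOT_DN + "/CN=user:test1/CN=1286259828",  # ordinary proxy delegated from the PUSP
]

# Robots this site is willing to map to portal users (constructed allow-list).
KNOWN_ROBOTS = {ROBOT_DN}

# Split only on a '/' that starts a new attr= pair, so values such as
# "Robot: EGI Training Service - XXXXX" survive intact.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z]+=)")


@dataclass(frozen=True)
class PuspIdentity:
    robot_dn: str            # identity the VO attributes were granted to
    user_id: Optional[str]   # portal pseudonym; None for a plain robot proxy


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an OpenSSL one-line DN (/C=IT/O=INFN/...) into (attr, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("expected OpenSSL one-line DN starting with '/'")
    rdns = []
    for part in _RDN_SPLIT.split(dn[1:]):
        attr, sep, value = part.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr, value))
    return rdns


def proxy_added_cn(issuer_dn: str, subject_dn: str) -> str:
    """RFC 3820 rule: a proxy's subject is its issuer's subject plus exactly one CN.
    Returns the value of that CN, or raises if the step is not a valid proxy step."""
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    if len(subject) != len(issuer) + 1 or subject[:-1] != issuer:
        raise ValueError(f"not a valid proxy step: {issuer_dn!r} -> {subject_dn!r}")
    attr, value = subject[-1]
    if attr != "CN":
        raise ValueError(f"proxy must add a CN component, got {attr}=")
    return value


def resolve_pusp(chain: List[str]) -> PuspIdentity:
    """Given the subject DNs of a chain (robot EEC first, leaf proxy last), return
    the accountable identity: robot DN plus the 'user:' pseudonym set by the portal.
    Refuses unknown robots, malformed proxy steps and ambiguous (multiple) user CNs."""
    if not chain:
        raise ValueError("empty chain")
    robot_dn = chain[0]
    if robot_dn not in KNOWN_ROBOTS:
        raise PermissionError(f"unknown robot certificate: {robot_dn!r}")
    user_ids = []
    for issuer_dn, subject_dn in zip(chain, chain[1:]):
        cn = proxy_added_cn(issuer_dn, subject_dn)
        if cn.startswith("user:"):
            uid = cn[len("user:"):]
            if not uid:
                raise ValueError("empty user pseudonym in PUSP")
            user_ids.append(uid)
    if len(user_ids) > 1:
        # Two "user:" CNs would make the mapping ambiguous; refuse rather than guess.
        raise ValueError(f"ambiguous PUSP, several user CNs: {user_ids}")
    return PuspIdentity(robot_dn, user_ids[0] if user_ids else None)


if __name__ == "__main__":
    ident = resolve_pusp(PUSP_CHAIN)
    print(f"robot={ident.robot_dn!r} user={ident.user_id!r}")
```

A plain robot proxy (no `user:` CN anywhere in the chain) resolves with `user_id` set to `None`; a site that wants per-user accountability can treat that result as a reason to deny or to log at a higher severity, since the action can then only be attributed to the portal as a whole.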
E-Token Server
The platform adopted the e-Token server [1] as the central service that generates PUSPs for science gateways. In a nutshell, the e-Token server is a standards-based solution, developed and hosted by INFN Catania, for the central management of robot certificates and the provisioning of short-lived proxies derived from them, giving portals seamless and secure access to e-Infrastructures whose authorisation layer is X.509-based.
The e-Token server uses the standard JAX-RS framework [2] to implement RESTful web services in Java and offers end users, portals and the new generation of science gateways a set of REST APIs that generate a PUSP for a given unique user identifier. PUSPs are derived from standard X.509 robot certificates; these certificates are loaded onto secure USB smart-card tokens (e.g. SafeNet Aladdin eToken PRO 32/64 KB) plugged into the server, so the long-lived robot credentials live on the hardware tokens and only short-lived proxies are handed out.
The e-Token server was conceived as a credential-translation service for science gateways and web portals that need to interact with the EGI platform for the long tail of science (and, more generally, with any e-Infrastructure).
[1] Valeria Ardizzone, Roberto Barbera, Antonio Calanducci, Marco Fargetta, E. Ingrà, Ivan Porro, Giuseppe La Rocca, Salvatore Monforte, R. Ricceri, Riccardo Rotondo, Diego Scardaci, Andrea Schenone: The DECIDE Science Gateway. Journal of Grid Computing 10(4): 689-707 (2012)
[2] Java API for RESTful Web Services (JAX-RS): https://en.wikipedia.org/wiki/Java_API_for_RESTful_Web_Services
Policies
Acceptable Use Policy (AUP) and Conditions of Use of the 'EGI Access Platform'
EGI Access Platform Security Policy
Links for administrators
User approval:
- Approve affiliation: https://access.egi.eu:8888/modules#/list/Affiliations
- Approve resource request: https://e-grant.egi.eu/ltos/auth/login
Gateway and support approval:
- VO membership management interface in PERUN: https://perun.metacentrum.cz/cert/gui/
- To register in the VO (relevant for gateway robot certificates and for support staff): https://perun.metacentrum.cz/cert/registrar/?vo=vo.access.egi.eu
Monitoring:
- Detailed accounting data about the VO users can be obtained by the VO managers at https://accounting-devel.egi.eu/user/voadm.php
- To see the list of VO members: https://voms1.grid.cesnet.cz:8443/voms/vo.access.egi.eu/user/search.action
Accounting:
- Accounting data of platform users: ...
- ...
Roadmap
Task | Priority | Responsible | Start date | Deadline | Comment | Status
---|---|---|---|---|---|---
Definition of the LTOS portal Terms and Conditions | Medium | Solagna | | 1 April | T. Ferrari: recommendation to lower the priority of this action considering that the LTOS portal is under revision in the context of the service request workflow definition for the marketplace |
Setup of the structures (team, processes, procedures) needed to support the LTOS platform | Medium | Solagna | | 1 May | |
Registration of LTOS components in GOC DB | High | Krakowian | started | 1 April | | DONE
Agree on OLAs supporting LTOS resources | High | Krakowian | | 1 April | OLAs with RPs: https://documents.egi.eu/document/2773; OLAs with SPs: https://documents.egi.eu/document/2782 | In progress
Finalization of the LTOS business model | Medium | Solagna | | 1 May | |
 | High | La Rocca | started | 1 April | | DONE
Accounting system integration | Medium | La Rocca | started | TBD | | In progress
Implementing Roles in the URP | Low | Szepieniec | | TBD | better understand requirement |
 | | La Rocca | started | finished | https://github.com/csgf/OpenIdConnectLiferay | DONE
Space for the resource providers' logos | Low | Szepieniec | Started | | Logos of NGIs/institutions providing resources for the LToS platform should be added at the bottom of https://access.egi.eu/start | In progress
Integration with QCG | Medium | La Rocca | started | TBD | https://ggus.eu/?mode=ticket_info&ticket_id=117764 | In progress
 | Medium | Szepieniec | started | 1 April | explanation | DONE
 | Medium | Szepieniec | started | 1 April | explanation | DONE
 | Low | Szepieniec | | TBD | | DONE
 | Medium | Szepieniec | | 1 April | explanation | DONE
information menu | Medium | Szepieniec | | 1 May | |
 | Medium | Szepieniec | | 1 April | | DONE
 | High | Szepieniec | | 1 April | | DONE
 | Low | Szepieniec | | 1 May | access.egi.eu already contains an EGI logo but the link is wrong: it should point to www.egi.eu instead of https://access.egi.eu/ | DONE
 | High | Szepieniec | | 1 April | HTC [Computing] = 10k hours; HTC [Storage] = 100 GB of total storage capacity; Cloud [Computing] = 10 vCPU cores per hours; Cloud [Storage] = 100 GB of storage volume | DONE
 | Low | Szepieniec | | TBD | |
 | Medium | Szepieniec | | 1 April | MK+GLR: where to put link | DONE
Add an institutional email for the communications | High | Peter | | TBD | Duplicate of https://rt.egi.eu/rt/Ticket/Display.html?id=10240 |
 | Medium | Szepieniec | | 1 June | | DONE
 | High | Krakowian | | | http://argo.egi.eu/lavoisier/status_report-site?report=OPS-MONITOR-Critical&accept=html | DONE
 | High | Krakowian | | | http://argo.egi.eu/lavoisier/status_report-site?report=OPS-MONITOR-Critical&accept=html | DONE
Setup GGUS units for trouble tickets | High | Peter | | TBD | | In progress
Define identity vetting manual for user request approvers | High | La Rocca | | TBD | |
 | High | Krakowian | 21.03 | 1 April | | DONE
Sign OLA with SG | High | Krakowian | 21.03 | 1 April | | In progress
Document process on how to monitor user-level accounting and how to respond to quota overuse | Low | La Rocca | | TBD | |
Manage user-level quota inside the SG | Low | La Rocca | | TBD | |
Define and implement process for downtime notification | Medium | Krakowian | | TBD | |
 | High | Krakowian | 14.03.2016 | 1 April | https://documents.egi.eu/document/2769 | DONE
Discuss details of joining with interested sites and SGs | High | La Rocca | | TBD | | In progress
 | High | Szepieniec | | TBD | | DONE
Involve NGI representatives in request approver team | Medium | Solagna | | 1 April | |
 | High | Szepieniec | Started | | | DONE
 | Medium | Szepieniec/Miguel | Started | | https://ggus.eu/?mode=ticket_info&ticket_id=123076 | DONE
 | High | La Rocca | Started | | | DONE
Adoption of URP to Hungarian Academic Cloud | Low | Sipos | | | |
LToS Long-tail-user-requests missing information in new affiliation email | High | Roksana | Started | | |
LToS admin portal fake profile | High | Roksana | Started | | |
LToS admin portal logout impossible | High | Roksana | Started | | |
LToS admin portal | High | Roksana | Started | | |
LToS admin portal misleading icons | High | Roksana | Started | | |