The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "Long-tail of science"

Revision as of 23:08, 6 November 2015




This page provides information about the 'EGI platform for the Long-tail of science' that allows individual researchers and small research teams to perform compute and data-intensive simulations on large, distributed networks of computers in a user friendly way. If you are interested in the project that developed and now maintains the platform, please jump to the [Long-tail of science project] page.


Information for users

What can you access in the platform?

The platform is accessible through this portal and offers grid, cloud and application services from across the EGI community for individual researchers and small research teams. The platform offers the following types of resources:

  • High-throughput computing sites for running compute/data-intensive jobs
  • Cloud sites suited for both compute/data intensive jobs and hosting of scientific services
  • Storage resources for storing job input and output data, and for setting up data catalogues
  • Science gateways that provide graphical web environments for building and executing applications in the platform.
  • Applications that are made available ‘as services’ through the science gateways.

Currently available resources in the platform:

| Type | Name | Description |
|---|---|---|
| Cloud and storage site | INFN Catania Openstack site | INFN-CATANIA-STACK site capacity: 20 vCPUs; 50 GB RAM; 10 floating IPs; 10 TB storage |
| High-throughput computing site | INFN Catania gLite site | GILDA-INFN-CATANIA site capacity: 4 CPU cores; 30 GB of /opt/exp_soft; 40 GB RAM |
| Science gateway | Catania Science Gateway | The Catania Science Gateway is a new generation of Science Gateway based on standards that changes the way e-Infrastructures are used. The gateway incorporates several scientific applications and offers these ‘as services’ for the user. |
| Application | Hello World | Hello World is a simple grid-based application that demonstrates the use of remote resources by printing the hostname where the job is executed. It is accessible through the Catania Science Gateway. |
| Application | The Statistical R | The Statistical R is a language and environment for statistical computing and graphics. It is accessible through the Catania Science Gateway. |
| Application | The Semantic Search Engine (SSE) | SSE is a framework conceived to demonstrate the potential of information coupled with semantic web technologies to address the issues of data discovery and correlation. It is accessible through the Catania Science Gateway. |

Who can access the platform?

The platform is open to any researcher who needs simple and user-friendly access to compute, storage and application services in order to carry out data/compute intensive science and innovation. You need to be affiliated with, or at least have a partner (for example a referee) at, a European research institution to qualify for access. The platform is designed to meet the needs of individual researchers and small research groups who have limited or no experience with distributed and cloud computing.

How can you access the platform?

  1. Log in to the entry portal with an EGI SSO, Google or Facebook account.
  2. Provide information on your profile page about your affiliation to a research institute or team.
  3. Request resources from the platform: indicate what you would like to achieve with the resources so we can help you find the most suitable ones.
  4. After your request is approved, log in to any of the science gateways and build or execute compute/data intensive applications.

Presentations about the platform

  • Slideset about the concept of the EGI long-tail of science platform: [1]
  • Slideset about the authentication & authorization model adopted (incl. per-user subproxies): [2]

Information for providers

How to connect a science gateway to the platform

Connecting the SG with the User Registration Portal


Client service Registration

1. Open a GGUS ticket to operations that includes the return URIs.

2. The UNITY team sends the Client its clientID and secretKey.


Authorization procedure between Unity and the Client:

1] The Client sends a request to the OpenID Provider.


parameters:
    response_type: code
    redirect_uri: Redirect url
    client_id: unity-oauth-egrant
    scope: profile openid

example:
    response_type=code
    &client_id=123123123
    &redirect_uri=https%3A%2F%2Fclient.pl%2Fauth
    &scope=openid%20profile
    &state=a123a123a123


2] Authorization Server authenticates the End-User.
3] Authorization Server obtains End-User Consent/Authorization.
4] Authorization Server sends the End-User back to the redirect URI from the first request (Redirect url) with a code.

example of the response

    code=uniquecode123
    &state=a123a123a123



5] Client sends the code to the Token Endpoint to receive an Access Token and ID Token in the response.

  POST /token HTTP/1.1
  Host: client.pl
  Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
  Content-Type: application/x-www-form-urlencoded

  grant_type=authorization_code&code=uniquecode123
    &redirect_uri=https%3A%2F%2Fclient.pl%2Fauth




6] Client validates the tokens and retrieves the End-User's Subject Identifier.

example:

  HTTP/1.1 200 OK
  Content-Type: application/json
  Cache-Control: no-store
  Pragma: no-cache

  {
   "access_token":"accessToken123",
   "token_type":"Bearer",
   "expires_in":3600,
   "refresh_token":"refreshToken123",
   "id_token":"idToken123123"
  }

You should decode the id_token and validate it (more information: http://openid.net/specs/openid-connect-basic-1_0.html).


7] Client gets user information from the UserInfo endpoint (https://unity.egi.eu/oauth2/userinfo).

example


8] The information about the user, such as email or name, is returned in JSON format.
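
The client side of steps 1, 4, 5 and 6 above, as an added Python example that is not part of the original page or of Unity's code. The function names, the `authorize_endpoint` and `issuer` arguments and the sample-token helper are assumptions; ID token signature verification is not shown.

```python
import base64, hmac, json, secrets, time
from urllib.parse import quote, urlencode

def build_auth_request(authorize_endpoint, client_id, redirect_uri):
    """Step 1: return (url, state). Store state in the user's session."""
    state = secrets.token_urlsafe(16)  # unguessable, one per login attempt
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": "openid profile",
                       "state": state}, quote_via=quote)
    return f"{authorize_endpoint}?{query}", state

def code_from_callback(params, expected_state):
    """Step 4: accept the code only if state matches the one from step 1."""
    returned = params.get("state", "")
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not tied to this session")
    return params["code"]

def build_token_request(code, redirect_uri, client_id, client_secret):
    """Step 5: headers and form body for the POST to the token endpoint."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return headers, body

def check_id_token_claims(id_token, issuer, client_id, now=None):
    """Step 6: decode the payload, check iss, aud, exp (signature not verified)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims  # claims["sub"] is the End-User's Subject Identifier

def make_sample_id_token(claims):
    """Constructed, unsigned token used only to exercise the checks above."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])
```
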



Important data:
unity.server.clientId=[YOUR CLIENT ID]
unity.server.clientSecret=[YOUR SECRET KEY]
unity.server.base=https://unity.egi.eu

full configuration:

Connecting the science gateway with per-user subproxies

EGI_AAI is used within the platform to authenticate users. Science gateways must generate per-user sub-proxies for their users and use these for any interaction with VO resources in the platform. A gateway can generate such proxies in two ways:

  1. From a robot certificate hosted in your gateway server. You can get a robot certificate from your national IGTF Certification Authority following the instructions here.
  1. If you are unable to complete this step (for example because there is no IGTF CA in your country, or because it does not issue robot certificates), then contact the EGI User Community Support Team, who can arrange a robot certificate for your gateway from the SEEGRID CA that operates as a 'catch-all' CA in EGI.


  • The robot certificate has to be registered in the VO you are willing to use. The complete EGI VO list is available here.
  • Contact the EGI User Community Support Team to store your robot certificate in the e-Token server.
  • Provide the EGI User Community Support Team with a static IP address that will be used to interact with the e-Token Server.
  • After the setup is completed, the EGI User Community Support Team will send you an identifier of your robot in the e-Token Server. You will have to use this identifier to interact with the e-Token server.



How to join as a resource provider

Any EGI resource provider can join the platform to offer capacity for members of the long-tail of science. The site needs to run one of the supported grid or cloud middleware software, enable per-user sub-proxies (for user authentication and authorisation), and join the vo.access.egi.eu Virtual Organisation in EGI. The next subsections provide instructions on how to enable per-user sub-proxies on EGI sites. Please email support@egi.eu if you wish to join as a resource provider. The ID Card of the VO is available at http://operations-portal.egi.eu/vo/view/voname/vo.access.egi.eu.

In order to provide authorization to the users of the LToS VO, a couple of DNs (Distinguished Names) are required to be configured on the services to be enabled. For instance, for the CREAM CE the usual grid-mapfile is the place to add them; for OpenStack it is /etc/keystone/voms.json. You can find below the instructions for each service.

Both the following Robot Certificate DNs must be configured:

/DC=EU/DC=EGI/C=HU/O=Robots/O=MTA SZTAKI/CN=Robot:zfarkas@sztaki.hu
/C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway  - Roberto Barbera

Instructions for OpenStack providers

Keystone-VOMS has support for PUSP in the special branch called subproxy_support, available in the GitHub repository https://github.com/enolfc/keystone-voms (the code is in the process of being integrated into the main branch of Keystone-VOMS). You can install the code from the repository following these instructions:

 git clone -b subproxy_support https://github.com/enolfc/keystone-voms.git
 cd keystone-voms
 pip install .

Configuration and deployment of the plugin do not change from the normal Keystone-VOMS plugin; follow the Keystone-VOMS documentation to deploy it.

There are new parameters to configure in your keystone config file, under the [voms] section:

  • allow_subproxy, should be set to True for enabling PUSP support.
  • subproxy_robots, should be set to * (recommended) or to a list of the DNs that are allowed to create PUSP in the system.
  • subproxy_user_prefix, determines the expected prefix for the PUSP user specification. It is safe to leave it undefined so the default value (CN=eToken) is used.

Instructions for gLite providers

There is an EGI manual that shows how to set up a per-user sub-proxy (PUSP) to allow identification of the individual users under a common robot certificate. You can find the guide here: https://wiki.egi.eu/wiki/MAN12

Instructions for OpenNebula providers

Development is ongoing. Release is not expected before the EGI Community Forum.

How to join the user support team

If you wish to support users in your country, region or science disciplinary area with the EGI platform, then please email support@egi.eu. We can train you and register you as a supporter.


Architecture details

Virtual Organisation

Name: vo.access.egi.eu

Scope: Global

Homepage URL: https://wiki.egi.eu/wiki/Long-tail_of_science

GGUS dedicated support: No (support provided in email - long-tail-support@egi.eu)

Acceptable use policy for users: https://documents.egi.eu/document/2635

Discipline: Support Activities

VO Membership management: VOMS+PERUN

Contacts: <long-tail-support@mailman.egi.eu> for all support issues.

Policies

Links for administrators