|
|
| (146 intermediate revisions by 5 users not shown) |
| Line 1: |
Line 1: |
| {{Template:Op menubar}} {{TOC_right}}
| | #REDIRECT [[Applications_on_Demand_Service_-_Information_pages]] |
| | |
| '''This page provides information about the '[http://access.egi.eu EGI platform for the Long-tail of science]' that allows individual researchers and small research teams to perform compute and data-intensive simulations on large, distributed networks of computers in a user friendly way. If you are interested in the project that developed and now maintains the platform, please jump to the [[Long-tail_of_science_project|Long-tail of science project]] page.
| |
| '''
| |
| | |
| | |
| = Information for users =
| |
| | |
| == What can you access in the platform? ==
| |
| | |
| The platform is accessible through [http://access.egi.eu this portal] and offers grid, cloud and application services from across the EGI community for individual researchers and small research teams. The platform offers the following type of resources:
| |
| | |
| *High-throughput computing sites for running compute/data-intensive jobs
| |
| *Cloud sites suited for both compute/data intensive jobs and hosting of scientific services
| |
| *Storage resources for storing job input and output data, and for setting up data catalogues
| |
| *Science gateways that provide graphical web environments for building and executing applications in the platform.
| |
| *Applications that are made available ‘as services’ through the science gateways.
| |
| | |
| Current available resources in the platform: <br>
| |
| | |
| {| width="60%" border="1" cellpadding="1" cellspacing="1"
| |
| |-
| |
| | Type
| |
| | Name
| |
| | Description
| |
| |-
| |
| | Cloud and storage site
| |
| | INFN Catania Openstack site
| |
| | INFN-CATANIA-STACK site capacity:
| |
| *20 vCPUs
| |
| *50 GB RAM
| |
| *10 floating IPs
| |
| *10 TB storage
| |
| |-
| |
| | High-throughput computing site
| |
| | INFN Catania gLite site
| |
| | GILDA-INFN-CATANIA site capacity:
| |
| *4 CPU cores
| |
| *30 GB of /opt/exp_soft
| |
| *40 GB RAM
| |
| |-
| |
| | Science gateway
| |
| | Catania Science Gateway
| |
| | The [https://www.catania-science-gateways.it/home Catania Science Gateway]
| |
| is a new generation of Science Gateway based on standard that changes the way
| |
| e-Infrastructures are used. The gateway incorporates several scientific
| |
| applications and offers these ‘as services’ for the user.
| |
| |-
| |
| | Application
| |
| | Hello World
| |
| | Hello World is a simple grid-based application that demonstrates the use of remote resources by printing the hostname where the job is executed. It is accessible through the Catania Science Gateway.
| |
| |-
| |
| | Application
| |
| | The Statistical R
| |
| | The Statistical R is a language and environment for statistical computing and graphics. It is accessible through the Catania Science Gateway.
| |
| |-
| |
| | Application
| |
| | The Semantic Search Engine (SSE)
| |
| | SSE is a framework conceived to demonstrate the potential of information coupled with semantic web technologies to address the issues of data discovery and correlation. It is accessible through the Catania Science Gateway.
| |
| |}
| |
| | |
| == Who can access the platform? ==
| |
| | |
| The platform is open for any researcher who needs a simple and user-friendly access to compute, storage and applications services in order to carry out data/compute intensive science and innovation. You need to be affiliated with, or at least have a partner (for example a referee), at a European research institution to qualify for access. The platform is designed to meet the needs of individual researchers and small research groups who have limited or no experience with distributed and cloud computing.
| |
| | |
| == How can you access the platform? ==
| |
| | |
| # Login to the [http://access.egi.eu entry portal] with an EGI SSO, Google or Facebook account. | |
| # Provide information on your profile page about your affiliation to a research institute or team.
| |
| # Request resources from the platform: Indicate what you would like to achieve with the resources so we can help you find the most suitable ones.
| |
| # After your request is approved, login to any of the science gateways and build or execute compute/data intensive applications.
| |
| | |
| == Presentations about the platform ==
| |
| * Slideset about the concept of the EGI long-tail of science platform: [https://documents.egi.eu/document/2358]
| |
| * Slideset about the authentication & authorization model adopted (incl. per-user subproxies): [https://documents.egi.eu/document/2363]
| |
| | |
| = Information for providers =
| |
| | |
| == How to connect a science gateway to the platform ==
| |
| | |
| === Connecting the science gateway with the User Registration Portal ===
| |
| | |
| <br>'''Client service Registration'''<br><br>1. Open the GGUS ticket to operations that include return URIs<br><br>2. UNITY team send Client clientID and secretKey<br>
| |
| <div class="moz-forward-container" style="font-size: 13.28px; line-height: 19.92px;"><br><div dir="ltr"><div><div>'''Authorization procedure Unity with Client:'''</div><div>'''<br>'''</div><div>1] The Client sends a request to the OpenID Provider</div><div><br></div><div>address: [https://unity.egi.eu/oauth2-as/oauth2-authz https://unity.egi.eu/oauth2-as/oauth2-authz]</div><div><br></div><div>parameters:</div><div>response_type:code</div><div>redirect_uri: [[Redirect url]]</div><div>client_id:unity-oauth-egrant</div><div>state: [[You should generate your own state eg. md5(uniqid(rand(), TRUE));]]</div><div>scope:profile openid </div><div><br></div><div>example:</div><div> [https://unity.egi.eu/oauth2-as/oauth2-authz https://unity.egi.eu/oauth2-as/oauth2-authz]</div><div> response_type=code</div><div> &client_id=123123123</div><div> &redirect_uri=https%3A%2F%2Fclient.pl%2Fauth</div><div> &scope=openid%20profile</div><div> &state=a123a123a123</div><div><br></div><div><br></div><div>2] Authorization Server authenticates the End-User.</div><div>3] Authorization Server obtains End-User Consent/Authorization.</div><div>4] Authorization Server sends the End-User back to the redirect uri from the first request ([[Redirect url]]) with code.</div><div><br></div><div>example of the response</div><div><br></div><div>Location: [https://client.pl/auth https://client.pl/auth]?</div><div> code=uniquecode123</div><div> &state=a123a123a123</div><div><br></div><div><br></div><div><br></div><div>5] Client sends the code to the Token Endpoint to receive an Access Token and ID Token in the response.</div><div><br></div><div>POST /token HTTP/1.1</div><div> Host: [http://client.pl/ client.pl]</div><div> Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW</div><div> Content-Type: application/x-www-form-urlencoded</div><div><br></div><div> grant_type=authorization_code&code=uniquecode123</div><div> &redirect_uri=https%3A%2F%2Fclient.pl%2Fauth</div><div><br></div><div><br></div><div><br></div><div><br></div><div>6] Client validates the tokens and retrieves the End-User's Subject Identifier.</div><div><br></div><div>example:</div><div><br></div><div> HTTP/1.1 200 OK</div><div> Content-Type: application/json</div><div> Cache-Control: no-store</div><div> Pragma: no-cache</div><div> {</div><div> "access_token":"accessToken123",</div><div> "token_type":"Bearer",</div><div> "expires_in":3600,</div><div> "refresh_token":"refreshToken123",</div><div> "id_token":"idToken123123"</div><div> }</div><div><br></div><div>You should decode id_token and make some validation (more information: [http://openid.net/specs/openid-connect-basic-1_0.html http://openid.net/specs/openid-connect-basic-1_0.html])</div><div><br></div><div><br></div><div>7] Client Gets some information from userpoint endpoint ([https://unity.egi.eu/oauth2/userinfo https://unity.egi.eu/oauth2/userinfo])</div><div><br></div><div>example</div><div>[https://unity.egi.eu/oauth2/userinfo?schema=openid&access_token=accessToken123 https://unity.egi.eu/oauth2/userinfo?schema=openid&access_token=accessToken123]"</div><div><br></div><div><br></div><div>8] User gets information about user such as email or name in json format</div><div><br></div><div><br></div><div><br></div><div>important data:</div><div>unity.server.clientId= [YOUR CLIENT ID]<br>unity.server.clientSecret= [YOUR SECRET KEY]<br></div><div>unity.server.authorize=[https://unity.egi.eu/oauth2-as/oauth2-authz https://unity.egi.eu/oauth2-as/oauth2-authz]</div><div>unity.server.token=[https://unity.egi.eu/oauth2/token https://unity.egi.eu/oauth2/token]</div><div>unity.server.base=[https://unity.egi.eu/ https://unity.egi.eu]</div><div><br></div><div>full configuration:</div><div>[https://unity.egi.eu/oauth2/.well-known/openid-configuration https://unity.egi.eu/oauth2/.well-known/openid-configuration]</div></div><div><br></div>
| |
| | |
| === Connecting the science gateway with per-user subproxies ===
| |
| | |
| The platform uses [[EGI_AAI|per-user subproxies]] for user authentication. Science gateways must generate per-user sub proxies for their users and use these for any interact with VO resources in the platform. A gateway can generate such proxies in two ways: From a robot certificate physically hosted on your gateway server OR from a remote robot certificate that is hosted for you in the e-Token Server of INFN Catania in Italy. We recommend to choose the second option if you cannot obtain a robot certificate from your national IGTF CA (i.e. because there is no such CA in your country, or because it does not issue robot certificates.)
| |
| | |
| '''Instructions to use a local robot certificate:'''
| |
| # Obtain a robot certificate from your national IGTF Certification Authority following the instructions [http://www.egi.eu/how-to/get_a_certificate.html here].
| |
| # Register the robot in the vo.access.egi.eu VO: https://perun.metacentrum.cz/cert/registrar/?vo=vo.access.egi.eu
| |
| # Generate proxies from the robot using the <...> API.
| |
| | |
| '''Instructions to generate per-user subproxies from the e-Token Server:'''
| |
| # Contact the [mailto:ucst@egi.eu EGI User Community Support Team] and send a short description of your gateway service and the way it would be integrated with platform resources. The team will arrange a robot certificate for your gateway from the SEEGRID CA (which operates as a 'catch-all' CA in EGI), will register this in the VO and in the e-Token Server in Italy.
| |
| # Provide the [mailto:ucst@egi.eu EGI User Community Support Team] with a static IP address of your gateway server so requests for proxies can be authorized from this address on the e-Token Server.
| |
| # Generate proxies from the e-Token server using the <...> API.
| |
| | |
| == How to join as a resource provider ==
| |
| | |
| <span style="font-size: 13.28px; line-height: 19.92px; font-weight: normal;">Any EGI</span><span style="font-size: 13.28px; font-weight: normal; line-height: 1.5em;"> </span><span style="line-height: 19.92px; font-size: 13.28px; font-weight: normal; background-color: initial;">resource provider can join the platform to offer capacity for members of the long-tail of science. The site needs to run one of the supported grid or cloud middleware software, enable per-user sub-proxies (for user authentication and authorisation), and join the [http://operations-portal.egi.eu/vo/view/voname/vo.access.egi.eu vo.access.egi.eu Virtual Organisation]. The next subsections provide instructions on how to enable per-user sub-proxies on EGI</span><span style="font-size: 13.28px; font-weight: normal; line-height: 1.5em;"> </span><span style="font-size: 13.28px; font-weight: normal; line-height: 19.92px; background-color: initial;">sites. Please email long-tail-support@egi.eu if you wish to join as a resource provider.</span>
| |
| | |
| In order to provide authorization to the users of the LToS VO, a couple of DNs (Distinghished Names) are required to be configured on the services to be enabled. For instance, for the CREAM CE the usual grid-mapfile is the place where to add them, for OpenStack it's /etc/keystone/voms.json. You can find below the instructions for each service.
| |
| | |
| The following Robot Certificate DNs must be configured:
| |
| | |
| <pre>/DC=EU/DC=EGI/C=HU/O=Robots/O=MTA SZTAKI/CN=Robot:zfarkas@sztaki.hu
| |
| /C=IT/O=INFN/OU=Robot/L=Catania/CN=Robot: Catania Science Gateway - Roberto Barbera</pre>
| |
| | |
| === Instructions for OpenStack providers ===
| |
| | |
| Keystone-VOMS has support for per-user subproxies in the special branch called <code>subproxy_support</code> available in the github repository https://github.com/enolfc/keystone-voms (code is in progress of being integrated into the main branch of Keystone-VOMS). You can install the code from the repository following these instructions:
| |
| <pre> git clone -b subproxy_support https://github.com/enolfc/keystone-voms.git
| |
| cd keystone-voms
| |
| pip install .
| |
| </pre>
| |
| Configuration and deployment of the plugin does not change from the normal Keystone-VOMS plugin, follow the [https://keystone-voms.readthedocs.org/en/latest/ Keystone-VOMS documentation] to deploy it.
| |
| | |
| There are new parameters to configure in your keystone config file, under the <code>[voms]</code> section:
| |
| | |
| *<code>allow_subproxy</code>, should be set to <code>True</code> for enabling PUSP support.
| |
| *<code>subproxy_robots</code>, should be set to <code>*</code> (recommended) or to a list of the DNs that are allowed to create PUSP in the system.
| |
| *<code>subproxy_user_prefix</code>, determines the expected prefix for the PUSP user specification. It is safe to leave it undefined so the default value (<code>CN=eToken</code> is used.
| |
| | |
| === Instruction for gLite providers ===
| |
| | |
| There is an EGI manual that shows how to set up a per-user sub-proxy to allow identification of the individual users under a common robot certificate. You can find the guide here: https://wiki.egi.eu/wiki/MAN12
| |
| | |
| === Instruction for OpenNebula providers ===
| |
| | |
| OpenNebula sites are not yet supported in the platform.
| |
| | |
| == How to join the user support team ==
| |
| | |
| If you wish to support users in your country, region or science disciplinary area with the EGI platform, then please email support@egi.eu. We can train you and register you as a supporter.
| |
| | |
| <br>
| |
| | |
| = Architecture details =
| |
| | |
| == Virtual Organisation ==
| |
| | |
| Name: vo.access.egi.eu
| |
| | |
| Scope: Global
| |
| | |
| Homepage URL: https://wiki.egi.eu/wiki/Long-tail_of_science
| |
| | |
| GGUS dedicated support: No (support provided in email - long-tail-support@egi.eu)
| |
| | |
| Acceptable use policy for users: https://documents.egi.eu/document/2635
| |
| | |
| Discipline: Support Activities
| |
| | |
| VO Membership management: VOMS+PERUN
| |
| * perun.cesnet.cz. The enrollment url is https://perun.metacentrum.cz/perun-registrar-cert/?vo=vo.access.egi.eu
| |
| * voms1.egee.cesnet.cz and voms2.grid.cesnet.cz
| |
| | |
| Contacts:
| |
| <long-tail-support@mailman.egi.eu> for all support issues.
| |
| | |
| == Policies ==
| |
| | |
| * Acceptable Use Policy and Conditions of Use of the EGI Platform for the Long-tail of Science: https://documents.egi.eu/document/2635
| |
| * [[SPG:Drafts:LToS Service Scoped Security Policy]]
| |
| | |
| == Links for administrators ==
| |
| | |
| * Detailed accounting data about the VO users can be obtained by the VO managers at https://accounting.egi.eu/user/voadm.php
| |
| * To see the list of VO members: https://voms1.egee.cesnet.cz:8443/voms/vo.access.egi.eu/user/search.action
| |
| * To register in the VO (relevant for gateway robot certificates and for support staff): https://perun.metacentrum.cz/cert/registrar/?vo=vo.access.egi.eu
| |
| * VO membership management interface in PERUN: https://perun.metacentrum.cz/cert/gui/
| |
| | |
| | |
| [[Category:Task_forces]] [[Category:LToS]]
| |
The wiki is deprecated and due to be decommissioned by the end of September 2022.