Difference: CsGsiSupport (2 vs. 3)

Revision 3 2010-08-31 - andrec

Line: 1 to 1
 
META TOPICPARENT name="ClosedCanarieProjectNEP52"
This page contains information on GSI support in the cloud scheduler.
Line: 6 to 6
  Enabling GSI support in the cloud scheduler will also put some restrictions on the VM which will only allow jobs from the owner of that VM to be started on it. In other words, jobs owned by user B will not be started on a VM owned by user A. The rationale behind this is to prevent access to a delegated proxy on a VM to other users.
Added:
>
>
The GSI support is still in prototype mode and is available under the myproxy-integration-dev branch.
 

Requirements:

Added:
>
>
  • A cloud scheduler codebase with GSI support
    • checkout from myproxy-integration-dev branch
 
  • A working CA is required to sign the dummy VM host certificate.
Added:
>
>
    • Done. Running on alto.cloud.nrc.ca
 
  • A working Globus Toolkit is required on the host running the cloud scheduler.
  • The user requires a valid grid certificate (x509)
Added:
>
>
  • The VM images must have a recent version of the condor startup scripts (with generic local condor config support)
 

Install NEP-52 root CA package

Added:
>
>
On the cloud scheduler host:
 
Changed:
<
<
$ wget https://wiki.heprc.uvic.ca/twiki/pub/Restricted/CsGsiSupport/globus_simple_ca_ebd3459c_setup-0.20.tar.gz
>
>
$ wget --no-check-certificate https://wiki.heprc.uvic.ca/twiki/pub/Restricted/CsGsiSupport/globus_simple_ca_ebd3459c_setup-0.20.tar.gz
 $ gpt-build ./globus_simple_ca_ebd3459c_setup-0.20.tar.gz
 # gpt-postinstall
 # $GLOBUS_LOCATION/setup/globus_simple_ca_ebd3459c_setup/setup-gsi
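Review bot: the new wget line adds `--no-check-certificate`, so the NEP-52 root CA package, which is the trust root for the entire GSI setup on this host, is fetched with TLS certificate verification turned off; anyone able to interpose on the path to wiki.heprc.uvic.ca could hand back a different `globus_simple_ca_ebd3459c_setup-0.20.tar.gz` and every host that runs `gpt-build` on it would afterwards trust certificates that CA signs. Prefer fixing the trust problem that motivated the flag (install the wiki server's issuing CA on the cloud scheduler host, or pass it with `--ca-certificate=<bundle>`), and if the flag has to stay, publish a checksum of the tarball out of band and have readers compare it (for example with `sha256sum`) before `gpt-build` and the root-level `gpt-postinstall` / `setup-gsi` steps.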
Line: 26 to 33
 $ cd VM-host-cert
 $ grid-cert-request -dir . -host NEP-52_VM_instance -ca
Changed:
<
<
For the time being, the NEP-52 CA is hosted on alto.cloud.nrc.ca. Send the above certificate request to Andre.Charbonneau@nrc-cnrc.gc.ca
>
>
For the time being, the NEP-52 CA is hosted on alto.cloud.nrc.ca. Send the above certificate request to Andre.Charbonneau@nrc-cnrc.gc.ca
 Install the signed certificate in the VM-host-cert directory created above.

Configure GSI Authentication in Condor

Line: 38 to 45
 SEC_CLIENT_ENCRYPTION_METHODS = 3DES
 GRIDMAP = /etc/grid-security/grid-mapfile.condor
Changed:
<
<
This will enable both authentication (GSI) and encryption for clients connecting to this condor server. Do not forget to create the grid mapfile specified in the above configuration. If you do not create the grid mapfile, users will sill be authenticated and authorized to ues the services, but will be mapped to gsi@unmappeduser.
>
>
This will enable both authentication (GSI) and encryption for clients connecting to this condor server. Do not forget to create the grid mapfile specified in the above configuration.

For some unknown reason, my grid mapfile must contain an entry for the host cert of cloud scheduler (vm129 in my case), such as:

"/C=CA/O=Grid/CN=host/vm129.cloud.nrc.ca" condor@vm129.cloud.nrc.ca
(Replace vm129.cloud.nrc.ca with the hostname of your cloud scheduler host.)

Note that if users are not listed in the grid mapfile, these users will still be authenticated and authorized to look at the condor info (READ operations), but will not be allowed to submit any jobs.

  In order for the changes to take effect, you need to restart condor:
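Review bot: the "For some unknown reason" paragraph records a requirement without its rationale, and the sentence removed from the old text (users without a mapfile entry are authenticated but mapped to `gsi@unmappeduser`) is the likely explanation (an inference from the visible configuration, not something the page states): once `SEC_*` enables GSI, the Condor daemons on the cloud scheduler host authenticate to each other with the host certificate `/C=CA/O=Grid/CN=host/vm129.cloud.nrc.ca`, and if that DN is absent from `GRIDMAP` the daemons themselves land on the unmapped identity and are refused the daemon-level operations the schedd and collector need, which is why the entry mapping it to `condor@vm129.cloud.nrc.ca` is required. Suggest replacing "For some unknown reason" with that rationale and keeping the removed `gsi@unmappeduser` sentence next to the note that unlisted users are limited to READ operations, so readers can recognise the unmapped identity when it shows up in the Condor logs.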
Line: 82 to 97
 /usr/local/nimbus/services/etc/nimbus/nimbus-grid-mapfile
Changed:
<
<

Add x509 proxy info in your job description

>
>

Testing

Restart the cloud scheduler

Create a user proxy (full legacy)

$ grid-proxy-init -old

Add x509 proxy info in your job description

 In order to use GSI authentication, you need to specify your user proxy in your job description. This is done using the x509userproxy classad attribute. For example:
x509userproxy = /tmp/x509up_u20200
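Review bot: `x509userproxy = /tmp/x509up_u20200` is a per-account path: `grid-proxy-init` writes the proxy to `/tmp/x509up_u<uid>` using the submitting user's numeric uid, so 20200 only works for one user. Say so the way the grid mapfile section does for vm129 ("replace 20200 with your uid"), or point readers at `grid-proxy-info -path` / `$X509_USER_PROXY` to find the actual file. It would also help to say next to `grid-proxy-init -old` why the legacy proxy format is needed by the prototype, since legacy proxies have been superseded by RFC 3820 proxies and readers need to know when the `-old` flag can be dropped.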
Changed:
<
<
>
>

Submit the job

$ condor_submit <job-description-file>
 

Credential renewal

NOT IMPLEMENTED YET
 