Bugzilla – Bug 6167
incorporate GS4GT into CTSS4
Last modified: 2008-12-05 13:02:51
A group of us met recently to discuss the packaging of GridShib for GT into CTSS4. JP Navarro's notes are attached for reference. As far as I can tell, here are the action items that I personally took away from this meeting:
* attempt to remove dependency on BC provider in GS4GT
* reconcile OpenSAML versions in GT 4.0.x
* reconcile Xalan and Xerces endorsement issues in GT 4.0.x
* create TG-wide trusted entities map file
* implement GS4GT policy framework extensions for TG (Bug 5882)
* create TG-wide policy file
* document how to deploy, configure, and test GS-ST
* document how to deploy, configure, and test GS4GT
* provide GS-ST and GS4GT binaries for packaging purposes
-------------------------------
From: JP Navarro <navarro@mcs.anl.gov>
To: gig-pack@teragrid.org, Jim Basney <jbasney@ncsa.uiuc.edu>, Terry Fleury <tfleury@ncsa.uiuc.edu>, Tom Scavo <trscavo@ncsa.uiuc.edu>, Nancy Wilkins-Diehr <wilkinsn@sdsc.edu>, Aaron Shelmire <shelmire@psc.edu>
Subject: Notes: Gateway kit packaging meeting, May 22
Date: Thu, 22 May 2008 14:54:03 -0500

Present: Charles, Eric, Jason, Jim, JP, Lee, Nancy, Terry, Tom

NOTES:

===========================================
CTSS Science Gateway Support Capability Kit
===========================================
OVERVIEW
  Optional kit
  RPs choose to support TeraGrid Science Gateways by deploying this kit
  Supporting this kit implies supporting some form of community accounts
  Pre-requisites: CTSS Remote Compute 4.0.0
COMPONENTS
  gateway-support-registration (required)
  gridshib-gt (required)
  commshell (optional)
  gridshib-saml-tool (required, for RP and Inca testing)
ACTION ITEMS
  Write capability kit definition document (Jim)
  Write capability kit implementation document (Lee/JP)
  Package gateway-support-registration component (gig-pack)
    Includes pacman and deployment instructions

=========================
GridShib for GT component
=========================
OVERVIEW
  GridShib for GT offers new WS GRAM capabilities:
    Logging individual users of community account based on attributes
    Resource providers can black-list to block individual problem gateway users
  Is pure Java, uses Ant, deploys to GLOBUS_LOCATION
  Uses a more recent OpenSAML 1.x than GT includes
  Installed with future TG globus-wsrf deployments, but disabled by default
ACTION ITEMS
  Figure out patch integration with GT and VDT instead of replacing 4 GT jars (Charles, Tom)
    May involve producing GT 4.0/4.2 patches (Tom)
  Produce binaries (Tom/Charles)
  Produce pacman (gig-pack)
  Write deployment instructions (gig-pack)
  Write configuration and deployment testing instructions (Terry/Tom)
  Identify what Inca should test (Jim)
  Write Inca tests (Jason and Jim)

=========================
Community Shell component
=========================
OVERVIEW
  Restricts what executables/commands can be run
  Written in C++
  To enable requires patch to GRAM2 and GRAM4 job manager scripts
  Is not LRM specific
  No GT or other interesting dependencies
ACTION ITEMS
  Figure out which RPs want it using draft list from security-wg (Lee/JP)
  Provide initial NMI glue (Jim), tweak for TG and put in TG CVS (Charles)
  Build binaries for required platforms (gig-pack)
    Binary will include GT patch(es)
  Produce pacman (gig-pack)
  Write deployment instructions (gig-pack)
  Write configuration and deployment testing instructions (Terry/Tom)
    Instructions will explain how to apply patch to PreWS and WS GRAM deployments
  Identify what Inca should test (Jim)
  Write Inca tests (Jason and Jim)

==================
GridShib SAML Tool
==================
OVERVIEW
  Standalone Java, requires Ant
  No GT dependencies
  Required so that RPs and Inca can test GridShib for GT functionality
ACTION ITEMS
  Provide binaries (Tom)
  Produce pacman (gig-pack)
  Write deployment instructions (gig-pack)
  Write configuration and deployment testing instructions (Terry/Tom)
  Work with Inca team to test existence and version (Jason)

Please reply with corrections or important omissions.
Thanks everyone,
JP

(In reply to comment #0)
> * implement GS4GT policy framework extensions for TG (Bug 5882)
> * create TG-wide policy file
We've decided that these two work items are not a requirement for this phase of the CTSS4 integration. There are no plans to extend the GS4GT policy framework at this time. Instead, this issue will be revisited at a later date.

(In reply to comment #0)
> * attempt to remove dependency on BC provider in GS4GT
We have successfully downgraded from jce-jdk13-131.jar to jce-jdk13-125.jar in GridShib SAML Tools:
http://bugzilla.globus.org/globus/show_bug.cgi?id=5791#c7
Thus the same dependency can be removed from GS4GT (Bug 6168).

(In reply to comment #0)
> * create TG-wide trusted entities map file
The data required for this config file is being compiled in the wiki:
http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
A pointer to this page has been sent to the gateways mailing list for comment.

Status Report
Completed:
* Removed the dependency on BouncyCastle provider (jce-jdk13-131.jar) in GridShib SAML Tools and GridShib for GT (Bug 6168)
* Begun to collect the data required for a required RP config file: http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes_Status
* Fixed all known bugs in GridShib SAML Tools
TODO:
* Reconcile Xalan and Xerces incompatibility and endorsement issues in GT 4.0.x (Bug 6099)
* Create TG-wide trusted entities map file (from data in wiki above)
* Create TG-wide identity attributes list (which permits blacklisting on e-mail address, e.g.)
* Document how to configure GS4GT for GRAM in GT 4.0.x
* Provide GS4GT binaries for packaging purposes
* Fix all known bugs in GridShib for GT (Bug 5966) (Bug 6074) (Bug 6169)

(In reply to comment #4)
> * Reconcile Xalan and Xerces incompatibility and endorsement issues in GT 4.0.x (Bug 6099)
This critical bug has been reopened since it appears that two needed JAR files are missing from the GT4.0.8 distribution. (The latter is required for the CTSS4 capability kit that we're trying to build.)

(In reply to comment #5)
> (In reply to comment #4)
> > * Reconcile Xalan and Xerces incompatibility and endorsement issues in GT 4.0.x (Bug 6099)
> This critical bug has been reopened ...
A new bug has been spun off from the old one:
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6296
A Globus Toolkit Advisory has been released:
http://www.globus.org/toolkit/advisories.html?version=4.0

(In reply to comment #4)
> * Create TG-wide identity attributes list (which permits blacklisting on e-mail address, e.g.)
This is done. See http://bugzilla.globus.org/globus/show_bug.cgi?id=5966#c4 and subsequent comments for implementation details.
Note: There is nothing that needs to be distributed specially with CTSS4 since the identity attribute list has been incorporated into GS4GT proper. This feature will be distributed with GS4GT v0.6.1.

These are the work items yet to do:
* Create TG-wide trusted entities map file (see Comment #3)
* Document how to configure GS4GT for GRAM in GT 4.0.x
* Provide GS4GT binaries for packaging purposes (Bug 6074)
* Fix all known bugs in GridShib for GT (especially Bug 6169)
Bug 5791 blocks all further work on GS4GT. In other words, the final release of GS-ST v0.5.0 is required before we can continue with this effort.

(In reply to comment #8)
> * Create TG-wide trusted entities map file (see Comment #3)
Terry Fleury has taken ownership of this work item. Such a file has been drafted. We are still discussing the naming conventions used therein.
> Bug 5791 blocks all further work on GS4GT. In other words, the final release
> of GS-ST v0.5.0 is required before we can continue with this effort.
GS-ST v0.5.0 RC3 will be released today (Aug 25, 2008).

(In reply to comment #0)
> * document how to deploy, configure, and test GS-ST
This item fell off the list for some reason, but it turns out to be a requirement. We're investigating ways to deploy GS-ST into CTSS4...

(In reply to comment #9)
> GS-ST v0.5.0 RC3 will be released today (Aug 25, 2008).
This has been delayed pending resolution of Bug 6342.

(In reply to comment #11)
> (In reply to comment #9)
> > GS-ST v0.5.0 RC3 will be released today (Aug 25, 2008).
> This has been delayed pending resolution of Bug 6342.
There are no remaining bugs blocking the release of GS-ST v0.5.0 RC3. We now begin two days of testing with GS4GT v0.6.1 RC.

As an update, all major bugs have been fixed. There are some lesser, annoying bugs that we'll work on and lots of documentation to write, but we're making progress towards our goal.
The final version of GridShib SAML Tools v0.5.0 has been released:
http://www.globus.org/mail_archive/gridshib-user/2008/09/msg00009.html
Release Candidate 2 of GridShib for GT will be released shortly (depending on the nightly build results). The final version of GS4GT will be released the week of Sep 22nd.

(In reply to comment #13)
> Release Candidate 2 of GridShib for GT will be released shortly (depending on
> the nightly build results). The final version of GS4GT will be released the
> week of Sep 22nd.
GridShib for GT v0.6.1 RC2 was released on 15 Sep 2008:
http://www.globus.org/mail_archive/gridshib-user/2008/09/msg00010.html
The final version of GS4GT v0.6.1 will be released on 26 Sep 2008.

We had a gig-pack conference call today. Here are the personal action items I took away from this call:
* Finalize GridShib for GT v0.6.1
** Provide final GS4GT binaries for packaging
* Send static GS4GT config file to JP
** Add AAA test account to config file
* Document how to configure GS4GT for GRAM in GT 4.0.x
** Include item re cron job that refreshes GS4GT config file
* Add a section to status page re creating a new gateway config
* Consult with Nancy re getting config data into the database

(In reply to comment #15)
> * Finalize GridShib for GT v0.6.1
> ** Provide final GS4GT binaries for packaging
Done.
http://gridshib.globus.org/downloads/gridshib-gt-0_6_1-GT4.0.8-bin.tar.gz
http://gridshib.globus.org/downloads/gridshib-gt-0_6_1-GT4.0.8-bin.zip
> * Send static GS4GT config file to JP
> ** Add AAA test account to config file
Done.
https://info.teragrid.org/gateways/trusted_authorities_entity_map.txt
http://info.teragrid.org/gateways/trusted_authorities_entity_map.txt
> * Consult with Nancy re getting config data into the database
In progress.

(In reply to comment #15)
> * Document how to configure GS4GT for GRAM in GT 4.0.x
Done.

All the work items identified in this bug entry have been addressed. Although the Capability Kit has not been released, all work items assigned to me are complete. Ongoing support will be provided as needed of course, but for all practical purposes this bug is resolved.