PEARC17 BoF: Globus Toolkit Support Changes


Here is the statement from OSG software team I mentioned in the meeting:

http://osggoc.blogspot.com/2017/07/?m=1

BoF notes

Thanks to the following in-person participants:

  • Jim Marsteller - PSC
  • Derek Simmel - PSC / TAGPMA
  • Steve Tuecke - Globus
  • Jim Basney - NCSA/XSEDE
  • Derek Weitzel - OSG
  • Von Welch - CTSC
  • Ludek Matyska - EGI / ELIXIR AAI
  • Mona Wong - SDSC
  • Vas - Globus
  • Gergely Sipos - EGI
  • Rick Wagner - Globus
  • JP Navarro - Univ. of Chicago / XSEDE
  • Tabitha Samuel - NICS / XSEDE
  • Mats Rynge - OSG
  • Shane Filus - PSC

Slides:

Globus announcement:

Globus support after Dec 31 2017 will be focused on security fixes for GCSv4 and GSI (and critical bug fixes).

XSEDE is sponsoring these events because we want to understand community needs. This is an opportunity to re-assess our community needs and to better understand our use cases.

Suggestion that we focus on use cases rather than existing implementations.

Need an impact assessment among the communities. And what are the proposed solutions? Opportunity to migrate to new things together?

Where should we get our credentials (compatible with Globus and other technologies)?

  • Answer: from an InCommon IdP, Google, Orcid, or XSEDE (others can be added to Globus)
  • Globus Auth is the core of Globus future plans. Based on OAuth2 / OpenID Connect standards.
  • https://docs.globus.org/api/auth/
  • Does Globus expect most users to get identities from InCommon? Google and ORCID are also supported. Other identity providers can be added. XSEDE is also an identity provider.

If we're using Globus Auth now, do we need to use X.509 at all? Once the new Globus software is available, you won't need X.509, except you still need X.509 server certs for HTTPS. Globus is getting rid of X.509 user certificates (and proxy certificates).

Users need time to transition. Suggested: 6 months.

SSH for Globus Auth will be delivered later this year.

Will OpenSSH patches be required? OpenSSH server may need to be patched for username mapping. Use case at NICS using Duo for authentication with username mapping.

GCSv5 will be a completely separate source code base. GCSv5 runs on a different port than GCSv4 and GT6 GridFTP. GCSv5 is a completely new data service.

XSEDE

  • Some XSEDE gateways still use GRAM. LSU and TACC still run GRAM services. What is impact for X.509?
  • How will this integrate with XSEDE account management (e.g., AMIE)? Probably some AMIE changes will be needed.
  • What happens with XSEDE gateway community credentials? Can XSEDE replace gateway-submit-attributes?
  • XSEDE Service Provider (SP) Forum is gathering XSEDE's use cases.
  • XSEDE deployment timeline?

    • End of 2017: Have a plan, start evaluating options, start preparing solutions

    • January thru June 2018: finish preparing solutions and start migrations

    • End of June 2018: 6 months to finish migrating by end of 2018

OSG

  • OSG almost done deprecating use of GRAM.
  • OSG announcement: https://opensciencegrid.github.io/technology/policy/globus-toolkit/
  • Plan to support GSI and GridFTP as long as stakeholders need it.
  • Big VOs using standalone GridFTP with X.509 internally.
  • OSG users have been moving away from X.509 for a while. Using OSG Connect based on Globus Auth already.
  • OSG has mostly moved away from VOMS for user management.

ELIXIR AAI

  • ELIXIR AAI is not based on X.509 certificates at all, but community certificates can be used behind the scenes.
  • Sites use GridFTP and GSI libraries.
  • Doing risk/impact assessment.
  • Looking at open opportunities to move beyond legacy dependencies.
  • Ongoing discussion about using Globus services.

EGI

  • EGI has legacy users like LHC who need X.509 for foreseeable future.
  • OSG-EGI-WLCG need to coordinate.
  • GSI and GridFTP and VOMS are needed.
  • New communities coming in are using EGI Cloud, replacing X.509 with OpenID.
  • Opportunity to get rid of X.509 for cloud domain.
  • X.509 is a big barrier for new communities.
  • Doing OpenID with OpenStack cloud.
  • OneData (https://onedata.org/) for data transfer.

OSG-EGI may share the burden of maintaining GSI?

Opportunities for future discussions:

Any feedback about Globus communication? Announcement was clear.

Impacts on NSF Large Facilities? Large Facilities workshop coming up in September. Steve Tuecke from Globus will be attending.

What about levels of assurance? XSEDE has vetted and unvetted users. IGTF has multiple levels of assurance. Do we have connections to PRACE and EUDAT?

  • Dave Kelsey and David Groep from be included.

Invitation to participate in XSEDE discussion forum:
