"Andrew's blog about Grids, Webs, Security and other interestingTM Stuff"
Web/Net
W3C
RFC Editor
Apache
Grid Security
EGEE/LCG
JSPG
EU GridPMA
EGEE JRA3
MWSG
Switch to list of recent blogs only
CHEP 2007, Victoria, Canada
Tue 11 September 2007 11:09am
This year's Computing in High Energy Physics conference marks ten years since my first one in Berlin. Looking back, the first rumblings of the desire for the grid were there, and I remember seeking out talks about CLEO's Nile distributed data processing system, and Funnel and Centipede from the HERA experiments. At the time, the idea of objects was mixed-in, with some vague concept that objects might interact with each other over the network: that idea has come and gone, although Web Services are a loosely coupled echo of it. This year the grid is part of the fabric, and implicitly the background to most of the talks and posters.
Back in 1997, C++ and object orientated programming had already won over the experiments, and people were turning up and pitching their solutions. But the new and controversial issue was Linux vs Windows NT: whether to go from a mix of VMS and Unix on proprietary hardware, onto Linux or Windows in PC's, as it was increasingly clear that PC-based hardware would be considerably cheaper. (I was there with my Linux binaries and RPMs of the CERN Program Library, which were redistributed by CERN itself until around 2000.)
This year, the Gartner Group's Hype Cycle graph appeared more than once, with the claim that the grid is now on the "Plateau of Productivity" (we'd better be, since almost all the distributed LHC computing production work is being done via the grid!)
In the security area, I gave an oveview of recent updates to GridSite's security toolkit (which was very similar to my talk in June but with "will do" replaced by "have done"...) I did have time to outline my feelings about identity federation: something we've managed to avoid in grids so far, but which is becoming more pressing as username/password based systems interact more with elements of the grid world, and with users used to the convenience of X.509 user certificates in their browser. In short, we seem to be expecting sites to do local identity federation, which isn't so bad for a few large sites like CERN (who are unifying username/password, kerberos and X.509 access with a single sign-on page), but it's not going to scale if every site or interactive service needs to do it.
On the photography front, CHEP always has interesting excursions - this time, whale watching - but instead I went and took some photographs around Victoria on the free afternoon, especially the harbour and the seaplanes:
A short video of a seaplane landing (done with a still camera in video mode, at 12x optical zoom):
Pictures of the conference hotel and seaplanes landing and taxiing:
GridPP18 in Glasgow
Thu 22 March 2007 11:03am
Most of my talks at collaboration meetings are status reports, but this time
I did an overview of
the "credential soup" of abbreviations and
acronyms in the security area, including
X.509, GSI, CAS, LDAP-VO, GACL, VOMS, XACML, SAML, Shibboleth, VOM, WS-Sec, ...
This talk also kicked off with a new concept: "Grid projects typically generate one new acronym for every 10,000 lines of code" (McNab's Law of Grid Acronyms!)
There are some new ideas on the (web) horizon, like OpenID and Shibboleth, but the credentials side of things is pretty much sorted in EGEE/LCG now. However access policies, and how to maintain them in production at sites, is still up in the air - with a mixture of solutions on offer and some big gaps.
GridSite and Subversion
Fri 15 December 2006 12:12pm
In the last couple of weeks I've been looking at adding support to GridSite
for the Subversion version control
system (ie like CVS). It's interesting from a GridSite point of view because
the server side comes in the form of modules which extend Apache, and the
network protocol is just WebDAV. It's been brought up before that there might
be some useful overlaps here, and Alessandra Forti who runs the Tier-2 here
in Manchester suggested it again last month (as part of managing configuration
files for grid installations using Subversion.)
Read more ...
MWSG at CERN and Escalade
Fri 17 November 2006 11:11am
I've not been back to annual
Escalade in Geneva since
2001 and I didn't again this year.
But the chocolate cooking pots ("les marmites") filled
with sweets were there in Migros at the airport, so brought one back to show
some sceptics back in Manchester. However, I'd forgotten (didn't know?) that
the yellow and red "fruit pastille" sweets contain explosive
bangers like Christmas-crackers, so I and a very helpful member of the
airport security staff removed the bangers and rewrapped the sweets
one by one...
All Hands Meeting, 2006
Fri 22 September 2006 1:09pm
The UK e-Science All Hands have
been at the University of Nottingham for the last few years, and this year
was Manchester HEP's best showing yet: as well as my
poster on GridSite
delegation and PPARC stand talk on LCG/EGEE/GridPP security, Joseph Dada
presented our work on Shibboleth extensions to GridSite and his certificate-based
Identity Provider; Yibiao Li talked about the bulk data transfer client
and server he's done based on HTTPS and GridSite's GridHTTP; and Mike Jones
talked about the NGS and GridPP VOMS services run here by him, Alessandra
Forti and Sergey Dolgobrodov.
GridSite Storage
Mon 3 July 2006 6:07pm
Last week's talk at GridPP 16 is now online on the talks page. This is the first proper overview of the GridSite-based storage system I'm proposing.
Fort L'Ecluse
Thu 22 June 2006 9:06pm
There were no meetings yesterday afternoon, so I took the chance to go
back to Fort L'Ecluse, over the border in France. I haven't visited it
properly since I was here as a student more than ten years ago, and it's
only open during the summer. You can see from the picture that it's pretty
dramatic: that's one fort, the Fort Superieur, at the top of a 250m cliff,
looking down to the Fort Inferieur, which itself is above a 90m drop down to
the River Rhone. But it gets better: there's
a staircase inside the cliff, that goes up 1165 steps from one to
the other!
Read more ...
CERN and WLCG
Mon 19 June 2006 9:06am
I'm at CERN this week for the
WLCG-OSG-EGEE
joint operations workshop. This is another LCG/EGEE + OSG joint meeting
(I missed the OSG/EGEE Middleware Security Meeting at SLAC) and is part of
getting one (con?)federated infrastructure ready for LHC startup next year.
Given the continuing difference in funtionality and deployment
between LCG/EGEE and local
infrastructures like NGS in the UK and TeraGrid in the US, I think it's pretty
clear that (W)LCG is becoming The Grid. It's already in production at the
scale of 30,000 jobs per day...
Read more ...
SlashGrid Reloaded
Thu 15 June 2006 10:06pm
Several years ago I had two Grid security projects: GridSite, which has grown
and grown; and SlashGrid, which never made it beyond a demonstrator. I've now
resurrected SlashGrid, this time for distributed storage rather than
as a secure container filesystem.
Read more ...
AMPPS building site (or "No More Trees, II")
Wed 31 May 2006 11:05pm
My post from November
had some pictures of the car park, with and then without the trees. Since
some people have asked, here is what the building site now looks like. It's
almost the same viewpoint, but now from the 6th rather than 7th floor, and
you can just a say see the reddish panels of the Aquatics Centre car park
through the steel frame of the AMPPS building.
Read more ...
Lightweight Grid Computing workshop
Fri 5 May 2006 10:05pm
Last week I went to a
Workshop on
Lightweight Grid Computing at Losehill Hall, on the edge of Castleton in
Derbyshire. The talks are all on the Daresbury website
(including mine about
GridSite hosting of simple webservices as scripts etc) and the focus was
very much on RealityGrid and similar
projects to come out of the HPC community - so my WLCG/EGEE perspective
was in a minority of one.
Read more ...
CHEP 2006, Mumbai
Mon 20 February 2006 6:02pm
I spent the last week at CHEP
2006 in India - my first trip that far east apart from a GGF
conference in Tokyo. I gave a
talk about
GridSite file access and storage and brought a
poster about
GridSite's security model for web services, but I really only had part
of the Sunday for sightseeing.
Read more ...
CERN Courier article on GridSite
Mon 13 February 2006 1:02pm
This month's CERN Courier has
an article they
asked me to write about GridSite Wiki (following on the from PPARC press
release last September), and I
broadened the scope to explain the internet anonymity vs accountability
problem, and the implications of widespread possession of X.509 user
certificates:
"When Tim Berners-Lee invented the World Wide Web 15 years ago at CERN,
he always intended that it should be easy for people to write to it, not
just read from it. But if websites are opened up to additions from
everyone, they often get vandalized or "spammed". These
problems have put security centre-stage in the development of a true
read-write Web. Fortunately, solutions are emerging from large
high-energy physics Grid projects..."
Read more ...
No more trees
Tue 29 November 2005 7:11pm
This was the view from my office window in Physics in the middle of last
month, when they started cutting down the trees. The site has been cleared
and piles driven for the Astronomy, Maths, Physics and Photon Science
building. The University has been one big building site all year, with money
for the merger with UMIST plus ongoing SRIF infrastructure spending, and it's
all very worthy - but I can't help thinking of all those trees cut down
to expand production at Isengard too..
Read more ...
GridSite for gLite 1.5
Mon 17 October 2005 2:10pm
The feature-freeze deadline for
EGEE's
gLite version 1.5 was at the end of last week, and this is the final official
release before the end of EGEE 1. It includes a some important new
GridSite features, some more bug and niggle-fixes, and a rationalisation
of the documentation.
Read more ...
Bona Fide Boffins...
Sat 24 September 2005 10:09am
So I'm in
The Register this week,
providing security for Wikis used by scientists (ie whether users are vandals
or "bona fide boffins"!)
Read more ...
Hacking the Grid
Mon 2 August 2004 10:08am
A couple of links: Greg Newby's "Hacking the Grid" talk from the 5th Hackers on Planet Earth conference makes some points about security implications of using huge, home-grown services which are difficult to upgrade; and today SlashDot has a story based on a NIST press release about studying the effects of viruses and DoS attacks on grids. (Although it's not clear from the press release that NIST actually knows what a Grid is.)
HTTP as a data protocol and HTTP-Downgrade
Mon 26 July 2004 11:07am
I've been going on about the suitability of HTTP as a data protocol
for a while now, despite the received wisdom favouring protocols like
GridFTP. The graph is one of Richard Hughes-Jones' and shows off-the-shelf
curl + Apache from RedHat Linux outperforming GridFTP on the
MB-NG private network for 2GB
files.
Recently I've added an HTTP-Downgrade mechanism
to GridSite to allow Grid applications to
downgrade from HTTPS to HTTP - once they've got any necessary
authorization out of the way - and start making use of these performance
benefits themselves.
Read more ...
WSRF::Lite, REST and practical web/grid services
Wed 21 July 2004 9:07am
Yesterday I went to Mark McKeown's
tutorial about his
WSRF::Lite - a
Perl container following Globus/IBM's
WSRF proposal for Grid Services.
Recently, I've also been thinking about the
practicality and security issues surrounding web/grid services, and
yesterday crystalised some of these ideas.
Read more ...
Oxford e-Science Security Workshop
Sat 10 July 2004 7:07pm
On Thursday and Friday I attended the security workshop organised by
Howard Chivers and Andrew Martin in Oxford. This aimed to present practical
experience with Grid security issues, and to get some of this written down
properly in the form of papers. I gave the last talk on the Thursday, and
just as I started talking about the controversial issue of "SOAP over
HTTPS" vs message/XML level securing of Web Services, the heavens
opened and a violent
thunderstorm began. Had some new WS-DivineIntervention working group
been started?
Read more ...
GSI Proxies become RFC 3820
Wed 7 July 2004 4:07pm
Last week Globus's GSI Proxy profile for conventional X.509v3 digital certificates became IETF RFC 3820. Most major Grid projects are using this delegation part of GSI, however much of the rest they depend on, so it's excellent news. From my point of view, this means that the GSI support that GridSite adds to Apache now represents a standard.
EGEE JRA1 All Hands meeting
Wed 30 June 2004 10:06pm
The first half of this week I've been at the EGEE
JRA1 middleware
workshop at
Coseners' House in Abingdon.
This has been one of the first overviews in one place of the
gLite architecture and software
development process that EGEE is proposing to start with.
It's naturally still rough, and the clear divisions between the Alien and EU
DataGrid origins of different components is still clear. Going over to a
pull model for getting jobs into sites also resurrects a bunch of security
questions which we'd at least conceptually solved during EU DataGrid...
Transit of Venus
Tue 8 June 2004 7:06pm
I managed to get some pictures of the
transit
of Venus this morning, using my
childhood 60mm refractor in the attic. After trying various combinations and
blocking out the window, I took this picture with the Sun projected onto
pieces of door against the wall. The Sun's disc is about a metre in
diameter, and when the clouds permitted I could see the two current prominent
sun spots quite well. In this picture the cloud has come back in (about
7:45am) but Venus's disc is still clearly visible in the bottom left hand
corner.
Geneva
Mon 7 June 2004 7:06pm
I've got to make 3 trips to CERN in May and June, but for the middle one,
Jill came out for the weekend and we did some touristy things. I'd not
really had the chance to do that for few years, although after spending 18
months out there as student in the 1990s it always feels like a second home.
Read more ...
CERN-UK awards
Wed 2 June 2004 7:06pm
Today Frank Harris and I received awards from CERN to mark the end of
GridPP-1 (and the beginning of GridPP-2 of course!) Frank's "Lifetime
Achievement" award reflected all the work he's done over the years,
including leading the Delphi experiment's online system (back when I was on
Opal) and more recently in preparation for the LHC computing and as part of
EU DataGrid - where, along with the Loose Canons, his lobbying for the
applications interests is now reflected in the successes we're having with
the same codebase within LCG. Mine ("Outstanding Achievement in Grid
development") cited my security work, and GridSite specifically.
Read more ...
Switch to list of recent blogs only
Contact info
Dr Andrew McNab,
Department of Physics
and Astronomy,
University of Manchester,
Manchester,
United Kingdom,
M13 9PL
Andrew.McNab@cern.ch
Phone: +44-161-306-6474
Fax: +44-161-273-5867
Recent blogs
- CHEP 2007, Victoria, Canada
- GridPP18 in Glasgow
- GridSite and Subversion
- MWSG at CERN and Escalade
- All Hands Meeting, 2006
- GridSite Storage
- Fort L'Ecluse
- CERN and WLCG
- SlashGrid Reloaded
- AMPPS building site (or "No More Trees, II")