Myproxy Configuration and Issues in SC3
Overview
This document tries to cover the problems seen so far in SC3 with myproxy usage. It describes the long-term solution that will be implemented, and also describes a short-term solution for immediate use within SC3.
FTS usage of Myproxy
Currently all FTS transfers are done using the user proxy. As opposed to the Resource Broker which can delegate the user proxy at time of job submission, the FTS relies on being able to get a proxy from a myproxy server. Currently each FTS server hard-configures the myproxy server it will use for getting proxies to do the transfers. This leads to a set of issues:
- The client needs to know what myproxy server a particular FTS has been configured to use. This is currently not published anywhere automatically.
- For a multi-hop transfer, which will be controlled by an experiment framework, if the two channels are on different FTS servers which have different default myproxy servers, then the user proxy will need to be submitted twice.
- The client must use the myproxy server specified by the FTS - it would be better if the user specified a proxy store that they trusted, and then allowed the FTS to retrieve from it.
- Problems have been seen with Myproxy when trying to use renewable proxies without passwords (as needed by the RB) and retrievable proxies with passwords (as needed by the FTS) on the same MyProxy server.
Solution to the problems
The clean solution to the problems above is to
- Allow the client to specify the myproxy server on which it has stored a proxy when submitting a job. This can introduce a failure where the client has now put the proxy into a myproxy server that doesn't allow the given FTS server to retrieve from it.
- Publish into the BDII for each FTS server what myproxy server will be used by default if none are specified by the client.
- Allow the client to use a delegated proxy, so myproxy is not required. This does mean that if the transfer does not happen before the proxy expires, the transfer will fail (as currently would happen for a job where there is no proxy in myproxy).
All of these solutions require code changes in the FTS clients and servers, so will take time to roll out. The issue is covered in JRA1 Savannah Bug#10633.
Package revisions which have the appropriate fixes
TBA.
Short-term "fix"
The short-term fix is to create another FTS server at CERN which will allow all SC3 FTS servers to retrieve from it. The hostname is myproxy-fts.cern.ch. Currently the allowed hosts are (taken from allowed hosts at myproxy.cern.ch as default):
/DC=org/DC=doegrids/OU=Services/CN=cmsdcmon1.fnal.gov
/C=CH/O=CERN/OU=GRID/CN=host/lxgate10.cern.ch
/C=CH/O=CERN/OU=GRID/CN=host/lxshare021d.cern.ch
/C=CH/O=CERN/OU=GRID/CN=host/lxshare025d.cern.ch
/C=CH/O=CERN/OU=GRID/CN=host/lxshare026d.cern.ch
/C=CH/O=CERN/OU=GRID/CN=host/fts001.cern.ch
/C=CH/O=CERN/OU=GRID/CN=host/fts002.cern.ch
/C=CH/O=CERN/OU=GRID/CN=host/fts003.cern.ch
/C=CH/O=CERN/OU=GRID/CN=host/fts004.cern.ch
/C=CH/O=CERN/OU=GRID/CN=host/fts005.cern.ch
/C=CH/O=CERN/OU=GRID/CN=host/fts006.cern.ch
/O=GermanGrid/OU=FZK/CN=f01-015-104.gridka.de
/O=GermanGrid/OU=FZK/CN=f01-015-104-e.gridka.de
/C=CA/O=Grid/CN=host/sc5.triumf.ca
/DC=org/DC=doegrids/OU=Services/CN=fts01.usatlas.bnl.gov
/C=IT/O=INFN/OU=Host/L=Pisa/CN=ecgi1.pi.infn.it
/O=GermanGrid/OU=FZK/CN=cms.fzk.de
We can add whatever sites are needed; please let us know at lcg-sc.support@cern.ch.
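The failure noted earlier, where a proxy is stored in a myproxy server that does not allow a given FTS server to retrieve from it, can be checked on the client side before submitting a multi-hop transfer. The Python below is an added example, not part of the original page or of the FTS or MyProxy code. It assumes exact DN matching (the server's own matching rules are not modelled); three DNs are copied from the list above, while the second store myproxy.example.org and all function names are constructed for illustration.

```python
import re

# Allowed-retriever DNs per MyProxy server. The myproxy-fts.cern.ch entries are
# copied from the list above; "myproxy.example.org" is a constructed second store.
ALLOWED = {
    "myproxy-fts.cern.ch": [
        "/C=CH/O=CERN/OU=GRID/CN=host/fts001.cern.ch",
        "/O=GermanGrid/OU=FZK/CN=f01-015-104.gridka.de",
        "/DC=org/DC=doegrids/OU=Services/CN=fts01.usatlas.bnl.gov",
    ],
    "myproxy.example.org": [
        "/C=CH/O=CERN/OU=GRID/CN=host/fts001.cern.ch",
    ],
}

# An RDN starts at a "/" that is followed by "TYPE=", so the "/" inside
# "CN=host/fts001.cern.ch" is not treated as a separator.
_RDN_START = re.compile(r"/(?=[A-Za-z]+=)")


def parse_dn(dn):
    """Split a slash-form DN into (type, value) pairs, e.g. ("CN", "host/x")."""
    parts = [p for p in _RDN_START.split(dn.strip()) if p]
    return [tuple(p.split("=", 1)) for p in parts]


def host_of(dn):
    """Return the lower-cased hostname from the last CN, dropping a 'host/' prefix."""
    cns = [v for t, v in parse_dn(dn) if t.upper() == "CN"]
    if not cns:
        raise ValueError("no CN in DN: %r" % dn)
    cn = cns[-1]
    return (cn[5:] if cn.lower().startswith("host/") else cn).lower()


def may_retrieve(store, fts_dn, allowed=ALLOWED):
    """True if fts_dn is listed for this store (assumption: exact RDN match)."""
    wanted = parse_dn(fts_dn)
    return any(parse_dn(dn) == wanted for dn in allowed.get(store, []))


def usable_stores(fts_dns, allowed=ALLOWED):
    """MyProxy servers from which every FTS host on a multi-hop path may retrieve."""
    return sorted(s for s in allowed if all(may_retrieve(s, d, allowed) for d in fts_dns))
```

An empty result from usable_stores means no single proxy store covers every hop, which is the case where the proxy would have to be stored in more than one myproxy server.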
Interaction with VOBOX and Resource Broker myproxy servers
With the current myproxy server, it is not possible to store a renewable and a retrievable proxy for the same user on a single server. Since the FTS requires a retrievable proxy, and the RB/VOBOX a renewable proxy, you need different myproxy servers (e.g. myproxy-fts.cern.ch). If a user needs to use both a VOBOX (or a RB: RB=VOBOX in terms of proxy renewal) and FTS, the user has to register 2 proxies in 2 different myproxy servers:
- One proxy in myproxy.cern.ch without a password (-n option of myproxy-init), and use this for the VOBOX (and RB). All VOBOXES point by default to myproxy.cern.ch.
- One proxy in myproxy-fts.cern.ch with a password and use this for FTS transfers.
-- JamesCasey - 26 Sep 2005