(Note that this will morph into an actual tutorial as we converge onto a solution!)

It has been discussed for sometime now about giving the credential system an overhaul. One of the new users of Ganga have now asked for better credential management that the current system cannot provide. I've consequently drawn up some plans for how this system would work for evaluation before implementing it.


Ganga needs to handle the following credentials:

  • One and only one Local Repo Credential (e.g. AFS)
  • Any number of additional credentials, e.g. LCG proxy, Westgrid proxy.

Each credential should be identified by such things as:

  • Username or DN
  • Role
  • VO

The management of these credentials should allow:

  • Specification of credentials that should be present at startup
  • Have configurable location to store file(s)
  • Check for validity and renewal if required
  • Detection of current credentials

On submission, the following should be possible:

  • Check for default credential given by Backend, Application and data
  • Allow user specified credentials at submit time
  • Allow multiple credentials to specified
  • Job should store enough Credential Info to identify the cred(s) required by the monitoring

Monitoring will then check that the appropriate credentials are available before attempting to monitor the jobs.


Interface changes:

  • Add global Credential objects to cover single repo cred and additional 'submit' creds
  • Add credential array to job object to track creds at submission

Required Interfaces:

  • ICredential - provides the exposes basic cred renewal, info, etc. functionality
  • ICredInfo - A simplified object based on ICredential that is stored with the job. The reason for this is to allow:


but not:


Concrete Classes:

These will be required for each type of supported credential and must allow:

  • Renewal
  • Info
  • Form UID based on appropriate info to allow easy ID of cred
  • Path to proxy file

Configuration Changes:

It would be preferable to allow users to specify the default Credential to use given the App, Backend, etc. I was thinking something like:

DefaultCredentials = { {'UID/Type' : {'Backend':'LCG', 'Application':'Athena'},
 {'UID/Type' : {'Backend':'Westgrid', 'Application':'Athena'} }

If a job is created that matches these defaults, the credential is checked for and must be provided to continue submission.

Note that to specify the credential, you can use the UID (which would fold in e.g. VO, Role, etc.) or the general Type (e.g. 'LCGProxy', 'LHCbProxy') and this would be a comma separated list to allow multiple ones to be used.


With this setup, though it would require a big rewrite of underlying code, the default interface of 'Start Ganga, Check for Grid Cert, turn off monitoring if not' as well as the checks for an AFS token to access the gangadir repo can remain exactly the same. However, it would then allow advanced users who want to have a single ganga repo manage jobs from various VOs or with various Roles to do this.

What do you think??

Edit | Attach | Watch | Print version | History: r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r1 - 2013-03-08 - MarkWSlater
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    ArdaGrid All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2022 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback