D6.1:Feedback and Analysis
Analysis and design documents based on the previous release D6.1:Prototype_Implementation.
The CCP4 license does not allow redistribution of the installed software. Installing it from within the Vagrant provisioning script, with the user accepting the license, is acceptable; distributing a virtual image with CCP4 preinstalled is not.
- CCP4 is optional and disabled by default in the scripts. The following tools might be distributed: Coot, XIA2.
base VM and CernVM
The Vagrant base VM image is about 500 MB and the VM image for EGI is about 2 GB; it takes a couple of minutes to distribute and deploy on the very high-speed EGI infrastructure, but on other sites this might introduce a significant delay. CernVM and CernVM-FS allow a minimal virtual machine image to be distributed, with the software delivered through the shared CernVM-FS filesystem. Combined with a fine-grained caching proxy server (squid), this can be made very efficient.
- CernVM: about 20 MB; mounts a filesystem that provides the remaining operating system packages.
- CernVM-FS: the RAL site operates repositories.
Common Security Model Design
Notes for D4.2
- The cloud (DaAS) version of CCP4 is based on the STFC federal ID (FedID, STFC only); access is by invitation and is managed by an LDAP group (https://daas.scd.stfc.ac.uk). CCP4-DaAS uses FedID for authentication and authorization (AA) in the initial implementation. This is to facilitate users submitting jobs to SCARF from the VM and accessing data in ICAT; both use FedID for AA. We do not rule out adopting other credentials once we have the prototype working.
- The online version (http://www.ccp4.ac.uk/ccp4online) is accessible after registration; anybody can register.
- The on-premise software download is available to anybody.
Ideas for West-Life integration:
- The CCP4 suite installed within the WP6 virtual folder VM will need to deal with the license, which in general does not allow redistribution.
- Possible integration with DaAS and Tier 1 services will need to address the challenge of allowing access only to specific data and services.
- Technically, attributes from a trusted identity provider will need to be used to allow access to DaAS or CCP4online; the decision whether such access is granted is within the competency of the CCP board.
- There are ideas to adopt ORCID, which can link identities from different identity providers together.
“an authentication service may (but may not) be part of the system.” We may require users to have or register an account at at least one external trusted Identity Provider (e.g. EUDAT); authentication can then be delegated to it.
"For instance, when a user registers with the current system and wants to use grid-based computing, they have to register separately with the EGI VO (is that necessary, desired, …?)." Probably by joining different external accounts and identities: WP6 is expected to integrate EUDAT, Dropbox, Google, Amazon, … identities into one West-Life account.
Access control based on groups/roles: agree, no other comment.
Virtual folder requirements? Access to the majority of services will be provided via the HTTP protocol, so a horizontal mechanism to allow or deny access to resources based on a user token, session ID or another HTTP-level mechanism might be beneficial. The current development appears to use the Apache web server, with reverse proxies to the other application services selected by context. Thus an HTTP-level authentication mechanism integrated with D4.2 should be considered, and a context-based access policy/authorization could be integrated with the authorization mechanism. It would be beneficial if the virtual folder web frontend could reuse or integrate the HTML-form-based authentication of WP4 (5.2.1).
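The HTTP-level, context-based allow/deny decision described above, as an added example in Python (not WP4/WP6 project code): the policy prefixes, group names, cookie name `wlsid` and session table are constructed for illustration. The decision is taken on a canonicalised path, so a `..` segment or percent-encoding cannot move a request into a different context from the one that was checked.

```python
import posixpath
import time
from urllib.parse import unquote, urlsplit

# Constructed session table: session ID -> (user, groups, expiry as epoch seconds).
SESSIONS = {
    "sid-alice": ("alice", {"westlife-users", "ccp4-daas"}, time.time() + 3600),
    "sid-bob": ("bob", {"westlife-users"}, time.time() + 3600),
    "sid-carol": ("carol", {"westlife-users", "ccp4-daas"}, time.time() - 1),  # expired
}

# Constructed context policy: URL prefix -> groups, any of which grants access.
# Empty set = anonymous; the longest matching prefix wins, so the narrower
# proxied DaAS context overrides the virtual folder; unmatched paths are denied.
POLICY = {
    "/public/": set(),
    "/vf/": {"westlife-users"},
    "/vf/daas/": {"ccp4-daas"},
}


def canonical_path(target):
    """Canonical path the policy is matched on: query dropped, %xx decoded, '..' collapsed."""
    return posixpath.normpath("/" + unquote(urlsplit(target).path).lstrip("/"))


def context_for(path):
    """Longest policy prefix covering the path, or None (default deny)."""
    matches = [p for p in POLICY if path == p.rstrip("/") or path.startswith(p)]
    return max(matches, key=len) if matches else None


def authorize(target, cookies):
    """Decide (allowed, reason); the proxy must forward the canonical path, not the raw target."""
    path = canonical_path(target)
    context = context_for(path)
    if context is None:
        return False, "no policy context for " + path
    required = POLICY[context]
    if not required:
        return True, "public context " + context
    session = SESSIONS.get(cookies.get("wlsid", ""))
    if session is None:
        return False, "no valid session"
    user, groups, expires = session
    if expires <= time.time():
        return False, "session for %s expired" % user
    if groups & required:
        return True, "%s allowed in %s" % (user, context)
    return False, "%s lacks a group required for %s" % (user, context)
```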
Integration with EUDAT and WP4 services
22nd and 23rd June 2016, EUDAT User Meeting in Barcelona. Interview among Jesus (CNB-CSIC), Tomas (STFC), Hans van Piggelen and Herman Stehouwer (EUDAT).
- Integration between WP6 and B2DROP or other EUDAT services can be done using B2ACCESS, rather than via credentials provided directly to the WebDAV client.
- B2NOTE annotates data stored in EUDAT; it is already integrated with B2SHARE, and integration with other B2* services is being considered or in development. Prototype: http://b2note.bsc.es/devel. Its architecture uses the NoSQL database MongoDB, and together with B2SHARE it uses Virtuoso as the backend data server, allowing queries via SPARQL. The roadmap also considers providing the service as an instance that can be downloaded and executed on the WP6 VM; this might become part of WP6.
- The CSIC effort is to address SCIPION integration as a web service. It was agreed to start working on integrating SCIPION workflows, tools and UI into the VM, which might bring up other technical issues and solutions for further integration (http://biocomp.cnb.csic.es/software).
- EUDAT provides B2DROP, a Dropbox-like service giving access to virtual storage via the ownCloud client (online/offline synchronization) and the WebDAV protocol.
- B2ACCESS is recommended for federated authentication and authorization management (https://www.eudat.eu/services/b2access).
Integration with PDBE
EBI provides the PDBe database (synchronized with PDB.ORG).
- e.g. compare the current structure in the virtual folder with the published structure in PDBe.