[Discuss] Globus retirement considerations in WLCG

Maarten Litmaath Maarten.Litmaath at cern.ch
Tue Apr 21 23:03:36 CEST 2020 

Hi Mischa, all,
I have added potential LCMAPS dependencies to the set we have so far:

https://twiki.cern.ch/twiki/bin/view/LCG/GlobusRetirement#LCMAPS

I propose we ask on the UMD Release Team list if any other products
have a dependency on Globus either directly or e.g. through LCMAPS.

________________________________________
From: Mischa Salle [msalle at nikhef.nl]
Sent: 21 April 2020 22:31
To: Maarten Litmaath
Cc: Maarten Litmaath via discuss; Brian Hua Lin
Subject: Re: [Discuss] Globus retirement considerations in WLCG

Hi Maarten, all,

On Tue, Apr 21, 2020 at 06:34:12PM +0000, Maarten Litmaath wrote:
> Hi Mischa, all,
> which products do we know depend on LCMAPS?
not sure, but I'm pretty sure the ARC CE does (and the CREAM CE but
that's already out of support end of this year).
Furthermore, it's of course still used in gridftp and gsissh when doing
VOMS-based mappings via the lcas-lcmaps-gt-interface callout.
Then there is a plugin for xrootd to use LCMAPS (probably from BrianB)
and it could also be that SToRM is using LCMAPS (AndreaC will know).
I think that's probably all for software that might still be needed in
2022 but I might have missed things.
We could check which products in the UMD have an RPM dependency on
LCMAPS but that could be misleading if it's indirect.

Mischa

> ________________________________________
> From: Mischa Salle [msalle at nikhef.nl]
> Sent: 20 April 2020 10:19
> To: Maarten Litmaath via discuss
> Cc: Brian Hua Lin; Maarten Litmaath
> Subject: Re: [Discuss] Globus retirement considerations in WLCG
>
> Hi all,
>
> On Tue, Apr 07, 2020 at 10:00:23PM +0000, Maarten Litmaath via discuss wrote:
> > Hi Brian, all,
> > it is good that we still have more than 1.5 years to sort things out, thanks!
> >
> > My main concern is with MyProxy: I suspect WLCG and/or various other
> > communities we care about will still be needing it beyond that time frame.
> >
> > We probably will need to revisit this business in the course of next year.
>
> I think there are several separate issues we have to keep in mind:
> - first of all, many especially smaller communities in Europe will
>   probably not easily move from proxy certs to some form of tokens.
> - There are several parts of the gridcf that are still quite widely used
>   I think:
>     - gridftp (server and client)
>     - myproxy
>     - gsi-openssh
>   plus several of the gsi-based libraries that are dependencies for
>   tools like LCMAPS and probably others.
>   In particular the client tools need to be supported until all the
>   relevant services are no longer using (only) proxies.
> - I actually don't know how the ARC-CE is doing things, and whether they
>   have plans to move away from certificates. If not, that most probably
>   requires support for (part of) the gct.
>
> I doubt that we can expect all these dependencies to be solved before
> January 2022, but perhaps I'm too pessimistic.
>
> Concerning support, I think one of the bigger problem is that we'll at
> some point need to patch to accept TLS1.3 (and higher), which is less
> trivial than just doing minor updates. Several tools can be made gct
> free (such as most of LCMAPS and myproxy) but that also would take
> effort.
>
> Mischa
>
>
> >
> > ________________________________________
> > From: Brian Lin [blin at cs.wisc.edu]
> > Sent: 07 April 2020 21:18
> > To: discuss at gridcf.org
> > Cc: Maarten Litmaath
> > Subject: Re: [Discuss] Globus retirement considerations in WLCG
> >
> > Hi Maarten,
> >
> > FWIW, with the current OSG timeline, the OSG will continue to support
> > the GCT until January 2022 so that's the earliest you can expect OSG
> > effort to drop off.
> >
> > As for MyProxy, Dave Dykstra has been investigating HashiCorp's Vault,
> > which seems like it could be a token-based replacement and hopefully
> > that would require less effort than removing the GSI dependencies.
> >
> > Thanks,
> > Brian
> >
> > On 4/7/20 12:28 PM, Maarten Litmaath via discuss wrote:
> > > Hi all,
> > > does anyone have comments / thoughts about this matter?  Thanks!
> > >
> > > ________________________________________
> > > From: discuss [discuss-bounces at gridcf.org] on behalf of Maarten Litmaath via discuss [discuss at gridcf.org]
> > > Sent: 30 March 2020 22:45
> > > To: discuss at gridcf.org
> > > Cc: Maarten Litmaath
> > > Subject: [Discuss] Globus retirement considerations in WLCG
> > >
> > > Dear Grid Community Forum,
> > > in the WLCG Management Board meeting of March 17 there was a discussion about
> > > a possible retirement timeline for the remaining WLCG dependencies on Globus:
> > >
> > >      https://indico.cern.ch/event/870359/#9-globus-retirement-planning
> > >
> > > Prompted by the plans and timelines that already exist in OSG:
> > >
> > >      https://opensciencegrid.org/technology/policy/gridftp-gsi-migration/
> > >
> > > For WLCG, removing the dependency on GridFTP is being tackled in the TPC WG
> > > of the DOMA project:
> > >
> > >      https://twiki.cern.ch/twiki/bin/view/LCG/ThirdPartyCopy
> > >
> > > Currently, GridFTP is also being used for job submissions to CREAM instances,
> > > which should all be gone by the end of this year, and ARC CE instances,
> > > which already support HTTPS as an alternative.
> > >
> > > While it looks viable for WLCG not to depend on GridFTP by the end of 2021,
> > > can we actually remove Globus as a build dependency from the various storage
> > > service implementations (which ones?) that currently make use of it?
> > >
> > > Also taking into account that other communities may be unable to replace
> > > X509 certificates with tokens as "quickly" as WLCG hopes to do, implying
> > > there may need to remain code in the affected implementations that is able
> > > to deal with X509 somehow?
> > >
> > > Next we come to GSI.  Besides its use in conjunction with GridFTP and SRM,
> > > WLCG has a critical dependency on it through MyProxy!  For as long as we
> > > need the latter, I suspect it would not be a big deal to support GSI in
> > > addition, but it would be nicer if MyProxy were made independent of it...
> > >
> > > Next we come to the Grid CF build infrastructure: what would be the plan
> > > for when it can no longer make use of OSG effort or resources?
> > >
> > > What are your thoughts about these matters?  Was anything missed?  Thanks!
> > >
> > > _______________________________________________
> > > discuss mailing list
> > > discuss at gridcf.org
> > > https://mailman.egi.eu/mailman/listinfo/discuss
> > >
> > > _______________________________________________
> > > discuss mailing list
> > > discuss at gridcf.org
> > > https://mailman.egi.eu/mailman/listinfo/discuss
> >
> >
> > _______________________________________________
> > discuss mailing list
> > discuss at gridcf.org
> > https://mailman.egi.eu/mailman/listinfo/discuss
>
> --
> Nikhef                      Room  H155
> Science Park 105            Tel.  +31-20-592 5102
> 1098 XG Amsterdam           Fax   +31-20-592 5155
> The Netherlands             Email msalle at nikhef.nl
>   __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..

--
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..

More information about the discuss mailing list