17th International Conference on Computing in High Energy and Nuclear Physics (CHEP09) IOP Publishing Journal of Physics: Conference Series 219 (2010) 082004 doi:10.1088/1742-6596/219/8/082004 DIRAC: Secure Web User Interface A Casajus Ramo 1, M Sapunov 2, 1 University of Barcelona, Diagonal 647, ES-08028 Barcelona, Spain 2 Centre de Physique des Particules de Marseille, 163 Av de Luminy Case 902 13288 Marseille, France E-mail: [email protected] Abstract . Traditionally the interaction between users and the Grid is done with command line tools. However, these tools are difficult to use by non-expert users providing minimal help and generating outputs not always easy to understand especially in case of errors. Graphical User Interfaces are typically limited to providing access to the monitoring or accounting information and concentrate on some particular aspects failing to cover the full spectrum of grid control tasks. To make the Grid more user friendly more complete graphical interfaces are needed. Within the DIRAC project we have attempted to construct a Web based User Interface that provides means not only for monitoring the system behavior but also allows to steer the main user activities on the grid. Using DIRAC's web interface a user can easily track jobs and data. It provides access to job information and allows performing actions on jobs such as killing or deleting. Data managers can define and monitor file transfer activity as well as check requests set by jobs. Production managers can define and follow large data productions and react if necessary by stopping or starting them. The Web Portal is build following all the grid security standards and using modern Web 2.0 technologies which allow to achieve the user experience similar to the desktop applications. Details of the DIRAC Web Portal architecture and User Interface will be presented and discussed. 1. Introduction Since the beginning of the distributed computing era users need to know what has happened to their payloads. Command line interfaces have been the usual tools, but in the framework of LCG and EGEE projects several graphical interfaces were created. Most current monitoring systems provide really low level or very high level views. Although these types of views are very useful for site managers, users require other ways to control their grid activity. Few monitoring systems provide views useful for non- expert users or interactivity with the monitored object. When the development of the new revision of DIRAC Project started, an interactive monitoring interface was defined as the key new feature. It had to allow users to monitor their jobs in a platform independent way. Using the web proved to be a framework that allowed having an interactive c 2010 IOP Publishing Ltd 1 17th International Conference on Computing in High Energy and Nuclear Physics (CHEP09) IOP Publishing Journal of Physics: Conference Series 219 (2010) 082004 doi:10.1088/1742-6596/219/8/082004 monitoring interface easy to use for non-expert users, and a powerful way to interact with DIRAC [1] for experts. In order to decrease the learning curve, the Web Monitoring had to have a user-friendly interface mimicking standard graphical interface elements like menus or windows commonly found in desktop applications. Another key requirement was a complete interactivity in the monitoring interface. All the actions users can do via command line have to be available via the monitoring web interface as well. Interaction requires having an authorization and authentication mechanism based on grid certificates. After formulating these requirements we started to look for a satisfactory solution. The well known and widely used Grid monitors were carefully examined: GridView [2], GridPP [3] and MonALISA [4]. GridView is a monitoring and visualization tool which provides a high level view of various functional aspects of the LHC Computing Grid (LCG). It shows the statistics of data transfers, jobs running and service availability information for Grid. Unfortunately for us it’s really high level view solution used to display statistical information; it does not meet user needs. GridPP is a brilliant 3D monitor which gathers information from resource brokers around the world. Using images from NASA's Blue Marble Project, presents a visualization of the Grid at work. It could be used as a general overview for the DIRAC system, but similarly to GridView this is a high level solution. Moreover, the client itself is written in Java and is not web based. Although there is an option which allows mapping the monitoring data to Google Maps, it can’t interact with a user on the level we want to. MonALISA is a framework based on dynamic distributed service architecture and is able to provide complete monitoring, control and global optimization services for complex systems. The monitor can be used at a user level but it can’t provide certificate based authorization, and control interfaces provided by this monitor can’t be used for job manipulation. Based on the previous studies we decided to create our own monitoring client to fit our needs. The main features to provide were security access to the web monitor using grid certificates and user- system interaction. The resulting DIRAC’s monitoring interface is designed and built with an interaction paradigm in mind instead of passively looking at the objects history. In this paper we describe in Section 2 the architecture of the monitoring system and justify the choice of its components and their implementation. Overview of the security issues and solutions is presented in Section 3. Interaction between the Web Portal and services is described in Section 4. The user interface, goals and features as well as known limitations are described in Sections 5 and 6 respectively. Section 7 is devoted to conclusions and outlook for future work. 2. Architecture overview 2.1. Brief explanation of how it works In this section we present the architecture of the web monitoring interface and it’s interaction with DIRAC. We start with a quick explanation of the way it works from the mouse click to the page update. Details will follow later in this chapter. When a user clicks on any element of the web page an event is triggered and processed by JavaScript interpreter. We used a JavaScript library to create a common look and feel through the whole set of web pages. Using a JavaScript library allows us to focus our efforts on building functionality by having a set of widgets ready to use. To mimic the look-and-feel of a desktop application the ExtJS library [5] is used. It allows to dynamically display information retrieved from the web server using AJAX techniques [6], so there is no need to refresh the whole page. AJAX provides a way to do a standard GET/POST HTTP query from the user's browser to the web server and feeds the results to ExtJS components which can modify the web page dynamically and hide the client-server interaction. When the web server receives a query, it is processed by DIRAC code running in the web server. To handle all the parameters parsing and URL mapping, the Pylons Web Framework [7] is used. 2 17th International Conference on Computing in High Energy and Nuclear Physics (CHEP09) IOP Publishing Journal of Physics: Conference Series 219 (2010) 082004 doi:10.1088/1742-6596/219/8/082004 Pylons processes all the incoming HTTP queries, translates the parameters to Python variables and maps each URL to a Python function. The Python function executed by pylons acts as an adapter to DIRAC. If some information is required from a DIRAC service, the function uses DIRAC clients to retrieve it. When a connection to a DIRAC service is required the DISET [1] secure protocol (which is part of the DIRAC framework) is used. Once the web server gets a response from the service, it passes the results back to the user’s browser. This information is then processed by JavaScript code and the web page is modified accordingly. Fig 1. Protocol used for interaction between layers 2.2. Server side architecture DIRAC Web Portal uses Pylons as the Python framework to handle all the HTTP processing. Pylons include a web server for testing purposes, but it doesn’t scale properly. To make the solution more scalable, Pylons is run in conjunction with an Apache web server. Apache can run multiple processes to serve requests and spawn or kill processes if needed. Each Apache process runs a Pylons instance. The client authentication can be handled by the Apache mod_ssl module. Although Apache is a well known and rock solid solution, perhaps it’s not really suitable for our needs. As an alternative we have tried to use Lighttpd [8], a well known web server. This web server is used by projects such as YouTube and Wikipedia. Its high speed IO-infrastructure allows a better scaling on the same hardware than the Apache server. Moreover, its event-driven architecture is optimized for a large number of parallel connections. Unfortunately, Lighttpd doesn’t fully support OpenSSL authentication mechanisms. If future releases provide the required functionality, probably Lighttpd will be used instead of Apache for our solution. Another alternative to Apache is Nginx [9], a web server with load balancing and fault tolerance. But it doesn’t fully support OpenSSL neither. DIRAC web logic is coded in Python and runs under Pylons which is also coded in Python. To run it under Apache, the mod_python module is used. By internally invoking a Python interpreter, it allows to increase the execution speed instead of using the standard CGI mechanism that needs to instantiate the interpreter each time a request is received.