Job submission using PHP and shell scripts
From EGEE-see Wiki
This guide is part of the SEE-GRID Gridification Guide. It aims to give developers of grid web services an idea of how to deal with user credentials when the service needs to act on the users' behalf.
How to act on user's behalf
To run a job on the grid, a user needs valid credentials. For details on how to obtain a valid certificate, take a look at the Quick User Guide for Submitting Jobs.
To enable other (trusted) services to act on behalf of a grid user, a mechanism based on a MyProxy server is used. A user stores their credentials on a MyProxy server, which delegates them on demand to a trusted grid service (like the web service that you are developing now).
Of course, not just anyone should be able to get users' credentials and act on their behalf. The MyProxy server is configured to allow proxy delegation only to a list of trusted services/hostnames that hold a valid host certificate. To enable your web service to obtain user credentials and act on the users' behalf, you first need to obtain a valid host certificate from your local CA, and then you need to contact the system administrator of the MyProxy server and ask him/her to add your host to the list of trusted hosts that are authorized to retrieve user credentials (with or without a pass phrase).
While developing a web service, bear in mind that security always comes first, and that you need to build a safe application in order for it to be trusted by your users and by the MyProxy server sysadmin.
Delegating proxy to MyProxy server
You need to provide your users with the hostname (or a list of hostnames) of the MyProxy server that trusts your web service. A user with access to a configured User Interface delegates their credentials to the trusted MyProxy server (for example myproxy.ipb.ac.rs) with the command
myproxy-init -d -s <myproxy_hostname>
which gives output like:
Your identity: /DC=ORG/DC=SEE-GRID/O=People/O=Ss Cyril and Methodius Skopje Faculty of Electrical Engineering/CN=Gorgi Kakasevski
Enter GRID pass phrase for this identity:
Creating proxy .............................. Done
Proxy Verify OK
Your proxy is valid until: Sun Sep 9 14:17:41 2007
Enter MyProxy pass phrase:
Verifying password - Enter MyProxy pass phrase:
A proxy valid for 168 hours (7.0 days) for user gorgik now exists on myproxy.grid.auth.gr.
The user is asked for the GRID pass phrase, and then has to create and confirm a MyProxy pass phrase. This pass phrase is used later for retrieving or renewing the proxy from the MyProxy server, so the user has to provide it to your web service. You can also design your service to use passwordless credentials, in which case the user should add the -n option:
myproxy-init -n -d -s <myproxy_hostname>
The -d option uses the certificate subject (DN) as the default username. Your web service should use certificate-based authentication, and user permissions should be set according to the user's DN.
For more details on myproxy-init, take a look at Delegation of Credentials Using MyProxy and, of course, man myproxy-init.
Retrieving delegated proxy
Once a user has stored his/her credential in the MyProxy repository, your web service can retrieve a proxy credential whenever it is needed with the myproxy-get-delegation command. For example:
$ myproxy-get-delegation -l <user_dn> -o <proxy_file_name>
Enter MyProxy pass phrase:
A proxy has been received for user <user_dn> in <proxy_file_name>
The myproxy-get-delegation command prompts for the pass phrase that the user set previously with myproxy-init, retrieves a proxy credential for you, and stores it in the location you provided with <proxy_file_name>. The default lifetime of a proxy credential is 12 hours, or the value given with the -t option when the stored credential was created with myproxy-init.
The -S option lets you supply the MyProxy pass phrase non-interactively: the command reads it from standard input instead of prompting, so a service can pipe it in without the pass phrase ever appearing on a command line (where it would be visible in the process list).
$ echo "<my_proxy_pass_phrase>" | myproxy-get-delegation -l <user_dn> -S
A proxy has been received for user <user_dn> in /tmp/x509up_u501
If you used the -n option with myproxy-init, you should also use it with myproxy-get-delegation:
$ myproxy-get-delegation -l <user_dn> -n -o <file_name>
A proxy has been received for user <user_dn> in <file_name>
Using the grid within a service application
Now that you have the users' credentials, you can continue developing your service to do what you want it to do: submit and manage jobs or FTS transfers, manage data in various ways, or get various metadata. You need a configured UI or the appropriate APIs, and your grid service should use the grid in almost the same way a user would. The only difference is that you need to specify the path to the appropriate user proxy file for each user (<proxy_file_name>). You need to make sure that these proxies are stored safely and that each authenticated user can use only his or her own proxy. No mistakes are allowed!
For most grid-related commands, the environment variable X509_USER_PROXY should be set to point to the right proxy file, in order to override the default location of the user proxy credentials, which is normally /tmp/x509up_u<uid>. Always check the man pages for the details of command usage.
For guides on how to use the grid for managing jobs and data, take a look at the Job Management and Data Management sections of our SEE-GRID Gridification Guide. All other sections of it might also be useful.
PHP based services
PHP is a widely used general-purpose scripting language that is especially suited for web development and can be embedded into HTML. It is a powerful, modern server-side scripting language producing HTML or XML output that anyone can access through a web interface (with the browser of their choice). PHP can execute shell scripts on the server side; those shell scripts contain gLite and Globus commands for obtaining a proxy certificate, job submission, data management, etc. Using this technique we can easily create a web interface to the Grid infrastructure.
Executing shell commands from PHP
The PHP exec() function executes the given command. Its description is:
string exec ( string $command [, array &$output [, int &$return_var]] )
The parameters are:
command - the command that will be executed.
output - if the output argument is present, the specified array is filled with every line of output from the command.
return_var - if the return_var argument is present along with the output argument, the return status of the executed command is written to this variable.
Example:
<?php
// outputs the username that owns the running php/httpd process
// (on a system with the "whoami" executable in the path)
echo exec('whoami');
?>
Also system() and shell_exec() can be used to execute commands.
Shell scripts and PHP
A shell script is a script written for the shell, or command line interpreter, of an operating system. It is often considered a simple domain-specific programming language. Typical operations performed by shell scripts include file manipulation, program execution, and printing text. Usually, "shell script" refers to scripts written for a Unix shell. There are several scripting languages, among them bash, tcl, expect, perl, etc. In combination with the gLite commands we can produce powerful scripts that simplify the usage of the Grid infrastructure. Those scripts can be called with exec() from PHP just like any other command.
Example:
#!/bin/bash
# outputs the username that owns the script
whoami
suPHP
suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the UID of the process executing the PHP interpreter. As PHP was the programming technology of choice, the suPHP module was compiled and installed. The following one-line script demonstrates that PHP scripts are run as the user who owns them.
<?php echo exec("whoami"); ?>
Configuration of suPHP:
##############################################
# PHP config
##############################################
LoadModule suphp_module modules/mod_suphp.so
<IfModule mod_suphp.c>
AddHandler x-httpd-php .php .php3 .php4 .phtml .phpm
suPHP_Engine on
DirectoryIndex index.php
</IfModule>
PHP web portal for job submission
Upon submission of the login form, the myproxy-get-delegation command retrieves the proxy certificate from the MyProxy server using the username and password supplied. If the login information successfully retrieves a proxy certificate, a copy of it is written to a specific directory on the web portal file system under the name USERNAME.cred. If a proxy file was supplied instead, that file is uploaded to the same directory.
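The login flow just described, put together with the proxy retrieval, per-user proxy storage and X509_USER_PROXY handling from the earlier sections, as an added PHP example (not the portal's own code): it assumes the MyProxy and Globus tools are on the PATH of the suPHP user, a hypothetical proxy directory /var/lib/gridportal/proxies with mode 0700 owned by that user, and login-form fields named username, dn and passphrase; the function names are assumptions too.

```php
<?php
// Added example, not code from the original page or its portal. Assumes the MyProxy
// and Globus tools are on PATH for the suPHP user and that $proxyDir is a 0700
// directory owned by that user; function names and paths are hypothetical.

// The portal stores proxies as USERNAME.cred: validate the username before it
// touches a path or a command line (no "/", "..", spaces or shell syntax).
function proxyPathFor(string $username, string $proxyDir): string {
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/', $username)) {
        throw new InvalidArgumentException('invalid portal username');
    }
    return $proxyDir . '/' . $username . '.cred';
}

// escapeshellarg() keeps a crafted DN from injecting shell syntax; -S makes
// myproxy-get-delegation read the pass phrase from stdin, so it never shows up
// in the process list the way an argv pass phrase would.
function retrieveProxy(string $userDn, string $passphrase, string $proxyFile): bool {
    $cmd = 'myproxy-get-delegation -l ' . escapeshellarg($userDn)
         . ' -S -o ' . escapeshellarg($proxyFile);
    $oldUmask = umask(0077);                  // the child inherits this umask
    $proc = proc_open($cmd, [['pipe', 'r'], ['pipe', 'w']], $pipes); // stderr -> error log
    umask($oldUmask);
    if ($proc === false) { return false; }
    fwrite($pipes[0], $passphrase . "\n");
    fclose($pipes[0]);
    stream_get_contents($pipes[1]);           // drain stdout so the tool is not SIGPIPEd
    fclose($pipes[1]);
    return proc_close($proc) === 0 && is_file($proxyFile) && chmod($proxyFile, 0600);
}

// Every grid command for this user sees only this user's proxy through
// X509_USER_PROXY, which overrides the default /tmp/x509up_u<uid>.
function runGridCommand(string $proxyFile, array $argv): array {
    $cmd = implode(' ', array_map('escapeshellarg', $argv));
    $env = ['X509_USER_PROXY' => $proxyFile, 'PATH' => getenv('PATH') ?: '/usr/bin:/bin'];
    $proc = proc_open($cmd, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes, null, $env);
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    array_map('fclose', $pipes);
    return [proc_close($proc), $out];
}

// Login-form handler: the username, dn and passphrase fields come from the form.
$proxyFile = proxyPathFor($_POST['username'], '/var/lib/gridportal/proxies');
if (retrieveProxy($_POST['dn'], $_POST['passphrase'], $proxyFile)) {
    list($rc, $out) = runGridCommand($proxyFile, ['grid-proxy-info', '-timeleft']);
    echo htmlspecialchars($out);              // never echo raw tool output into HTML
}
```

The user's proxy file is only ever referenced through a validated USERNAME.cred path, so one authenticated user cannot name another user's proxy, and the pass phrase never leaves the stdin pipe.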
