Software Links
Getting Started
- Doc Structure
- A Globus Primer
- Globus Is Modular!
- Quickstart
- Installing GT
- Platform Notes
- Migrating from GT2
- Migrating from GT3
Reference
- PDF version
- Best Practices
- Coding Guidelines
- API docs
- Public Interfaces
- Resource Properties
- Samples
- Glossary
- Performance Studies
Common Runtime
Security
Data Mgt
Information Svcs
Execution Mgt
Table of Contents
This guide contains information of interest to developers working with the WS RLS. It provides reference information for application developers, including APIs, architecture, procedures for using the APIs and code samples.
Features in GT 4.1.1 WS RLS
- Initial implementation of the WS RLS, which provides a Web services interface to the existing RLS.
- WS-ReplicaLocationCatalog: WSDL-defined interface for performing LRC operations, including creating/adding/deleting mappings, defining/undefining attribute definitions, and creating/modifying/removing attributes. The interface also defines a conceptual set of WS-ResourceProperties based upon which queries may be performed.
- A simple query dialect which may be used to form expressions to be used to query the WS-RLS based on logical/target names and attributes.
- WS-ReplicaLocationIndex: WSDL-defined interface for performing RLI operations. Since the RLI is used as a read-only query interface (querying the index of logical name entries), the WSDL defines domain specific operations. The operation of interest is the standard QueryResourceProperties.
Protocol changes since GT 4.0.4
- None.
API changes since GT 4.0.4
- None.
Exception changes since GT 4.0.4
- None.
Schema changes since GT 4.0.4
- None.
WS RLS depends on the following GT components:
- Java WS Core
- WS Authentication and Authorization
- Replica Location Service (RLS)
WS RLS depends on the following 3rd party software:
- None
Security recommendations include:
The following paragraph describes our INITIAL IMPLEMENTATION in this first look of the WS RLS interface -- THIS IS NOT INTENDED TO BE A FINAL SOLUTION.
Users of the WS RLS authenticate themselves to the WS RLS in the usual manner based on their credential. The WS RLS uses the WSAA and Authorization Framework to make authorization decisions. Then, the WS RLS uses a single certificate and key file to identify itself to the RLS irregardless of the user accessing the WS RLS. Thus users that can access the WS RLS are given the fixed WS RLS identity to access the RLS. Users accustomed to using RLS may not feel comfortable with this approach -- if it may be an issue for your environment, we suggest that you not use it with your production RLS. If you think of WS RLS as the gating interface to the RLS, as you should, then you should apply the appropriate authorization restrictions at the WS RLS level, which can be done using WSAA. This will in effect achieve a level of authorization similar to that of the RLS.
The WS RLS is deployed to the Java WS Core service container. It connects to a RLS service to perform the replica location operations. It serves as an alternative front-end to the current RLS interfaces.
The WS RLS is a WS-RF compliant service implemented using the Globus Java WS Core. It exposes a set of Resource Properties and operations to allow users to create, add and remove mappings from logical names to target names, to define and undefine attribute definitions associated with names, and to create, modify and delete attributes associated with names. A custom query expression dialect is defined by the WS RLS which may be used to query the mapping and attributes represented by the Resource Properties of the service.
The WS RLS is comprised of two WS-Resources, the ReplicaLocationCatalog and the ReplicaLocationIndex. Each WS-Resource defines ResourceProperties and a set of operations. The ReplicaLocationCatalog (or "catalog") defines the set of operations for manipulating name mappings and associated attributes along with the standard query resource properties operation. The ReplicaLocationIndex (or "index") specifies only the query resource properties operation since it is a read only inteface to the underlying index. Lifetime operations (set lifetime and destroy) do not apply to the WS RLS, because its WS-Resources live indefinitely. The resources are available so long as the service container is running and the WS RLS is deployed within the service container. Addressing the resources requires only the URL portion of the WS-Address.
For detailed information, please see the schema files. For the specification of types see Replica Location Types XSD. For the specification of port types see Catalog Port Type WSDL and Index Port Type WSDL.
Please see the WS RLS Command Reference.
The WS RLS defines a custom query dialect and provides a custom expression evaluator to support the dialect. The dialect is noticeably rudimentary. We expect to improve the dialect as the WS RLS matures. The following list enumerates the possible expressions when using the custom "http://globus.org/replica/location/06/01/QueryDialect" dialect provided by the WS RLS.
query-target: {logical-name}+
Queries the catalog based on logical names and returns matching target names.
query-logical: {target-name}+
Queries the catalog based on target names and returns matching logical names.
query-index-logical: {logical-name}+
Queries the index based on logical names and returns matching target names.
exists-logical: {logical-name}+
Evaluates existence of logical name in the catalog.
exists-target: {target-name}+
Evaluates existence of target name in the catalog.
query-logical-attributes: {logical-name}+
Queries the catalog for attributes associated with logical names.
query-logical-named-attributes: attribute-name {logical-name}+
Queries the catalog for attributes based on the given attribute-name for the associated logical names.
query-target-attributes: {target-name}+
Queries the catalog for attributes associated with target names.
query-target-named-attributes: attribute-name {target-name}+
Queries the catalog for attributes based on the given attribute-name for the associated target names.
The WS RLS requires certain WSDD and JNDI settings to be properly configured. The installed JNDI configuration file may be found at $GLOBUS_LOCATION/etc/globus_wsrf_replicalocation_resource/jndi-config.xml. To view the default JNDI file (current snapshot) from the Globus CVS repository click here. The installed WSDD configuration file may be found at $GLOBUS_LOCATION/etc/globus_wsrf_replicalocation_service/server-config.wsdd. To view the default WSDD file (current snapshot) from the Globus CVS repository click here. In most cases, you will not need to alter either of these files.
This information is in addition to the basic configuration instructions in the GT System Administrator's Guide.
The WS RLS's WSDD determines which services will be activated by the GT Java WS Core container. By default, the WS RLS defines two services.
ReplicaLocationCatalogService. The
ReplicaLocationCatalogServiceservice provides the WS interface to the RLS Local Replica Catalog capabilities. If you intend to activate this service, you need not alter the WSDD. If you do not wish to activate this service, simply remove it from the WSDD and restart the container.... <service name="ReplicaLocationCatalogService" provider="Handler". use="literal" style="document"> ... </service> ...ReplicaLocationIndexService. The
ReplicaLocationIndexServiceservice provides the WS interface to the RLS Replica Location Index capabilities. If you intend to activate this service, you need not alter the WSDD. If you do not wish to activate this service, simply remove it from the WSDD and restart the container.... <service name="ReplicaLocationIndexService" provider="Handler". use="literal" style="document"> ... </service> ...
The WS RLS's JNDI configuration determines the resource class to be used for each service defined by the WS RLS WSDD. It also determines other critical settings used by these resources. In this file, you will find settings for the two default services defined in the WSDD.
Each service has a JNDI Resource of name RLSConnectionSource. This JNDI Resource is used by the WS RLS service to open a connection to the backend RLS service. In many cases, you may find that the default settings require no modification for your setup. The url parameter sets the endpoint for the backend RLS. The certfile and keyfile parameters set the certificate and key files to be used by the WS RLS to communicate securely with the backend RLS.
You will notice that the default settings use the container's suggested certificate and key file paths. If you have chosen different paths in which to keep these files, please adjust the settings accordingly. At present, the WS RLS uses a single identity (defined by the certificate and key) to authenticate itself with the RLS in order to perform any user requested operations. When the WS RLS interface is finalized, it will most likely use a different approach to authentication between WS RLS and the back end RLS. At this time, we expect that the interface will change such that the caller's credentials will be used to make calls between the WS RLS and the back end RLS on behalf of the originating caller.
...
<resource
name="RLSConnectionSource"
type="org.globus.replica.rls.connection.impl.PooledRLSConnectionSource">
<resourceParams>
<parameter>
<name>factory</name>
<value>org.globus.wsrf.jndi.BeanFactory</value>
</parameter>
<parameter>
<name>url</name>
<value>rls://localhost</value>
</parameter>
<parameter>
<name>certfile</name>
<value>/etc/grid-security/containercert.pem</value>
</parameter>
<parameter>
<name>keyfile</name>
<value>/etc/grid-security/containerkey.pem</value>
</parameter>
</resourceParams>
</resource>
...