IPSL - PRODIGUER
[Architecture overview diagram: IPSL users at the command line, in the browser and on the desktop; the computing centres TGCC, IDRIS, CINES, CNRM and further centres to come ("tomorrow"), each with its own MQ Relay; at IPSL an MQ Cluster, MQ Apps, an API and DBs; msgs flow as json from the relays to the IPSL cluster]
Solution = Durable Message Queues
AMQP : Advanced Message Queuing Protocol
RabbitMQ : AMQP Implementation
1. Erlang – i.e. parallel & scalable;
2. Persistence – i.e. durable;
3. Multi-OS – i.e. ubiquitous;
Message Flow 1: CC.NODE ---> CC.MQ
[Diagram: on a Compute Node @ Computing Centre the simulation (fortran) calls libIGCM (ksh), which passes args to the MQ client (c); the client sends each msg over ssl to the MQ Relay @ Computing Centre (amqp + rabbit-mq + shovel)]
Message Flow 2: CC.MQ ---> IPSL.MQ
[Diagram: the MQ Relay @ Computing Centre (amqp + rabbit-mq + shovel) forwards msgs through a shovel (ini) to the MQ Cluster @ IPSL (amqps + rabbit-mq + shovel), which runs its own shovel (ini); failover ??? (python) is marked as an open question]
Message Flow 3: IPSL.MQ <---> IPSL.MQ-APP
[Diagram: the MQ Cluster @ IPSL (amqps + rabbit-mq + shovel) exchanges msgs over tcp/ip (port=5672) with the MQ APPS @ IPSL: sim-mon, metrics, esg-f, es-doc, api, smtp and img (all python), deployed as primary and secondary instances]
Message Flow 4: IPSL.MQ-APP ---> Other
[Diagram: the MQ APPS @ IPSL (sim-mon, metrics, esg-f, es-doc, api, smtp, img; python; primary and secondary) push out to the DB @ IPSL, the ESG-F API, the ES-DOC API, SMTP @ IPSL, the File Server @ IPSL and the FE @ browser, over tcp/ip, https, wss, smtp and a transport still marked ???]
Message Flow 4: IPSL.API ---> IPSL.FE
[Diagram: the API @ IPSL (tornado http & ws server) serving sim-mon, metrics and xxx (python) feeds the FE @ browser (jquery, backbone, underscore, bootstrap) with matching sim-mon, metrics and xxx modules (javascript)]
Message Content
Security
Security : Transport Level
AMQPS = encrypted advanced messaging protocol
Communication channel is encrypted via SSL
SSL Certificate Authority = CNRS
Example RabbitMQ server configuration (rabbitmq.config, Erlang term syntax; % starts a comment):
[
  {rabbit, [
    {ssl_listeners, [5671]},                    % TLS port number
    {ssl_options, [
      {cacertfile, "/path/to/ca/cacert.pem"},   % certificate authority .pem file
      {certfile,   "/path/to/server/cert.pem"}, % server certificate .pem file
      {keyfile,    "/path/to/server/key.pem"},  % server certificate key file
      {verify,     verify_peer},                % ask the client for a certificate and verify it against the CA
      {fail_if_no_peer_cert, false}             % false: a client presenting no certificate is still accepted; true: client certificate mandatory
    ]}
  ]}
].
Clients pass SSL credentials via connection params:
– ssl = flag indicating whether to enable the SSL handshake
– ssl_options = dictionary of SSL options
● cacertfile : "/path/to/ca/cacert.pem"
● certfile : "/path/to/client/cert.pem"
● keyfile : "/path/to/client/key.pem"
● verify : verify_peer
SSL TODO
– Obtain CNRS root authority certificate
– Create signed server certificates
– Deploy server certificates
– Update RabbitMQ server config file & restart
– Create signed client certificates (one per client ?)
– Deploy client certificates alongside client binaries
– Update clients to update AMQP connection strings
Security : Authentication
– Authentication = SASL PLAIN
– SASL = Simple Authentication and Security Layer
– PLAIN = clear-text username & password
– SASL PLAIN = default for RabbitMQ servers and clients
– SASL PLAIN requires SSL to be secure
– Servers are set up with user accounts
– Server authentication is at the MQ exchange level
– Clients pass in credentials via the amqps connection string
– Clients should pass base64-encoded, SHA-256 hashed credentials
– User must be created in the target RabbitMQ server
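As an added illustration (not code from the slides or from the PRODIGUER project), the two halves of this slide in Python: what a SASL PLAIN initial response actually carries on the wire, and the salted SHA-256 layout in which RabbitMQ stores a user's password (4-byte salt, SHA-256 over salt + password, base64 of salt + digest). The usernames and passwords are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def sasl_plain_response(username: str, password: str) -> bytes:
    """SASL PLAIN initial response (RFC 4616) as an AMQP client sends it:
    authorization id (left empty) NUL authentication id NUL password."""
    return b"\x00" + username.encode("utf-8") + b"\x00" + password.encode("utf-8")


def password_visible_on_wire(response: bytes, password: str) -> bool:
    """True when the password appears verbatim in the bytes sent. On a plain
    amqp:// connection that is what any observer of the link sees, which is
    why the slide says SASL PLAIN requires SSL to be secure."""
    return password.encode("utf-8") in response


def rabbitmq_password_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Storage format RabbitMQ uses for user passwords (rabbit_password_hashing_sha256):
    4 random salt bytes, SHA-256 over salt + password, base64 of salt + digest.
    The client still sends the cleartext password; only the server's record is hashed."""
    if salt is None:
        salt = os.urandom(4)
    if len(salt) != 4:
        raise ValueError("RabbitMQ salts are exactly 4 bytes")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def verify_rabbitmq_password(stored_hash: str, password: str) -> bool:
    """Re-hash the candidate with the salt embedded in the stored value and
    compare in constant time, so wrong guesses are not distinguishable by timing."""
    raw = base64.b64decode(stored_hash)
    salt, digest = raw[:4], raw[4:]
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # constructed sample credentials
    wire = sasl_plain_response("prodiguer", "s3cret")
    print(wire, password_visible_on_wire(wire, "s3cret"))
    stored = rabbitmq_password_hash("s3cret")
    print(stored, verify_rabbitmq_password(stored, "s3cret"))
```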
Security : Authorization
– User names map to server permissions defined against:
● MQ Virtual hosts
● MQ Exchanges
● MQ Queues
– Virtual Host = prodiguer
– Exchanges = in, internal, out
– Queues = logger, main, smon … etc
– Each user account (publisher / consumer) will have to be assigned the relevant permissions
– Permissions assigned using either RabbitMQ
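An added model of the authorization scheme above (example code, not the project's own): the vhost prodiguer, the exchanges in/internal/out and the queues logger/main/smon from the slide, with three constructed sample accounts and a check that resolves user, vhost, operation and resource name to a permission regex. The regexes are applied unanchored here, which I assume mirrors the RabbitMQ server's own matching; the sample patterns therefore carry explicit ^ and $, and pattern_covers shows what an unanchored "in" would grant instead.

```python
import re
from typing import Dict, List, NamedTuple, Set

VHOST = "prodiguer"
EXCHANGES = {"in", "internal", "out"}
QUEUES = {"logger", "main", "smon"}


class Permission(NamedTuple):
    configure: str  # resources the user may declare / delete
    write: str      # resources the user may publish to
    read: str       # resources the user may consume from


# Constructed sample accounts (not the project's real ones): a computing-centre
# publisher allowed only to publish into "in", a sim-mon consumer allowed only to
# read its own queue, and an administrator with full access to the vhost.
PERMISSIONS: Dict[str, Dict[str, Permission]] = {
    "cc-publisher":  {VHOST: Permission(configure="^$", write="^in$", read="^$")},
    "smon-consumer": {VHOST: Permission(configure="^$", write="^$", read="^smon$")},
    "mq-admin":      {VHOST: Permission(configure=".*", write=".*", read=".*")},
}

# Which of the three regexes an AMQP operation is checked against.
OP_TO_PERM = {"declare": "configure", "delete": "configure",
              "publish": "write", "consume": "read"}


def pattern_covers(pattern: str, names: Set[str]) -> Set[str]:
    """Resource names a permission regex grants when applied unanchored (assumed
    to mirror the server); "in" covers "internal" too, "^in$" does not."""
    return {n for n in names if re.search(pattern, n)}


def is_permitted(user: str, vhost: str, operation: str, resource: str) -> bool:
    """Resolve user -> vhost -> per-operation regex over the exchange/queue name."""
    perm = PERMISSIONS.get(user, {}).get(vhost)
    if perm is None:
        return False  # no permission entry for this vhost: no access at all
    pattern = getattr(perm, OP_TO_PERM[operation])
    return bool(pattern_covers(pattern, {resource}))


def set_permissions_commands(user: str) -> List[str]:
    """rabbitmqctl equivalents of the sample policy; the three trailing arguments
    are the configure, write and read regexes, in that order."""
    return [f"rabbitmqctl set_permissions -p {vh} {user} '{p.configure}' '{p.write}' '{p.read}'"
            for vh, p in PERMISSIONS[user].items()]
```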
RabbitMQ - Configuration
Environment variables
– rabbitmq-env.config
– RabbitMQ initialises several environment variables
– Unlikely they need to be changed
Server Configuration file
– rabbitmq.config
– No need to change general options
– Management options include a json file for initialising exchanges, queues, virtual hosts, users … etc.
RabbitMQ - Operations
RabbitMQ management plugin
– rabbitmq-plugins enable rabbitmq_management
– front-end
● http://SERVER-NAME:15672/
● Can view connections, channels, exchanges, queues
● Can view, create, update, delete virtual hosts
● Can view, create, update, delete users
● Can enable / disable statistics
– API
● HTTP REST service
● Can perform all tasks supported by front-end
● e.g. create a virtual host:
  curl -i -u guest:guest -H "content-type:application/json" \
       -XPUT http://localhost:15672/api/vhosts/foo
– Command Line Interface
● Wraps the API
Further Info
AMQP
– http://www.amqp.org/
– http://en.wikipedia.org/wiki/Advanced_Message_Queuing_Protocol
RabbitMQ
– Security – SSL
● http://www.rabbitmq.com/ssl.html
● http://www.rabbitmq.com/troubleshooting-ssl.html
– Security – SASL
● http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
● http://security.stackexchange.com/questions/15040/standards-for-encrypting-passwords-in-configuration-files
– Security – Access Control
● http://www.rabbitmq.com/access-control.html
– Configuration