Technology Preview feature CuminAviary
This feature allows Cumin to use the Aviary web services provided in the condor-aviary package for certain functions in the user interface. If the CuminAviary feature is enabled, Cumin will use Aviary services rather than QMF method calls where possible.
The CuminAviary feature is controlled through the cumin configuration file. Relevant configuration parameters with descriptive comments can be found in the default /etc/cumin/cumin.conf file by searching for a line containing "Aviary interface to condor".
Aviary provides a job service and a query service; Cumin may use either, both or neither. By default, Cumin will use QMF methods rather than Aviary services.
To enable use of the Aviary job service, the 'aviary-job-servers' parameter must be uncommented and set (see the comments in the configuration file). Setting this parameter will cause Cumin to use the Aviary job service for job submission, for the hold, release, and remove job control functions, and for editing of job ad attributes.
To enable use of the Aviary query service, the 'aviary-query-servers' parameter must be uncommented and set (see the comments in the configuration file). Setting this parameter will cause Cumin to use the Aviary query service for retrieving job output files, retrieving job ad details, and retreiving the list of jobs in a submission.
Cumin will make INFO level entries in the log file for cumin-web that indicate whether use of the job and/or query services has been enabled and what type of certificate validation will be used for servers configured for SSL (see below). These log entries will begin with "AviaryOperations:" or contain the string "Aviary" somewhere in the message. If an Aviary operation fails, the yellow task banner associated with the operation will contain error information.
By default, the Aviary services in condor will not use SSL (Secure Socket Layer) for communication and no other configuration parameters need to be set for this feature. However, if the Aviary services in condor have been configured to use SSL then additional configuration parameters must be set.
First, note that the scheme for Aviary servers will change from "http" to "https" for any server using SSL. Failure to specify schemes correctly in the 'aviary-job-servers' or 'aviary-query-servers' parameters will prevent the CuminAviary feature from functioning. An incorrect server address may result in a default 90 second timeout when Cumin attempts to perform an operation using that server.
Second, the 'aviary-key' and 'aviary-cert' parameters must be set. These parameters give the full paths to a PEM formatted private key file and PEM formatted certificate file that Cumin will use as a client to access the Aviary services. The Aviary servers will validate Cumin's client certificate and allow access if validation succeeds.
Optionally, the 'aviary-root-cert' parameter may be set. This is the full path to a PEM formatted file containing CA (certificate authority) certificates that Cumin will use to validate the server certificate. If this parameter is unset Cumin will NOT validate server certificates.
Here is a note relating to the ordering of certificate chains within a file from the OpenSSL documentation: "SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. There is no corresponding function working on a single SSL object."
Lastly, the 'aviary-domain-verify' parameter controls whether or not Cumin checks the hostname of the server against the server certificate during validation. This parameter has no effect unless 'aviary-root-cert' is set. The default value is True; it may be useful to set this parameter to False if the server is using a self-signed certificate with a non-matching hostname.
Cumin will provide server certificate validation using the Python ssl standard language module if available or M2Crypto otherwise. If neither of these components are available, server certificate validation will be disabled.
The CuminAviary feature has a dependency on
python-suds-0.4.1 or newer. This package has been added as a dependency in the cumin rpm.
Bug reports or requests for enhancement can be made through http://bugzilla.redhat.com. General questions about this feature can be handled through the email list
This feature is intended to be fully supported in an upcoming minor release.
Where to find this information:
Content similar to this Release Note may be found in the file /usr/share/doc/cumin-*/AVIARY-README after the software is installed. However, the Release Note should be considered more up to date and where there are any discrepancies the Release Note supersedes the readme file.
Technology Preview Policy:
Technology Preview features are not currently supported under Red Hat Enterprise Linux subscription services, may not be functionally complete, and are generally not suitable for production use. However, these features are included as a customer convenience and to provide the technologies with wider exposure.
Customers may find these features useful in non-production environments, and can provide feedback and functionality suggestions prior to their transition to fully supported status. Erratas will be provided for high-priority security issues.
During its development additional components of a Technology Preview feature may become available to the public for testing. It is the intention of Red Hat to fully support Technology Preview features in a future release.