Hi all, On this page: http://glueschema.forge.cnaf.infn.it/SpecV13/LDAP there is a comment that GlueChunkKey is obsolete because you can now query directly on the DN. However, I don't think that's the whole story, because it may also be useful to *print* the chunkkey value so you can extract the corresponding ID. That would be much harder to get from the DN, especially because it often gets split over multiple lines if you use ldapsearch. For example, consider this: for i in `ldapsearch -x -h lcg-bdii.cern.ch -p 2170 -b o=grid glueSEAccessProtocolType=gsidcap | grep GlueChunkKey: | cut -d= -f2 `; do ldapsearch -x -h lcg-bdii.cern.ch -p 2170 -b o=grid glueseuniqueid=$i glueforeignkey; done | grep GlueSiteUniqueID | cut -d= -f2 That chops the SEUniqueID out of the ChunkKey in the access protocol object from the first query, and feeds it into another query to get the site ID. It may not be totally elegant but it works! If you removed the chunkkey it would be much harder to do something like that on the command line. While it's true that the information does exist in the DN I think I would rather keep the ChunkKey concept anyway. Stephen
Hi Stephen, Maybe it's me, but I found all web pages describing the extensible queries to be pretty poor, and the RFC didn't help much. I've been intending to investigate these further; the wiki page and your email presented an excellent opportunity and I think I now understand them. Comments interleaved. Apologies if this is all obvious to others; it wasn't obvious to me earlier today. On Tuesday 29 January 2008 20:24:04 Burke, S (Stephen) wrote:
Hi all,
On this page:
http://glueschema.forge.cnaf.infn.it/SpecV13/LDAP
there is a comment that GlueChunkKey is obsolete because you can now query directly on the DN.
I believe this is half-true. Extensible queries allows "downward queries": one can discover attributes for objects where what you know is higher up in the hierarchy. For example, given a specific GlueSEUniqueID (e.g., ccsrm.in2p3.fr) one can query all available protocols that this SE supports with the following single query: ldapsearch -LLL -h lcg-bdii.cern.ch -p 2170 -x -b o=grid '(&(GlueSEUniqueID:dn:=ccsrm.in2p3.fr) (objectClass=GlueSEAccessProtocol))' GlueSEAccessProtocolType GlueSEAccessProtocolVersion Of course, one can also do this without extensible queries if you happen to know the parent DN: ldapsearch -LLL -h lcg-bdii.cern.ch -p 2170 -x -b GlueSEUniqueID=ccsrm.in2p3.fr,Mds-Vo-name=IN2P3-CC,Mds-Vo-name=local,o=grid '(objectClass=GlueSEAccessProtocol)' GlueSEAccessProtocolType GlueSEAccessProtocolVersion The queries are not identical, but "all things being equal" (if the GLUE/LDAP hierarchy is observed and the GlueSEUniqueID is unique), then the results are the same; I guess the first query is "better" (doesn't need the site's DN), but both should work. Extensible queries (if I understood correctly) are of no help in navigating upward. For example: what are the GlueSEUniqueIDs for SEs that support a specific protocol? To achieve this query, we can either do this using GLUE- or LDAP- concepts: if we don't get it from the ChunkKey, we must get it by (effectively) parsing the DN into its constituent RDNs and building the parent object from those RDNs. For a simple fixed-distance ancestor relationship, a simple cut (e.g. "cut -d, -f2-") should do.
However, I don't think that's the whole story, because it may also be useful to *print* the chunkkey value so you can extract the corresponding ID. That would be much harder to get from the DN,
True(-ish), ldapsearch certainly doesn't make this easy. From trawling various mailing lists, the shortest "fix": for the line-splitting problem is: perl -p00e 's/\r?\n //g'
For example, consider this:
for i in `ldapsearch -x -h lcg-bdii.cern.ch -p 2170 -b o=grid glueSEAccessProtocolType=gsidcap | grep GlueChunkKey: | cut -d= -f2 `; do ldapsearch -x -h lcg-bdii.cern.ch -p 2170 -b o=grid glueseuniqueid=$i glueforeignkey; done | grep GlueSiteUniqueID | cut -d= -f2
That chops the SEUniqueID out of the ChunkKey in the access protocol object from the first query, and feeds it into another query to get the site ID. It may not be totally elegant but it works! If you removed the chunkkey it would be much harder to do something like that on the command line.
OK, so this query navigates upward: what are the GlueSiteUniqueIDs for sites that have an SE that supports the gsidcap protocol? Below, I've copied an equivalent bash 1-liner that uses DN parsing to navigation up the tree (effectively doing "../.." in XPath terms). It should be possible to do the equivalent to "ancestor::GlueSite[1]" (i.e., navigate up until you find a GlueSite) by explicitly matching the attribute part of the GridSite RDN. for site_dn in $(ldapsearch -LLL -h lcg-bdii.cern.ch -p 2170 -x -b o=grid glueSEAccessProtocolType=gsidcap | perl -p00e 's/\r?\n //g' | sed -ne 's/^dn: [^,]*,[^,]*,\(.*\)/\1/p' | sort -u); do ldapsearch -LLL -h lcg-bdii.cern.ch -p 2170 -x -b $site_dn '(objectClass=GlueSite)' GlueSiteUniqueID | perl -p00e 's/\r?\n //g' | sed -ne 's/^GlueSiteUniqueID: \(.*\)/\1/p'; done The example is about the same size, but I've separated the line as much as possible for clarity. It might be possible to merge the perl line-wrap hack into the sed, so losing the perl dependency, but my sed is a little too rusty for that.
While it's true that the information does exist in the DN I think I would rather keep the ChunkKey concept anyway.
I'm not sure if parsing the DN to extract parent DN entries is a robust way of navigating, but I think it basically works [*]. Cheers, Paul. [*] - It doesn't work for a few sites that are published right now; but the first few I investigated all had broken information, like not publishing any GlueSite class object, or publishing objects that have no parent (!!), etc.
glue-wg-bounces@ogf.org
[mailto:glue-wg-bounces@ogf.org] On Behalf Of Paul Millar said: for site_dn in $(ldapsearch -LLL -h lcg-bdii.cern.ch -p 2170 -x -b o=grid glueSEAccessProtocolType=gsidcap |
perl -p00e 's/\r?\n //g' |
sed -ne 's/^dn: [^,]*,[^,]*,\(.*\)/\1/p' |
sort -u); do
ldapsearch -LLL -h lcg-bdii.cern.ch -p 2170 -x -b $site_dn '(objectClass=GlueSite)' GlueSiteUniqueID |
perl -p00e 's/\r?\n //g' |
sed -ne 's/^GlueSiteUniqueID: \(.*\)/\1/p'; done
I think you made my point! There's no way I could remember that, and I don't want to try to reinvent it every time I want to query for something - constructing ldap queries is hard enough already ... as a subsidiary point your query is not the same as mine, although it may happen to give the same result in this case. I assume that your method could be modified to do the same though, i.e. to only chop the DN back to the SE and query that for the ForeignKey (which will have to stay in the schema anyway). Stephen
Hi Stephen, On Wednesday 30 January 2008 20:54:18 Burke, S (Stephen) wrote:
[mailto:glue-wg-bounces@ogf.org] On Behalf Of Paul Millar said: for site_dn in $(ldapsearch -LLL -h lcg-bdii.cern.ch -p 2170 [...snip: nasty bash...] sed -ne 's/^GlueSiteUniqueID: \(.*\)/\1/p'; done
I think you made my point!
Could be :)
There's no way I could remember that, and I don't want to try to reinvent it every time I want to query for something - constructing ldap queries is hard enough already ...
Well, I just wanted to point out it was possible to do these sorts of queries without using a ChunkKey entry. That isn't to say we should get rid of them, only that, for these queries, they're not essential. LDAP's support for querying is pretty limited, I guess that's why most people end up using grep/sed/awk/perl/python/(...etc..)
as a subsidiary point your query is not the same as mine, although it may happen to give the same result in this case. I assume that your method could be modified to do the same though, i.e. to only chop the DN back to the SE and query that for the ForeignKey (which will have to stay in the schema anyway).
Sorry, that was my misunderstanding. I had a previous version of the script that did precisely that: chop the SEAccessProtocol DN back to find the SE, pull out the ForeignKey element and extract the SiteUniqueID from that. However, I though it would be "cleaner" to simply navigate straight up to the site-level object from the SEAccessProtocol object and extract the SiteUniqueID from there. Are there circumstances where this wouldn't work? (assuming people are publishing valid information) Cheers, Paul.
Paul Millar [mailto:paul.millar@desy.de] said:
However, I though it would be "cleaner" to simply navigate straight up to the site-level object from the SEAccessProtocol object and extract the SiteUniqueID from there.
Are there circumstances where this wouldn't work? (assuming people are publishing valid information)
In this particular case it wouldn't work if one site were publishing an SE belonging to a different site - not normal perhaps, but not necessarily forbidden. Similarly you are assuming that one site tree (at the mds-vo-name level) only publishes one gluesite object. In the general case that would obviously not work, for all the other high-level objects (CE, SE, Service) you can have several of them; for the site you usually only have one but again it's not clear that it's forbidden to have more. Stephen
Paul Millar [mailto:paul.millar@desy.de] said:
Well, I just wanted to point out it was possible to do these sorts of queries without using a ChunkKey entry.
... or maybe not; unless I'm missing something it seems you can't use wildcards in extensible queries: ldapsearch -x -h lcg-bdii.cern.ch -p 2170 -b o=grid '(&(GlueSEUniqueID:dn:*.ac.uk)(objectclass=GlueSA))' # extended LDIF # # LDAPv3 # base <o=grid> with scope sub # filter: (&(GlueSEUniqueID:dn:=*.ac.uk)(objectclass=GlueSA)) # requesting: ALL # ldapsearch: ldap_search_ext: Bad search filter (-7) If I replace the * with a specific name it works: ldapsearch -x -h lcg-bdii.cern.ch -p 2170 -b o=grid '(&(GlueSEUniqueID:dn:svr018.gla.scotgrid.ac.uk)(objectclass=GlueSA))' | grep GlueSAAccessControlBaseRule: GlueSAAccessControlBaseRule: atlas GlueSAAccessControlBaseRule: ngs GlueSAAccessControlBaseRule: totalep GlueSAAccessControlBaseRule: dteam GlueSAAccessControlBaseRule: atlas GlueSAAccessControlBaseRule: atlas GlueSAAccessControlBaseRule: camont GlueSAAccessControlBaseRule: pheno GlueSAAccessControlBaseRule: babar GlueSAAccessControlBaseRule: ops GlueSAAccessControlBaseRule: gridpp GlueSAAccessControlBaseRule: cms GlueSAAccessControlBaseRule: lhcb GlueSAAccessControlBaseRule: dzero GlueSAAccessControlBaseRule: sixt GlueSAAccessControlBaseRule: atlas GlueSAAccessControlBaseRule: biomed GlueSAAccessControlBaseRule: supernemo.vo.eu-egee.org GlueSAAccessControlBaseRule: ilc GlueSAAccessControlBaseRule: cdf GlueSAAccessControlBaseRule: alice GlueSAAccessControlBaseRule: zeus Stephen
Hi Stephen, in the initial mapping of GLUE 1 to LDAP, I've added the GLUEChunkKey to go round the lack of the operator ":dn:=" in the available implementations of OpenLDAP/MDS. In 1.3, I suggested to remove it because the currently deployed LDAP servers support this operator. In your scenario, you show a different use of the GLUEChunkKey, therefore this can be rediscussed for GLUE 2.0. (In GLUE 1.3 should stay anyway for backwards compatibility). Cheers, Sergio Burke, S (Stephen) ha scritto:
On this page:
http://glueschema.forge.cnaf.infn.it/SpecV13/LDAP
there is a comment that GlueChunkKey is obsolete because you can now query directly on the DN. However, I don't think that's the whole story, because it may also be useful to *print* the chunkkey value so you can extract the corresponding ID. That would be much harder to get from the DN, especially because it often gets split over multiple lines if you use ldapsearch. For example, consider this:
for i in `ldapsearch -x -h lcg-bdii.cern.ch -p 2170 -b o=grid glueSEAccessProtocolType=gsidcap | grep GlueChunkKey: | cut -d= -f2 `; do ldapsearch -x -h lcg-bdii.cern.ch -p 2170 -b o=grid glueseuniqueid=$i glueforeignkey; done | grep GlueSiteUniqueID | cut -d= -f2
That chops the SEUniqueID out of the ChunkKey in the access protocol object from the first query, and feeds it into another query to get the site ID. It may not be totally elegant but it works! If you removed the chunkkey it would be much harder to do something like that on the command line. While it's true that the information does exist in the DN I think I would rather keep the ChunkKey concept anyway.
Stephen _______________________________________________ glue-wg mailing list glue-wg@ogf.org http://www.ogf.org/mailman/listinfo/glue-wg
-- Sergio Andreozzi INFN-CNAF, Tel: +39 051 609 2860 Viale Berti Pichat, 6/2 Fax: +39 051 609 2746 40126 Bologna (Italy) Web: http://www.cnaf.infn.it/~andreozzi
participants (3)
-
Burke, S (Stephen) -
Paul Millar -
Sergio Andreozzi