We have been asked to look at the definition of the LDM-503-10a milestone, which exists in the schedule for this year but was never defined (nor what a test plan defined).
The following JIRA tasks apply here:
- - DM-19208Getting issue details... STATUS
- - DM-19211Getting issue details... STATUS
- - DM-19209Getting issue details... STATUS
- - DM-20586Getting issue details... STATUS
1) The near-term milestone LDM-503-10a should have the following descriptive text:
"This test demonstrates the successful integration of a single-sign-on federated authentication system, and a basic authorization system, with the major Aspects of the LSST Science Platform (Portal, Notebook, and API), with the API Aspect containing at least a TAP service. It will be demonstrated on a Kubernetes cluster provided by NCSA. It is not required for authorization to be applied at the database level; it is sufficient for this milestone to apply at the TAP level. Data served will remain that from the original PDAC work, i.e., SDSS Stripe 82 and/or WISE."
2) A second milestone (here called LDM-503-10x) should be established for late 2019 (December: post-close-of-F19) with the description:
"This test demonstrates the ingest and service of an "LSST-like" dataset in an instance of the LSST Science Platform at NCSA. The dataset is expected to be based on the HSC public data release(s) and should include both images and catalogs. The ingest should be performed through a version of the Science Data Model Standardization mechanism for generating concrete datasets compatible with the DPDD. Catalogs should be available through TAP and queryable from both the Portal and Notebook Aspects. Image metadata should be available through an ObsTAP service (and preferably also through an SIAv2 service, but this is not mandatory for this milestone), and images should be available from the URLs provided by the metadata service(s). Image cutouts should be available through a SODA service. Images should be queryable from both the Portal and Notebook Aspects, and there should be a well-defined relationship documented between API-based and Butler-based access to images."
Test plan sketch for LDM-503-10a
Choose a deployed instance of the LSST Science Platform (LSP). Either
lsst-lsp-int may be used for this test, as it is a test of functionality, not of capabilities in a production system.
Note in the test report whether VPN access was required in order to permit this test to be executed. Eventually it will not / must not be needed, but for this milestone it is still acceptable.
- Go to the Science Platform welcome page. Access the Portal Aspect.
- Log in to the Portal Aspect with NCSA credentials. Verify that the Portal search screen comes up. Note the user name displayed in the upper left of the Portal. Log out.
- Log in to the Portal Aspect with alternate credentials that are associated with the same identity. Verify that the Portal search screen comes up and that the user name displayed in the upper left of the Portal is the same as in the previous step.
- Navigate to the TAP search screen and ensure that the LSST TAP service associated with the chosen LSP instance is selected.
- Verify that the same WISE and SDSS catalog tables that were explored in the previous LSP test report are now visible in the TAP service.
- Perform a specified set of searches on the AllWISE object catalog data and save the results. This is not a database performance test; a few small representative searches should be sufficient. Possibilities (to be confirmed in the final test plan):
- A cone search returning O(10**4) records, performed from the cone search UI. Verify that appropriate ADQL text is available through the UI. Obtain the asynchronous TAP URL from the Portal UI for this search.
- A wide-area search using the constraints table, with parameters tuned to produce a similarly sized results table. Verify that appropriate ADQL text is available through the UI.
- An explicit ADQL query returning comparably sized results.
- Verify that the established Portal functionality (see the previous LSP test report) for viewing the catalog search results is available for TAP search results.
- While already logged in, from the Portal Aspect testing above, go to the Science Platform welcome page and access the Notebook Aspect.
- Verify that no login credentials are requested (i.e., that SSO is operational from Portal to Notebook). Request a session of the "small" category with the most recent "recommended" release image.
- Use the JupyterLab UI to create a small test file in the user's home directory with distinctive name and content.
- Log out of the Notebook Aspect session.
- Attempt to access the Portal Aspect; verify that credentials are requested (i.e., that logout is also cross-Aspect) but do not log in.
- Go to the Science Platform welcome page and access the Notebook Aspect, using NCSA credentials to log in (i.e., not the credentials that had been used to initiate the previous session). Request a session of the "medium" category with the most recent "recommended" image.
- Verify that the distinctive test file is visible, and more generally that the user environment appears to be the same one that was presented in the previous session.
- Upload the result files from the Portal queries above to the Notebook Aspect environment (this may be done via WebDAV, if available, or the JupyterLab UI,
scpto NCSA, or any other convenient means; the ability to perform these uploads in the ultimate LSP-ish way is not under test here).
- Load the test notebook for LDM-503-10a from the appropriate tag of the appropriate Github repository (TBD; requires consultation with Simon Krughoff and Gabriele Comoretto to establish these details). Note the SHA that applied to the test notebook.
- Execute the test notebook. It should be designed to:
- Perform in Python the same set of TAP searches that were performed in the Portal, most likely coded directly as ADQL.
- Compare the results with the uploaded results from the Portal and verify that they have the same content.
- Access in Python the asynchronous TAP query URL that was saved from the Portal test above. Verify that it, too, returned the same results as the corresponding direct Portal and Python/ADQL queries.
- Attempt to access the Portal Aspect; verify that logging in via the Notebook Aspect (above at #6) allows immediate access to the Portal Aspect without an additional login. Verify that the user name display is the same as in the Portal Aspect tests above.
- Obtain an authorization token for the LSP, either specifically or by default including TAP-read access as a capability/right.
- Use this token on a remote host, outside the LSP, to perform the three TAP searches described above in the Portal Aspect section, via Python API, with explicit provision of the authorization token to the API.
- Verify that the results are the same as in the Portal and Notebook Aspect tests.
- Optional (not required to meet the milestone, but worth including in the test report if available): Use the authorization token with a community tool such as TOPCAT to perform at least one of the same searches.