Posted on 03-Jan-2016

ASPiS Security

Jens Jensen <j.jensen @ rl ac uk>
Science and Technology Facilities Council

AHM, 8-11 Sep 2008, Edinburgh

ASPiS collaborators

• Mark Hedges, CeRch KCL
• Adil Hasan, Liverpool
• Andrea Weise, STFC/Reading
• Eric .. → CeRch KCL
• Jens Jensen, STFC
• JISC-funded project

Project Overview

“New data grid technology with new authentication technology”

Project Overview

• What is ASPiS?
  – Access to iRODS via Shibboleth
  – Collaboration between CeRch (KCL) and STFC

• What is Shibboleth?
  – UK Access Management Federation

• What is iRODS?
  – “Data grid” for provenance, digital libraries
  – Successor to SRB
  – Open source

ASPiS goals

• Access to iRODS via Shibboleth
  – iRODS offers rule-based data management via microservices
  – Positioned as data grid solution for preservation, curation, digital libraries

• Primary use cases:
  – Arts and Humanities data storage
  – Diamond Light Source
  – NGS data storage services

ASPiS goals

• Use Shibboleth attributes for access control
  – Can use attributes for authorisation (AuZ) decisions
  – ePEntitlement
  – Or extended attributes, e.g. from SARoNGS

• Prototype secure data management
  – Can be expanded later into trusted services
  – Open for adding security capabilities

• Interface with provenance management

User Security

• Enable access for security non-experts
  – X.509 considered “complicated”
  – Broaden user base via Shibboleth IdPs

• Users' VOs supported
  – Simple attribute-based
  – Simple gridmap-style user mapping
  – Using VOMS? Via SARoNGS?

Shibboleth and NGS

• Other projects to enable access to NGS
• SARoNGS
  – Production deployment of ShibGrid and SHEBANGS
  – Certificates generated dynamically: users don't know they have them!
  – ~75% of NGS user base with IdP
  – ~95% by members of Federation
  – (Not all members have IdPs)
  – (Rough numbers, could have changed)

Architecture

[Architecture diagram; labels recoverable from the slide: SP, IdP, “usual Shib stuff”, Disk Store (Tape Store at RAL), Provenance Metadata Management, three μservices, iRODS, rule, ACL]

Implementing Security

• Make attributes available
  – To rule engine, microservices, provenance
  – Microservices reporting back to rule engine to alter workflow

• Other issues
  – Using AC and SAML (SARoNGS)
  – Libraries
    • iRODS in C, preservation systems in Java (Pasoa, RDF/OWL)
    • Availability, maturity, support, interoperation

Security Considerations

• Use of Shib 1.3 vs Shib 2.0
  – Must work with existing Federation
  – Use of institutional attributes
    • How useful are they?
    • Avoid bilateral negotiations
  – Not sharing attributes between SPs
    • Single SP, federated iRODS?

• Non-Federation (or no IdP) users
  – Considered local config or LDAP managed

Security Considerations

• User to local mapping
  – LCMAPS or VPMan? Or something simpler?
  – Delegation of authentication
  – iRODS users/groups/domains/zones?

• Use of, or combined use with, GSI
  – For users with certificates already, existing NGS accounts
    • Consistency and portal access
  – Supported in iRODS 1.1
  – Needs account management

Preservation Issues

• Persistency of ePTID
  – Federation rules permit recycling if not used for 2 yrs
  – ASPiS: do not permit login if account idle for 2 yrs
    • Except if IdP guarantees uniqueness forever?

• Who is the ePTID?
• Non-persistency of IdP logs
• Verification of user-supplied attributes?
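The “User Security” slide (simple attribute-based access, gridmap-style user mapping) and the “Preservation Issues” slide (ePTID recycling after 2 years of non-use) together describe one login policy. The following is an added example written for this page, not ASPiS or iRODS code: it maps the attributes a Shibboleth SP releases to a local iRODS user, requires an entitlement, and refuses an account that has been idle longer than the Federation recycling window unless the issuing IdP is on a list of IdPs that guarantee ePTID uniqueness forever. The attribute names follow the eduPerson/Shibboleth convention; the entitlement value, IdP entityIDs, ePTID values, account names and dates are all constructed.

```python
"""Added example (not ASPiS project code): attribute-based login policy for a
Shibboleth-fronted iRODS store. Combines gridmap-style mapping of the federated
identity to a local user with the rule "no login if the account has been idle
for 2 years", since Federation rules allow an ePTID to be recycled after that.
All entitlement values, IdP entityIDs, ePTIDs, user names and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

IDLE_LIMIT = timedelta(days=2 * 365)  # two years, the Federation recycling window

# Assumption: IdPs that guarantee never to recycle an ePTID. For these the idle
# rule is not applied (the slide's "except if IdP guarantees uniqueness forever").
IDPS_WITH_PERMANENT_EPTID = {"https://idp.permanent.example.ac.uk/shibboleth"}

# Constructed entitlement value an IdP must assert for access to the store.
REQUIRED_ENTITLEMENT = "urn:mace:example.ac.uk:aspis:user"


@dataclass
class LocalAccount:
    irods_user: str
    last_login: datetime


@dataclass
class Decision:
    allowed: bool
    irods_user: Optional[str]
    reason: str


# The gridmap is keyed on (IdP entityID, ePTID): an ePTID is only unique relative
# to the IdP that issued it, so the same opaque value from two IdPs must not collide.
Gridmap = Dict[Tuple[str, str], LocalAccount]


def decide_login(attrs: Dict[str, object], gridmap: Gridmap, now: datetime) -> Decision:
    """Map SP-released attributes to a local iRODS user, or refuse with a reason."""
    eptid = attrs.get("eduPersonTargetedID")
    idp = attrs.get("Shib-Identity-Provider")
    if not isinstance(eptid, str) or not isinstance(idp, str):
        return Decision(False, None, "missing ePTID or issuing IdP")

    entitlements: List[str] = list(attrs.get("eduPersonEntitlement", []))
    if REQUIRED_ENTITLEMENT not in entitlements:
        return Decision(False, None, "required entitlement not asserted")

    account = gridmap.get((idp, eptid))
    if account is None:
        return Decision(False, None, "no local mapping for this identity")

    idle = now - account.last_login
    if idp not in IDPS_WITH_PERMANENT_EPTID and idle > IDLE_LIMIT:
        # The ePTID may by now belong to a different person at that IdP;
        # refuse rather than silently hand the old account to whoever presents it.
        return Decision(False, None, "account idle more than 2 years; ePTID may have been recycled")

    account.last_login = now  # record activity so the idle clock restarts
    return Decision(True, account.irods_user, "ok")


def build_sample_gridmap() -> Gridmap:
    """Constructed sample mapping table (not real accounts)."""
    return {
        ("https://idp.alpha.example.ac.uk/shibboleth", "eptid-alpha-0001"):
            LocalAccount("alice", datetime(2008, 6, 1)),
        ("https://idp.alpha.example.ac.uk/shibboleth", "eptid-alpha-0002"):
            LocalAccount("bob", datetime(2005, 6, 1)),
        ("https://idp.permanent.example.ac.uk/shibboleth", "eptid-perm-0001"):
            LocalAccount("carol", datetime(2004, 6, 1)),
    }


def run_demo(now: datetime = datetime(2008, 9, 9)) -> Dict[str, Decision]:
    """Evaluate a set of constructed attribute releases against the sample gridmap."""
    gridmap = build_sample_gridmap()
    alpha = "https://idp.alpha.example.ac.uk/shibboleth"
    perm = "https://idp.permanent.example.ac.uk/shibboleth"
    ent = [REQUIRED_ENTITLEMENT]
    cases = {
        "active_user": {"Shib-Identity-Provider": alpha, "eduPersonTargetedID": "eptid-alpha-0001",
                        "eduPersonEntitlement": ent},
        "idle_user": {"Shib-Identity-Provider": alpha, "eduPersonTargetedID": "eptid-alpha-0002",
                      "eduPersonEntitlement": ent},
        "idle_but_permanent_idp": {"Shib-Identity-Provider": perm, "eduPersonTargetedID": "eptid-perm-0001",
                                   "eduPersonEntitlement": ent},
        "no_entitlement": {"Shib-Identity-Provider": alpha, "eduPersonTargetedID": "eptid-alpha-0001",
                           "eduPersonEntitlement": ["urn:mace:example.ac.uk:other"]},
        "unmapped": {"Shib-Identity-Provider": alpha, "eduPersonTargetedID": "eptid-alpha-9999",
                     "eduPersonEntitlement": ent},
    }
    return {name: decide_login(a, gridmap, now) for name, a in cases.items()}


if __name__ == "__main__":
    for name, d in run_demo().items():
        print(f"{name:24s} allowed={str(d.allowed):5s} user={d.irods_user} ({d.reason})")
```

The idle check deliberately refuses rather than re-maps: if the ePTID has been reissued, the only safe outcome is that the new holder gets no account until an administrator re-establishes the mapping. Keying the table on the IdP as well as the ePTID is what makes a single SP in front of a federated iRODS safe against two IdPs happening to emit the same opaque value.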

Other Issues

• QoS: priority mappings for some users?
• iRODS needs rebuild (or at least relink) when μservice changes

Current Status

• iRODS deployed at Reading, RAL
• Shibboleth IdP at RAL
  – DLS did not join the Federation at this time

• Not quite ready for testing yet

Conclusion

• Datastore for libraries, preservation
  – Interfacing to provenance management

• Replacing SRB
• Single sign-on access via Shib
  – Usable
  – Secure
