Post on 03-Jan-2016
ASPiS Security
Jens Jensen <j.jensen @ rl ac uk>
Science and Technology Facilities Council
AHM, 8-11 Sep 2008, Edinburgh
ASPiS collaborators
• Mark Hedges, CeRch KCL
• Adil Hasan, Liverpool
• Andrea Weise, STFC/Reading
• Eric .. → CeRch KCL
• Jens Jensen, STFC
• JISC-funded project
Project Overview
“New data grid technology with new authentication technology”
Project Overview
• What is ASPiS?
  – Access to iRODS via Shibboleth
  – Collaboration between CeRch (KCL) and STFC
• What is Shibboleth?
  – UK Access Management Federation
• What is iRODS?
  – “Data grid” for provenance, digital libraries
  – Successor to SRB
  – Open source
ASPiS goals
• Access to iRODS via Shibboleth
  – iRODS offers rule-based data management via microservices
  – Positioned as data grid solution for preservation, curation, digital libraries
• Primary use cases:
  – Arts and Humanities data storage
  – Diamond Light Source
  – NGS data storage services
ASPiS goals
• Use Shibboleth attributes for access control
  – Attributes can drive authorisation (AuZ) decisions
  – ePEntitlement (eduPersonEntitlement)
  – Or extended attributes, e.g. from SARoNGS
• Prototype secure data management
  – Can be expanded later into trusted services
  – Open for adding security capabilities
• Interface with provenance management
User Security
• Enable access for security non-experts
  – X.509 considered “complicated”
  – Broaden user base via Shibboleth IdPs
• Users' VOs supported
  – Simple attribute-based
  – Simple gridmap-style user mapping
  – Using VOMS? Via SARoNGS?
Shibboleth and NGS
• Other projects to enable access to NGS
• SARoNGS
  – Production deployment of ShibGrid and SHEBANGS
  – Certificates generated dynamically; users don't know they have them!
  – ~75% of NGS user base with IdP
  – ~95% by members of Federation
  – (Not all members have IdPs)
  – (Rough numbers, could have changed)
Architecture
[Architecture diagram; components shown: SP, IdP, “usual Shib stuff”, Disk Store (Tape Store at RAL), Provenance/Metadata Management, three μservice boxes, iRODS, rule, ACL.]
Implementing Security
• Make attributes available
  – To rule engine, microservices, provenance
  – Microservices reporting back to rule engine to alter workflow
• Other issues
  – Using AC and SAML (SARoNGS)
  – Libraries
    • iRODS in C, preservation systems in Java (Pasoa, RDF/OWL)
    • Availability, maturity, support, interoperation
Security Considerations
• Use of Shib 1.3 vs Shib 2.0
  – Must work with existing Federation
  – Use of institutional attributes
    • How useful are they?
    • Avoid bilateral negotiations
  – Not sharing attributes between SPs
    • Single SP, federated iRODS?
• Non-Federation (or no IdP) users
  – Considered local config or LDAP managed
Security Considerations
• User to local mapping
  – LCMAPS or VPMan? Or something simpler?
  – Delegation of authentication
  – iRODS users/groups/domains/zones?
• Use or combined use with GSI
  – For users with certificates already, existing NGS accounts
    • Consistency and portal access
  – Supported in iRODS 1.1
  – Needs account management
Preservation Issues
• Persistency of ePTID
  – Federation rules permit recycling if not used for 2 years
  – ASPiS: do not permit login if account idle for 2 years
    • Except if IdP guarantees uniqueness forever?
• Who is the ePTID?
• Non-persistency of IdP logs
• Verification of user-supplied attributes?
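As an added illustration (not code from the ASPiS project, iRODS or Shibboleth), the following hypothetical Python policy check puts together the gridmap-style user mapping and attribute-based authorisation from the "User Security" and "ASPiS goals" slides with the ePTID idle-account rule on this slide: a federated identity is mapped to a local iRODS user, eduPersonEntitlement values decide which collections open up, and a login to an account idle for two years is refused unless the IdP is one that guarantees its identifiers are never recycled. All hostnames, entitlement URNs, account names and dates are constructed; the attribute-export format (one "Name: value" line per attribute, multiple values joined by ";") is an assumption about how the SP hands attributes to the application.

```python
"""Hypothetical Shibboleth-to-iRODS login policy check (added example, not
ASPiS or iRODS code). It combines three points from the slides: a
gridmap-style mapping from a federated identity to a local iRODS user,
attribute-based authorisation on eduPersonEntitlement, and the ePTID
persistence rule (refuse login to an account idle for two years unless the
IdP guarantees the identifier is never recycled). All names are constructed."""
from datetime import date, timedelta

# Two years: the period after which Federation rules allow an ePTID to be
# recycled, and therefore the idle limit after which ASPiS refuses login.
IDLE_LIMIT = timedelta(days=2 * 365)

# Constructed gridmap-style mapping: ePTID -> local iRODS user name.
# An ePTID has the form "<IdP entityID>!<SP entityID>!<opaque value>".
GRIDMAP = {
    "https://idp.uni-a.example/shibboleth!https://aspis.example/sp!7f3a": "alice",
    "https://idp.uni-b.example/shibboleth!https://aspis.example/sp!c9e1": "bob",
    "https://idp.uni-b.example/shibboleth!https://aspis.example/sp!0d42": "carol",
}

# Constructed: eduPersonEntitlement values -> iRODS collections they unlock.
ENTITLEMENTS = {
    "urn:mace:aspis.example:humanities": "/aspisZone/home/humanities",
    "urn:mace:aspis.example:diamond": "/aspisZone/home/diamond",
}

# Constructed: IdPs that have asserted their ePTIDs are never recycled.
PERSISTENT_IDPS = {"https://idp.uni-a.example/shibboleth"}

# Constructed last-login dates of local accounts (None = never logged in).
LAST_LOGIN = {"alice": date(2006, 6, 1), "bob": date(2006, 6, 1), "carol": None}


def parse_attributes(exported):
    """Parse attributes as (assumed here) the SP exports them to the
    application: one 'Name: value' per line, multiple values joined by ';'.
    Only the first ':' separates name from value, so URL values survive."""
    attrs = {}
    for line in exported.strip().splitlines():
        name, _, value = line.partition(":")
        attrs[name.strip()] = [v for v in value.strip().split(";") if v]
    return attrs


def idp_of(eptid):
    """The IdP entityID is the first '!'-separated component of an ePTID."""
    return eptid.split("!", 1)[0]


def is_idle(user, today):
    """True if the account's last login is IDLE_LIMIT or more in the past."""
    last = LAST_LOGIN.get(user)
    return last is not None and today - last >= IDLE_LIMIT


def authorize(exported, today):
    """Decide one login: returns (decision, reason_or_user, collections)."""
    attrs = parse_attributes(exported)
    eptids = attrs.get("eduPersonTargetedID", [])
    if len(eptids) != 1:
        return ("deny", "missing or ambiguous ePTID", [])
    eptid = eptids[0]
    user = GRIDMAP.get(eptid)
    if user is None:
        return ("deny", "ePTID not in gridmap", [])
    # After two years the IdP may have reassigned this ePTID to someone else.
    if is_idle(user, today) and idp_of(eptid) not in PERSISTENT_IDPS:
        return ("deny", f"{user} idle for 2 years; ePTID may be recycled", [])
    collections = sorted(ENTITLEMENTS[e] for e in attrs.get("eduPersonEntitlement", [])
                         if e in ENTITLEMENTS)
    if not collections:
        return ("deny", f"{user} has no ASPiS entitlement", [])
    return ("allow", user, collections)


# Constructed attribute exports as the SP would hand them to iRODS.
ALICE = ("eduPersonTargetedID: https://idp.uni-a.example/shibboleth!https://aspis.example/sp!7f3a\n"
         "eduPersonEntitlement: urn:mace:aspis.example:humanities;urn:mace:aspis.example:diamond\n")
BOB = ("eduPersonTargetedID: https://idp.uni-b.example/shibboleth!https://aspis.example/sp!c9e1\n"
       "eduPersonEntitlement: urn:mace:aspis.example:diamond\n")
CAROL = ("eduPersonTargetedID: https://idp.uni-b.example/shibboleth!https://aspis.example/sp!0d42\n"
         "eduPersonEntitlement: urn:mace:aspis.example:humanities\n")
STRANGER = "eduPersonTargetedID: https://idp.uni-c.example/shibboleth!https://aspis.example/sp!ffff\n"

if __name__ == "__main__":
    today = date(2008, 9, 8)  # constructed: the AHM 2008 week
    for label, export in [("alice", ALICE), ("bob", BOB), ("carol", CAROL), ("stranger", STRANGER)]:
        print(label, authorize(export, today))
```

Run as a script, the four constructed logins show the three distinct outcomes: alice is idle but her IdP is on the persistent list, so she is allowed; bob is idle at a non-persistent IdP and is refused because the ePTID may by now belong to someone else; carol has never logged in and is allowed; the stranger's ePTID is not in the gridmap. The idle check is deliberately applied before the entitlement check so that a recycled identifier cannot even learn which collections the old account could reach.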
Other Issues
• QoS: priority mappings for some users?
• iRODS needs rebuild (or at least relink) when μservice changes
Current Status
• iRODS deployed at Reading, RAL
• Shibboleth IdP at RAL
  – DLS did not join the Federation at this time
• Not quite ready for testing yet
Conclusion
• Datastore for libraries, preservation
  – Interfacing to provenance management
• Replacing SRB
• Single sign-on access via Shib
  – Usable
  – Secure