EMI INFSO-RI-261611 Session Summary: AAI Needs for DCIs, John White, HIP; Christoph Witzig, SWITCH...
Post on 18-Dec-2015
EMI INFSO-RI-261611
Session Summary: AAI Needs for DCIs
John White, HIP; Christoph Witzig, SWITCH
Outline
• Introduction
• Requirements and Plans of different Communities
• Summary Findings
• Note:
  – authN = authentication
  – authZ = authorization
Introduction
• AAI = authentication and authorization infrastructure
• DCI = distributed computing infrastructure
• AAI-DCI Workshop
  – organized as part of EMI workplan
  – Indico: https://www.egi.eu/indico/sessionDisplay.py?sessionId=11&slotId=0&confId=48 - 2010-09-14
  – Milestone document to follow
• EMI needs to provide a harmonized middleware stack
  – Provide user-friendly interface, especially for authenticating to an infrastructure
Questionnaire to Communities (1/2)
• Targeted a set of communities with dependency on an (emerging) infrastructure
  – Many tied to an ESFRI project
• All are rather large communities distributed over many European countries
• Most are rather early in their lifecycle
Questionnaire to Communities (2/2)
1. How are users authenticated?
   1. Which credentials are in use?
   2. How is the user vetting done?
2. Is there a link to national identities?
3. Which types of resources are in use? How are users authorized?
   1. Resources accessed through Grid?
   2. Resources accessed without Grid?
4. Where does the project want to be in ~5 years?
5. Are users and resource owners happy with current authN and authZ schemes?
The vision …
… and the reality
Earthscience Grid (1/2)
• Horst Schwichtenberg, Fraunhofer Institute
• Access to data is central for ES
  – Archived sensor data or derived data from multiple sources and in multiple formats
    • different providers and different systems
• Geographical Information System (GIS)
  – WS specification from Open Geospatial Consortium (OGC): no specification for authN/authZ
  – Work in progress
    • HTTP authN, HTTP cookies, SSL X.509, SAML, Shibboleth and OpenID
Earthscience Grid (2/2)
• Requirements:
  – Protect data down to the single user
  – Federated identity and single sign-on
    • SAML and OAuth, WS-* protocols
    • SSO based on Shibboleth and OpenID
  – Science gateways to provide access to computing infrastructure (EGI) in the background
    • Automatic certificate generation
  – Data centers need to protect licensed data and code
Biomedical Community (1/2)
• Key requirements:
  – Preserve patient privacy
  – Copyrighted data processing tools
• Current authN:
  – X.509 (grid users and French Health Professional smartcards)
• Resources:
  – EGI storage (SRM) and external data repositories
  – Web-based resources
Biomedical Community (2/2)
• Goal in ~5 years:
  – Homogeneous AA handling in Grid services
  – Access control to relational and semantic stores
• User’s view:
  – AA scheme is irrelevant. Only functionality matters.
  – Dedicated solutions often needed in Life Sciences.
CLARIN (1/2)
• Dieter Van Uytvanck, MPI for Psycholinguistics
• Aim:
  – Provide language resources and technologies for humanities and social sciences
• Typical use-case:
  – On the basis of browsing catalogues and/or searching through data, create a virtual collection and process it through workflows using web services
CLARIN (2/2)
• Long-term AA objectives:
  – Rely on user’s home organization of national AAIs for establishing trust (SAML, Shib)
  – CLARIN as legal entity to sign contracts with national identity federations
  – Rely on eduGAIN to provide trust between national AAIs
• Issues raised:
  – License acceptance must be solved (special license service)
  – Multi-level WAYFs and attribute release consent confusing for the user
Photon Facilities (1/2)
• Hans Weyer, PSI
• Environment:
  – Photon facilities with wide range of research areas and ~30’000 visiting scientists / year
  – ~15 synchrotrons in EU, often national facilities
• Facilities partly co-operating, partly competing
Photon Facilities (2/2)
• AA approach: “Umbrella”
  – Use EU-wide, central user identification
    • Username, pwd, email, birthday
  – Local management of additional, site-specific attributes
    • Phone, registrations, facility roles, proposals
  – Based on SAML
  – Note: Do not plan to use national AAIs for authN
ILL – Neutron Science
• Neutron facility, very diverse user community
• Need federated authentication and management of user’s attributes
• authN should provide access to
  – Web-based applications
  – Network connection
  – Workstation access
ELIXIR
• ESFRI BMS project coordinated by EBI
• Very large user community (~1 million users)
• Provide access to life science data (genomes, …) for many different sciences
• Users are not authenticated
  • many users find authN unacceptable
• Sensitive data (e.g. patient data) handled through special procedures (data custodian)
Lifewatch
• Axel Poigné, Fraunhofer
• Still in design phase – no decisions taken
• Present thoughts:
  – X.509 not appropriate
  – Use Shibboleth
    • Credential translation for access to Grid
    • OpenID complementary
HEP
• Maarten Litmaath, CERN
• Key technologies:
  – X.509, IGTF
  – VOMS
• Issues with Grid security
  – Certificates are difficult for users to handle
  – Proxy issues, use of primary FQANs
  – etc.
Other talks
• Moonshot: D. Kouril, CESNET
  • Goal: enable use of identity federations and SAML for non-web applications
  • Target core internet protocols: SSH, SMTP, IMAP, NFSv4, HTTP …
  • Started spring 2010
• Presentations of
  – IGI: V. Ciaschini, INFN
  – UK NGI: C. Devereux, STFC
Summary Findings (1/2)
• Different communities do have different requirements
• User-centric view is mandatory
  – Very large and very diverse user communities
  – Many users have “modest IT knowledge” and “limited enthusiasm for complex solutions”
Summary Findings (2/2)
• Key technologies
  – Federated identity / SAML / Shibboleth
    • With / without leveraging national AAIs
  – X.509 still basis for Grid technology
  – SLCS, MICS CA
  – Need novel ways to bridge security domains
    • ECP support in Shibboleth (useful for portals; Swiss Grid Portal project)
    • Security token service (work item in EMI)
    • Pseudonymity service (EMI)
    • Moonshot
• Key requirement for AA solutions:
  – Standards-based, interoperable
• Should be aware of time lag between development and deployment
• But if not all, then most roads lead to Rome