the identity challenge in science - nitrd · pdf file• developersof collaborave+...
TRANSCRIPT
![Page 1: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/1.jpg)
www.ci.anl.gov www.ci.uchicago.edu
1
• Developers of collabora7ve science tools, applica7ons, and cyberinfrastructures need to: – Assign iden))es to their users – Manage user profiles – Organize users into groups for authoriza7on
• Providing high-‐quality implementa)ons of such capabili7es is challenging – Complexity of associated security protocols – Reliability, availability, scalability, security are all hard
• The result is many iden)ty ‘islands’ across science domains and projects—oGen poorly implemented
The iden7ty challenge in science
![Page 2: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/2.jpg)
www.ci.anl.gov www.ci.uchicago.edu
2
Sharing Service
Transfer Service
Globus Toolkit
Glo
bus
Onl
ine
API
s
Glo
bus
Con
nect
Streamline collabora7ve tool development
Globus Nexus (Identity, Group, Profile) Globus Nexus
(Identity, group, & profile management)
Custom Web Application
• Allows developers to focus on core applica7on logic
• Simplifies integra7on with campus infrastructure
![Page 3: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/3.jpg)
www.ci.anl.gov www.ci.uchicago.edu
3
Nexus provides four key capabili7es • Iden)ty provisioning
– Create and manage Globus iden77es • Iden)ty hub
– Link with other iden77es; use to authen7cate to Nexus and other services
• Group hub – User-‐managed group crea7on, management; groups can be used for authoriza7on
• Profile management – User-‐managed profile aTributes and visibility; can be used in group admission
I
I I I
I
I a b
I
UV
G
![Page 4: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/4.jpg)
www.ci.anl.gov www.ci.uchicago.edu
4
Iden7ty provisioning
• Globus Nexus can act as an iden7ty provider (IDP) for a project – User management, email valida7on…
• DOE Systems Biology Knowledge Base (kBase) is an example of such a project. ~400 iden77es to date
I
![Page 5: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/5.jpg)
www.ci.anl.gov www.ci.uchicago.edu
5
Iden7ty hub
• Link iden))es from other federated IDP(s) with a Nexus iden7ty – E.g., InCommon (SAML), Google (OpenID), XSEDE (OAuth MyProxy), IGTF-‐cer7fied X.509 CA, SSH
• Use linked iden)ty to authen7cate to Nexus as the Nexus iden7ty (e.g., use campus iden7ty)
• Leverage Nexus federated IDP to 3rd-‐party services – Via Oauth or LDAP – E.g., to XSEDE, Jira, Zendesk, Drupal, Globus data management, Confluence
• Have Nexus cache delegated creden)als – X.509, via CILogon, MyProxy
I I I
I
![Page 6: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/6.jpg)
www.ci.anl.gov www.ci.uchicago.edu
6
Iden7ty hub management
![Page 7: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/7.jpg)
www.ci.anl.gov www.ci.uchicago.edu
7
• Dr. Smith creates a BIRN id (Nexus id via BIRN-‐tailored interface)
• Dr. Smith links campus id and XSEDE id • Dr. Smith can then:
– Authen7cate to BIRN with campus id – Query catalog (Nexus/BIRN id) – Request data transfer from BIRN to campus (Nexus and campus ids)
– Request transfer from BIRN to XSEDE (Nexus and XSEDE ids)
– Repeat these tasks: use cached creden7als
(BIRN=Biomedical Informa7cs Research Network)
BIRN Gateway
Campus (SAML)
BIRN Campus
Campus identity Nexus
identity
Name: Dr. Smith Email: [email protected]
Name: Dr. Smith Email: [email protected] Linked id: Campus Linked id: XSEDE
XSEDE
OAuth XSEDE identity
Iden7ty hub: Biomedical science
![Page 8: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/8.jpg)
www.ci.anl.gov www.ci.uchicago.edu
8
Use linked iden7ty
8
![Page 9: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/9.jpg)
www.ci.anl.gov www.ci.uchicago.edu
9
Group hub
• User-‐managed group crea7on, management • Flexible control over admission policies and visibility • Groups can be used in authoriza7on decisions
9
Example: kBase • Every kBase user
added to kbase_users • Subgroups also
created • Groups used for
access control
I
UV
G
![Page 10: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/10.jpg)
www.ci.anl.gov www.ci.uchicago.edu
10
Group membership interface
10
![Page 11: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/11.jpg)
www.ci.anl.gov www.ci.uchicago.edu
11
Branded sites
Open Science Grid University of Chicago XSEDE
DOE kBase Indiana University University of Exeter
Globus Online NERSC NIH BIRN
![Page 12: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/12.jpg)
www.ci.anl.gov www.ci.uchicago.edu
12
Implementa7on and deployment
Elas7c Load Balancer
Monitoring
Logging
OSSEC
Nexus
REST API Web
Nexus
REST API Web
Nexus
REST API Web
![Page 13: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/13.jpg)
www.ci.anl.gov www.ci.uchicago.edu
13
Globus Nexus usage as of 9/13
• >12,000 users and 4977 linked iden77es
• 557 groups totaling: – 1638 ac7ve members – 229 pending or invited members
– 162 rejected or suspended members
• Largest group (kbase) has 402 members
0
2,000
4,000
6,000
8,000
10,000
12,000
14,000
Nov-‐10
Feb-‐11
May-‐11
Aug-‐11
Nov-‐11
Feb-‐12
May-‐12
Aug-‐12
Nov-‐12
Feb-‐13
May-‐13
Aug-‐13
Total users
1
10
100
1000
1 21 41 61 81 101 121
Users in group
![Page 14: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/14.jpg)
www.ci.anl.gov www.ci.uchicago.edu
14
User profiles
• Profile = set of aTributes/values about a user – E.g., name, email, address, field of science, etc.
• Types of profile aTributes: – Self-‐asserted (e.g., name) – Validated (e.g., email, linked iden7ty) – Asserted by other user
• Sources of profile aTributes: – Social sites (e.g., LinkedIn, Facebook, Google+) – Campus Shibboleth servers – Nexus users
![Page 15: The identity challenge in science - NITRD · PDF file• Developersof collaborave+ science+tools,+ applicaons,+and+cyberinfrastructures+n eed+to:](https://reader033.vdocuments.us/reader033/viewer/2022051717/5a7044797f8b9a93538bd449/html5/thumbnails/15.jpg)
www.ci.anl.gov www.ci.uchicago.edu
15
Iden77es and groups in XSEDE • Proposal: Replace current ad-‐hoc systems with Globus Nexus iden7ty and group service – Reduce complexity, reduce cost, increase capability
• Careful process of documenta7on and review – “Architecture and development requirements: User and iden7ty management”
– “User management proposal: Affected use cases” – “User management proposal: Mo7va7ng stories” – “Proposal: Refactoring XSEDE iden7ty and group capabili7es”
• Hope to reach closure by end of 2013