Globus Online: Globus Nexus (Steve Tuecke, Computation Institute)


  1. Globus Online: Globus Nexus. Steve Tuecke, Computation Institute, University of Chicago and Argonne National Laboratory

  2. Computation Institute (CI)
     • Apply to challenging problems
     • Accelerate by building the research cloud
     • Promulgate via new educational methods
     www.globusonline.org

  3. Apply computation: Examples
     [Figure: example projects. Recoverable labels: ASC FLASH; CIM-EARTH; CMTS (Center for multiscale theory and simulation); DTI for TBI (diffusion tensor imaging); ARTFL; Conte Center.]

  4. Accelerate discovery via research cloud
     • Millions of researchers worldwide need advanced IT to tackle important and urgent problems
     • The Research Cloud: accelerate discovery and innovation worldwide by providing research IT as a service

  5. Why SaaS?
     [Diagram labels: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS)]
     • Deliver advanced functionality that:
       – Requires no user software installation or operation
         • Minimal IT proficiency required
       – Can be cheaply and incrementally adopted
         • Usage-based subscription pricing; no big up-front costs
       – Consolidates troubleshooting and support
         • An expert group can proactively detect and correct problems
       – Utilizes an efficient software delivery lifecycle
         • Updates developed, tested and deployed quickly
     • Dominates commercial & consumer markets
       – What about the research market?

  6. Globus Transfer: For when you want to…
     • Transfer and synchronize files
       – Easy “fire-and-forget” transfers
       – Automatic fault recovery
       – High performance
       – Across multiple security domains
     • Minimize IT costs
       – Software as a Service (SaaS)
         • No client software installation
         • New features automatically available
       – Consolidated support & troubleshooting
       – Simple endpoint installation with Globus Connect and GridFTP
     >5,000 registered users, 6PB / 500M files transferred

  7. Globus Storage: For when you want to…
     • Place your data where you want
     • Access it from anywhere via different protocols
     • Update it, version it, and take snapshots
     • Share versions with who you want
     • Synchronize among locations
     [Diagram labels: Globus Transfer, HTTP/REST, Desktop sync; Globus Storage volume; National research center, Campus computing center, Commercial storage service provider]

  8. Globus Collaborate: For when you want to…
     Join with a few or many people to:
     • Share documents
     • Track tasks
     • Communicate
     • Share data
     • Work together
     With:
     • Common groups
     • Delegated management

  9. PaaS for Research
     [Diagram labels: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS)]
     • No one SaaS provider can deliver it all
     • Must create ecosystem that:
       – Allows any SaaS provider to easily participate
       – Dramatically reduces the cost of creating and operating services within the ecosystem
       – Provides seamless user experience across services
       – Agnostic to / works across any cloud IaaS provider
       – Integrates with (existing) research infrastructure
     • Ecosystem requires Platform as a Service
       – Target the unique needs of the research community

  10. Globus Integrate: For when you want to…
      • Integrate with the Globus research cloud ecosystem
      • Write programs that leverage:
        – user identities, profiles, groups (Globus Nexus)
        – data, compute and collaboration
        … via REST APIs and command line programs
      [Diagram labels: Globus Transfer, Globus Storage, Globus Collaborate, Globus Compute; Globus Connect Multi User; Globus Integrate; Globus Connect; Globus Nexus; Globus Toolkit]

  11. Globus Nexus: For when you want to…
      • Manage groups
      • Manage profiles
      • Manage identities

  12. Globus Nexus: Manage Identities
      • Nexus is a federated identity relying party
        – Multiple federated identities linked to Globus account
        – Supports: InCommon/CILogon, OpenID, MyProxy, OAuth for MyProxy
      • Nexus is a (federated) identity provider
        – Native or federated identity provider to Globus and 3rd party services
        – User authenticates to Globus account with username/password or via 3rd party federated identity provider
        – Uses OAuth 2 profile (future: SAML, OpenID?)
      • Auth provider for Globus REST APIs

  14. Globus Nexus use of OAuth 2
      • User authentication
        – Web browser:
          • Globus account name and password
          • Federated identity providers linked to Globus account
        – Native application:
          • RSA (using SSL key)
          • X.509 client auth
          • Username/password (Globus account, SAML ECP?)
      • Client authentication using RSA (SSL key)
        – Globus account name is valid client id
      • Bearer access token for resource access

  15. Delegated X.509 credential management
      • Various (Globus) services require delegated X.509 client credentials to access resources
      • Nexus federated authentication supports X.509 credential retrieval from OAuth for MyProxy
        – Authenticate with OAuth
        – Use access token to get X.509 credentials
        – E.g., CILogon, GCMU, XSEDE
      • Nexus REST API allows authorized services (OAuth clients) to get credential

  16. Integration of new and old
      [Diagram: Steps 1 to 11. Recoverable labels: Access Endpoints; CILogon; Redirect (OAuth); Globus Online (Hosted Service); SAML; InCommon IdP; Transfer request; Username/password; Certificate 1; Certificate 2; Globus Connect Multi-User; MyProxy Online CA; OAuth Server; GridFTP Server; Campus Cluster; PAM; Authentication & Data Transfer; Authorization; Access files; Local Authentication System (LDAP, RADIUS, Kerberos etc); Local Storage.]

  18. OAuth client vs resource
      • Globus Transfer is
        – OAuth client to Globus Nexus
        – OAuth resource provider to 3rd party client
      • Goal: Allow full participation by 3rd parties
        – Use Globus Online services as OAuth client
        – Use Globus Nexus OAuth as resource server
      • How to implement resource servers as a relying party to the Nexus OAuth service?
        – OAuth is silent on resource and OAuth server interaction
        – Make it easy for SaaS developers to use Nexus OAuth

  19. Delegated, scoped OAuth access
      • Ecosystem of communicating services
        – Any service can be client to any other service’s resource
        – Communication may be chained: user->s1->s2->s3
      • Use OAuth scope to limit resources accessible by an access token
        – Must maintain scope dependency tree
      • Delegation: client1 delegating to client2
        – Bearer access token can be passed from client1 to client2 for full delegation
        – Or, allow client1 access token to be used to retrieve a new authorization code with narrow scope that is passed to client2, which client2 uses to get its own access token

  20. Globus Nexus: Manage Groups
      • User centric group management
        – Create group
        – Set policies (e.g., visibility, admins)
        – Control admission workflows
      • Approach:
        – Keep identity issuance light-weight
        – Move vetting from identity creation to group admission
        – Allow each group to control own admission policy
      • REST APIs
        – Manage, query, etc.
        – Import/export (into specified identity namespace)

  21. Globus Nexus: Manage User Profiles
      • Attribute/value information associated with Globus account
      • Group admission can require an extensible set of attributes, which are drawn from and stored in the user profile
      • REST APIs
      • Future: Integrate with SAML attribute release and social network profiles

  22. Domestication
      • Goal: Common tools should be able to leverage federated identities, groups, profiles
        – Wikis, issue tracking, science gateways, etc.
      • Community effort to domesticate applications and services?
      • What APIs?
        – Identity: OAuth 2, SAML?, X.509 certs?
        – Groups: LDAP? REST?
        – Profile: OpenID Connect?

  23. For More Information
      • Visit https://www.globusonline.org/signup to:
        – Get a free account and start moving files
      • Visit www.globusonline.org for:
        – Tutorials, FAQs, Pro Tips, Troubleshooting
        – Papers, Case Studies
      • Contact support@globusonline.org for:
        – Help getting started & using the service
      • Follow us at @globusonline on Twitter and Globus Online on Facebook
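
The scope-limited delegation described on slide 19 (chained services, a scope dependency tree, and a narrower token for the next client), as an added example that is not part of the presentation and is not Globus Nexus code. The scope names, the dependency map and the `delegate` helper are hypothetical, and the authorization-code exchange is reduced to a single issuing function so the narrowing rule itself is visible.

```python
# Added illustration: scope names, service names and the dependency map are
# hypothetical; none of this is Globus Nexus code or its API.
from dataclasses import dataclass

# Scope dependency tree: exercising a scope on one service may require that
# service to call another service with the scopes listed here.
SCOPE_DEPENDS = {
    "s1:run": {"s2:transfer"},
    "s2:transfer": {"s3:read", "s3:write"},
    "s3:read": set(),
    "s3:write": set(),
}

def closure(scopes):
    """Return the scopes plus everything they transitively depend on."""
    seen, stack = set(), list(scopes)
    while stack:
        s = stack.pop()
        if s not in SCOPE_DEPENDS:
            raise ValueError(f"unknown scope: {s}")
        if s not in seen:
            seen.add(s)
            stack.extend(SCOPE_DEPENDS[s])
    return seen

@dataclass(frozen=True)
class Token:
    subject: str       # user the token acts for
    client: str        # client the token was issued to
    scopes: frozenset  # scopes granted directly

def delegate(parent, to_client, requested):
    """Issue a narrower token for to_client, derived from parent.

    The new token may carry only scopes that the parent's scopes imply
    through the dependency tree; anything else is an escalation.
    """
    requested = frozenset(requested)
    excess = closure(requested) - closure(parent.scopes)
    if excess:
        raise PermissionError(f"scope escalation: {sorted(excess)}")
    return Token(parent.subject, to_client, requested)

def chain_demo():
    """user -> s1 -> s2 -> s3, narrowing the scope at each hop."""
    t1 = Token("alice", "s1", frozenset({"s1:run"}))
    t2 = delegate(t1, "s2", {"s2:transfer"})
    t3 = delegate(t2, "s3", {"s3:read"})
    return t1, t2, t3
```

Passing the bearer token itself down the chain (the slide's "full delegation" option) would leave s3 holding `s1:run`; with narrowing, the token that reaches s3 carries only `s3:read`.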
