Identity management in the European Grid Infrastructure (PowerPoint presentation, slide transcript)


  1. EGI-InSPIRE
     Identity management in the European Grid Infrastructure: established solutions, new needs, open questions
     Gergely Sipos, Technical Outreach Manager, EGI.eu, Amsterdam, gergely.sipos@egi.eu
     Identity Management for research and collaboration Workshop 1, Utrecht, 6-7 September 2012 (http://www.terena.org/activities/vamp/ws1/)
     www.egi.eu EGI-InSPIRE RI-261323

  2. Outline
     • European Grid Infrastructure - intro
     • AAI in the 'grid middleware' – X509 variants
     • FIM in EGI
       – NGIs' readiness
       – Bridging solutions
       – Pilots, production systems
       – FIM and the EGI Federated Cloud
     • Conclusions

  3. The EGI Ecosystem (diagram)
     Actors: User Community (VRC: Virtual Research Community; VO: Virtual Organisation; example: TRANSfoRm), EGI.eu foundation, National Grid Initiatives (NGIs, ~45), Resource & service providers, Technology providers (grid middleware, cloud provider software, strategic SW), European Commission, National Research Councils, Public Funding Bodies, EGI-InSPIRE.
     Arrows between them are labelled: policies, funding, requirements, services, feedback, support.

  4. EGI's Strategic Focus (http://go.egi.eu/EGI2020)
     • Operational Infrastructure
       – Operate a European-wide infrastructure
       – Offer its use to other research infrastructures
       – Build a federated cloud environment
     • Virtual Research Environments (VREs)
       – Support the development, integration & operation of community/project/domain-specific services
     • Community & Coordination
       – Community building through events
       – Community networking through the NGIs

  5. Installed capacity (Apr '12)
     Metric           | Value (yearly increase)
     Sites            | 326 (+3%)
     Nb. of CPU cores | 270,800 (+31%)
     Disk             | 139 PB (+31%)
     Tape             | 134 PB (+50%)

  6. Capacity usage (May 2011 - April 2012)
     Metric                                      | Value (yearly increase)
     CPU time, total (billion HEP-SPEC06 hours)  | 10.5 (+52.91%)
     Computing jobs, total (million)             | 492.5 (+46.42%)
     Computing jobs, average jobs/day (million)  | 1.35
     Callout on the slide: the increase coincides with the first runs of the Large Hadron Collider.
     % of total consumed CPU time by discipline: High-Energy Physics 93.60%; Astronomy and Astrophysics 2.25%; Life Sciences 1.30%; Various disciplines 1.23%; Remaining disciplines 1.62%

  7. Software Provisioning (diagram, dated 30/05/2012)
     • EGI Technology Roadmap
     • External Technology Providers: EMI, IGE, SAGA (cluster grids); EDGI (desktop grids)
     Diagram boxes: Software Requirements, Operations Criteria, Criteria Definition, Criteria Verification, Staged Rollout, Production, Deployed Software, SU Provisioning Infrastructure.

  8. AAI in the 'grid middleware-based EGI'
     Grid = federated resources exposed for controlled sharing via middleware services
     Nb. of users: ~20,000 in total
     – X.509 personal certificates (tens of thousands)
       • From IGTF CAs
       • From Terena Certificate Service (federated request)
     – Limited certificates (thousands)
       • Restricted in lifetime and/or infrastructure coverage
       • E.g. GILDA CA (http://gilda.ct.infn.it/certification-authority)
       • E.g. Swiss Short Lived Credential Service (SLCS)
     – Robot certificates (hundreds of users, <100 robots)
       • Identify applications (often portals) instead of users
       • Growing popularity and availability
       • https://wiki.egi.eu/wiki/Robot_certificates
       • https://wiki.egi.eu/wiki/EGI_robot_certificate_users

  9. AAI Challenges
     • EGI requirements for a generic AAI:
       – Geographical coverage, science discipline coverage, scalability, robustness, simplicity, sustainability, compatibility with VRE & EGI operations services
     • X.509 meets all but one: simplicity. How can X.509-based infrastructures be simplified for users?
       – MyProxy, online CAs, Terena CAs, robot certificates, ... and ... federated identity management

  10. Solutions - issues
     Solution to simplify access | Problem with the solution
     MyProxy | Certificate management issues remain
     Terena CAs | (Most of the) certificate management issues remain; limited coverage (geographical & discipline)
     Robot certificates | Auth & logging responsibilities move to portals; users become invisible to the infrastructure; for certain types of applications only
     Short lived credential services (SWITCH SLCS, IGI Online CA) | Limited geographical coverage
     • Is Federated Identity Management a better alternative?
       • User communities say YES (FIM workshops & paper)
       • Are the NGIs ready for adopting FIM?
     EGI Virtual Team project: assess the readiness of the NGIs in adopting FIM mechanisms: https://wiki.egi.eu/wiki/VT_Federated_Identity_Providers_Assessment

  11. FIM assessment - EGI Virtual Team project
     • Participants from Czech, French, Italian, Irish, Swiss NGIs + EGI.eu
     • Defined, then filled a survey:
     Country | Are personal e-science certificates from Terena Certificate Service (TCS) available in the NGI? | Are the Grid institutions of the NGI in the national TCS federation? | Are the institutions of the potential users of your NGI eligible for certificates from TCS? | Are there other relevant 'federated identity' based authentication services available in the NGI?
     Ireland | No (but server certificates are) | N.A. | N.A. | Exploring possibilities of a SLCS CA
     Czech Rep. | Yes | All major but one (ongoing) | Partly | No
     France | No | N.A. | N.A. | No
     Switzerland | No | N.A. | N.A. | SLCS (IGTF accredited)
     Italy | Yes | Most | Partly | Preparing a MICS CA
     Callout on the slide: the Identity Federations of the NRENs are similarly exclusive.
     https://wiki.egi.eu/wiki/VT_Federated_Identity_Providers_Assessment

  12. Possibilities for FIM integration with EGI
     1. Middleware services 'speak' FIM (accept SAML assertions)
        • External technology providers! EMI & IGE plans are under development
          – EMI MJRA1.12 (Common Security Architecture Assessment)
        • Accounting systems must also be adapted (SAML identity → certificate DN)
     2. FIM-X509 bridging – mapping a SAML identity to an X509 credential
        Various solutions, in routine usage:
        1. GridCertLib & SLCS (Swiss portals)
        2. Online CA (portal for the Italian Grid Infrastructure)
        3. Catania Science Gateway framework (various science gateways)
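Added example, not from the slides or any of the bridges they name: the checks a FIM-X509 bridge has to make on an incoming SAML assertion before minting a short-lived credential (trusted issuer, validity window, audience), followed by the deterministic mapping of the eduPersonPrincipalName to a certificate DN that an accounting system can key on. The IdP and SP entityIDs, the DN prefix and the sample assertion are all constructed; XML signature verification is assumed to have been done by the SAML stack before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"           # eduPersonPrincipalName
TRUSTED_IDP = "https://idp.example.org/idp/shibboleth"  # assumed IdP entityID
SP_ENTITY_ID = "https://slcs.example.org/sp"            # assumed bridge (SP) entityID
DN_PREFIX = "/DC=org/DC=example-slcs"                   # assumed CA namespace
# Constructed sample assertion; its XML signature is assumed verified upstream.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2012-09-06T09:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2012-09-06T08:59:00Z" NotOnOrAfter="2012-09-06T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://slcs.example.org/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assertion_to_dn(xml_text, now, audience=SP_ENTITY_ID):
    """Check issuer, validity window and audience, then map the eppn to a DN; raise on any failure."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise ValueError("issuer is not a trusted IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no Conditions element")
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not addressed to this bridge")
    eppn = None
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EPPN_OID:
            eppn = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not eppn or "/" in eppn:  # a '/' in the value would inject extra DN components
        raise ValueError("no usable eduPersonPrincipalName")
    # The same eppn always yields the same DN, which is what accounting records key on.
    return "%s/CN=%s" % (DN_PREFIX, eppn)

def try_bridge(now_iso, audience=SP_ENTITY_ID):
    """Run the sample assertion through the checks; returns ('ok', dn) or ('rejected', reason)."""
    try:
        return ("ok", assertion_to_dn(SAMPLE_ASSERTION, parse_time(now_iso), audience))
    except ValueError as exc:
        return ("rejected", str(exc))
```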

  13. GridCertLib & SLCS (diagram)
     Flow: SAML assertion from FIM login → SLCS → SLCS certificate (~11 days) → GridCertLib (Java library) + VOMS → grid proxy (with VOMS), used by some web portal, for example WS-PGRADE. Fixed VO, unique user ID.
     Contacts: Sergio Maffioletti (sergio.maffioletti@gc3.uzh.ch) – GridCertLib; Zoltán Farkas (zoltan.farkas@sztaki.mta.hu) – WS-PGRADE

  14. Online CA for the IGI Portal (diagram)
     Components: user's browser (web page, pop-up window) → IGI Portal → CA bridge → CA backend → MICS certificate (13 months) → MyProxy; IGI IDEM Federation (Italian); VOMS. Fixed VO, unique user ID.
     Alternative: certificate into the browser. Plan: IGTF accreditation.
     Contact: Marco Bencivenni (marco.bencivenni@cnaf.infn.it)

  15. Catania Science Gateway framework (diagram)
     Components: SAML assertion from FIM login → Portal → eToken server (robot certificate, SLCS certificate) + VOMS → grid proxy (with VOMS). Fixed VO, fixed user ID; user tracking & logging.
     Contact: Roberto Barbera (roberto.barbera@ct.infn.it)

  16. EGI-InSPIRE activities 1.
     • Make NGIs aware of available (bridging) solutions and the existing gaps – so these can get filled!
       – June 2012: 'Authentication solutions in EGI' report, https://documents.egi.eu/document/1178
       – August 2012: Blog post series, http://www.egi.eu/blog/2012/08/09/federated_identity_management.html
       – September 2012: AAI workshop
         • Prague, 19th of September: http://go.egi.eu/aaiworkshop
       – December 2012 (approx.): Science Gateway Primer
         • 'Manual for portal developers' – written by an EGI Virtual Team project
         • Chapter on integrating science gateways with identity federations
         • https://wiki.egi.eu/wiki/VT_Science_Gateway_Primer

  17. AAI workshop + Discussion (16:00-17:30)

  18. EGI-InSPIRE activities 2.
     • Facilitate federated services – pilot & production services
       – AAI pilot for EGA
       – GrIDP federation
       – FIM authentication in the EGI Federated Cloud

  19. AAI Pilot: European Genome-phenome Archive (EGA) (diagram)
     Flow: a user logged in from the HAKA identity federation requests access to dataset X at the EGA portal; the Data Access Committee grants access and updates the policy (SPL) via the Argus PAP administration CLI; the EGA portal and the dataset API (PEP) obtain authorization info from Argus before executing the request and providing the dataset.

  20. Grid Identity Pool (GrIDP) federation
     EGI.eu Single Sign On (~1700 users at the moment)
