Diamond Moonshot Pilot Participation

Transcription

1 Diamond Moonshot Pilot Participation Presentation to Networkshop43 Bill Pulford, Scientific I.T. Coordinator Diamond Light Source Exeter, April 1st 2015 Acknowledgements Stefan Paetow (Janet/UK), DLS System Administrators

2 Outside Inside The Diamond Light Source

3 Diamond Beamlines

4 Examples of science Structure of the Histamine H1 receptor Bio-mimetics Tunable polymers Understand rejection in hip implants Improving nutritional quality in wheat Casting aluminium

5 No. users with fedids Some Diamond Statistics Exp. Sessions 2014 Unique s 2014 ~8500 > 2000 ~ 2800 > 7700 sessions 2014 Evolution of data volumes - current volume = 3.012Pb, number of files = 782,921,258 Data points from February 2015

6 Common users between facilities (2012)

7 Umbrella

8 Diamond Single Sign On Requirements The principal base requirements of any system chosen should include: Our users should see no degradation of the services that we already provide; i.e. both authenticate via web interfaces and actually login to beamlines to collect or analyse data.. Scientists can work together in teams with each member choosing their own SSO method. Involve minimal coding or infrastructure changes on the part of the facility Provide adequate security from external interference. Enable transparent access to remote computing and other resources and eliminate unnecessary data transfers Facilitate integration of external proposal submission schemes into the local Office administration software.

9 Diamond SSO - Web and Interactive Session Web login using the added IdP: Umbrella allows provides users with a unique, persistent iden<ty allows them login to the web sites at any of the par<cipa<ng facili<es and have access to the services offered. Interac<ve session crea<on with added IdP and Moonshot (now JISC Assent) Service now provided live by Janet UK in associa<on with a number of interna<onal educa<onal networks and with such EU projects such as GEANT. This allows the use of your Umbrella ID actually to login to beamline computers. i.e. I could use bpjep1@umbrellaid.org to login to a beamline at DLS and perhaps another simultaneously at a collabora<ng facility and acquire and/or analyse data

10 Future Authentication 1) Fedid -Diamond, CLF and ISIS - The users do not like the usernames and password. 2) Umbrella - Part of PANdata involving most large facilities in Europe. 3) EDURoam -. Uses the Radius server not Moonshot but limited security. Chargeable Identifier or CUI must be returned to identify requesting user.

11 Diamond s Moonshot progress history Completed: Connected Moonshot point of contact with eduroam authentication (June 2013) Added Umbrella as additional authentication source to PoC (late Aug 2013) Published Jasig CAS ABFAB authenticator on Maven Central (Nov 2013) Built Shibboleth ECP client together with DARIAH-DE (Dec 2013/Jan 2014) Launched pilot beamline with Moonshot + Umbrella using above (March 2014) Joined trust router network (September 2014) To do: Adapt the UAS to allow users to add/remove/modify account mappings (between home organisation and fedid). 1. Allow users possibly to pre-authorise themselves with their home account so that when a fedid is assigned, it is automatically assigned to all user mappings that have been added 2. Allow Office admins to delete/de-authorise mappings directly 3. Enable search on mappings (e.g. to allow administrators to find a user rapidly.) Update the Diamond CAS ABFAB Authentication client to bring it to comply with the Moonshot specifications. 1. Needs to be able to do channel bindings and assure internal security such as destroying username/password combo as soon as possible. 2. Exposure of all the attributes that are sent by a SAML assertion to the client if necessary 3. Correct the ownership of ABFAB client and Shibboleth ECP clients with DARIAH-DE.to DLS

12 Exploiting SSO Wirele ss Acces s Point Wirele ss Acces s Point Computer Computer ESRF Beamline Computer Computer Diamond Beamline System Linu x PC PSI Switzerland Diamond UK Wirele ss Acces s Point Computer Computer System Linu x PC 1000Base T or faster Authenticate Once Only System Linu x PC 1000Base T or faster 1000Base T or faster Linux Intrument Control Local Processing (Cluster) Linux Intrument Control Local Processing (Cluster) Linux Intrument Control Local Processing (Cluster) Disk array Disk array Central CPU cluster Central CPU cluster Central CPU cluster Data Store Data Store Data Store A user can perform the entire experimental process from proposal submission through data acquisition, data analysis to publication using one set of credentials. The diagram shows data acquisition at one facility while consulting data at another and using CPU resources of a third. Disk array Soleil Beamline Soleil France

13 Integrating External Proposal Submission

14 Possible project hierarchy

15 Industrial Futures Academic Dept. Dept. Site Site Facility 1 Interact High Power Cluster Data Repository Facility 2 Cloud Site Publisher ORCHID/ Openaire 15

16 Thank you all

17 The Umbrella Project Authentication The minimum user information possible is stored centrally to avoid Data Protection issues. The Authentication is done by the user logging into the Umbrella central site currently umbrellaid.org to generate a Shibboleth token. Authorization is delegated to the facility site. Minimum information necessary

18 Umbrella

19 Moonshot work at Diamond RADIUS uses for authentication PaNdata Umbrella IDs become DLS FedIds become Optionally, allow access as FedId as usual (no realm) SSH access with either Moonshot ID card UI or file-based user credentials Web access through CAS with format + password Eventual console access same as CAS

20 What is ABFAB? Federated Identity for AuthN/AuthZ for any application/ service Designed to take the best of breed of existing technologies, giving: Security Flexibility / wide scope Ease of integration Scaling

21 Fundamentals of ABFAB ABFAB builds on AAA technologies EAP (RFC 3748): strong & extensible mutual authentication RADIUS (RFC 2865) / RadSec (RFC 6614): federation between domains To this, ABFAB adds SAML (OASIS standard), for rich authorisation semantics Integration using operating system security APIs SSPI: Windows GSS-API (RFC 2078): Other operating systems SASL (RFC 4422): Windows and other operating systems