globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory
Computation Institute (CI) Apply to challenging problems Accelerate by building the research cloud Promulgate via new educational methods
Apply computation: Examples Understand supernovae to measure universe Extract meaning from scientific images DTI for TBI Diffusion tensor imaging ASC FLASH Transform digital media into art Create better models for climate & energy policy CIM-EARTH Map human knowledge in the humanities and science ARTFL CMTS Center for multiscale theory and simulation Conte Center Explain cellular structur
Accelerate discovery via research cloud Millions of researchers worldwide need advanced IT to tackle important and urgent problems The Research Cloud Accelerate discovery and innovation worldwide by providing research IT as a service
Why SaaS? Software-as-a-Service (SaaS) Platform-as-a-Service (PaaS) Deliver advanced functionality that: Requires no user software installation or operation Minimal IT proficiency required Can be cheaply and incrementally adopted Usage-based subscription pricing; no big up-front costs Consolidates troubleshooting and support An expert group can proactively detect and correct problems Utilizes an efficient software delivery lifecycle Updates developed, tested and deployed quickly Dominates commercial & consumer markets What about the research market? Infrastructure-as-a-Service (IaaS)
Globus Transfer: For when you want to Transfer and synchronize files Easy fire-and-forget transfers Automatic fault recovery High performance Across multiple security domains Minimize IT costs Software as a Service (SaaS) No client software installation New features automatically available Consolidated support & troubleshooting Simple endpoint installation with Globus Connect and GridFTP >5,000 registered users, 6PB / 500M files transferred 7
Globus Storage: For when you want to Place your data where you want Access it from anywhere via different protocols Update it, version it, and take snapshots Share versions with who you want Synchronize among locations Globus Transfer, HTTP/REST, Desktop sync Globus Storage volume Commercial storage service provider National research center Campus computin g center
Globus Collaborate: For when you want to Join with a few or many people to: Share documents Track tasks Communicate Share data Work together With: Common groups Delegated management
PaaS for Research Software-as-a-Service (SaaS) Platform-as-a-Service (PaaS) No one SaaS provider can deliver it all Must create ecosystem that: Infrastructure-as-a-Service (IaaS) Allows any SaaS provider to easily participate Dramatically reduces the cost of creating and operating services within the ecosystem Provides seamless user experience across services Agnostic to / works across any cloud IaaS provider Integrates with (existing) research infrastructure Ecosystem requires Platform as a Service Target the unique needs of the research community 10
Globus Integrate: For when you want to Integrate with the Globus research cloud ecosystem Write programs that leverage: user identities, profiles, groups (Globus Nexus) data, compute and collaboration Globus Transfer Globus Storage Globus Collaborate Globus Compute Globus Integrate Globus Toolkit Globus Connect Multi User Globus Connect Globus Nexus via REST APIs and command line programs
Manage groups Globus Nexus: For when you want to Manage profiles Manage identities 12
Globus Nexus: Manage Identities Nexus is a federated identity relying party Multiple federated identities linked to Globus account Supports: InCommon/CILogon, OpenID, MyProxy, OAuth for MyProxy Nexus is a (federated) identity provider Native or federated identity provider to Globus and 3 rd party services User authenticates to Globus account with username/password or via 3 rd party federated identity provider Uses OAuth 2 profile (future: SAML, OpenID?) Auth provider for Globus REST APIs 13
14
Globus Nexus use of OAuth 2 User authentication Web browser: Globus account name and password Federated identity providers linked to Globus account Native application: RSA (using SSL key) X.509 client auth Username/password (Globus account, SAML ECP?) Client authentication using RSA (SSL key) Globus account name is valid client id Bearer access token for resource access 15
Delegated X.509 credential management Various (Globus) services require delegated X.509 client credentials to access resources Nexus federated authentication supports X.509 credential retrieval from Oauth for MyProxy Authenticate with OAuth Use access token to get X.509 credentials E.g., CILogon, GCMU, XSEDE Nexus REST API allows authorized services (OAuth clients) to get credential 16
Integration of new and old Campus Cluster Step 1 Access Endpoints Step 3 Username password OAuth Server Redirect Step 2 Certificate 1 Step 4 Username password Certificate 1 Step 6 Globus Online (Hosted Service) Step 7 Step 8 Globus Connect Multi User Username password MyProxy Online CA Step 5 PAM Step 9 Transfer request Certificate 1 GridFTP Server Step 10 Authorization Access files Certifficate 1 Redirect Certificate 2 Transfer request Certificate 2 Step 11 certificates Authentication & Data Transfer CILogon (OAuth) SAML InCommon IdP GridFTP Server Campus 2 Local Authentication System (LDAP, RADIUS, Kerberos etc) Local Storage
18
OAuth client vs resource Globus Transfer is OAuth client to Globus Nexus OAuth resource provider to 3 rd party client Goal: Allow full participation by 3 rd parties Use Globus Online services as OAuth client Use Globus Nexus OAuth as resource server How to implement resource servers as a relying party to the Nexus OAuth service? OAuth is silent on resource and OAuth server interaction Make it easy for SaaS developers to use Nexus OAuth 19
Delegated, scoped OAuth access Ecosystem of communicating services Any service can be client to any other service s resource Communication may be chained: user->s1->s2->s3 Use OAuth scope to limit resources accessible by an access token Must maintain scope dependency tree Delegation: client1 delegating to client2 Bearer access token can be passed from client1 to client2 for full delegation Or, allow client1 access token to be used to retrieve a new authorization code with narrow scope that is passed to client2, which client2 20 uses to get its own access token
Globus Nexus: Manage Groups User centric group management Create group Set policies (e.g., visibility, admins) Control admission workflows Approach: Keep identity issuance light-weight Move vetting from identity creation to group admission Allow each group to control own admission policy REST APIs Manage, query, etc. Import/export (into specified identity namespace) 21
Globus Nexus: Manage User Profiles Attribute/value information associated with Globus account Group admission can require an extensible set of attributes, which are drawn from and stored in the user profile REST APIs Future: Integrate with SAML attribute release and social network profiles 22
Domestication Goal: Common tools should be able to leverage federated identities, groups, profiles Wikis, issue tracking, science gateways, etc. Community effort to domesticate applications and services? What APIs? Identity: OAuth 2, SAML?, X.509 certs? Groups: LDAP? REST? Profile: OpenID Connect? 23
For More Information Visit https:///signup to: Get a free account and start moving files Visit for: Tutorials, FAQs, Pro Tips, Troubleshooting Papers, Case Studies Contact support@globusonline.org for: Help getting started & using the service Follow us at @globusonline on Twitter and Globus Online on Facebook 24