EUDAT & AAI
Daan Broeder, MPI for Psycholinguistics
Initially six research communities on board:
- EPOS: European Plate Observing System
- CLARIN: Common Language Resources and Technology Infrastructure
- ENES: Service for Climate Modelling in Europe
- LifeWatch: Biodiversity Data and Observatories
- VPH: The Virtual Physiological Human
- INCF: International Neuroinformatics Coordinating Facility
Communities and Data Centers
- Identifying basic requirements
- Identifying commonalities and common data services
EUDAT's Mission: a Collaborative Data Infrastructure
[Figure: layered CDI model]
- Data generators and users: user-focused functionality, data capture & transfer, VREs
- Trust, data curation, support services: data discovery & navigation, workflow creation, annotation, interpretability
- Common data services: persistent storage, identification, authenticity, workflow execution, mining
EUDAT services
- Metadata Catalogue: aggregated EUDAT metadata domain, data inventory
- Safe Replication: data curation and access optimization
- Data Staging: dynamic replication to an HPC workspace for processing
- Simple Store: researcher data store (simple upload, share and access)
- AAI: network of trust among authentication and authorization actors
- PID: identity, integrity, authenticity, locations (the PID record points to metadata and data)
EUDAT services under evaluation
- EUDAT Box: dropbox-like service for easy sharing and local syncing; syncs a file system with central storage; supports collaborative work; we have only started thinking about AAI for it
- Semantic Annotation: checking & referencing
- Dynamic Data: immediate handling; manage unfinished datasets (sensor data, surveys, ...); metadata for dynamic data; cite / point to it using PIDs
Which EUDAT services need AAI?
- B2SHARE: "YouTube for scientists", catering for long-tail data; uses its own user store
- B2SAFE: iRODS & icommands, HTTP API. Data replicas are stored at data centers, many of which offer access through GridFTP or iRODS & icommands: X.509-based access, with the certificate subject carrying the AUTZ attributes. This is not interesting for many communities, which prefer HTTP: an HTTP API via OAuth or certificate-based tokens
- B2DROP (no logo yet): based on PowerFolder, supporting local/LDAP/SSL, RADIUS and Shibboleth authentication
Possible AAI strategies & considerations
1. Solve everything for everyone
2. Solve many things for many people
3. Give precedence to the needs of non-IT-savvy communities
4. Rely on supported software requiring minimal adaptations
5. Avoid necessary adaptations for the communities
6. Avoid the need for new central DBs
EUDAT initially went for 1 and 5.
[Figure: credential conversion architecture. Heterogeneous IdPs (IdP A with X.509, IdP B, IdP D with OpenID) feed a zoned credential conversion service that issues consolidated EUDAT credentials with unique user IDs, mapped project-wise to attribute-based access control information. The AuthZ attribute providers (AtP 1, AtP 2, AtP 3) are either community-managed or reuse the attributes provided by the user's home IdP.]
Providing access to a replica DO also requires the availability of AUTZ information, from a reliable central authority
- Communities want to control their own AUTZ
- A central AUTZ service is synchronized with center- and community-specific authorization
[Figure: central EUDAT AUTZ service (XACML) synchronized with the AUTZ of center A; DOs replicated at data centers X and Y.]
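The X.509-versus-HTTP point two slides up and the central XACML AUTZ service here share one mechanism: whatever the credential, the service ends up with a bag of subject attributes that a policy decides on. The following is an added example, not EUDAT code, showing both credential shapes (a certificate subject DN whose OU components carry project membership, and SAML eduPerson attributes released by a home IdP) normalised into one attribute set and evaluated by a small XACML-style policy decision point with deny-overrides combining. The RDN and entitlement conventions, the project and role names, and the policy itself are assumptions made for this example; only the eduPerson attribute names and the XACML decision semantics are real.

```python
"""Attribute-based access control for replicated digital objects (DOs).

Added example, not EUDAT code: an X.509 subject DN carrying AUTZ attributes
and a SAML attribute set from a home IdP are normalised into one attribute
bag and evaluated by a small XACML-style PDP (deny-overrides combining).
Attribute conventions, project names and the policy are constructed here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Attrs = Dict[str, Set[str]]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """RFC 4514 string DN -> ordered (TYPE, value) pairs. A backslash escapes
    the next character, so 'CN=Alice\\, Dr' is one RDN (hex escapes not handled)."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    if escaped:
        raise ValueError("dangling escape at end of DN")
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def attrs_from_x509_subject(dn: str) -> Attrs:
    """Constructed convention: CN names the user, each OU is one project."""
    attrs: Attrs = {"user": set(), "project": set(), "role": set()}
    for attr_type, value in parse_dn(dn):
        if attr_type == "CN":
            attrs["user"].add(value)
        elif attr_type == "OU":
            attrs["project"].add(value.lower())
    return attrs


ENTITLEMENT_PREFIX = "urn:mace:eudat.example:"  # constructed URN namespace


def attrs_from_saml(assertion: Dict[str, List[str]]) -> Attrs:
    """eduPerson attribute names are real; the entitlement layout
    '<prefix>project:<p>' / '<prefix>role:<r>' is constructed for the example."""
    attrs: Attrs = {"user": set(), "project": set(), "role": set()}
    attrs["user"].update(assertion.get("eduPersonPrincipalName", []))
    for ent in assertion.get("eduPersonEntitlement", []):
        if not ent.startswith(ENTITLEMENT_PREFIX):
            continue  # entitlements from other namespaces carry no meaning here
        kind, _, value = ent[len(ENTITLEMENT_PREFIX):].partition(":")
        if kind in ("project", "role") and value:
            attrs[kind].add(value.lower())
    return attrs


@dataclass(frozen=True)
class Rule:
    effect: str                                # "Permit" or "Deny"
    action: Optional[str]                      # None matches any action
    condition: Callable[[Attrs, Attrs], bool]  # (subject, resource) -> bool


def decide(policy: List[Rule], subject: Attrs, action: str, resource: Attrs) -> str:
    """XACML deny-overrides: any applicable Deny wins, else Permit, else NotApplicable."""
    effects = {r.effect for r in policy
               if r.action in (None, action) and r.condition(subject, resource)}
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"


# Central policy; communities exercise control through the project/role attributes.
POLICY: List[Rule] = [
    Rule("Deny", None, lambda s, r: "embargoed" in r["flags"] and "curator" not in s["role"]),
    Rule("Permit", "read", lambda s, r: bool(r["project"] & s["project"])),
    Rule("Permit", "write", lambda s, r: bool(r["project"] & s["project"]) and "curator" in s["role"]),
]


def demo() -> Dict[str, str]:
    """Decisions for a few constructed requests."""
    alice = attrs_from_x509_subject("CN=Alice\\, Dr,OU=clarin,O=EUDAT,C=EU")
    bob = attrs_from_saml({
        "eduPersonPrincipalName": ["bob@example.edu"],
        "eduPersonEntitlement": ["urn:mace:eudat.example:project:enes",
                                 "urn:mace:eudat.example:role:curator",
                                 "urn:mace:dir:entitlement:common-lib-terms"],
    })
    open_clarin = {"project": {"clarin"}, "flags": set()}
    embargoed_enes = {"project": {"enes"}, "flags": {"embargoed"}}
    return {
        "alice_read_clarin": decide(POLICY, alice, "read", open_clarin),
        "alice_write_clarin": decide(POLICY, alice, "write", open_clarin),
        "alice_read_enes": decide(POLICY, alice, "read", embargoed_enes),
        "bob_write_enes": decide(POLICY, bob, "write", embargoed_enes),
        "bob_read_clarin": decide(POLICY, bob, "read", open_clarin),
    }
```

Call `demo()` to see the decisions. Two details matter in practice: the embargo rule is a Deny that applies regardless of action and beats any Permit, and a subject whose credential carries no matching project attribute gets NotApplicable rather than Deny, so the enforcement point must treat anything other than Permit as a refusal.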
EUDAT solution 1
- Communities use Shibboleth, X.509, ...: need for an identity/credential conversion to a single EUDAT identity
- In the federated identity management (SAML) world this also requires a central user store, since no globally unique user id is available (e.g. the eptid attribute is released per service provider)
- Experimented with Contrail (cloud federation computing project, ran from 2010 until Jan 2014): homeless IdP, Web2nonWeb bridge (e.g. OAuth, SLCS), EUDAT credentials
- Unfortunately insufficient results: the necessary seeding of the Contrail DB with user records was problematic; AUTZ was never proved working for any EUDAT community; the Contrail software is no longer supported
[Figure: Contrail-based architecture. Identity side: eduGAIN or ESFRI SPFs (Haka federation, DFN-AAI federation, SIR.es federation). AAI services provided by the EUDAT centers to the EUDAT communities: Contrail homeless (IdP for the homeless users), Web2nonWeb (bridge to non-web services), a Contrail database that stores everything, management (for community memberships), REMS service (for dataset access rights). Community services: CLARIN, ENES, EPOS.]
EUDAT solution 2
- Currently experimenting with Unity (Cloud Identity and Federation Management), part of the UNICORE grid middleware stack: homeless IdP, Web2nonWeb bridge (e.g. SLCS, for now via Contrail), EUDAT credentials
- Results seem better; promised: automatic EUDAT credential creation at first login; easy promotion from homeless to external authentication; Unity-only solution in the making (SLCS); supported (if necessary) as part of the UNICORE stack
EUDAT solution 3
- Nevertheless, after the Contrail experience we need to be careful; perhaps simple, limited but proven solutions can be considered
- More community-centric: rely on SAML federations only, requiring eppn, with a homeless IdP as the alternative
- Web2nonWeb (e.g. X.509) should be delivered by those services that require it
[Figure: simpler distributed approach. Identity side: eduGAIN + ESFRI SPFs (Haka federation, DFN-AAI federation, SIR.es federation). AAI services provided by the EUDAT centers to the EUDAT communities: Orphanage (IdP for the homeless users), Web2nonWeb (bridge to non-web services), management (for community memberships), REMS service (for dataset access rights); no central database that stores everything. Community services: CLARIN, ENES, EPOS.]
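Solutions 1 to 3 all turn on the same question: how to derive one EUDAT identity from logins that arrive through different IdPs. The added example below (not EUDAT, Contrail or Unity code) illustrates the identifier problem named under solution 1, that an eptid is released per service provider so two EUDAT services cannot recognise the same user without a central store, next to the eppn-based approach of solution 3 and the promotion of a homeless account to federated authentication promised under solution 2. Entity IDs, user names, the simulated IdP secret and the registry API are constructed for the example; only the eduPerson attribute names and the way Shibboleth derives a targeted id are real.

```python
"""One EUDAT identity from SAML-federated and 'homeless' logins.

Added example, not EUDAT, Contrail or Unity code. It shows why an eptid
(eduPersonTargetedID) cannot act as a cross-service user id without a
central store, why an eppn (eduPersonPrincipalName) can, and how a homeless
account is promoted to federated authentication keeping its EUDAT id.
Entity IDs, user names and the IdP secret are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def idp_targeted_id(idp_secret: bytes, local_user: str, sp_entity_id: str) -> str:
    """Simulated IdP computing an eptid: a pseudonym derived from the user AND
    the relying party, so the same user looks different to every SP (Shibboleth
    uses a salted hash over SP entityID and a source attribute; HMAC stands in)."""
    msg = f"{sp_entity_id}!{local_user}".encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()[:32]


def _pwhash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityRegistry:
    """Central EUDAT user store mapping incoming credentials to one EUDAT id."""

    def __init__(self) -> None:
        self._next = 0
        self._by_eppn: Dict[str, str] = {}
        self._by_eptid: Dict[Tuple[str, str, str], str] = {}      # (idp, sp, eptid)
        self._homeless: Dict[str, Tuple[bytes, bytes, str]] = {}  # user -> (salt, hash, id)

    def _new_id(self) -> str:
        self._next += 1
        return f"eudat-{self._next:04d}"

    def resolve_federated(self, idp: str, sp: str, attrs: Dict[str, str]) -> Optional[str]:
        """Map a SAML login to a EUDAT id, creating one at first login. eppn keys
        the user directly; eptid only means something for the (idp, sp) pair."""
        eppn = attrs.get("eduPersonPrincipalName")
        if eppn:
            if eppn not in self._by_eppn:
                self._by_eppn[eppn] = self._new_id()
            return self._by_eppn[eppn]
        eptid = attrs.get("eduPersonTargetedID")
        if eptid:
            key = (idp, sp, eptid)
            if key not in self._by_eptid:
                self._by_eptid[key] = self._new_id()
            return self._by_eptid[key]
        return None  # nothing usable released; the service must refuse the login

    def register_homeless(self, username: str, password: str) -> str:
        """Account at the homeless IdP for users without a federated IdP."""
        if username in self._homeless:
            raise ValueError("username taken")
        salt = os.urandom(16)
        self._homeless[username] = (salt, _pwhash(password, salt), self._new_id())
        return self._homeless[username][2]

    def login_homeless(self, username: str, password: str) -> Optional[str]:
        rec = self._homeless.get(username)
        if rec is None:
            return None
        salt, digest, eudat_id = rec
        return eudat_id if hmac.compare_digest(digest, _pwhash(password, salt)) else None

    def promote(self, username: str, password: str, eppn: str) -> str:
        """Link a federated eppn to an existing homeless account. The homeless
        password proves the old identity; `eppn` must come from a federated login
        the caller has just completed. The EUDAT id and its access rights persist."""
        eudat_id = self.login_homeless(username, password)
        if eudat_id is None:
            raise PermissionError("homeless authentication failed")
        if self._by_eppn.get(eppn, eudat_id) != eudat_id:
            raise ValueError("eppn already linked to another account")
        self._by_eppn[eppn] = eudat_id
        return eudat_id


def demo() -> Dict[str, object]:
    """Constructed scenario: one federated user seen by two EUDAT services,
    then a homeless user who gains a federated account."""
    reg = IdentityRegistry()
    idp, secret = "https://idp.example.edu/idp", b"constructed-idp-secret"
    sps = ("https://b2share.example/sp", "https://b2safe.example/sp")
    eptid_ids = [reg.resolve_federated(idp, sp, {"eduPersonTargetedID": idp_targeted_id(secret, "alice", sp)})
                 for sp in sps]                                    # two ids: no join possible
    eppn_ids = [reg.resolve_federated(idp, sp, {"eduPersonPrincipalName": "alice@example.edu"})
                for sp in sps]                                     # one id across services
    carol_before = reg.register_homeless("carol", "correct horse")
    reg.promote("carol", "correct horse", "carol@univ.example")
    carol_after = reg.resolve_federated(idp, sps[0], {"eduPersonPrincipalName": "carol@univ.example"})
    return {"eptid_ids": eptid_ids, "eppn_ids": eppn_ids,
            "carol_before": carol_before, "carol_after": carol_after}
```

The eptid path only works because the registry keys on (IdP, SP, eptid); remove the central store and the two services see two unrelated users, which is exactly why solution 1 needed Contrail's "database that stores everything". With eppn the identifier is the same at every service, so the store is needed only for linking homeless accounts. One caveat for the eppn route: the eduPerson schema allows an IdP to reassign an eppn after its holder leaves, so a registry keyed on eppn should record the asserting IdP and be prepared to revoke a link on notice.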
Thank you for your attention