A Simplified Access to Grid Resources for Virtual Research Communities


Transcription:

Consorzio COMETA - Progetto PI2S2 - Unione Europea
A Simplified Access to Grid Resources for Virtual Research Communities
Roberto BARBERA (1-3), Marco FARGETTA (3,*) and Riccardo ROTONDO (2)
(1) Department of Physics and Astronomy of the University of Catania, Italy
(2) INFN National Institute of Nuclear Physics, Division of Catania, Italy
(3) Consorzio COMETA, Catania, Italy
(*) email: marco.fargetta@ct.infn.it
ISGC2011 & OGF31, Taipei, 25.03.2011
www.consorzio-cometa.it

Outline
- Science Gateway
- Enabling technologies
- The scenario: the DECIDE project
- Grid security and federation
- Shibboleth and robot certificates integration
- Conclusions and outlook

Grid Interface Evolution
The way users access Grid resources has continuously evolved towards simplicity and transparency:
- Command line (Globus and gLite CLI): used by the enthusiastic and early-adopter scientists
- GUI applications (g-Eclipse, Grid2Win): good to expand the communities but difficult to maintain
- Web interfaces (GENIUS, P-GRADE): easier for new users but monolithic
- Science Gateways

Science Gateway definition
"A framework of tools that allows scientists to run applications with little concern for where the computation actually takes place. This is similar to cloud computing, in which applications run as Web services on remote resources in a manner that is not visible to the end user. However, a science gateway is usually more than a collection of applications. Gateways often let users store, manage, catalogue, and share large data collections or rapidly evolving novel applications they cannot find anywhere else. Training and education are also a significant part of some Science Gateways." (Source: TeraGrid Project)

The "brick" approach
- Science Gateways need to be customised to meet the needs of the Virtual Research Community they support;
- Building them from scratch requires a lot of effort;
- Many small tasks behind the portal are the same and can be shared across different gateways;
- Development should therefore be oriented to creating modules ("bricks") that are easily deployable in different application contexts.

Liferay
- Highly configurable, scalable, open source portal framework;
- Compatible with the JSR 168/286 standards;
- Based on modern Web 2.0 technologies;
- Several (>60) portlets for e-collaboration available out of the box;
- Available under both commercial and free open source licenses;
- Liferay is presently the most used framework to build Science Gateways.

One Liferay, many views (figure)

Grid Access
Portlets can interact with the Grid e-infrastructure. Different approaches are available:
- Execute the command line behind the portal;
- Use APIs where available (they must be in Java or another language supported by Liferay);
- Invoke REST services from JavaScript code in the browser.
Additional layers between Liferay and the Grid can be necessary for some services. Each portlet can follow its own communication method.

A Real Use Case: the DECIDE Project (www.eu-decide.eu)
Objectives:
- Create a support service for the early diagnosis of Alzheimer's and other brain diseases;
- Build a service accessible via web by clinicians, based on a Grid e-infrastructure;
- Validate the service through application to real patient cases.
Strategy:
- Promote the use by clinicians of specialised applications: CIVET/AdaBoost (MRI images), GridSPM (PET/SPECT images), EEG patterns;
- Build a pilot European reference e-service linking the image databases of the European clinical centres;
- Support the clinical community with other high-performing applications currently available only to a few researchers.

Different Actors
People accessing DECIDE services can have different roles and privileges on the available resources:
- Normal user (neurologist): upload input data, retrieve the analysis results;
- Expert/external (collaborator): normal-user privileges, plus running analyses on the data;
- Data manager (scientist): expert privileges, plus verifying the data and updating the main database (DB of normal cases).
Roles and privileges are defined on a per-application basis.

DECIDE Service Architecture (figure)

Too Strong Security
- The distributed nature of the Grid requires strong security mechanisms;
- Users struggle to comply with complex security rules: create certificates, create proxies, update credentials and so on;
- Some institutions want to keep control of their users' authentication and of the services available to them: Science Gateways have to be able to interact with these other services.

Science Gateway Federation
- In the web technology arena many approaches are available to federate authentication among different entities;
- A standard provided by OASIS defines the Security Assertion Markup Language (SAML);
- Shibboleth is one of the best-known SAML-based tools: it implements the SAML standard; it allows different approaches to manage users (LDAP, CAS, plain text, etc.); it is deployed in many universities and research institutes; it is free and open source; it is easy to integrate with Liferay;
- Shibboleth has been selected for the integration.

A&A schema (diagram)
1. Access a service: authorisation is performed by the Science Gateway;
2. Login: authentication goes through GrIDP (WAYF) to one of the federated identity providers (IDPCT, IDP_1 ... IDP_n), each backed by LDAP, CAS, ...

Usage workflow (diagram)
1. Portal login
2. Operation request
3. Verify ACL
4. Robot proxy (credentials exchange)
5. Perform operations on the Grid
6. Results

Role Mapping
- Authorisation is centralised in the portal LDAP;
- The robot proxy may carry VOMS attributes corresponding to the roles in LDAP: for each application and user profile an LDAP role and a VOMS attribute are defined;
- Users have to explicitly request authorisation for the roles they need: a group of experts evaluates the requests;
- If users try to access Grid resources with other tools they do not gain more privileges;
- Roles coming from the federation are currently not accepted; for other projects they could be granted.

Activity Tracking
- All Grid activities are performed with robot certificates, so the individual user cannot be distinguished from the proxy alone (non-repudiation is violated);
- The Science Gateway is responsible for its users: no generic operations on the resources are allowed; only a set of well-defined applications and data are accessible through the portal;
- The portal and the services made available through it have to track the user: the administrator should be able to identify a user in case of malicious operations on the Grid resources.

User Tracking System (diagram)
1. The user asks for a service;
2. the portal creates a proxy with the robot certificate;
3. the action is executed on the Grid;
4. the output is retrieved;
5. the user gets the results.
Steps 2 and 3 are tracked by the portal; the administrator can query for accounting data (L&B, the gLite Logging and Bookkeeping service).
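As an added example (not the authors' or DECIDE's code), a Python sketch of the gateway-side logic described in the Role Mapping, Activity Tracking and User Tracking slides: the ACL check against LDAP-granted roles, the choice of the VOMS attribute for the robot proxy, and the tracking record that lets an administrator map a Grid job back to the federated user behind it. Application names, roles, FQANs, user identifiers and the use of eduPersonPrincipalName as the identity attribute are constructed assumptions.

```python
"""Gateway-side role mapping, ACL check and user tracking (added example).
All Grid work runs under one robot certificate, so the portal itself must
record which federated user triggered which operation. Application names,
roles, FQANs and users below are constructed, not DECIDE's real values."""
from datetime import datetime, timezone

# Per application: which portal role may perform which operation
# (the three DECIDE profiles: normal user, expert, data manager).
ACL = {
    "gridspm": {
        "normal_user":  {"upload_data", "retrieve_results"},
        "expert":       {"upload_data", "retrieve_results", "run_analysis"},
        "data_manager": {"upload_data", "retrieve_results", "run_analysis",
                         "verify_data", "update_db"},
    },
}

# Portal role -> VOMS attribute (FQAN) requested for the robot proxy.
VOMS_FQAN = {
    "normal_user":  "/decide.example/Role=NULL",
    "expert":       "/decide.example/Role=Expert",
    "data_manager": "/decide.example/Role=DataManager",
}

# Roles granted in the portal LDAP after review by the expert group.
LDAP_ROLES = {"alice@idp.example.org": {"gridspm": "expert"}}
TRACKING_LOG = []  # one record per request, allowed or not

def request_operation(saml_attrs, app, operation, job_id):
    """Verify the ACL, pick the robot-proxy FQAN and log who asked;
    returns the FQAN for the robot proxy, or None if the request is denied."""
    user = saml_attrs["eduPersonPrincipalName"]  # identity from the IdP
    # Only roles granted in LDAP count; roles asserted by the federation
    # (e.g. an isMemberOf attribute) are deliberately ignored.
    role = LDAP_ROLES.get(user, {}).get(app)
    allowed = role is not None and operation in ACL.get(app, {}).get(role, set())
    TRACKING_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(), "user": user,
        "app": app, "op": operation, "job_id": job_id, "allowed": allowed,
        "fqan": VOMS_FQAN[role] if allowed else None,
    })
    return VOMS_FQAN[role] if allowed else None

def who_ran(job_id):
    """Admin query: map a Grid job id back to the portal user behind it."""
    return [e["user"] for e in TRACKING_LOG
            if e["job_id"] == job_id and e["allowed"]]
```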

Conclusions and outlook
Conclusions
- Science Gateways can simplify the use of Grid resources for Virtual Research Communities;
- Integrating Shibboleth with robot certificates allows easier access to Grid resources for users;
- User access is verified at many levels, from the user's own institution to the gateway.
Future work
- Integrate different federations in the same portal;
- Test the new Science Gateway in a production environment: the goal of DECIDE is to provide a production service.

Thank you for your kind attention! Any questions?