Supporting Dynamic Virtual
Organisations in the Education Domain
Prof Richard Sinnott
Technical Director National e-Science Centre
University of Glasgow
r.sinnott@nesc.gla.ac.uk
E-Science Institute VO workshop,
22nd November 2006
Grid Security
What do we really want?
Ease of use for end users
Single sign-on to distributed resources
Site autonomy
Manageability for local sys-admins
Scalability for large scale virtual organisations
Fine grained security as/when needed
Dynamicity (of users, resources, policies…)
…

Shibboleth + Grid + advanced authorisation
infrastructures can address many of these issues
Ease of Use
For Grids/e-Research to be truly successful (ubiquitous)
they have to be made as seamless to access and use as the internet
– Forget training, education for some (most?) users!
they have to be driven by research pull, not middleware push
experiences in various projects have shown that users don’t like digital certificates
– The majority most certainly won’t jump through hoops to get on the Grid
$> openssl pkcs12 -in cert.p12 -clcerts -nokeys -out usercert.pem
– Typically not available on Windows!
– Root access? Local sys-admin?
Many other issues
Identity management issues
– Certificate Revocation Lists
» When revoked? By whom? How timely?
– Strong passwords for private keys
» Users write them down, share them, forget them
Privilege Management
– Numerous domains where users never get a local account to “do stuff”
» E-Health!
User classification
– Tinkerers vs the much larger e-Research community
» They want services to point their browser at, and to point and click to run things on the Grid
» “I don’t want an account on a cluster, I’m a biologist who wants to run BLAST on a free National Grid resource”
– As a result, a “me-Science” culture
How Can we Improve Things?
We don’t want each domain reinventing its own security solutions
Best to exploit local authentication
– Sites know best whether users are still at the institution and are best placed to state what their privileges are/should be
Introducing Shibboleth
Shibboleth (http://shibboleth.internet2.edu)
Definition
Shibboleth [Hebrew for an ear of corn, or a stream or flood]
1. A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See Judges xii.
2. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.
Shibboleth will replace Athens as the access management system across UK academia
Federations based on trust
– or more accurately, trust but verify
– numerous international federations exist: MAMS, SWITCH, HAKA, SDSS…
Typical Shibboleth Scenario
[Diagram: User → Service Provider (Grid resource/portal, or a non-Grid resource) → W.A.Y.F. (Where Are You From) → Identity Provider (LDAP, AuthN) at the Home Institution, all within the Federation. Labelled steps: 1. User points browser at Grid resource/portal (or non-Grid resource); in between, the user is redirected via the WAYF to the home IdP, authenticates locally, and the IdP’s assertion is returned to the Service Provider; 5. User accesses resource.]
It’s a start, but…
Benefit from local authentication, but really want finer grained control…
– I know you have authenticated, but I need to know that you have sufficient/correct privileges to access my VO resources
Shibboleth can also return other attributes needed to support authorisation decisions
– At NeSC we have been working extensively with PERMIS (see David’s talk yesterday)
Role Based Access Controls
Basic idea is to define:
roles applicable to a specific VO
– roles are often hierarchical: Role X ≥ Role Y ≥ Role Z
– a Manager can do everything (and more) that an Employee can do, who can do everything (and more) that a Trainee can do
actions allowed/not allowed for VO members
resources comprising the VO infrastructure (computers, data resources etc)
A policy then consists of sets of these rules: { Role × Action × Target }
– Can a user with VO role X invoke service Y on resource Z?
– The policy itself can be represented in many ways, e.g. XML, XACML, …
Tools available for policy editing, associating users with roles, signing policies etc
– Policies (and role assignments) stored as X.509 attribute certificates in an LDAP server
– (New tools/wizards presented at OGF18 Washington)
Finer Grained Shibboleth Scenario
[Diagram: as the typical scenario, with a Shib front end in front of the Grid Portal at the Service Provider; Identity Provider (LDAP, AuthN) at the Home Institution; W.A.Y.F. within the Federation. Labelled steps: 1. User points browser at Grid resource/portal; 5. Pass authentication info and attributes to the authZ function; 6. Make final AuthZ decision.]
Ok, but…
I can do authorisation, but I want single sign-on to lots of distributed resources
The browser keeps session information, so the user can access other resources without signing in again
– Provided the authorisation information is valid for the different service providers
» Each service provider is completely autonomous
– Can configure attribute release / attribute acceptance policies per identity provider / service provider
So where is the
education and what do
I mean by VO…???
DyVOSE Project
Dynamic Virtual Organisations in e-Science Education (DyVOSE)
Principal Investigators
– Dr Richard Sinnott (NeSC Glasgow)
– Prof David Chadwick (Salford/Kent)
Developers
– Dr John Watt (NeSC Glasgow)
– Dr Sassa Otenko (Salford/Kent)
– Mr Tuan Anh Nguyen (Salford/Kent)
Other Key People Involved
– Dr David Berry (NeSC Edinburgh)
– Dr Jos Koetsier (NeSC Edinburgh)
Just wrapping up now!
Grid Computing module
Part of the advanced MSc at Glasgow
Now in its 3rd year (teaching begins again January 2007)
Involves 20 lectures, 10 tutorials, 3 problem sets, 1 large programming assignment
– Huge amount of work in doing this for the first time
– Technological landscape fluidity?
First year taught by
– Richard Sinnott (NeSC, Course Director)
– Colin Perkins (DCS)
– John Watt (NeSC, DyVOSE researcher)
Materials available on the web (www.nesc.ac.uk/hub/projects/dyvose)
– includes lectures, background reading, past exam papers…
DyVOSE Phase 1
Focus on applying existing PERMIS technology to establish a static PMI at GU
[Diagram: Education VO policies feed PERMIS based authorisation; authorisation checks and decisions gate access to ScotGrid, the GU Condor pool and other (known!) Grid resources.]
Explorations in Course
Students used the PERMIS Policy Editor to develop the security policy for use in their assignment
Sorting/searching the “complete works of Shakespeare”
… run on a single PC,
… using the training lab Condor pool,
… as a GT3.3/Condor service,
… as a GT3.3 service using GSI,
– To see how authorisation at service level is achieved
» Service should be accessible by themselves and lecturing staff only
… as a GT3.3-PERMIS authorised service
– To see how authorisation at method level is achieved
» Students split into groups (StudentGroup1, StudentGroup2)
» Sort method available to their group and lecturers only
» Search method available to all
» (Groups = PERMIS roles)
Performance aspects investigated throughout…
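The following is an added example, not code from the slides or from PERMIS itself. It shows in working Python the { Role × Action × Target } model from the Role Based Access Controls slide, with a role hierarchy (Role X ≥ Role Y means X inherits everything Y may do), and applies it to the method-level policy of the Shakespeare assignment on this slide: each student group may invoke Sort only on its own service, Search is open to every VO member, and lecturers inherit everything. The resource names (e.g. "StudentGroup1/Shakespeare.sort"), the "VOMember" base role and the Manager/Employee/Trainee rules are constructed for illustration; the real student policies were written with the PERMIS Policy Editor.

```python
"""Added example: a PERMIS-style RBAC policy evaluator with a role hierarchy.
Policy = set of (role, action, target) rules plus "dominates" edges.
A user holding role X may perform action A on target T if any role that X
dominates (X itself included) is granted (A, T).  Deny by default.
Role, user and resource names are constructed, not the real DyVOSE policy."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    role: str
    action: str
    target: str  # glob over resource names, e.g. "*/Shakespeare.search"


@dataclass
class Policy:
    rules: set[Rule] = field(default_factory=set)
    # superior role -> roles it directly dominates (Role X >= Role Y)
    dominates: dict[str, set[str]] = field(default_factory=dict)

    def add_hierarchy(self, superior: str, inferior: str) -> None:
        self.dominates.setdefault(superior, set()).add(inferior)

    def dominated_by(self, role: str) -> set[str]:
        """Transitive closure of the hierarchy below `role`, including itself.
        Iterative with a seen-set so a mis-configured cycle cannot hang it."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.dominates.get(r, ()))
        return seen

    def permits(self, held_roles, action: str, target: str) -> bool:
        """Can a user holding `held_roles` invoke `action` on `target`?"""
        effective: set[str] = set()
        for r in held_roles:
            effective |= self.dominated_by(r)
        return any(
            rule.role in effective
            and rule.action == action
            and fnmatchcase(target, rule.target)
            for rule in self.rules
        )


def assignment_policy() -> Policy:
    """Constructed policy mirroring the assignment: Sort only on the group's
    own service, Search open to all VO members, lecturers inherit everything."""
    p = Policy()
    for group in ("StudentGroup1", "StudentGroup2"):
        p.add_hierarchy("Lecturer", group)     # Lecturer >= StudentGroupN
        p.add_hierarchy(group, "VOMember")     # StudentGroupN >= VOMember
        p.rules.add(Rule(group, "invoke", f"{group}/Shakespeare.sort"))
    p.rules.add(Rule("VOMember", "invoke", "*/Shakespeare.search"))
    return p


def staff_hierarchy() -> Policy:
    """The Manager >= Employee >= Trainee chain from the slide (constructed rules)."""
    p = Policy()
    p.add_hierarchy("Manager", "Employee")
    p.add_hierarchy("Employee", "Trainee")
    p.rules |= {
        Rule("Trainee", "read", "reports/*"),
        Rule("Employee", "write", "reports/*"),
        Rule("Manager", "approve", "reports/*"),
    }
    return p
```

The decision is deny-by-default: an unknown role, an unknown action or a target that matches no rule all yield False, which is the behaviour a PERMIS PDP exhibits when no policy rule fires.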
Conclusions…
It works!
We learned a lot about Globus, PERMIS, LDAP, the GGF SAML AuthZ API, teaching Grid…
16 students took the course in 2004
Of those
– 3 students completed the whole assignment
– Several got the Globus version running
– The vast majority managed to get the Condor pool version up and running
But it is quite static and not really a scalable model for larger scale VOs
Dynamicity, Scalability…?
UK Shibboleth federation based around a small set of pre-agreed attributes from the eduPerson schema
– eduPersonScopedAffiliation: indicates the user’s relationship (e.g. staff, student, etc) within the institution;
– eduPersonTargetedID: needed when an SP is presented with an anonymous assertion only, e.g. eduPersonScopedAffiliation. This attribute provides a persistent user pseudonym;
– eduPersonPrincipalName: used where a persistent user identifier consistent across different services is needed;
– eduPersonEntitlement: enables an institution to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource
Grid vision for dynamic virtual organisations
– Add, remove, change people, institutes and their privileges on the fly for changing sets of resources as required by the VO
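An added example (not from the slides or the Shibboleth project) of the service-provider side of the attribute-based model above: an attribute acceptance policy that only accepts scoped eduPerson values whose scope the asserting IdP is registered for, followed by the VO authorisation decision built on the accepted attributes. The check matters because eduPersonScopedAffiliation and eduPersonPrincipalName carry a "value@scope" suffix, and without it any federation IdP could assert "staff@gla.ac.uk" on behalf of Glasgow. The entity IDs, registered scopes and the entitlement URN are constructed; a real SP takes the scopes from the federation's signed metadata.

```python
"""Added example: SP attribute acceptance for scoped eduPerson attributes,
then a VO authorisation decision over the accepted set only."""

# Constructed stand-in for federation metadata: scopes each IdP may assert.
REGISTERED_SCOPES = {
    "https://idp.gla.ac.uk/shibboleth": {"gla.ac.uk"},
    "https://idp.ed.ac.uk/shibboleth": {"ed.ac.uk"},
}

# Attributes whose values must end in "@<scope>" owned by the asserting IdP.
SCOPED = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}


def accept_attributes(issuer: str, asserted: dict) -> tuple[dict, dict]:
    """Attribute acceptance policy.  An IdP may only vouch for its own
    scope: 'staff@ed.ac.uk' asserted by the Glasgow IdP is discarded, as
    is a scoped attribute with no scope at all.  Returns (accepted, rejected).
    An issuer absent from the federation metadata is an error, not a
    silently empty result."""
    allowed = REGISTERED_SCOPES.get(issuer)
    if allowed is None:
        raise ValueError(f"{issuer} is not a federation member")
    accepted, rejected = {}, {}
    for name, values in asserted.items():
        if name in SCOPED:
            good = [v for v in values
                    if "@" in v and v.rsplit("@", 1)[1].lower() in allowed]
        else:
            good = list(values)
        bad = [v for v in values if v not in good]
        if good:
            accepted[name] = good
        if bad:
            rejected[name] = bad
    return accepted, rejected


def authorise(accepted: dict, entitlement: str,
              sufficient_affiliations=("staff", "faculty")) -> bool:
    """VO-level decision on accepted attributes only: grant if the home
    institution asserted the resource-specific eduPersonEntitlement, or the
    user's affiliation is one the resource owner chose to trust."""
    if entitlement in accepted.get("eduPersonEntitlement", ()):
        return True
    return any(v.split("@", 1)[0] in sufficient_affiliations
               for v in accepted.get("eduPersonScopedAffiliation", ()))
```

Rejected values are returned rather than dropped silently so the SP can log them: an IdP repeatedly asserting another institution's scope is worth an alert, not just a denied request.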
Putting the “Dy” in DyVOSE
• Dynamic PMI Case Study
[Diagram: two sites, Glasgow and Edinburgh, each with its own LDAP and its own Education VO policies. The Glasgow SoA and the Edinburgh SoA both use the Glasgow DIS to issue Edinburgh roles; the resulting ACs for Edinburgh roles are created in the Glasgow LDAP. PERMIS based authorisation checks/decisions protect a Grid BLAST Service implemented by students and a Grid BLAST Data Service; a Grid-data client supplies the data input and receives protein/nucleotide data from the Nucleotide + Protein Sequence DB according to the student team role.]
Delegation Issuing Service (DIS)
Dynamic delegation scenarios with DIS
Edinburgh issues a Delegation Statement to the Glasgow SoA that allows them (or, depending on policy, someone they delegate to) to assign the EDINBURGH PERMIS role ‘EdTeamN/P’
– Done through a Glasgow policy addition
Or…
Glasgow SoA trusts Edinburgh SoA to issue these and potentially other roles to local users at Glasgow directly (as determined by its own local policy/discretion)
– Attribute certificates created and signed by the DIS
Both models supported…
Edinburgh Data Service searches both LDAP directories
– Service finds User entries in the Glasgow LDAP that contain the correct Edinburgh role – ACCESS GRANTED
ACs revocable at any time
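An added example, not code from the slides or from the PERMIS DIS, modelling the check the Edinburgh Data Service has to make under both delegation models above: an AC for an Edinburgh role is only trusted if it was signed by the Edinburgh SoA itself, or by an issuer to whom the Edinburgh SoA delegated (directly or through a further delegation, within the stated depth) the right to issue that role, and neither the AC nor any delegation statement in the chain has been revoked. HMAC-SHA256 over the statement body stands in for the X.509 attribute-certificate signature; the issuer keys, the role name "EdTeamP", the party "GlasgowAdmin" and the serial numbers are constructed.

```python
"""Added example: validating a DIS-style delegation chain for a remote role.
kind='ac'          -> issuer assigns `role` to `holder`
kind='delegation'  -> issuer lets `holder` issue `role`, and delegate it
                      `depth` more times
HMAC with constructed per-party secrets stands in for AC signatures."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed signing secrets, one per party that can sign statements.
ISSUER_KEYS = {
    "EdinburghSoA": b"constructed-edinburgh-soa-key",
    "GlasgowSoA": b"constructed-glasgow-soa-key",
    "GlasgowAdmin": b"constructed-glasgow-admin-key",
    "RogueIssuer": b"constructed-rogue-key",
}


@dataclass(frozen=True)
class Statement:
    kind: str
    issuer: str
    holder: str
    role: str
    depth: int
    serial: str
    sig: str


def _sign(issuer: str, body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEYS[issuer], msg, hashlib.sha256).hexdigest()


def issue(kind, issuer, holder, role, serial, depth=0) -> Statement:
    """What the DIS does on behalf of an SoA/admin: build and sign a statement."""
    body = dict(kind=kind, issuer=issuer, holder=holder, role=role,
                depth=depth, serial=serial)
    return Statement(sig=_sign(issuer, body), **body)


def _valid(s: Statement, revoked) -> bool:
    """Signature intact under the key of the issuer it names, and not revoked."""
    if s.serial in revoked or s.issuer not in ISSUER_KEYS:
        return False
    body = asdict(s)
    body.pop("sig")
    return hmac.compare_digest(_sign(s.issuer, body), s.sig)


def _authorised(issuer, role, soa, delegations, revoked, needed_depth, hops_left=8):
    """May `issuer` issue `role` (owned by `soa`) and still delegate it
    `needed_depth` further times?  Walks delegation statements back to the SoA."""
    if issuer == soa:
        return True                 # the SoA's authority over its roles is unbounded
    if hops_left == 0:
        return False                # refuse to loop on a cyclic delegation graph
    for d in delegations:
        if d.kind != "delegation" or d.holder != issuer or d.role != role:
            continue
        if d.depth < needed_depth or not _valid(d, revoked):
            continue
        # whoever granted this must itself have been allowed to delegate one level deeper
        if _authorised(d.issuer, role, soa, delegations, revoked, d.depth + 1, hops_left - 1):
            return True
    return False


def holds_role(user, role, soa, acs, delegations, revoked=frozenset()) -> bool:
    """The data service's question: does `user` hold `role` via an AC whose
    issuer was entitled, directly or by delegation, to issue it?"""
    return any(
        ac.kind == "ac" and ac.holder == user and ac.role == role
        and _valid(ac, revoked)
        and _authorised(ac.issuer, role, soa, delegations, revoked, needed_depth=0)
        for ac in acs
    )
```

Revocation is a single set of serials covering both ACs and delegation statements, so revoking the Edinburgh-to-Glasgow delegation invalidates every AC Glasgow issued under it without touching the ACs themselves, which is the "ACs revocable at any time" property on the slide carried one level up the chain.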
Conclusions on DIS
It works!
11 students took the course in 2005
Of those
– All managed to build the client and get protein/nucleotide data from Edinburgh
» Hence the DIS did its job!
– 3 students completed it all
» Adv. MSc so we like to give challenging assignments! ;o)
Virtual Organisations à la DIS
Each service provider defines its own roles for accessing its own resources
Use the DIS directly to issue roles to remote known/trusted users in the VO
Delegate to a remote admin (who may also delegate, depending on the delegation policy) to issue roles on the service/service provider’s behalf
User attempts to access the resource via Shibboleth and the needed attributes are pulled to make the authZ decision
A Word about Trust
Do we trust authN at the remote site?
– GLASS project
» nSure Active Directory
» Student = matriculation
» Staff = HR database
– Resources are autonomous, so can always say no!
– Single sign-on ≠ anyone signs on!
Main benefit of Shibboleth is single sign-on to access many service providers
– In the same VO
– In different VOs
Shibboleth Access to Grid Resources/non-Grid Resources
[Screenshots: services Shib-enabled in Glasgow, e.g. WebMAIL]
Future Plans
Several other projects looking to exploit these kinds of things
Major EPSRC pilot project (£5.3M) on “Meeting the Design Challenges of nanoCMOS Electronics” (project just started)
– Security essential in this domain, including support for IP of data, simulations, processes, licenses,…
Further proposals building on these solutions
Resolving Differences?
We cannot ignore the human element in
all of this…
Risk Assessment and Monitoring
Are we ready for when things go wrong…?
Prevention is better than cure…
Questions?