Add to collection(s) Add to saved
  1. No category

Presentazione standard di PowerPoint

advertisement 
Enabling Grids for E-sciencE
Federated access to
e-Infrastructures worldwide
Marco Fargetta, INFN Catania - Italy
(marco.fargetta@ct.infn.it)
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
DCIs developed in the last decade
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
2
Enabling Grids for E-sciencE
Evolution
• Research organisations
are moving to cloud
computing
– Internal services and
research applications
• Many different cloud
models
– Public vs Private vs
Commercial
– IaaS, PaaS, SaaS
• Grid paradigm still
adopted by many projects
– Grid and cloud will co-exist
for a while
– Many mixed approach are
under investigation and
testing
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
3
e-Infrastructures problems
Enabling Grids for E-sciencE
• Different authentication/authorisation
– Username/password, X509, others
• Different tools to interact with
– GUI, CLI, API, Web Apps, Web Services, etc…
• Different middleware and workflows to
execute applications
• Very little standard adoption
– Lack of interoperability
• Difficult for users to move from a system
to another
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
4
Enabling Grids for E-sciencE
Science Gateways
“A Science Gateway is a community-developed set of
tools, applications, and data that is integrated via a
portal or a suite of applications, usually in a graphical
user interface, that is further customized to meet the
needs of a specific community.”
Teragrid/XSEDE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
5
Primary requirement: building Science Gateways
should be like playing with Lego bricks
Enabling Grids for E-sciencE
Standards
Simplicity
Easiness of use
Re-usability
Sc. Gtwy E
Sc. Gtwy D
Sc. Gtwy C
Sc. Gtwy B
Sc. Gtwy A
•
•
•
•
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
6
Catania Science Gateway
Framework architecture
Enabling Grids for E-sciencE
App. 1
App. 2
Grid/Cloud
Engine
(based on SAGA)
Catania Science
Gateway
Embedded Services
....... MyCloud
CLEVER
Administrator(s)
Scientists
Cloud tenants
Orchestrator
(based on OCCI)
Cloud #1
HPC
Clusters
Cloud #2
Cloud #n
Users belonging
to Identity
Federations
Single logical domain
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
7
Unified authentication system
Enabling Grids for E-sciencE
• Users have to use only one account for
all the systems
– The account is generally provided by the home
institution
– SAML2.0 used
• Authentication to e-Infrastructure is
performed by the Science Gateway
– e-Infrastructures do not distinguish Science Gateway
users
– User tracking DB implemented for accounting and
auditing purposes, compliant with EGI policies
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
8
AuthN/AuthZ Schema
Enabling Grids for E-sciencE
Federation
2. Forwarded
to the IdP
Science Gateway
Retrieve e-Infrastructure
credentials
e-Infrastructures
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
10
Science Gateways deployed
Enabling Grids for E-sciencE
12 SGs in production and
others in development
Africa Grid
agINFRA
CHAIN-REDS
VRCs supported either by
region or discipline
COGITO-MED
DCH-RP e-Culture
DECIDE
EarthServer
EUMEDGRID
Very easy and intuitive access procedure
GARR
GISELA
User-driven development
Surveys to propose applications are available in
Italian and other languages
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
IGI
KLIOS
11
Official Identity (Inter-)Federations currently
supported by Catania Science Gateways
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
12
The TERENA AAA Study
https://confluence.terena.org/display/aaastudy/AAA+Study+Home+Page
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
(Objectives)
The goal has been broken
down into two objectives:
1. A collection of users’
access requirements
coming from different
communities;
2. A gap analysis of the
existing AAIs used in the
realm of research and
education, the use-cases
they support and the
associated challenges.
13
The TERENA AAA Study
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
(Findings)
14
The TERENA AAA Study
Enabling Grids for E-sciencE
Recommendation
Action Required
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
(Recommendations)
Main Stakeholder(s)
Area
15
DCH-RP AAI Survey
Enabling Grids for E-sciencE
(www.dch-rp.eu)
• “Digital Cultural Heritage Roadmap for
Preservation” (DCH-RP) is a coordination
action supported by the European
Commission under the e-Infrastructure
Capacities Programme of Seventh
Framework Programme for Research (FP7)
• A survey about the AAI performed both
within and outside the project community
– Mainly research and cultural organisations
– 20 organisations already filled the survey
– http://dch-rp.eu/index.php?en/71/news-archive/6/dch-rp-questionnaire
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
16
DCH-RP AAI Survey
(Current findings)
Enabling Grids for E-sciencE
Are you aware of federated access
or of Identity Federations?
40%
60%
Is your institution part of a national
Identity Federation?
15%
Yes
10%
No
75%
I don't know
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
No
Yes
17
DCH-RP AAI Survey
(Current findings)
Enabling Grids for E-sciencE
Are you aware that in many European
countries Identity Federations are operated
by the NRENs?
Do you think your users would
benefit if your service would be
part of an existing Identity
Federation?
45%
55%
Yes
5% 5%
5%
5%
20%
No
60%
No
Yes
Possibly but not necessarily.
I don't know
maybe. on the other side, many users could not appreciate auth,
Not applicable
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
18
DCH-RP AAI Survey
(Current findings)
Enabling Grids for E-sciencE
Do you see any problems if
users, in order to access to
your service, are authenticated
by a "catch-all" Identity
Provider?
5%
5%
5%
5% 5%
20%
Would you like to get support to create an
Identity Provider to manage users
accounts for your organization?
15%
30%
10%
55%
Yes
No
45%
I dont see any problems, but for sure others in my organization will.
I don't know
Our users need to be authenticated by us
No
Yes
I don't know
Not applicable
Pssible issue related to spred of personal data
Not applicable
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
19
The GrIDP “catch-all” federation
Enabling Grids for E-sciencE
(http://gridp.garr.it)
v
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
20
The Open and Social IdP’s
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
21
Mobile Support
Enabling Grids for E-sciencE
(Both Android and iOS)
REST API
DCH-RP eCSG Mobile
Science Gateway
glibrary.ct.infn.it
Call gLibrary REST API through
API Server Gateway
Authorization
service
Authentication
service
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
E-Infrastructure
22
Enabling Grids for E-sciencE
Implementation
• Discovery service modified to provide a
JSON with federations and IdPs
– Based on Shibboleth DS
• Federations and IdPs selection
developed as native apps both for
Android and iOS
• IdP login page shown in a web view
– After the login, the native app catches the SAML token
and closes the web view
– The token is used for the communication with RESTful
services
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
23
Mobile Authentication
Enabling Grids for E-sciencE
Web views
Native apps
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
24
Enabling Grids for E-sciencE
IdP Management
• Catch-all IdP does not
have a user DB to access
– Users need to ask for
registration
• Anonymous selfregistration not supported
• A web application has
been developed to
manage the registration
workflow
– LDAP as back-end DB
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
25
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
IdP Management
26
Science Gateway Authorisation
Enabling Grids for E-sciencE
• At first access users are
sent to an authorisation
request form
• Fields are automatically
populated with
information from SAML
token
– If not available, users must
provide information
• If different roles are
available users can
select one or more of
them
– Users can apply for new
roles at any time
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
27
Science Gateway Authorisation
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
28
After Signing-in …
… accessing Digital Repositories
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
29
After Signing-in …
… accessing Digital Repositories
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
30
After Signing-in …
… managing services in federated clouds
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
31
After Signing-in …
… running jobs on different infrastructures
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
32
Enabling Grids for E-sciencE
Support to other
organisations
• Some organisations are deploying SGs
using our framework and tools
– Including those for authentication/authorisation
• Federations are not everywhere
– Many project partners are located in countries without a
national identity federation
– No know-how on SAML is present
• We are supporting organisations to
deploy their IdPs
– They are starting with “catch-all” ones for their local
communities
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
33
Some of the IdPs supported
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
34
Implementation and status
Enabling Grids for E-sciencE
• IdPs deployed use the same tools and
web application of our catch-all IdP
– They use Shibboleth, LDAP and the web application
developed by INFN Catania for user management
• 3 IdPs currently under test and 1 already
included in the GrIDP federation
– Some NRENs are also planning to create their
federation and add more IdPs
• IdPs for own users are also foreseen in
the short term
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
35
Enabling Grids for E-sciencE
Summary
• Identity federations make authentication
on distributed systems easy and safe
– Still many organisations are not federated and tools for
not-federated users are needed
• We built a catch-all federation and IdPs
– Catch-all IdPs important for services whose users are
distributed in many countries and belonging to many
organisations
• Many organisations supported to
implement their services (IdPs and SGs)
– Tools for user management could be integrated in the
main SAML implementations (e.g. Shibboleth)
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
36
Enabling Grids for E-sciencE
Outlook
• Finalise the deployment of IdPs and
integrate them the in GrIDP federation
• Foresee the use of SAML for the
authentication to clouds
– OpenStack based clouds allow the use of SAML
• Investigate the integration with OAuth
protocol for mobile authentication and
authorisation
– Current approach has several limitations
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
37
Enabling Grids for E-sciencE
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013
38
Related documents
Developing academic reading skills through
Developing academic reading skills through
Helsinki catering presentation
Helsinki catering presentation
Critical Enablers for HIV, TB & Malaria Responses
Critical Enablers for HIV, TB & Malaria Responses
User communities and applications
User communities and applications
ICT for optimizing synergies among energy grids in smart cities
ICT for optimizing synergies among energy grids in smart cities
Revise for GCSE Humanities: The 1950`s
Revise for GCSE Humanities: The 1950`s
Political Communications
Political Communications
wyniki badania ankietowego nt. potrzeb i oczekiwa
wyniki badania ankietowego nt. potrzeb i oczekiwa
Practical Information - ECHA
Practical Information - ECHA
Download
advertisement