Bridging the SAML + PKI worlds

TF-EMC2 Lyon - 14/02/2011
Accessing e-Infrastructure
Christopher Brown
Digital Infrastructure
e-Infrastructure Programme
• April 2006 – March 2009
• Followed UK’s 5 year investment in e-Science infrastructure
• Aims:
  – Increase the benefits to, and use of, e-Infrastructure by a wider user base
  – Ensure that e-Infrastructure builds on and shares common core services
  – Explore the ways in which the benefits of the capabilities being developed in grid computing can be transferred to other domains
• 4 thematic areas:
  – Community engagement and support
  – e-Infrastructure security
  – Grid services and tools
  – Knowledge organisation and semantic services
14/02/2011 Slide 2
National Grid Service (NGS)
• Aims to facilitate UK research by providing access to a broad range of computational and data based resources.
• Deliver a production quality e-infrastructure to support academic research across all Higher Education Institutes (HEIs) in the UK
• Provide core services to enable collaborative access to computing and data resources in support of UK researchers
• Ensures UK researchers can efficiently exploit computing facilities across the globe – developed partnerships with infrastructures in EU, US, etc.
• http://www.ngs.ac.uk/
National Grid Service (NGS)
• Free to use for UK academics
• Joining process:
  – Apply for your personal e-Science Certificate from the UK Certification Authority
  – Download your certificate into your browser
  – Apply for a NGS Grid Account
  – Backup your Certificate and Private Key from your browser
  – Run the Certificate Wizard to set up your computer
  – Get started using NGS tools
• http://www.ngs.ac.uk/
SARoNGS (Jan 2008 – March 2009)
To deliver into production a Shibboleth based infrastructure for the NGS, to enable HEI users/researchers to access NGS resources using their institutional identities as provided through membership of the UK federation.
• Goals:
  – Broaden the NGS user base.
  – Easier access for researchers who are not technology specialists
  – Easier support for the Service Provider
  – Prevent unauthorised access
  – Deliver a production service
• Access to NGS resources:
  – People use X.509 Certificates
  – Trusted globally – IGTF
  – Sometimes seen as challenging to use
SARoNGS
• In SARoNGS
  – People who have certificates can keep using them
  – Created transparently for people who don’t
  – Users don’t even know they have certificates
• What’s in it for you?
  – Users get non-certificate access to the NGS, mainly via portals
  – SPs can hook into NGS SP/portal (if you wish), particularly if you require X.509
  – Use NGS’ VO management infrastructure
  – Non-UK federations: can be reused
• http://www.jisc.ac.uk/whatwedo/programmes/einfrastructure/sarongs.aspx
• https://cts.ngs.ac.uk/
SARoNGS
• 4 main activities
  (diagram labels: ShibGrid, SHEBANGS, Grid Authn, VPMan, Authorisation, Translate attributes, SARoNGS Demonstrator, MIMAS)
  – to provide grid authentication tied to the UK AMF (a new service based upon outputs from the ShibGrid project)
  – to link this authentication token with VO attributes from the grid computing domain
  – to translate attributes within the context of UK AMF into attributes suitable for consumption by grid computing infrastructures (a new service based upon the outputs of the SHEBANGS project)
  – to demonstrate these via both subject based and generic demonstrator applications
SARoNGS Architecture
(diagram components: User and management portals; VO Management; CTS access control; CTS; MyProxy; The NGS Grid; research resources (MIMAS))
Demo
OneVRE
• VRE funded project
• Connects different institutional portals through Access Grid (AG) technologies
• Connection through AG venues managed by VOMS certificates
• Using SARoNGS for OneVRE VO Management
  – User logs in to portal using Proxy Cert issued by SARoNGS, includes all the VOs the user is a member of
  – VOs are basis for accessing the AG virtual venues on OneVRE servers
  – OneVRE also allows users to securely share data and apps across different AG and OneVRE servers
• http://wiki.rcs.manchester.ac.uk/community/OneVRE
Limitations of the SARoNGS Grid Credentials
• Certs are only as good as the material on which they are based
• NGS would have liked the SARoNGS CA to become accredited with the IGTF, like the UK e-Science CA.
• Not possible:
  – Permitted reuse of eduPersonTargetedId
  – Names are not published
  – Id Management Policies too numerous/varied
  – Revocation vs Lifetime
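As an added example (not code from the SARoNGS project or its CTS), here is how a credential translation step could derive a grid subject and VO attributes from the federation attributes the slides name, while respecting the limitations just listed: the subject is a digest of the opaque eduPersonTargetedID rather than a published name, and the proxy lifetime is capped because the translated credential cannot be revoked. The attribute names come from the slides; the DN layout, FQAN strings, the 12-hour cap and the sample inputs are assumptions.

```python
import hashlib
from dataclasses import dataclass

# Attribute names are the ones the slides mention; the DN layout, the FQAN
# strings and the 12-hour cap are assumptions made for this example and are
# not the real CTS configuration.
EPTID = "eduPersonTargetedID"
AFFILIATION = "eduPersonScopedAffiliation"
MAX_PROXY_HOURS = 12  # translated credentials cannot be revoked, so keep them short-lived


@dataclass
class GridCredentialRequest:
    subject_dn: str       # name the transparently created certificate would carry
    fqans: list           # VOMS-style fully qualified attribute names
    lifetime_hours: int


def translate(attrs: dict, vo_roles: dict, requested_hours: int) -> GridCredentialRequest:
    """Turn a UK federation attribute set plus VO membership records into a
    grid credential request, or raise ValueError if the assertion is unusable."""
    eptid = attrs.get(EPTID, "")
    if eptid.count("!") != 2:
        raise ValueError("need an eduPersonTargetedID in idp!sp!opaque form")
    qualifying = [a for a in attrs.get(AFFILIATION, [])
                  if a.startswith(("member@", "staff@", "student@"))]
    if not qualifying:
        raise ValueError("no qualifying eduPersonScopedAffiliation")
    opaque = eptid.rsplit("!", 1)[1]
    scope = qualifying[0].split("@", 1)[1]
    # The IdP publishes no real name, so the CN is a digest of the opaque
    # ePTID value: stable only for as long as the IdP keeps that value.
    cn = hashlib.sha256(opaque.encode()).hexdigest()[:16]
    subject_dn = f"/C=UK/O=SARoNGS-example/OU={scope}/CN={cn}"
    fqans = [f"/{vo}/Role={role}" for vo, role in sorted(vo_roles.items())]
    lifetime = max(1, min(requested_hours, MAX_PROXY_HOURS))
    return GridCredentialRequest(subject_dn, fqans, lifetime)


# Constructed sample inputs: an invented IdP, SP and two invented VO memberships.
SAMPLE_ATTRS = {
    EPTID: "https://idp.example.ac.uk/shibboleth!https://cts.example.org/shibboleth!a1b2c3d4",
    AFFILIATION: ["member@example.ac.uk", "staff@example.ac.uk"],
}
SAMPLE_VOS = {"ngs.ac.uk": "user", "onevre": "member"}

if __name__ == "__main__":
    req = translate(SAMPLE_ATTRS, SAMPLE_VOS, requested_hours=72)
    print(req.subject_dn, req.fqans, req.lifetime_hours)
```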
Past
• NGS: SARoNGS, SHINTAU, VPMAN
• Collaboration: GFIVO, CUCKOO
• Data Sharing: ASPiS, ES-LoA, iREAD, AGAST, SPIDER
• Identification: UK federation, OpenID Review, NAMES
• Identity: The Identity Project
• Personalisation: GOLDDUST, DPIE2
AIM Programme
• 1st Jan 2009 to 31st March 2011 (IdM Toolkit Pilots – Feb-Aug 2011)
• Focus:
  – Process
  – Policy
  – Technology
  (Exploring innovative new areas)
• Objectives
  – Build foundations for production systems that universities might adopt in the future
  – Prepare the sector for future developments
  – Improve user experience
  – Increase value and make AIM relevant to wider community
  – Enable integrated systems architecture
  – Develop practical tools to enable AIM
AIM Programme
• UK Access Management Federation
  – Support
  – Expand
  – Improve
  – Increase uptake
• Funding
  – Shibboleth Consortium (JISC, Internet2, SWITCH)
    • Technical roadmap
    • Governance mechanisms
    • Operate open source project => Shibboleth Foundation?
  – Extending Access Mgmt into BCE
  – Publisher Support
  – WAYFless URLs
AIM Projects – NGS
Wei Jie, Thames Valley University, 15 months
• A Proxy Credential Auditing Infrastructure for the UK e-Science National Grid Service
  – Develop proxy certificate auditing infrastructure that supports monitoring/auditing use of proxy credentials
    • General usage monitoring
    • Patterns of use and prediction of misuse
    • Exploit and harden existing software for this
    • Globus Incubator project
    • Extensions to support
      • VO-specific monitoring and usage
      • Resource-specific monitoring and usage
  – Demonstrate in numerous projects and roll out to NGS
• Case studies: nanoCMOS, ENROLLER, DAMES, NeISS projects
  – includes usage of NGS, ScotGrid, TeraGrid, D-Grid
AIM Projects – Web Services
Fiona Culloch, EDINA, 12 months
• WSTIERIA (Web Services Tiered Internet Authorization)
  – Make web services work with UK federation
  – Investigating two approaches:
    • using “façade” to handle authentication
    • new Shib features to invoke web service between SPs
  – Tested on two application domains:
    • Geospatial web service (SEE-GEO)
    • WebDAV (widely deployed remote file-access protocol layered on HTTP)
  – Community Benefit
    • Web services interoperate with FAM
    • Improve end-user experience by application componentization
  – Real components need authorization
    • Access presently hidden web services
  – Discussing with MIMAS, SDSS, Shibboleth
AIM Projects – Social Net and Shib
Mike Jones, University of Manchester, 9 months
• Identity and Access Management using Social Networking Technologies
  – FOAF is an RDF (Resource Description Framework) vocabulary mainly aimed at describing links between people and memberships
  – produce a functional WebID (formerly FOAF+SSL) based Authentication system for Shibboleth based IdP and an Authentication and Authorisation system for Globus based grids
  – Bridge to SAML/Shibboleth
    • Converting information available in RDF into SAML attributes
      – e.g. WebID URI into eduPersonPrincipalName
  – Easy to derive membership of a project or (virtual) organisation based on the FOAF relations
  – Easier ad-hoc collaborations (potentially with people outside the federation too)
Any questions?