Accessing e-Infrastructure
TF-EMC2 Lyon - 14/02/2011
Christopher Brown, Digital Infrastructure

e-Infrastructure Programme
• April 2006 – March 2009
• Followed UK’s 5 year investment in e-Science infrastructure
• Aims:
  • Increase the benefits to, and use of, e-Infrastructure by a wider user base
  • Ensure that e-Infrastructure builds on and shares common core services
  • Explore the ways in which the benefits of the capabilities being developed in grid computing can be transferred to other domains
• 4 thematic areas:
  • Community engagement and support
  • e-Infrastructure security
  • Grid services and tools
  • Knowledge organisation and semantic services

National Grid Service (NGS)
• Aims to facilitate UK research by providing access to a broad range of computational and data based resources.
• Deliver a production quality e-infrastructure to support academic research across all Higher Education Institutes (HEIs) in the UK
• Provide core services to enable collaborative access to computing and data resources in support of UK researchers
• Ensures UK researchers can efficiently exploit computing facilities across the globe – developed partnerships with infrastructures in EU, US, etc.
• http://www.ngs.ac.uk/

National Grid Service (NGS)
• Free to use for UK academics
• Joining process:
  • Apply for your personal e-Science Certificate from the UK Certification Authority
  • Download your certificate into your browser
  • Apply for an NGS Grid Account
  • Back up your Certificate and Private Key from your browser
  • Run the Certificate Wizard to set up your computer
  • Get started using NGS tools
• http://www.ngs.ac.uk/

SARoNGS (Jan 2008 – March 2009)
To deliver into production a Shibboleth based infrastructure for the NGS, to enable HEI users/researchers to access NGS resources using their institutional identities as provided through membership of the UK federation.
• Goals:
  • Broaden the NGS user base.
  • Easier access for researchers who are not technology specialists
  • Easier support for the Service Provider
  • Prevent unauthorised access
  • Deliver a production service
• Access to NGS resources:
  • People use X.509 Certificates
  • Trusted globally – IGTF
  • Sometimes seen as challenging to use

SARoNGS
• In SARoNGS
  • People who have certificates can keep using them
  • Created transparently for people who don’t
  • Users don’t even know they have certificates
• What’s in it for you?
  • Users get non-certificate access to the NGS, mainly via portals
  • SPs can hook into NGS SP/portal (if you wish), particularly if you require X.509
  • Use NGS’ VO management infrastructure
  • Non-UK federations: can be reused
• http://www.jisc.ac.uk/whatwedo/programmes/einfrastructure/sarongs.aspx
• https://cts.ngs.ac.uk/

SARoNGS
• 4 main activities
  • to provide grid authentication tied to the UK AMF (a new service based upon outputs from the ShibGrid project)
  • to link this authentication token with VO attributes from the grid computing domain
  • to translate attributes within the context of UK AMF into attributes suitable for consumption by grid computing infrastructures (a new service based upon the outputs of the SHEBANGS project)
  • to demonstrate these via both subject based and generic demonstrator applications
[Diagram labels: ShibGrid, SHEBANGS, Grid Authn, Translate attributes, VPMan, SARoNGS, MIMAS, Authorisation, Demonstrator]

SARoNGS Architecture
[Diagram labels: User and management portals; VO Management; CTS; MyProxy; CTS access control; research resources (MIMAS); The NGS Grid]

Demo

OneVRE
• VRE funded project
• Connects different institutional portals through Access Grid (AG) technologies
• Connection through AG venues managed by VOMS certificates
• Using SARoNGS for OneVRE VO Management
• User logs in to portal using Proxy Cert issued by SARoNGS, includes all the VOs the user is a member of
• VOs are basis for accessing the AG virtual venues on OneVRE servers
• OneVRE also allows users to securely share data and apps across different AG and OneVRE servers
• http://wiki.rcs.manchester.ac.uk/community/OneVRE

Limitations of the SARoNGS Grid Credentials
• Certs are only as good as the material on which they are based
• NGS would have liked the SARoNGS CA to become accredited with the IGTF, like the UK e-Science CA.
• Not possible:
  • Permitted reuse of eduPersonTargetedId
  • Names are not published
  • Id Management Policies too numerous/varied
  • Revocation vs Lifetime

Past
[Diagram labels: Data Sharing, ASPiS, ES-LoA, iREAD, AGAST, SPIDER, NGS, SARoNGS, SHINTAU, VPMAN, Identity, The Identity Project, Collaboration, GFIVO, CUCKOO, Identification, UK federation, OpenID Review, NAMES, Personalisation, GOLDDUST, DPIE2]

AIM Programme
• 1st Jan 2009 to 31st March 2011 (IdM Toolkit Pilots – Feb-Aug 2011)
• Focus:
  • Process
  • Policy
  • Technology
• Objectives
  • Build foundations for production systems that universities might adopt in the future
  • Prepare the sector for future developments
  • Improve user experience
  • Increase value and make AIM relevant to wider community
  • Enable integrated systems architecture
  • Develop practical tools to enable AIM
Exploring Innovative new areas

AIM Programme
• UK Access Management Federation
• Support
• Expand
• Improve
• Increase uptake
• Funding
• Shibboleth Consortium (JISC, Internet2, SWITCH)
• Technical roadmap
• Governance mechanisms
• Operate open source project => Shibboleth Foundation?
• Extending Access Mgmt into BCE
• Publisher Support
• WAYFless URLs

AIM Projects – NGS
Wie Jie, Thames Valley University, 15 months
• A Proxy Credential Auditing Infrastructure for the UK e-Science National Grid Service
• Develop proxy certificate auditing infrastructure that supports monitoring/auditing use of proxy credential
• General usage monitoring
• Patterns of use and prediction of misuse
• Exploit and harden existing software for this
• Globus Incubator project
• Extensions to support
  • VO-specific monitoring and usage
  • Resource-specific monitoring and usage
• Demonstrate in numerous projects and roll out to NGS
• Case studies: nanoCMOS, ENROLLER, DAMES, NeISS projects
• includes usage of NGS, ScotGrid, TeraGrid, D‐Grid

AIM Projects – Web Services
Fiona Culloch, EDINA, 12 months
• WSTIERIA (Web Services Tiered Internet Authorization)
• Make web services work with UK federation
• Investigating two approaches:
  • using “façade” to handle authentication
  • new Shib features to invoke web service between SPs
• Tested on two application domains:
  • Geospatial web service (SEE-GEO)
  • WebDAV (widely deployed remote file-access protocol layered on HTTP)
• Community Benefit
• Web services interoperate with FAM
• Improve end-user experience by application componentization
• Real components need authorization
• Access presently hidden web services
• Discussing with MIMAS, SDSS, Shibboleth

AIM Projects – Social Net and Shib
Mike Jones, University of Manchester, 9 months
• Identity and Access Management using Social Networking Technologies
• FOAF is an RDF (Resource Description Framework) vocabulary mainly aimed at describing links between people and memberships
• produce a functional WebID (formerly FOAF+SSL) based Authentication system for Shibboleth based IdP and an Authentication and Authorisation system for Globus based grids
• Bridge to SAML/Shibboleth
• Converting information available in RDF into SAML attributes
  • e.g. WebID URI into eduPersonPrincipalName
• Easy to derive membership of a project or (virtual) organisation based on the FOAF relations
• Easier ad-hoc collaborations (potentially with people outside the federation too)

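The RDF-to-SAML bridge on this slide, sketched as an added example (not code from the project or the presentation). The N-Triples documents, the example.org URIs, the use of isMemberOf for group membership and the rule that a membership statement only counts when it comes from the group's own document are all assumptions of this sketch.

```python
import re
from urllib.parse import urldefrag

FOAF_MEMBER = "http://xmlns.com/foaf/0.1/member"
# Matches N-Triples lines whose subject, predicate and object are all URIs.
TRIPLE = re.compile(r'^<([^>]+)>\s+<([^>]+)>\s+<([^>]+)>\s*\.$')

# Constructed sample data: N-Triples text keyed by the URL it was fetched from.
DOCS = {
    # Group document published by the (hypothetical) VO.
    "https://vo.example.org/groups": """
<https://vo.example.org/groups#nanocmos> <http://xmlns.com/foaf/0.1/member> <https://people.example.org/alice#me> .
<https://vo.example.org/groups#enroller> <http://xmlns.com/foaf/0.1/member> <https://people.example.org/bob#me> .
""",
    # Alice's own profile asserting membership of a group she does not publish.
    "https://people.example.org/alice": """
<https://vo.example.org/groups#admins> <http://xmlns.com/foaf/0.1/member> <https://people.example.org/alice#me> .
""",
}

def parse_ntriples(text):
    """Yield (subject, predicate, object) for URI-only triples; skip other lines."""
    for line in text.splitlines():
        match = TRIPLE.match(line.strip())
        if match:
            yield match.groups()

def memberships(webid, docs):
    """Groups that list webid as foaf:member, accepted only when the statement
    sits in the document that defines the group (assumed trust rule)."""
    groups = set()
    for source_url, text in docs.items():
        for subj, pred, obj in parse_ntriples(text):
            if pred == FOAF_MEMBER and obj == webid and urldefrag(subj).url == source_url:
                groups.add(subj)
    return sorted(groups)

def to_saml_attributes(webid, docs):
    """Map an already-authenticated WebID and its FOAF groups to attribute values."""
    return {
        "eduPersonPrincipalName": [webid],       # mapping named on the slide
        "isMemberOf": memberships(webid, docs),  # attribute choice is an assumption
    }

if __name__ == "__main__":
    print(to_saml_attributes("https://people.example.org/alice#me", DOCS))
```

The self-asserted `#admins` statement in Alice's own profile is dropped because it does not come from the document that defines that group.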