  1. Update on Shib+Grid work at National e-Science Centre at the University of Glasgow
  Prof Richard Sinnott
  Technical Director, National e-Science Centre, University of Glasgow
  r.sinnott@nesc.gla.ac.uk

  2. Overview
  • Brief update on Grid/Shib work in
    • GLASS project
    • DyVOSE project
  • Demo… or death by snapshot!?!?
  • Plans for the future in this space
  • …have also explored combinations of Shibboleth and Grid in other projects as reported previously at GGF 16 in Athens

  3. GLASS Project
  • Glasgow early adoption of Shibboleth (GLASS)
  • JISC funded, started March 2006 for 1 year
  • Exploring early adoption of Shibboleth
    • Working with Computer Services directly
  • Scenarios based upon
    • teaching
    • single sign-on to “Grid + non-Grid” resources
    • access to NHS resources/data
      • looking at secure access to and usage of brain trauma patient data at Glasgow Southern General Hospital
  • Builds upon university wide unified account management system being rolled out
    • based on Novell nSure technology

  4. GLASS Status
  • Numerous components/scenarios implemented already
  • Have Shib-enabled various non-Grid based services and integrated them with unified account management system at Glasgow
    • WebSurf
      • Student/staff service, e.g. courses registered, credits earned, grades etc
    • Moodle
      • Glasgow virtual e-learning environment
    • FileStorage (work on-going)
      • All staff/students have access to central, secure storage
    • NetMail (work on-going)
      • All staff/students have access to central, secure email

  5. DyVOSE Project
  • Based on advanced MSc Grid Computing module taught at Glasgow
    • 16 students in 2004/5, 11 students in 2005/6
  • Project involved NeSC Glasgow, NeSC Edinburgh, University of Kent
  • Project more or less complete - final report in progress
  • Work focused initially on static PMI for Grid based VOs using PERMIS
  • Later work focused on dynamic PMI for Grid based VOs using extended version of PERMIS

  6. Static PMI Case Study
  • Applied existing PERMIS technology to establish static Privilege Management Infrastructure at GU
  Figure: GU Condor pool, ScotGrid and other (known!) Grid resources; PERMIS based authorisation; Education VO policies; authorisation checks; authorisation decisions

  7. Early Explorations in Course
  • Students used PERMIS Policy Editor to develop security policy for use in their assignment
    • Sorting/searching “complete works of Shakespeare”
      • … run on single PC,
      • … using training lab Condor pool,
      • … * as GT3.3/Condor service,
      • … as GT3.3 service using GSI,
        • To see how authorisation at service level achieved
        • Service should be accessible by themselves and lecturing staff only
      • … using * for GT3.3-PERMIS authorised service
        • To see how authorisation at method level achieved
        • Students split into groups (studentteam1, studentteam2)
        • Sort method available to their group and lecturers only
        • Search method available to all
        • Made use of GGF SAML AuthZ call-out api
  • Performance aspects investigated throughout…

  8. Dynamicity…?
  • UK Shibboleth federation based around small set of pre-agreed attributes based on eduPerson schema
    • eduPersonScopedAffiliation: indicates the user’s relationship (e.g., staff, student, etc) within the institution;
    • eduPersonTargetedID: needed when an SP is presented with an anonymous assertion only, e.g. eduPersonScopedAffiliation. This attribute provides a persistent user pseudonym;
    • eduPersonPrincipalName: used where a persistent user identifier consistent across different services is needed;
    • eduPersonEntitlement: enables an institution to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource
  • Grid vision for dynamic virtual organisations
    • Add, remove, change people, institutes, their privileges on the fly for changing sets of resources as required by the VO

  9. Putting the “Dy” in DyVOSE
  • Dynamic PMI Case Study
  Figure: Glasgow LDAP and Edinburgh LDAP; Glasgow Education VO policies and Edinburgh Education VO policies; PERMIS based authorisation checks/decisions; Glasgow SoA using Glasgow DIS to issue Edin. roles; Edinburgh SoA using Glasgow DIS to issue Edin. roles; ACs created for Edin. roles; Grid-data Client; data input; Grid BLAST Service (implemented by students); Grid BLAST Data Service; Nucleotide + Protein Sequence DB; protein/nucleotide data returned based on student team role

  10. DyVOSE Dynamic PMI Explorations
  • Dynamic PMI Case Study
    • Students were split into two teams
    • They were issued with Attribute Certificates which assigned them one of two roles (GlaTeamN and GlaTeamP)
    • Students implemented a BLAST Grid Service which queried an external database (hosted in Edinburgh) containing various genomic data
    • Database was PERMIS protected so only members of the correct team got the right data (based on EdTeam roles)
    • Students PERMIS protected their service so only members of their own team could invoke the service

  11. Dynamic PMI Case Study…ctd
  • PERMIS Policy Details
    • BLAST DATA Service (Edinburgh)
      • Send Nucleotide Data if User presents PERMIS Role “EdTeamN”
      • Send Protein Data if User presents PERMIS Role “EdTeamP”
    • BLAST Service (Glasgow)
      • Invoke BLASTN service if User presents PERMIS Role “GlaTeamN”
      • Invoke BLASTP service if User presents PERMIS Role “GlaTeamP”

  12. Delegation Issuing Service (DIS)
  • Dynamic delegation scenarios with DIS
    • Edinburgh issues a Delegation Statement to the Glasgow SoA that allows them (or possibly, depending on policy, someone they delegate to) to assign the EDINBURGH PERMIS role ‘EdTeamN/P’
      • Done through Glasgow policy addition
    • Or…
    • Glasgow SoA trusts Edinburgh SoA to issue these and potentially other roles to local users at Glasgow directly (as determined by own local policy/discretion)
    • Attribute certificates created and signed by DIS
    • Both models supported…
  • Edinburgh Data Service searches both LDAP directories
    • Service finds User entries in Glasgow LDAP that contain the correct Edinburgh role – ACCESS GRANTED
  • ACs should be revocable at any time
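As an added illustration (not PERMIS, DIS or project code) of the authorisation logic on slides 11 and 12: a simplified Python model in which the Edinburgh data service honours an EdTeam role found in the Glasgow LDAP only if the attribute certificate was signed by the Edinburgh SoA itself or by an issuer holding a delegation statement for that role, and has not been revoked. The SoA identifiers, holders and serial numbers are constructed for the example.

```python
# Simplified model of the DyVOSE delegation scenario (added example, not PERMIS/DIS code).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AttributeCert:
    holder: str   # LDAP user entry the AC is stored under
    role: str     # PERMIS role carried by the AC, e.g. "EdTeamN"
    issuer: str   # who signed the AC: an SoA, or the DIS acting for a delegate
    serial: int   # identifies the AC for revocation

@dataclass
class Domain:
    """One site's policy: the roles it defines and whom it trusts to issue them."""
    soa: str
    roles: frozenset
    # delegation statements: issuer -> roles that issuer may assign on the SoA's behalf
    delegations: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)   # serials of withdrawn ACs

    def accepts(self, ac: AttributeCert) -> bool:
        # Role must belong to this domain, the AC must not be revoked, and the signer
        # must be the SoA itself (model 2) or hold a delegation for the role (model 1).
        if ac.role not in self.roles or ac.serial in self.revoked:
            return False
        return ac.issuer == self.soa or ac.role in self.delegations.get(ac.issuer, ())

def roles_for(holder, acs, domain):
    """Roles the domain's decision engine would honour for this holder."""
    return {ac.role for ac in acs if ac.holder == holder and domain.accepts(ac)}

# Slide 11 policy of the Edinburgh BLAST Data Service: role -> data released.
DATA_POLICY = {"EdTeamN": "nucleotide", "EdTeamP": "protein"}

def blast_data_decision(holder, acs, domain):
    """Data sets the Edinburgh service releases to the holder (empty list = denied)."""
    return sorted(DATA_POLICY[r] for r in roles_for(holder, acs, domain) if r in DATA_POLICY)

# Constructed: Edinburgh SoA owns EdTeamN/P and delegates issuing both to the Glasgow SoA.
EDINBURGH = Domain(soa="EdSoA", roles=frozenset(DATA_POLICY),
                   delegations={"GlaSoA": {"EdTeamN", "EdTeamP"}})

# Constructed ACs as they might sit in the Glasgow LDAP after the DIS issued them.
GLASGOW_LDAP = [
    AttributeCert("student1", "EdTeamN", "GlaSoA", 101),    # delegated issue: accepted
    AttributeCert("student2", "EdTeamP", "GlaSoA", 102),    # accepted until revoked
    AttributeCert("student3", "EdTeamP", "lecturer", 103),  # no delegation: rejected
    AttributeCert("student4", "EdTeamN", "EdSoA", 104),     # issued by Edinburgh SoA directly
]

if __name__ == "__main__":
    print(blast_data_decision("student1", GLASGOW_LDAP, EDINBURGH))  # ['nucleotide']
    EDINBURGH.revoked.add(102)
    print(blast_data_decision("student2", GLASGOW_LDAP, EDINBURGH))  # []
```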

  13. Demo

  14. Future Plans
  • Several other projects exploring this space
    • Working with EDINA on Shibboleth access to Geographical Information Systems (project starts in October 2006)
    • Major EPSRC pilot project (£5.3M) on “Meeting the Design Challenges of nanoCMOS Electronics” due to start October 2006
      • Security essential in this domain including support for IP (of data, simulations, processes, licenses,…)
    • Scottish Grid Service proposal outline accepted and case now being made
      • User/e-Research focus with seamless Shib-access and usage of resources, services!
  • Access to - federated!! - Grid resources should be as seamless as accessing the internet for end users...

  15. Questions?

