ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010
Australian Government eResearch Investment
• National Collaborative Research Infrastructure Strategy - Platforms for Collaboration (PfC) investment (2007-11)
• Super Science Initiative eResearch Components (2009-13)
• … critical importance of eResearch Infrastructure to future research competitiveness
• … intended to enhance research collaborations, assist researchers to manage massive data sets, and provide super-computing and analysis tools that enable Australian researchers to tackle the complex, national and global issues needed to secure Australia's future.
Source: https://www.pfc.org.au/bin/view/Main
Platforms for Collaboration
PfC component investments:
• Australian Research Collaboration Service (ARCS)
  • Develop and operate services linking systems and resources nationwide
  • Develop and operate collaboration and workflow tools for researchers
  • Includes “Authorisation Services”
• Australian National Data Service (ANDS)
• National Computational Infrastructure (NCI)
• Australian Access Federation (AAF) and Research Networks (AARNET)
Source: http://www.ivec.org/ForumAug09/02_Francis.ppt
ARCS Mission
To provide long-term eResearch support services including, but not limited to, interoperability and collaboration infrastructure and services through a continuous and open process of consultation and engagement with the Australian research community.
ARCS is an unincorporated collaborative venture of the Members of ARCS: ANU, CSIRO, eRSA, Intersect, QCIF, iVEC, TPAC, VPAC … serves as the vehicle for the coordinated delivery of national eResearch support, services and tools.
Source: http://www.arcs.org.au/about
Research Group Needs
[Diagram: a research group's activities mapped onto the resources they need, with identity management in AAF IdP(s) on one side and the protected resources on the other.]
• Actors: Principal Investigator, Researchers; identity managed in AAF IdP(s)
• Activities and resources: Write & Publish Report (Research Group Repository); Collaborate, Communicate, Meet; Analyse Data (HPC Grid Services, with a VO configured for accessing Grid resources); Store Data (Data Storage); Collaboratively Create web content (CMS / Wiki); Run Experiment, Generate Data (Instrument)
• Caption: Authentication and authorisation for protection of valuable resources
ARCS’ Current Tools and Services
• Compute Cloud*, Grid Services Infrastructure*, Virtual Machine Hosting, Data Fabric*, Database Service, Data Transfer Service
• Web-based Collaboration: Sakai, Plone, Jabber, Joomla, Twiki
• Video Collaboration: desktop solution EVO*; room solution Access Grid
• Security Services: Grid Certificates*, Access Service
* Immediately accessible; others require request and coordinated provision to the research group.
ARCS Authorisation Services Role
• Support Research Groups and Service Providers in delivering services requiring authentication and authorisation (authNZ)
  • Analyse requirements, and provide expertise, advice and exemplars
  • Exemplars demonstrate what can be done to protect resources
• Implement (procure/develop) and deploy authNZ solutions satisfying research groups’ and service providers’ security requirements
• Provide customer support for ARCS Authorisation Services: ARCS CAs, ARCS IdP, ARCS SLCS Server & Clients, ARCS Access Service
• Develop and pursue a ‘unified strategy’ for authNZ
  • Apply security technologies and protocols, and track international trends
  • Rely on the AAF for Federated Access (i.e. use Shibboleth)
  • Integrate with Grid Security Infrastructure (GSI)
  • Analyse access scenarios and identify patterns & solutions
ARCS Access Service
• Provides a Gateway to ARCS Services
• Registration (assignment of Default Authorisation Rights)
  • Tracking user communities (auEduPersonSharedToken)
  • Allocate ARCS Username (the unique identifier across ARCS Services), giving consistent user naming across ARCS Services
  • Caching attributes at time of registration, to allow detection of attribute change (e.g. IdP, affiliation)
• Authorisation Rights Management
  • Register Authorisation Rights tokens of the form urn:<ServiceIdentifier>:<Token value>
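The registration pattern above, as an added example in Python (not ARCS code): key the user on auEduPersonSharedToken, allocate a unique ARCS username, cache the released attributes so a later login can be checked for IdP or affiliation change, enforce the 12-week registration lifetime the deck mentions, and store default rights as urn:<ServiceIdentifier>:<Token value> tokens. The attribute header name IDP_ATTR, the DEFAULT_RIGHTS table, the username rule and all sample users are assumptions made here for illustration; auEduPersonSharedToken and eduPersonAffiliation are the standard AAF/eduPerson attribute names.

```python
# Added example (not ARCS code): the Access Service pattern on the slide above.
# auEduPersonSharedToken/eduPersonAffiliation are standard AAF/eduPerson attributes;
# IDP_ATTR, DEFAULT_RIGHTS, the username rule and the sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

TOKEN_ATTR = "auEduPersonSharedToken"  # persistent per-user identifier from the IdP
IDP_ATTR = "Shib-Identity-Provider"    # assumed: entityID of the releasing IdP
TRACKED = (IDP_ATTR, "eduPersonAffiliation", "mail")  # cached to detect change
REGISTRATION_LIFETIME = timedelta(weeks=12)            # the slides' "12 wks timeout"
DEFAULT_RIGHTS = {"slcs": "user", "datafabric": "read", "wiki": "edit"}  # assumed


def make_rights_token(service: str, value: str) -> str:
    """Build a token in the urn:<ServiceIdentifier>:<Token value> form."""
    if not service or ":" in service or not value:
        raise ValueError("service identifier must be non-empty and contain no ':'")
    return f"urn:{service}:{value}"


def parse_rights_token(token: str) -> Optional[Tuple[str, str]]:
    """Split a token into (service, value), or None if malformed; value may contain ':'."""
    parts = token.split(":", 2)
    if len(parts) != 3 or parts[0] != "urn" or not parts[1] or not parts[2]:
        return None
    return parts[1], parts[2]


@dataclass
class Registration:
    arcs_username: str          # unique identifier across ARCS services
    cached: Dict[str, str]      # tracked attributes as released at registration
    registered_at: datetime
    rights: Set[str] = field(default_factory=set)


class AccessService:
    def __init__(self) -> None:
        self._by_shared_token: Dict[str, Registration] = {}
        self._usernames: Set[str] = set()

    def _allocate_username(self, released: Dict[str, str]) -> str:
        # Assumed rule: local part of mail, lowercased, numeric suffix on collision.
        base = released.get("mail", "").split("@", 1)[0].lower() or "user"
        candidate, n = base, 1
        while candidate in self._usernames:
            n += 1
            candidate = f"{base}{n}"
        self._usernames.add(candidate)
        return candidate

    def register(self, released: Dict[str, str], now: datetime) -> Registration:
        """Register from IdP-released attributes; cache them and assign default rights."""
        shared = released[TOKEN_ATTR]
        if shared in self._by_shared_token:
            raise ValueError("already registered; use check_attributes() on login")
        reg = Registration(self._allocate_username(released),
                           {a: released.get(a, "") for a in TRACKED}, now,
                           {make_rights_token(s, v) for s, v in DEFAULT_RIGHTS.items()})
        self._by_shared_token[shared] = reg
        return reg

    def check_attributes(self, released: Dict[str, str],
                         now: datetime) -> Tuple[Optional[Registration], Set[str], bool]:
        """On a later login: (registration or None, tracked attributes that changed, expired?)."""
        reg = self._by_shared_token.get(released.get(TOKEN_ATTR, ""))
        if reg is None:
            return None, set(), False
        changed = {a for a in TRACKED if released.get(a, "") != reg.cached[a]}
        return reg, changed, now - reg.registered_at > REGISTRATION_LIFETIME

    def authorise(self, shared: str, service: str, value: str) -> bool:
        """Service-side check: does the user hold the named rights token?"""
        reg = self._by_shared_token.get(shared)
        return reg is not None and make_rights_token(service, value) in reg.rights


def demo() -> dict:
    """Constructed scenario: two users, an attribute change, an expiry and a grant."""
    svc, t0 = AccessService(), datetime(2010, 2, 1)
    alice = {TOKEN_ATTR: "tok-alice", IDP_ATTR: "https://idp.example.edu/idp",
             "eduPersonAffiliation": "staff", "mail": "alice@example.edu"}
    other = {TOKEN_ATTR: "tok-other", IDP_ATTR: "https://idp.other.edu/idp",
             "eduPersonAffiliation": "student", "mail": "alice@other.edu"}
    r1, r2 = svc.register(alice, t0), svc.register(other, t0)
    _, changed, _ = svc.check_attributes(dict(alice, eduPersonAffiliation="affiliate"),
                                         t0 + timedelta(weeks=1))
    _, stale_changed, expired = svc.check_attributes(alice, t0 + timedelta(weeks=13))
    unknown, _, _ = svc.check_attributes({TOKEN_ATTR: "tok-nobody"}, t0)
    r1.rights.add(make_rights_token("repository", "publish"))  # an extra right granted later
    return {
        "usernames": (r1.arcs_username, r2.arcs_username),
        "changed": sorted(changed),
        "stale": (sorted(stale_changed), expired),
        "unknown": unknown is None,
        "default_right": "urn:datafabric:read" in r1.rights,
        "repo": (svc.authorise("tok-alice", "repository", "publish"),
                 svc.authorise("tok-other", "repository", "publish")),
    }
```

The point of caching at registration is the third return value of check_attributes: a user whose IdP or affiliation no longer matches the cached copy, or whose registration has aged past the lifetime, should be sent back through registration rather than silently keeping rights assigned under the old attributes. Tokens are compared as whole strings, so a service identifier is forbidden from containing ':' to keep urn:<ServiceIdentifier>:<Token value> unambiguous while the value part is still allowed to.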
Research Group Needs mapped onto ARCS services (current focus on Authentication)
[Diagram: the Research Group Needs scenario with each resource fronted by a Shibboleth SP or a GSI-protected service; the researcher's IdP belongs to the Federation (AAF).]
• Steps: Confirm attributes released by IdP; Register via Access Service for SLCS, Data Fabric, Wiki, Repository; Generate Grid (SLCS) credential; Check member of Research Group (VO configured for accessing Grid resources)
• ARCS services: ARCS IdP, ARCS Access Service, ARCS SLCS Service, LDAP
• Resources: ARCS Repository (SP) for Write & Publish Report; HPC (Grid) via GSI for Analyse Data; ARCS Data Fabric (SP, webDAV) for Store Data; ARCS CMS / Wiki (SP) for Collaboratively Create web content; Instrument via GSI for Run Experiment, Generate Data
ARCS authentication paths
[Diagram: three ways a user reaches an ARCS service, each backed by ARCS internal/backend processing.]
• AAF-enabled service (e.g. Data Fabric, Plone, TWiki): access using IdP username and password via AAF Login; the SP registers the user via the ARCS Access Service (12 weeks timeout)
• ARCS credentials-enabled service (e.g. Data Fabric via webDAV): access using ARCS username and password, authenticated against ARCS LDAP
• Grid certificate enabled service (e.g. Grid Services, iRODS via iCommands): get an SLCS certificate from the ARCS SLCS Service (ARCS SLCS CA) after AAF Login with IdP username and password, or get a proxy certificate from ARCS MyProxy (arbitrary username & password); access using the ARCS SLCS certificate or proxy
ARCS Auth Svcs Future Directions
• Authentication
  • IGTF (International Grid Trust Federation) accreditation for the SLCS (Level-2) CA
  • Explore MICS (Member Integrated Credential Service: long-lived Grid credentials from IdPs)
  • Understand AAF & Shibboleth roadmap implications
    • New Shibboleth profiles (ECP, Holder-of-Key)
  • AusCERT PKI and implications
  • Understand Grid Services trends and implications
• Authorisation
  • Develop and utilise the ARCS Access Service
  • Implement Authorisation Rights Management
  • Develop authorisation exemplars (e.g. use of XACML)
Thank you. Questions?