8th EUGridPMA Meeting, Karlsruhe, 2006
The e-Infrastructure AAI roadmap in Europe: trends in European AA policy
EUGridPMA Karlsruhe meeting
David Groep, NIKHEF
Aims of the Integrated AAI
Roadmap for the European e-Infrastructures: create a single seamless AA experience for the user. Spans
• the authentication/ID provisioning domain
• as well as the authorisation area
• across any kind of application
  • ‘grids’ like we know today
  • network access (eduroam)
  • web resource access
  • (m)any other services
8th EUGridPMA Meeting - trends in European AA policy
e-IRG integrated AAI Roadmap
“Trans-disciplinary (Grid projects, NRENs, other user communities) and trans-continental forums that move towards the establishment of a global, seamless AA infrastructure for e-Science applications should be encouraged. The e-IRG wishes to acknowledge the efforts made in this direction by the IGTF and the open information exchange point provided by TERENA task forces.”
Recommendation to the e-IRG, Austrian EU Presidency 2006
e-IRG mandate
The main objective of the e-IRG is to support, on the political, advisory and monitoring level, the creation of a policy and administrative framework for the easy and cost-effective shared use of electronic resources in Europe (focusing on Grid computing, data storage and networking resources) across technological, administrative and national domains.
The e-IRG consists of official delegations from the ministries of Education of the various European countries. It has an important role in assigning funding priorities for EU framework programmes and the strategy for e-Europe.
Contributors
Roadmap contributors and actors in the field
• e-IRG (high-level policy)
• TERENA: TF-EMC2, TF-Mobility
• IGTF
• eduroam™
• GEANT2 JRA5 (eduGAIN)
• REFEDs
• many national federations (CH, ES, NL, NO, UK, …)
• software providers: Shibboleth, A-Select, PAPI, …
Grid Authorization
• ‘user’-centric communities
• either grass-roots or infrastructure-based
• primary applications today in compute/data/database access
Grid AuthZ status
• User-centric community management today
  • for (virtually) all grids based on authentication by IGTF-accredited authorities
  • these assertions are used for authorization, where
    • there is far greater variety in mechanisms and concepts
    • software is in a continuous transition phase
  • actual user communities are ‘expert’ and relatively ‘small’, i.e., O(100 000) users
Grid Authorization
Current (deployed) models in most compute/data grids are all based on ‘proxies’, implementing SSO and delegation
• Identity-based authorization
  • lists of authorized users, possibly organised on a VO basis
  • model is being deprecated in larger deployments
• Attribute-based authorization
  • VO-managed {databases, directories} issuing VO-signed assertions
  • VO identity itself based on IGTF certificates
  • resource providers grant access based on these VO attributes
  • pushed down with the service request (typically as ACs embedded as an extension in the proxy certificate): “VOMS”
  • in part supported by (proxy) credential caches: “MyProxy”
Grid Characteristics
• Special characteristics
  • rights delegation (typically to processes)
  • rights/role selection based on the ‘session’, and not the target resource per se
  • ‘on-demand’ creation of new sources of authority (VOs)
  • grid communities cut through organisations
Software developments in AA
(grid) software has become flexible over the past few years:
• most software now supports both push and pull of attributes and assertions
• it’s slowly becoming syntax-agnostic (X509 (AC), SAML, …)
[figure: push and pull attribute flows, steps 1–4]
OGSA AA model
• Grid (OGSA) AA architecture
  • explicitly acknowledges multiple sources of authority in the authorization chain
graphic: OGSA 1.0, GGF standard track document
Grid Middleware AA support
[figure: runtime authorization chain; graphic: Globus Toolkit 4, Frank Siebenlist et al.]
• PERMIS/XACML PDP, or a SAML PIP, or …
More initiatives
• eduGAIN – summary with too many experts in the room
  • based on ‘federation connectors’ to mediate between federations (domains, realms)
  • common services
    • Home Location Service
    • (can be extended with others)
  • basic interactions
    • (AccessReq/AccessResp)
    • AuthNDataReq/AuthNDataResp
    • HomeLocationReq/HomeLocationResp
    • AttrReq/AttrResp
    • AuthZReq/AuthZResp
  • using WS and SAML
  • see links provided by Reimer and Diego
What is happening now?
Several domains have implemented some integrated AAI today
• ‘evaluationary’ grid middleware solutions – targeted at ‘expert power users’
• wireless network access – targeted at ‘the masses’, almost irrespective of status
• web resources – targeted at ‘selected academic users’, but not very selective as resources are not ‘high value’
• …
Production app: eduroam
• transparent (wireless) network access based on credentials issued by the home organisation
• distributed RADIUS infrastructure based on pair-wise hierarchical trust
• no ‘qualified’ AuthZ
Production apps examples
• Examples from the Access Management Infrastructure for the UK
  • ScienceDirect
  • BlackBoard
  • BIOSIS
  • CAB Abstracts
  • Education Image Gallery, Education Media Online
  • Index to The Times
  • Land, Life & Leisure
  • Statistical Accounts of Scotland
  • Landmap
  • Zetoc Alert, Search
• other domains have started to use similar technology (such as the Dutch government DigID project using A-Select)
Issues with integration
• Wider value range of resources to control
  • from ‘low-risk’ wireless access to ‘high-risk’ supercomputers
• To engage more users, the current model of user-held credentials, or of having disparate credentials for ‘grid’ and other activities, is not necessarily sustainable
  • only scientific power users could maybe manage
  • a general audience just cannot handle the current grid AA systems
• need integrated models that respect local autonomy, recognise existing credential quality, and retain the global coordination we have today
  • note that this is technology-agnostic, it’s pure policy
  • the software stacks we have today can almost do anything
Possible interfaces to integration
• indirect AuthN based on existing IdMs
• enable grid AuthN systems (e.g. VOMS) to also propagate other (home) IdM attributes
• enable resource access controls to talk to multiple SoAs
• express VO membership as a function of home IdM attributes
The reverse can also be considered
• VO membership could entitle you to ‘guest’ associate-ship with a real organisation, so that (selected) VO members can use resources that are available to the real organisation
• these scenarios are largely independent of the middleware (GSI or Shib or A-Select or …)
  • except that SAML cannot yet support (restricted) delegation well
1. PKI AuthN based on existing IdMs
• see presentation by Christoph Witzig in a moment
2. Propagating other IdP attributes
slide from: Christoph Witzig, SWITCH, EGEE MWSG 2006-09-27
3. Multiple SoA support in access control
• enable resource access controls to talk to multiple SoAs
• based on a pluggable authorization framework, such as in newer middleware like Globus Toolkit 4, gLite, &c
graphic from: Christoph Witzig, SWITCH, GGF16, February 2006
4. VO membership as a function of home attributes
query to resolve membership list of FQAN ?!
role: production
members:
- John Doe
- the students of UHO: class 101, 2008
- Maggie
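Added example, not from the slides or from any VOMS or Shibboleth release: a small Python resolver that expresses VO membership as a function of home IdM attributes, as on this slide, with a per-rule minimum level of assurance so that attributes of differing quality do not silently grant a role. The attribute names, LoA labels, organisation names and people are all constructed.

```python
from dataclasses import dataclass, field
# Constructed assurance ranking; defining real LoA levels is the policy work the slides ask for.
LOA_RANK = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Assertion:
    """What a home organisation (UHO) IdP asserts about one user."""
    name: str        # stands in for the IGTF certificate DN that is the VO identity
    home_org: str    # the IdP that made the assertion
    loa: str         # assurance level the IdP vouches for
    attributes: dict = field(default_factory=dict)  # attr -> set of values

@dataclass
class Rule:
    """Every required value must be asserted by home_org at or above min_loa."""
    home_org: str
    required: dict   # attr -> value that must be present
    min_loa: str = "low"
    def matches(self, a: Assertion) -> bool:
        if a.home_org != self.home_org or LOA_RANK[a.loa] < LOA_RANK[self.min_loa]:
            return False
        return all(v in a.attributes.get(k, set()) for k, v in self.required.items())

# Constructed VO role mirroring the slide's 'production' role: two named people plus
# the students of UHO class 101 (2008), accepted only from an IdP of at least medium LoA.
ROLES = {"/vo.example/Role=production": {
    "explicit": {"John Doe", "Maggie"},
    "rules": [Rule("uho.example", {"affiliation": "student", "course": "101", "year": "2008"}, "medium")],
}}

def resolve_fqans(a: Assertion) -> list:
    """FQANs a user holds; holding a Role implies membership of its group."""
    fqans = set()
    for fqan, role in ROLES.items():
        if a.name in role["explicit"] or any(r.matches(a) for r in role["rules"]):
            fqans.update({fqan, fqan.split("/Role=")[0]})  # the role and its group
    return sorted(fqans)

def membership_list(fqan: str, assertions: list) -> list:
    """Resolve the current membership list of one FQAN (the slide's query)."""
    return sorted(a.name for a in assertions if fqan in resolve_fqans(a))

# Constructed samples: Bob is in class 102; Carol matches but her IdP asserts only low LoA.
ASSERTIONS = [
    Assertion("John Doe", "other.example", "medium", {"affiliation": {"staff"}}),
    Assertion("Maggie", "uho.example", "high", {"affiliation": {"staff"}}),
    Assertion("Alice", "uho.example", "medium", {"affiliation": {"student"}, "course": {"101"}, "year": {"2008"}}),
    Assertion("Bob", "uho.example", "medium", {"affiliation": {"student"}, "course": {"102"}, "year": {"2008"}}),
    Assertion("Carol", "uho.example", "low", {"affiliation": {"student"}, "course": {"101"}, "year": {"2008"}}),
]
```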
Many interesting issues to be addressed
Technical issues are solvable – policy harmonisation is non-trivial
• far wider range of qualities in the attributes
• different incentives for keeping information current
• responsibility for attributes resides with different parties
  • VO to manage community membership – but can small VOs maintain such an infrastructure? a task for an (independent) ‘e-Infrastructure’ provider
  • home organisation to manage organic attributes – but not all attributes are usually considered ‘equally valuable’, and there is lots of variety between the UHOs
• access rights may suddenly depend on attributes with different quality
“encourage work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions.”
e-IRG Recommendation, Dutch EU Presidency 2004
• how do we go about it?
• what role do we have in this domain?
• we have experience in policy coordination ...
Proposal: possible directions forward
• At the national level, for each authority
  • monitor developments towards the creation of national AAIs and federations
  • engage in (national) AAI initiatives that support your current and potential subscriber base
  • promote the bridging of emerging federations at the national level
• At the European and global level
  • ensure awareness of IGTF policy coordination work and its relevance to the overall AAI developments
  • actively foster the definition of levels of assurance and their expression in all relevant syntaxes, and engage in the definition of these levels
  • ensure that our policies do not inadvertently put up roadblocks on the way towards an integrated AAI
  • promote (national) federations that interface with our current and future subscriber base at both the AuthN and (later) the AuthZ level