Accessing e-Infrastructure

TF-EMC2 Lyon - 14/02/2011

Christopher Brown
Digital Infrastructure


Page 2: e-Infrastructure Programme

April 2006 – March 2009

Followed UK’s 5 year investment in e-Science infrastructure

Aims:

– Increase the benefits to, and use of, e-Infrastructure by a wider user base
– Ensure that e-Infrastructure builds on and shares common core services
– Explore the ways in which the benefits of the capabilities being developed in grid computing can be transferred to other domains

4 thematic areas:

– Community engagement and support
– e-Infrastructure security
– Grid services and tools
– Knowledge organisation and semantic services

Page 3: National Grid Service (NGS)

Aims to facilitate UK research by providing access to a broad range of computational and data based resources.

– Deliver a production quality e-infrastructure to support academic research across all Higher Education Institutes (HEIs) in the UK
– Provide core services to enable collaborative access to computing and data resources in support of UK researchers
– Ensures UK researchers can efficiently exploit computing facilities across the globe – developed partnerships with infrastructures in EU, US, etc.

http://www.ngs.ac.uk/

Page 4: National Grid Service (NGS)

Free to use for UK academics

Joining process:

– Apply for your personal e-Science Certificate from the UK Certification Authority
– Download your certificate into your browser
– Apply for a NGS Grid Account
– Backup your Certificate and Private Key from your browser
– Run the Certificate Wizard to set up your computer
– Get started using NGS tools

http://www.ngs.ac.uk/

Page 5: SARoNGS (Jan 2008 – March 2009)

To deliver into production a Shibboleth based infrastructure for the NGS, to enable HEI users/researchers to access NGS resources using their institutional identities as provided through membership of the UK federation.

Goals:

– Broaden the NGS user base.
– Easier access for researchers who are not technology specialists
– Easier support for the Service Provider
– Prevent unauthorised access
– Deliver a production service

Access to NGS resources:

– People use X.509 Certificates
– Trusted globally – IGTF
– Sometimes seen as challenging to use

Page 6: SARoNGS

In SARoNGS

– People who have certificates can keep using them
– Created transparently for people who don’t
– Users don’t even know they have certificates

What’s in it for you?

– Users get non-certificate access to the NGS, mainly via portals
– SPs can hook into NGS SP/portal (if you wish), particularly if you require X.509
– Use NGS’ VO management infrastructure
– Non-UK federations: can be reused

http://www.jisc.ac.uk/whatwedo/programmes/einfrastructure/sarongs.aspx
https://cts.ngs.ac.uk/

Page 7: SARoNGS

4 main activities

– to provide grid authentication tied to the UK AMF (a new service based upon outputs from the ShibGrid project)
– to link this authentication token with VO attributes from the grid computing domain
– to translate attributes within the context of UK AMF into attributes suitable for consumption by grid computing infrastructures (a new service based upon the outputs of the SHEBANGS project)
– to demonstrate these via both subject based and generic demonstrator applications

[Diagram labels: SARoNGS; SHEBANGS; VPMan; ShibGrid; MIMAS; Grid Authn; Translate attributes; Authorisation; Demonstrator]

Page 8: SARoNGS Architecture

[Diagram labels: CTS MyProxy; User and management portals; The NGS Grid; VO Management; CTS access control; research resources (MIMAS)]

Pages 9 to 15: SARoNGS Architecture

[Diagram slides; no text content]

Page 16: Demo

Page 17: OneVRE

VRE funded project

Connects different institutional portals through Access Grid (AG) technologies

Connection through AG venues managed by VOMS certificates

Using SARoNGS for OneVRE VO Management

– User logs in to portal using Proxy Cert issued by SARoNGS, includes all the VOs the user is a member of
– VOs are basis for accessing the AG virtual venues on OneVRE servers
– OneVRE also allows users to securely share data and apps across different AG and OneVRE servers

http://wiki.rcs.manchester.ac.uk/community/OneVRE

Page 18: Limitations of the SARoNGS Grid Credentials

Certs are only as good as the material on which they are based

NGS would’ve liked to have the SARoNGS CA to become accredited with the IGTF like the UK e-Science CA.

Not possible:

– Permitted reuse of eduPersonTargetedId
– Names are not published
– Id Management Policies too numerous/varied
– Revocation vs Lifetime

Page 19: Past

– Collaboration: GFIVO, CUCKOO
– NGS: SARoNGS, SHINTAU, VPMAN
– Identification: UK federation, OpenID Review, NAMES
– Data Sharing: ASPiS, ES-LoA, iREAD, AGAST, SPIDER
– Personalisation: GOLDDUST, DPIE2
– Identity: The Identity Project

Page 20: AIM Programme

1st Jan 2009 to 31st March 2011 (IdM Toolkit Pilots – Feb-Aug 2011)

Focus:

– Process
– Policy
– Technology

Objectives

– Build foundations for production systems that universities might adopt in the future
– Prepare the sector for future developments
– Improve user experience
– Increase value and make AIM relevant to wider community
– Enable integrated systems architecture
– Develop practical tools to enable AIM

Exploring Innovative new areas

Page 21: AIM Programme

UK Access Management Federation

– Support
– Expand
– Improve
– Increase uptake

Funding

– Shibboleth Consortium (JISC, Internet2, SWITCH)
  • Technical roadmap
  • Governance mechanisms
  • Operate open source project => Shibboleth Foundation?
– Extending Access Mgmt into BCE
– Publisher Support
– WAYFless URLs

Page 22: AIM Projects – NGS

A Proxy Credential Auditing Infrastructure for the UK e-Science National Grid Service

– Develop proxy certificate auditing infrastructure that supports monitoring/auditing use of proxy credential
  • General usage monitoring
  • Patterns of use and prediction of misuse
  • Exploit and harden existing software for this
    • Globus Incubator project
  • Extensions to support
    • VO-specific monitoring and usage
    • Resource-specific monitoring and usage
– Demonstrate in numerous projects and roll out to NGS

Case studies: nanoCMOS, ENROLLER, DAMES, NeISS projects

  • includes usage of NGS, ScotGrid, TeraGrid, D-Grid

Wie Jie, Thames Valley University, 15 months

Page 23: AIM Projects – Web Services

WSTIERIA (Web Services Tiered Internet Authorization)

– Make web services work with UK federation
– Investigating two approaches:
  • using “façade” to handle authentication
  • new Shib features to invoke web service between SPs
– Tested on two application domains:
  • Geospatial web service (SEE-GEO)
  • WebDAV (widely deployed remote file-access protocol layered on HTTP)
– Community Benefit
  • Web services interoperate with FAM
  • Improve end-user experience by application componentization
    – Real components need authorization
  • Access presently hidden web services
– Discussing with MIMAS, SDSS, Shibboleth

Fiona Culloch, EDINA, 12 months

Page 24: AIM Projects – Social Net and Shib

Identity and Access Management using Social Networking Technologies

– FOAF is an RDF (Resource Description Framework) vocabulary mainly aimed at describing links between people and memberships
– produce a functional WebID (formerly FOAF+SSL) based Authentication system for Shibboleth based IdP and an Authentication and Authorisation system for Globus based grids
– Bridge to SAML/Shibboleth
  • Converting information available in RDF into SAML attributes
    – e.g. WebID URI into eduPersonPrincipalName
– Easy to derive membership of a project or (virtual) organisation based on the FOAF relations
– Easier ad-hoc collaborations (potentially with people outside the federation too)

Mike Jones, University of Manchester, 9 months

Page 25: Any questions?