EGI‐InSPIRE RI‐261323, www.egi.eu
Identity management in the European Grid Infrastructure
Established solutions, new needs, open questions
Gergely Sipos, Technical Outreach Manager, EGI.eu, Amsterdam ([email protected])
9/6/2012
Identity Management for research and collaboration Workshop, Utrecht, 6-7 September 2012
http://www.terena.org/activities/vamp/ws1/
www.egi.euEGI‐InSPIRE RI‐261323
Outline
• European Grid Infrastructure - intro
• AAI in the ‘grid middleware’
  – X509 variants
• FIM in EGI
  – NGIs’ readiness
  – Bridging solutions
  – Pilots, production systems
  – FIM and the EGI Federated Cloud
• Conclusions
The EGI Ecosystem (diagram)
• Public Funding Bodies: European Commission, National Research Councils
• Resource & service Providers: EGI.eu foundation, National Grid Infrastructures (NGIs) ~45
• Technology Providers: grid middleware software, cloud provider software
• User Community: VRCs (Virtual Research Communities) and VOs (Virtual Organisations); TRANSFoRm is shown as an example
Arrow labels in the diagram: Requirements; Policies + Funding (twice); Strategic Feedback; Requirements + Feedback (twice); Services + Support; SW + Support
EGI’s Strategic Focus (http://go.egi.eu/EGI2020)
• Operational Infrastructure
  – Operate a European wide infrastructure
  – Offer its use to other research infrastructures
  – Build a federated cloud environment
• Virtual Research Environments (VREs)
  – Support the development, integration & operation of community/project/domain specific services
• Community & Coordination
  – Community building through events
  – Community networking through the NGIs
Installed capacity (Apr ‘12)
Metric            Value (yearly increase)
Sites             326 (+3%)
Nb. of CPU cores  270,800 (+31%)
Disk              139 PB (+31%)
Tape              134 PB (+50%)
Capacity usage (May 2011-April 2012)
Metric                                        Value (yearly increase)
CPU time Total (Billion HEP‐SPEC 06 hours)    10.5 (+52.91%)
• X.509 meets all requirements but one: simplicity. How can X.509-based infrastructures be simplified for users?
  – MyProxy, online CAs, Terena CAs, robot certificates, ...
  and ... federated identity management
Solutions - issues
Solution to simplify access | Problem with the solution
• MyProxy | Certificate management issues remain
• Terena CAs | (Most of the) certificate management issues remain; limited coverage (geographical & discipline)
• Robot certificates | Auth & logging responsibilities move to portals; users become invisible to the infrastructure; for certain types of applications only
• Short lived credential services (SWITCH SLCS, IGI Online CA) | Limited geographical coverage
• Is Federated Identity Management a better alternative?
  – User communities say YES (FIM workshops & paper)
• Are the NGIs ready for adopting FIM? EGI Virtual Team project: assess the readiness of the NGIs in adopting FIM mechanisms: https://wiki.egi.eu/wiki/VT_Federated_Identity_Providers_Assessment
1. GridCertLib & SLCS (Swiss portals)
2. Online CA (portal for the Italian Grid Infrastructure)
3. Catania Science Gateway framework (various science gateways)
• Make NGIs aware of available (bridging) solutions and the existing gaps – so these can get filled!
  – June 2012: ‘Authentication solutions in EGI’ report: https://documents.egi.eu/document/1178
  – August 2012: Blog post series: http://www.egi.eu/blog/2012/08/09/federated_identity_management.html
  – September 2012: AAI workshop
    • Prague, 19th of September: http://go.egi.eu/aaiworkshop
  – December 2012 (approx): Science Gateway Primer
    • ‘Manual for portal developers’ – written by an EGI Virtual Team project
    • Chapter on integrating science gateways with identity federations
    • https://wiki.egi.eu/wiki/VT_Science_Gateway_Primer
AAI workshop
+ Discussion (16:00‐17:30)
EGI-InSPIRE activities 2.
• Facilitate federated services – pilot & production services
  – AAI pilot for EGA
  – GrIDP federation
  – FIM authentication in the EGI Federated Cloud
AAI Pilot: European Genome-phenome Archive (EGA) (diagram)
Administration path: the user, logged in from the HAKA identity federation, requests access to dataset X through the EGA portal; the Data Access Committee grants access; the Argus policy is updated (SPL, via the PAP CLI).
Execution path: the user requests the dataset from EGA; EGA obtains authz info through the PEP API and provides the dataset.
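The two paths in the pilot diagram, as an added illustration that is not part of the original slides nor of the Argus or EGA software: a small Python stand-in for the policy engine with deny-by-default decisions, a DAC grant/revoke path and an audit trail. All names here (PolicyStore, serve_dataset, pilot_walkthrough, researcher@uni.example, dac-chair@ega.example, dataset-X) are constructed; this is not Argus SPL syntax nor the PAP/PEP API.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class PolicyStore:
    """Constructed stand-in for the policy engine: explicit permit rules plus an audit trail."""
    # dataset id -> federated subject identifiers allowed to read it
    permits: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def grant(self, dac: str, dataset: str, subject: str) -> None:
        """Administration path: a DAC decision becomes an explicit permit rule."""
        self.permits.setdefault(dataset, set()).add(subject)
        self.audit.append(f"GRANT dataset={dataset} subject={subject} by={dac}")

    def revoke(self, dac: str, dataset: str, subject: str) -> None:
        """Administration path: the DAC withdraws access; the next decision is Deny."""
        self.permits.get(dataset, set()).discard(subject)
        self.audit.append(f"REVOKE dataset={dataset} subject={subject} by={dac}")

    def decide(self, subject: str, dataset: str, action: str = "read") -> str:
        """Execution path: deny by default, permit only on an explicit read rule."""
        allowed = action == "read" and subject in self.permits.get(dataset, set())
        decision = "Permit" if allowed else "Deny"
        self.audit.append(f"{decision} action={action} dataset={dataset} subject={subject}")
        return decision

# Constructed archive content; the policy store never holds the data itself.
DATASETS = {"dataset-X": b"<constructed phenotype records>"}

def serve_dataset(store: PolicyStore, subject: str, dataset: str) -> Optional[bytes]:
    """Archive side: obtain the authz decision before handing out any data."""
    if store.decide(subject, dataset) != "Permit":
        return None
    return DATASETS.get(dataset)

def pilot_walkthrough() -> List[str]:
    """The slide's flow end to end; returns the audit trail for inspection."""
    store = PolicyStore()
    # Subject identifier as a HAKA home organisation would release it (constructed value).
    researcher = "researcher@uni.example"
    before = serve_dataset(store, researcher, "dataset-X")   # request before the DAC decided
    store.grant("dac-chair@ega.example", "dataset-X", researcher)  # DAC grants access
    after = serve_dataset(store, researcher, "dataset-X")    # now the decision is Permit
    assert before is None and after is not None
    return store.audit
```

The audit trail records every decision, which is the part a robot-certificate portal loses when the real user is invisible to the infrastructure.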
Grid Identity Pool (GrIDP) federation
EGI.eu Single Sign On (~1700 users at the moment)
GrIDP plans
• Join various (web based) services from the NGIs (e.g. EGI Applications Database)
  – This is also a training for the NGIs!
• Establish identity providers that can perform strong identity validation (e.g. link X509 from the browser to a SAML ID)
• Extend the federation with an ‘attribute provider service’
  – For simpler and fine-grained authz
  – To enable VOs in federation(s)
  – What service? VOMS (EMI-gLite), UVOS (EMI-Unicore), Grouper (Internet2), COIP (Nordunet)
The big challenge for EGI
• Sustainability
  – 20K (X509) users at the moment but 1.8M publicly funded researchers in Europe
  – How do we engage with and support the long-tail of researchers?
• Technology
  – The 99% want other services (e.g. not jobs!)
  – How do we enable these services to be deployed?
• Customers or Users?
  – There are integration costs…. but who pays?
  – PRACE & XSEDE: application process provides strong ties
  – EGI & OSG: virtual organisations a barrier to strong ties
(Chart: number of users, VRCs vs. VOs)
EGI’s answer: Platform architecture (diagram)
• Core infrastructure platform
  – Management and uniform delivery of services
• Diagram labels: Project/community specific services (three boxes), Custom AAI, X.509 AAI
Sites are already available for scientific use cases
EGI FedCloud - timeline
• Sept 2011 – March 2013: Federated Cloud Task Force, https://wiki.egi.eu/wiki/Fedcloud-tf:FederatedCloudsTaskForce
  – Write a blueprint document
  – Deploy a testbed
  – Identify issues from non-technical/non-user areas (policy, operations, dissemination)
• August 2012 – March 2013: Pilot use cases, http://go.egi.eu/cloud
  – Support early adopters using the testbed
  – Collect and investigate requirements from early adopters
  – Establish processes and tools for user-facing services
• Replacing X509 with FIM at the IaaS level?
  – Collaboration with the Contrail project (Oct 2010 – Sep 2013), http://contrail-project.eu
Conclusions
EGI’s requirements for a generic AAI: geographical coverage, science discipline coverage, scalability, robustness, simplicity, sustainability, compatibility with EGI platforms.
• X509 certificates are not perfect, but NGIs ‘got used to it’
• FIM is gaining momentum
  – GrIDP federation
  – Grid portals and X509 bridges
  – Contrail FIM solution in EGI FedCloud
• Open questions
  – Community federations (e.g. ELIXIR) or NREN/NGI federations?
  – How could EGI and the NGIs best support federations? E.g.
    • A global online CA by EGI/Terena?
    • A global attribute service by EGI/Terena for research federations?
    • Training events? Outreach?
  – Is FIM really needed in the middleware, or do bridges do the job?
  – E-infrastructure accounting in the ‘FIM-world’
Questions
EGI Technical Forum 2012, Prague, Czech Republic, 17–21 September, http://tf12.egi.eu