ARCS Authorisation Services
Neil Witheridge, Manager, ARCS Authorisation Services
APAN29, Sydney, February 2010
Australian Government eResearch Investment
• National Collaborative Research Infrastructure Strategy - Platforms for Collaboration (PfC) investment (2007-11)
• Super Science Initiative eResearch Components (2009-13)
• … critical importance of eResearch Infrastructure to future research competitiveness
• … intended to enhance research collaborations, assist researchers to manage massive data sets, and provide super-computing and analysis tools that enable Australian researchers to tackle the complex, national and global issues needed to secure Australia's future.
Source: https://www.pfc.org.au/bin/view/Main
Platforms for Collaboration
PfC component investments:
• Australian Research Collaboration Service (ARCS)
  – Develop and operate services linking systems and resources nationwide
  – Develop and operate collaboration and workflow tools for researchers
  – Includes “Authorisation Services”
• Australian National Data Service (ANDS)
• National Computational Infrastructure (NCI)
• Australian Access Federation (AAF) and Research Networks (AARNET)
Source: http://www.ivec.org/ForumAug09/02_Francis.ppt
ARCS Mission
To provide long-term eResearch support services including, but not limited to, interoperability and collaboration infrastructure and services through a continuous and open process of consultation and engagement with the Australian research community.
ARCS is an unincorporated collaborative venture of the Members of ARCS: ANU, CSIRO, eRSA, Intersect, QCIF, iVEC, TPAC, VPAC … serves as the vehicle for the coordinated delivery of national eResearch support, services and tools.
Source: http://www.arcs.org.au/about
Research Group Needs (diagram)
Elements shown: a Research Group (Principal Investigator and Researchers), each Researcher with identity management in AAF IdP(s); the activities Run Experiment / Generate Data (Instrument), Store Data (Data Storage), Analyse Data (HPC / Grid Services, with a VO configured for accessing Grid resources), Collaboratively Create web content (CMS / Wiki), Write & Publish Report (Repository), and Collaborate / Communicate / Meet; and the caption “Authentication and authorisation for protection of valuable resources”.
ARCS’ Current Tools and Services
• Compute Cloud*
• Grid Services Infrastructure*
• Virtual Machine Hosting
• Data Fabric*
• Database Service
• Data Transfer Service
• Web-based Collaboration
  – Sakai
  – Plone
  – Jabber
  – Joomla
  – Twiki
• Video Collaboration
  – Desktop solution: EVO*
  – Room solution: Access Grid
• Security Services
  – Grid Certificates*
  – Access Service
* Immediately accessible; others require request and coordinated provision to the research group.
ARCS Authorisation Services Role
• Support Research Groups and Service Providers in delivering services requiring authentication and authorisation (authNZ)
• Analyse requirements, and provide expertise, advice and exemplars
  – Exemplars demonstrate what can be done to protect resources
• Implement (procure/develop) and deploy authNZ solutions
  – satisfying research groups’ and service providers’ security requirements
• Provide customer support for ARCS Authorisation Services
  – ARCS CAs, ARCS IdP, ARCS SLCS Server & Clients, ARCS Access Service
• Develop and pursue a ‘unified strategy’ for authNZ
  – Apply security technologies and protocols & track international trends
  – Rely on the AAF for Federated Access (i.e. use Shibboleth)
  – Integrate with Grid Security Infrastructure
  – Analyse access scenarios and identify patterns & solutions
ARCS Access Service
• Provides a Gateway to ARCS Services
• Registration (assignment of Default Authorisation Rights)
  – Tracking user communities (auEduPersonSharedToken)
  – Allocate ARCS Username (ARCS Services unique identifier)
    • consistent user naming across ARCS Services
  – Caching attributes at time of registration
    • Allow detection of attribute change (e.g. IdP, affiliation)
• Authorisation Rights Management
  – Register Authorisation Rights tokens
    • urn:<ServiceIdentifier>:<Token value>
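The registration behaviour on this slide, as an added Python model (not ARCS code): attribute names follow the slide (auEduPersonSharedToken, IdP, affiliation); the ARCS username scheme, the default rights token, the token character classes and the sample attribute sets are assumptions made for illustration.

```python
import re

# Cached attributes keyed by auEduPersonSharedToken, the federation-wide stable user id.
registry: dict[str, dict] = {}
# Authorisation Rights tokens held per ARCS username.
rights: dict[str, set[str]] = {}

# Slide format urn:<ServiceIdentifier>:<Token value>; the character classes are an assumption.
TOKEN_RE = re.compile(r"^urn:([A-Za-z0-9._-]+):([^\s:]+)$")
# Attributes cached at registration so that a later change can be detected.
TRACKED = ("idp", "affiliation")


def allocate_username(display_name: str) -> str:
    """Assumed scheme: lowercase slug of the display name, made unique with a numeric suffix."""
    base = re.sub(r"[^a-z0-9]", "", display_name.lower()) or "user"
    taken = {r["arcs_username"] for r in registry.values()}
    name, n = base, 1
    while name in taken:
        n += 1
        name = f"{base}{n}"
    return name


def register_right(username: str, token: str) -> tuple[str, str]:
    """Accept a token only in the urn:<ServiceIdentifier>:<Token value> form."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError(f"malformed authorisation rights token: {token!r}")
    rights[username].add(token)
    return m.group(1), m.group(2)


def register(attrs: dict, default_rights=("urn:accessservice:registered",)) -> dict:
    """First login: allocate an ARCS username, cache released attributes, assign default rights."""
    shared_token = attrs["auEduPersonSharedToken"]
    if shared_token in registry:
        raise ValueError("already registered")
    username = allocate_username(attrs["displayName"])
    registry[shared_token] = {"arcs_username": username, **{k: attrs[k] for k in TRACKED}}
    rights[username] = set()
    for t in default_rights:  # the default token value is an assumption
        register_right(username, t)
    return registry[shared_token]


def check_login(attrs: dict) -> list[str]:
    """Subsequent login: compare released attributes with the cached copy; return any changes."""
    cached = registry[attrs["auEduPersonSharedToken"]]
    return [f"{k}: {cached[k]} -> {attrs[k]}" for k in TRACKED if cached[k] != attrs[k]]
```

A change reported by check_login (for example a new IdP or affiliation for the same shared token) is the signal on which the Access Service would re-validate the user's registration and rights.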
Current focus on Authentication (diagram)
Elements shown: a researcher who belongs to a Federation IdP (AAF Identity Provider: Authenticate) and is a member of a Research Group, with the same activities as the previous diagram (Run Experiment / Generate Data on an ARCS Instrument, Store Data in the ARCS Data Fabric, Analyse Data on HPC (Grid), Collaboratively Create web content on the ARCS CMS / Wiki, Write & Publish Report to the ARCS Repository, VO configured for accessing Grid resources). Access paths labelled in the diagram:
• AAF-enabled Service (SP): Access using IdP username and password via AAF Login (e.g. Data Fabric, Plone, TWiki)
• ARCS Access Service (SP, 12 wks timeout): Register via Access Service for SLCS, Data Fabric, Wiki, Repository; Confirm Attributes Released by IdP; ARCS username & password (ARCS LDAP); ARCS Cred’s-enabled Service accessed using ARCS username and password, or using IdP username and password via AAF Login (e.g. Data Fabric via webDAV)
• ARCS SLCS Service (SP): IdP Check; Generate Grid (SLCS) Credential; Get SLCS Certificate from the ARCS SLCS CA; Grid Cert-enabled Service (GSI) accessed using ARCS SLCS cert or proxy (e.g. Grid Services, iRODS via iCommands)
• ARCS MyProxy: Get Proxy Certificate (arbitrary username & password)
• ARCS internal/backend processing
ARCS Auth Svcs Future Directions
• Authentication
  – IGTF Accreditation for SLCS (Level-2) CA
  – Explore MICS (Long-lived Grid credentials from IdPs)
  – Understand AAF & Shibboleth Roadmap implications
    • New Shibboleth profiles (ECP, Key-holder)
    • AusCERT PKI and implications
  – Understand Grid Services trends and implications
• Authorisation
  – Develop and utilise the ARCS Access Service
  – Implement Authorisation Rights Management
  – Develop authorisation exemplars (e.g. use of XACML)
Thank you
Questions?