www.egi.eu   EGI‐InSPIRE RI‐261323
Identity management in the European Grid Infrastructure
Established solutions, new needs, open questions

Gergely Sipos, Technical Outreach Manager
EGI.eu, [email protected]

9/6/2012, Identity Management for research and collaboration Workshop
Utrecht, 6-7 September 2012, http://www.terena.org/activities/vamp/ws1/
Outline

• European Grid Infrastructure - intro
• AAI in the ‘grid middleware’
  – X509 variants
• FIM in EGI
  – NGIs’ readiness
  – Bridging solutions
  – Pilots, production systems
  – FIM and the EGI Federated Cloud
• Conclusions
The EGI Ecosystem
[Diagram: the EGI ecosystem. Actors: Public Funding Bodies (European Commission, National Research Councils); Resource & service Providers (EGI.eu foundation, National Grid Infrastructures (NGIs) ~45); Technology Providers (Grid middleware software, Cloud provider software); User Community (VRC: Virtual Research Community, VO: Virtual Organisation; e.g. TRANSfoRm). Labelled flows between them: Requirements, Policies + Funding, Strategic Feedback, Requirements + Feedback, Services + Support, SW + Support.]
EGI’s Strategic Focus (http://go.egi.eu/EGI2020)

• Operational Infrastructure
  – Operate a European wide infrastructure
  – Offer its use to other research infrastructures
  – Build a federated cloud environment
• Virtual Research Environments (VREs)
  – Support the development, integration & operation of community/project/domain specific services
• Community & Coordination
  – Community building through events
  – Community networking through the NGIs
Installed capacity (Apr ‘12)

Metric             Value (yearly increase)
Sites              326 (+3%)
Nb. of CPU cores   270,800 (+31%)
Disk               139 PB (+31%)
Tape               134 PB (+50%)
Capacity usage (May 2011-April 2012)

Metric                                              Value (yearly increase)
CPU time, total (billion HEP‐SPEC 06 hours)         10.5 (+52.91%)
Computing jobs, total (million)                     492.5 (+46.42%)
Computing jobs, average per day (million)           1.35

% of total consumed CPU time
High‐Energy Physics            93.60%
Astronomy and Astrophysics     2.25%
Life Sciences                  1.30%
Various disciplines            1.23%
Remaining disciplines          1.62%

Note on the slide: first runs of the Large Hadron Collider.
Operations

[Diagram (30/05/2012): software provisioning pipeline. External Technology Providers (EMI, IGE, SAGA for cluster grids; EDGI for desktop grids) receive Requirements and deliver Software; the Provisioning Infrastructure takes it through Criteria Definition, Criteria Verification and Staged Rollout to Production, where it becomes Deployed Software. Further label on the slide: SU.]
• EGI Technology Roadmap
AAI in the ‘grid middleware-based EGI’

Grid = federated resources exposed for controlled sharing via middleware services
– X.509 personal certificates (tens of thousands of users)
  • From IGTF CAs
  • From Terena Certificate Service (federated request)
– Limited certificates (thousands of users)
  • Restricted in lifetime and/or infrastructure coverage
  • E.g. GILDA CA (http://gilda.ct.infn.it/certification-authority)
  • E.g. Swiss Short Lived Credential Service (SLCS)
– Robot certificates (hundreds of users, <100 robot certificates)
  • Identify applications (often portals) instead of users
  • Growing popularity and availability
  • https://wiki.egi.eu/wiki/Robot_certificates
  • https://wiki.egi.eu/wiki/EGI_robot_certificate_users
Nb. of users: ~20,000 in total
AAI Challenges

• EGI requirements for a generic AAI:
  – Geographical coverage, science discipline coverage, scalability, robustness, simplicity, sustainability, compatibility with VRE & EGI operations services
• X.509 meets all but one: simplicity. How can X.509 based infrastructures be simplified for users?
  – MyProxy, online CAs, Terena CAs, robot certificates, ...
  – and ... federated identity management
Solutions - issues

Solution to simplify access                                    Problem with the solution
MyProxy                                                        • Certificate management issues remain
Terena CAs                                                     • (Most of the) certificate management issues remain
                                                               • Limited coverage (geographical & discipline)
Robot certificates                                             • Auth & logging responsibilities move to portals
                                                               • Users become invisible to the infrastructure
                                                               • For certain types of applications only
Short lived credential services (SWITCH SLCS, IGI Online CA)   • Limited geographical coverage

• Is Federated Identity Management a better alternative? User communities say YES (FIM workshops & paper)
• Are the NGIs ready for adopting FIM? EGI Virtual Team project: assess the readiness of the NGIs in adopting FIM mechanisms: https://wiki.egi.eu/wiki/VT_Federated_Identity_Providers_Assessment
FIM assessment - EGI Virtual Team project

• Participants from Czech, French, Italian, Irish, Swiss NGIs + EGI.eu
• Defined, then filled a survey:

Survey questions:
  Q1: Are personal e‐science certificates from Terena Certificate Service (TCS) available in the NGI?
  Q2: Are the Grid institutions of the NGI in the national TCS federation?
  Q3: Are the institutions of the potential users of your NGI eligible for certificates from TCS?
  Q4: Are there other relevant ‘federated identity’ based authentication services available in the NGI?

NGI           Q1                                Q2                           Q3       Q4
Ireland       No (but server certificates are)  N.A.                         N.A.     Exploring possibilities of a SLCS CA
Czech Rep.    Yes                               All major but one (ongoing)  Partly   No
France        No                                N.A.                         N.A.     No
Switzerland   No                                N.A.                         N.A.     SLCS (IGTF accredited)
Italy         Yes                               Most                         Partly   Preparing a MICS CA

https://wiki.egi.eu/wiki/VT_Federated_Identity_Providers_Assessment
The Identity Federations of the NRENs are similarly exclusive
Possibilities for FIM integration with EGI

1. Middleware services ‘speak’ FIM (accept SAML assertions)
   • External technology providers! EMI & IGE plans are under development
     – EMI MJRA1.12 (Common Security Architecture Assessment)
   • Accounting systems must also be adapted (SAML vs. certificate DN)
2. FIM-X509 bridging – mapping SAML identity to X509. Various solutions, routine usage:
   1. GridCertLib & SLCS (Swiss portals)
   2. Online CA (portal for the Italian Grid Infrastructure)
   3. Catania Science Gateway framework (various science gateways)
GridCertLib & SLCS

[Diagram: a web portal (for example WS‐PGRADE) passes the SAML assertion from the FIM login to GridCertLib (Java library); GridCertLib obtains an SLCS certificate from SLCS and a grid proxy with VOMS attributes from VOMS (~11 days); the portal works with a fixed VO and a unique user ID.]

Contact: Sergio Maffioletti ([email protected]) – GridCertLib; Zoltán Farkas ([email protected]) – WS‐PGRADE
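The bridging step described on this slide and in point 2 of the previous one, as an added example (not code from EGI, GridCertLib, SLCS or WS‐PGRADE): the portal checks the SAML assertion it got from the FIM login, maps the federated identity to a fixed VO and a unique user ID, and produces a short-lived credential record with the ~11-day lifetime. The IdP, portal SP, CA namespace and user are constructed placeholders.

```python
# Added example, not code from EGI, GridCertLib or SLCS: model of the FIM-to-X.509
# bridge a portal performs. Signature checking of the assertion is assumed done earlier.
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"   # eduPersonPrincipalName
PROXY_LIFETIME = timedelta(days=11)         # "~11 days" on the GridCertLib slide
SAMPLE_NOW = datetime(2012, 9, 6, 8, 30, tzinfo=timezone.utc)
# Constructed sample assertion (hypothetical IdP, portal SP and user), as the
# FIM login would hand it to the portal.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
 <saml:Conditions NotBefore="2012-09-06T08:00:00Z" NotOnOrAfter="2012-09-06T09:00:00Z">
  <saml:AudienceRestriction><saml:Audience>https://portal.example.org/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
  <saml:AttributeValue>[email protected]</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, audience, now):
    """Return the user's eduPersonPrincipalName, or raise ValueError if the assertion
    is outside its validity window, not meant for this portal, or lacks the attribute."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if audience not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this portal")
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == EPPN:
            return attr.find("saml:AttributeValue", NS).text
    raise ValueError("no eduPersonPrincipalName in assertion")

def bridge_to_credential(eppn, vo, now):
    """Map the federated identity to a short-lived grid credential record:
    fixed VO, unique pseudonymous user ID in the CN, ~11-day lifetime."""
    uid = hashlib.sha256(eppn.encode()).hexdigest()[:16]   # stable per user
    return {"subject": f"/DC=org/DC=example/O=slcs/CN={uid}",  # hypothetical CA namespace
            "eppn": eppn, "vo": vo, "not_after": now + PROXY_LIFETIME}

def credential_is_valid(cred, now):
    """Past not_after the proxy is no longer accepted; a fresh FIM login is needed."""
    return now < cred["not_after"]
```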
Online CA for the IGI Portal

[Diagram: the browser user logs in to the IGI Portal through the IDEM Federation (Italian); a CA bridge and CA backend issue a MICS certificate (13 months), handled through a web page / pop‐up window; the certificate goes to MyProxy and is used with IGI VOMS; fixed VO, unique user ID. Alternative: certificate into the browser.]

Plan: IGTF accreditation
Contact: Marco Bencivenni ([email protected])
Catania Science Gateway framework

[Diagram labels: SAML assertion from FIM login; Portal (fix VO, fix user ID); eToken server holding a robot certificate; SLCS certificate + grid proxy (with VOMS); VOMS; user tracking & logging.]

Contact: Roberto Barbera ([email protected])
EGI-InSPIRE activities 1.

• Make NGIs aware of available (bridging) solutions and the existing gaps – so these can get filled!
  – June 2012: ‘Authentication solutions in EGI’ report, https://documents.egi.eu/document/1178
  – August 2012: Blog post series, http://www.egi.eu/blog/2012/08/09/federated_identity_management.html
  – September 2012: AAI workshop
    • Prague, 19th of September: http://go.egi.eu/aaiworkshop
  – December 2012 (approx): Science Gateway Primer
    • ‘Manual for portal developers’ – written by an EGI Virtual Team project
    • Chapter on integrating science gateways with identity federations
    • https://wiki.egi.eu/wiki/VT_Science_Gateway_Primer
AAI workshop

[Workshop agenda (image); recoverable item: + Discussion (16:00‐17:30)]
EGI-InSPIRE activities 2.

• Facilitate federated services – pilot & production services
  – AAI pilot for EGA
  – GrIDP federation
  – FIM authentication in the EGI Federated Cloud
AAI Pilot: European Genome-phenome Archive (EGA)

[Diagram. Administration path: the user, logged in from the HAKA identity federation, requests access to dataset X on the EGA portal; the Data Access Committee grants access; the policy in Argus is updated (SPL, via the PAP CLI). Execution path: the user requests the dataset from EGA; EGA obtains authz info from Argus through the PEP API and provides the dataset.]
Grid Identity Pool (GrIDP) federation

[Diagram: EGI.eu Single Sign On (~1700 users at the moment)]
GrIDP plans

• Join various (web based) services from the NGIs (e.g. EGI Applications Database)
  – This is also a training for the NGIs!
• Establish identity providers that can perform strong identity validation (e.g. link X509 from the browser to SAML ID)
• Extend the federation with an ‘attribute provider service’
  – For simpler and fine-grained authz.
  – To enable VOs in federation(s)
  – What service? VOMS (EMI-gLite), UVOS (EMI-Unicore), Grouper (Internet2), COIP (Nordunet)
The big challenge for EGI

• Sustainability
  – 20K (X509) users at the moment but 1.8M publicly funded researchers in Europe
  – How do we engage with and support the long-tail of researchers?
• Technology
  – The 99% want other services (e.g. not jobs!)
  – How do we enable these services to be deployed?
• Customers or Users?
  – There are integration costs.... but who pays?
  – PRACE & XSEDE: application process provides strong ties
  – EGI & OSG: virtual organisations a barrier to strong ties

[Figure: ‘# of users’ axis, with VRCs and VOs marked]
EGI’s answer: Platform architecture

• Core infrastructure platform
  – Management and uniform delivery of services
• Cloud infrastructure platform (EGI Federated Cloud: http://go.egi.eu/cloud)
  – Hosting custom technologies for communities
• Collaborative infrastructure platform
  – Visible and reusable community services
    • EGI Applications Database, Training Marketplace, VM Image repository, etc.
The platform based EGI (https://documents.egi.eu/document/1094)

[Diagram. Bottom layer: EGI infrastructure platform (clusters, storage, ...), 3rd party platforms (dedicated or shared; e.g. clusters, private grids, commercial clouds, GPUs, etc.) and research facilities (e.g. sensor networks, detectors, etc.). Middle layer: grid middleware services (‘Grid mw’ EGI: batch processing, jobs) and the cloud infrastructure platform (EGI Federated Cloud; ‘Cloud’ EGI: applications in Virtual Machines, with SW, VM and DB). Top layer: collaborative platform / Virtual Research Environment serving the Research Communities.]
AAI in the EGI cloud

[Diagram. IaaS layer: institutional clouds, NGI clouds and commercial clouds, each exposing VM Mgmt, Data, Information, Monitoring, Accounting and Notification over an EGI‐wide message bus, with an X.509 AAI. PaaS and SaaS layers: project/community specific services with a custom AAI, giving personalised environments for individual research communities in the European Research Area. Sites are already available for scientific use cases.]
EGI FedCloud - timeline

• Sept 2011 – March 2013: Federated Cloud Task Force, https://wiki.egi.eu/wiki/Fedcloud-tf:FederatedCloudsTaskForce
  – Write a blueprint document
  – Deploy a testbed
  – Identify issues from non-technical/non-user areas (policy, operations, dissemination)
• August 2012 – March 2013: Pilot use cases, http://go.egi.eu/cloud
  – Support early adopters using the testbed
  – Collect and investigate requirements from early adopters
  – Establish processes and tools for user-facing services
• Replacing X509 with FIM at the IaaS level?
  – Collaboration with the Contrail project (Oct 2010 – Sep 2013), http://contrail-project.eu
Conclusions

EGI’s requirements for a generic AAI: geographical coverage, science discipline coverage, scalability, robustness, simplicity, sustainability, compatibility with EGI platforms.
• X509 certificates are not perfect, but NGIs ‘got used to it’
• FIM is gaining momentum
  – GrIDP federation
  – Grid portals and X509 bridges
  – Contrail FIM solution in EGI FedCloud
• Open questions
  – Community federations (e.g. ELIXIR) vs. NREN/NGI federations?
  – How could EGI and the NGIs best support federations? E.g.
    • A global online CA by EGI/Terena?
    • A global attribute service by EGI/Terena for research federations?
    • Training events? Outreach?
  – Is FIM really needed in the middleware, or do bridges do the job?
  – E-infrastructure accounting in the ‘FIM-world’
Questions

EGI Technical Forum 2012, Prague, Czech Republic, 17–21 September, http://tf12.egi.eu