8/6/2019 VO Architecture
1/20
Lukas Hämmerle
Bern, 13. January 2011
Architecture
2011 SWITCH
Main Ideas And Goals
SWITCH provides the architecture to implement VOs
Architecture should be based on AAI
Easy to add new services to a VO
No additional protocol should be required
VOs are only usable if there are services
SWITCH initially operates three basic services
Solves the chicken and egg problem
Architectural Problems to Solve
Membership: Users are from different Home Organisations
Authentication already is solved by AAI
Authorization: Only members of a VO should be able to access their services
How to determine whether somebody is a member of a VO?
This is the main problem to solve!
Services: Should be able to use VO information
Adapting existing services may require further efforts
Easy Virtual Organization Scenario
VO authorization is easy for groups of people who share common attribute values
AuthType Shibboleth
ShibRequireSession On
ShibRequireAll On
require homeOrg idpX.ch idpY.ch idpZ.ch
require affiliation student
require studyBranch medicine
[Figure: IdP X, IdP Y and IdP Z; medicine students form the VO, other users are outside it]
General Authorization Scenario
In general VO members don't share a common attribute!
[Figure: IdP X, IdP Y and IdP Z; VO1, VO2 and VO3]
That's a challenge and that's the problem to solve
Approach for VO Authorization
Idea: Members of a VO are given a common attribute.
This (VO) attribute represents membership in a VO.
VO Attribute:
isMemberOf=VO1
isMemberOf=VO1;VO2;VO3
isMemberOf=VO2
isMemberOf=VO1;VO3
AuthType Shibboleth
ShibRequireSession On
require isMemberOf VO2
[Figure: users carrying the isMemberOf values listed above; VO1, VO2 and VO3]
How to Add a Common Attribute?
VO Service Provider must aggregate attributes!
1. User's Home Organisation: attributes are set by the user's Home Organisation
2. VO Platform(s): attributes are set by the VO administrator
[Figure: Home Organisation (User, IdP, Attributes) and VO Platform (VO IdP, Attributes) both feed the VO Service SP Application; steps 1, 2 and 3; SP receives aggregated set of attributes]
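The two mechanisms on the slides above (the Apache `require` rules of the easy scenario and the isMemberOf approach, and the attribute aggregation from Home Organisation and VO Platform) can be modelled in a few lines. The Python below is an added illustration, not code from SWITCH or the VO pilot. It assumes that attributes reach the SP application as `name=value;value` strings (the `;` separator used by the Shibboleth SP for multi-valued attributes), and it adds one design choice the slides do not spell out: a per-source allowlist, so that a VO Platform can only contribute `isMemberOf` and cannot override attributes the Home Organisation asserted. All attribute names and sample users are constructed.

```python
"""Added example: attribute aggregation plus evaluation of Shibboleth-style
'require' rules for VO authorization. Not SWITCH's code; names are assumed."""

MULTI_VALUE_SEP = ";"  # Shibboleth SP joins multi-valued attributes with ';'

# Assumption: which source is trusted to assert which attribute.
HOME_ORG_ATTRS = {"homeOrg", "affiliation", "studyBranch"}
VO_PLATFORM_ATTRS = {"isMemberOf"}


def parse_attrs(raw):
    """Turn {'isMemberOf': 'VO1;VO3'} into {'isMemberOf': ['VO1', 'VO3']}."""
    return {name: [v for v in value.split(MULTI_VALUE_SEP) if v]
            for name, value in raw.items()}


def aggregate(home_org, vo_platforms):
    """Step 3 of the slide: the SP merges Home Organisation attributes with
    the isMemberOf values asserted by one or more VO Platforms.
    Attributes a source is not allowed to assert are dropped, so a VO
    Platform cannot change e.g. affiliation."""
    merged = {}
    for name, values in parse_attrs(home_org).items():
        if name in HOME_ORG_ATTRS:
            merged[name] = list(values)
    for platform in vo_platforms:
        for name, values in parse_attrs(platform).items():
            if name not in VO_PLATFORM_ATTRS:
                continue  # ignored: not an attribute a VO Platform may assert
            existing = merged.setdefault(name, [])
            for v in values:
                if v not in existing:  # union of memberships, no duplicates
                    existing.append(v)
    return merged


def evaluate(rules, attrs, require_all=False):
    """Evaluate Apache 'require <attr> <v1> <v2> ...' lines.
    A single rule passes if the user holds any of the listed values.
    With ShibRequireAll On every rule must pass; otherwise one passing
    rule is enough (Apache's default 'any' semantics)."""
    results = []
    for rule in rules:
        parts = rule.split()
        if len(parts) < 3 or parts[0] != "require":
            raise ValueError("unsupported rule: %r" % rule)
        name, allowed = parts[1], set(parts[2:])
        results.append(bool(allowed & set(attrs.get(name, []))))
    return all(results) if require_all else any(results)


# Constructed sample data (not real users or IdPs).
MED_STUDENT_HOME_ORG = {"homeOrg": "idpX.ch", "affiliation": "student",
                        "studyBranch": "medicine"}
STAFF_HOME_ORG = {"homeOrg": "idpQ.ch", "affiliation": "staff"}
# A VO Platform assertion that also tries to set affiliation; the SP must ignore that.
VO_PLATFORM_FOR_STAFF = {"isMemberOf": "VO1;VO3", "affiliation": "student"}

EASY_VO_RULES = ["require homeOrg idpX.ch idpY.ch idpZ.ch",
                 "require affiliation student",
                 "require studyBranch medicine"]
VO2_RULE = ["require isMemberOf VO2"]


def demo():
    """Run both scenarios and return the access decisions."""
    med = aggregate(MED_STUDENT_HOME_ORG, [])
    staff = aggregate(STAFF_HOME_ORG, [VO_PLATFORM_FOR_STAFF])
    return {
        "med_student_easy_vo": evaluate(EASY_VO_RULES, med, require_all=True),
        "staff_easy_vo": evaluate(EASY_VO_RULES, staff, require_all=True),
        "staff_vo1": evaluate(["require isMemberOf VO1"], staff),
        "staff_vo2": evaluate(VO2_RULE, staff),
        "staff_affiliation": staff["affiliation"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The medicine student passes the easy-scenario rules on Home Organisation attributes alone; the staff member reaches VO1 only because the VO Platform asserted `isMemberOf`, is refused for VO2, and keeps the `affiliation` value the Home Organisation gave even though the VO Platform tried to overwrite it.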
The Involved Components
Home Organisation: Authenticates user and asserts basic identity information
Virtual Organization Services: Used by VO members in order to perform their work. Could be wikis, calendars, etc.
Virtual Organization Platform: Set of software to manage VOs and their members. Interacts with Virtual Organization Services.
[Figure: Home Organisation (User, IdP); VO Services (SP Applications); VO Platform (VO1, VO2 ... VON, IdP/AA, SP, Platform Logic, DB, VO GUI)]
VO Platform: The Missing Piece
Is the key component for VO administration
Basically manages the membership information in DB
No custom-tailored solution has existed yet
[Figure: VO Platform with VO1, VO2 ... VON, IdP/AA, SP, Platform Logic, DB and VO GUI]
VO Services
SWITCH provides four basic services
Wiki: Domesticated Dokuwiki (one instance per VO)
Mailinglist: Domesticated Sympa
Document management system: Modified LetoDMS
Attribute Viewer: For debugging
Goal was to choose very simple web applications.
No interface harmonization has been done yet.
Lukas Hämmerle
Bern, 13. January 2011
Demo
https://test.collaboration.switch.ch
About the Pilot
Goals
Verify that approach is working and accepted by users
Find out how it feels to work in a VO
Get user feedback to extend and improve the software
Current Status
24 Virtual Organizations (many of them by SWITCH)
4 available services (1 non-public VO Service at HEFR)
31 users from 14 different organizations
Current Experiences and Issues
General
Concept and technology of our approach are complex
It took quite some time for all involved people to understand it
Organizational
Handling of homeless users is not that easy
A VO admin cannot know if an invited user has an AAI account or not
Usability
Consistency of VO Services
All services look different, which might be confusing for users
More Information
Pilot home page
http://www.switch.ch/vo
Public Project web page
https://forge.switch.ch/redmine/projects/vo-pilot/
Contact
Lukas Hämmerle
Bern, 13. January 2011
Discussion
Questions on SWITCH's VO Approach
Do you think this approach for implementing Virtual Organizations could be useful for you or your users?
Do you see problems with this approach?
Which features are you missing?
Do you know of use-cases or specific groups or projects
that would benefit from this approach?
Your Contribution
Your short presentation/speak about:
AAA Project ideas in the VO area
Finding project partners
General AAA Questions
Do you have new project ideas?
Do you need partners or testers for your project idea?
How can the sustainability of AAA projects be ensured?