Facilitating Scientific Collaborations by Delegating Identity Management
Reducing Barriers and Roadmap for Incremental Implementation
Robert Cowles, Craig Jackson, Von Welch (PI)
May 7th, 2015
NLCIO Meeting
Our Goal
Increase productivity of open DOE science through improved understanding of identity management (IdM) and relevant institutional risk.
IdM is Critical to Science
• Control of unique instruments
• Ability to QA data
• Access to pre-publication data
• Membership and structure of collaboration
• Names on papers
• Etc.
However, scientists don’t use IdM’s nomenclature!
Virtual Organization Identity Management
A number of approaches have been tried: VOMS, Glide-ins, Science gateways, COManage, Community/group accounts, etc.
We have 15 years of applied experimentation in virtual organization (VO) IdM.
Twenty+ Interviews
VOs
• Atlas
• BaBar
• Belle-II
• CMS
• Darkside
• Engage
• Earth System Grid
• Fermi Space Telescope
• LIGO
• LSST/DESC
Resource Providers
• Atlas Great Lakes T2
• FermiGrid
• GRIF
• U. Nebraska (CMS)
• LCLS
• RAL
• GRIF/LAL
• LLNL
• NERSC
• Blue Waters
Contradictory Demands
• Current Processes and Policies
  • Strong identification, authentication, and authorization of user communities
• User communities
  • Large scale with dynamic membership
  • Span multiple resource providers
  • Desire ease-of-use (e.g. single sign-on)
  • Self management
Shared IdM Responsibilities
• Sharing of IdM between Labs and VOs has benefits.
• Similar to outsourcing of authentication to another org via federated identity.
• Sharing is not “all or nothing” – it lives on a spectrum related to risk and trust.
[Figure: sharing spectrum, with points labelled Brokered and Transitive]
Our Products
• Understanding of motivations and barriers to IdM responsibility sharing.
• Guidance for addressing barriers.
• Technical scheme for representing VO IdM sharing.
These products are freely available, and we are happy to help with their application:
http://cacr.iu.edu/collab-idm/
Drivers and Benefits of Sharing
• Allows scaling of scientists, Labs.
• Centralized management of VO policies.
• Places effort where most appropriate.
• Avoid unneeded duplication of IdM data.
• Eases collaboration inside of and across VOs.
• Improves ease of use through better integration with science workflows.
Identified Barriers
• Historical inertia
• Risk aversion
• Compliance and assurance requirements
• Technology limitations
Identified Mitigations for Barriers
• Sandboxes (VMs, limited APIs, etc.)
• User traceability (OSG)
• Site-VO agreements
DOE Policy Analysis
Robert Cowles, Craig Jackson and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers & Roadmap for Incremental Implementation.
• http://cacr.iu.edu/sites/cacr.iu.edu/files/FSCbyDIM0408.pdf
• Will be presented at CLHS 15 in June 2015
Discusses Deemed Export, Unclassified Foreign Visits, and the shift to risk-based security to overcome inertia.
Data-centric Model for IdM Sharing
Offers a common language and graphical representation for complex IdM requirements and implementations.
Goal: Facilitate communication between scientists, IdM, CSO.
Functionality:
• authentication
• authorization
• allocation/scheduling
• accounting
• auditing
• user support
• incident response
Model IdM Data:
(1) User identifier
(2) User contact info
(3) VO membership/role
Thank you. Questions?
Von Welch ([email protected])
http://cacr.iu.edu/collab-idm
We thank the Department of Energy Next-Generation Networks for Science (NGNS) program (Grant No. DE-FG02-12ER26111) for funding this effort.
The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the sponsors or any organization.
Full List of XSIM Products
Robert Cowles, Craig Jackson, and Von Welch. Identity Management Factors for HEP Virtual Organizations. 20th International Conference on Computing in High Energy and Nuclear Physics (CHEP2013), 2013
https://iopscience.iop.org/1742-6596/513/3/032022
Develop Model and Validate
Robert Cowles, Craig Jackson, and Von Welch. Identity Management for Virtual Organizations: An Experience-Based Model. eScience 2013, 2013
http://www.computer.org/csdl/proceedings/escience/2013/5083/00/5083a278-abs.html
Robert Cowles, Craig Jackson, Von Welch, and Shreyas Cholia. A Model for Identity Management in Future Scientific Collaboratories. International Symposium on Grids and Clouds (ISGC) 2014, 2014
http://pos.sissa.it/archive/conferences/210/026/ISGC2014_026.pdf
Develop Guidance
Von Welch, Robert Cowles, and Craig Jackson. XSIM OSG IdM Guidance. OSG-doc-1199, July 2014
http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1199
Robert Cowles, Craig Jackson, and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers and Roadmap for Incremental Implementation. March 2015.
http://cacr.iu.edu/sites/cacr.iu.edu/files/FSCbyDIM0408.pdf