INDIGO – DataCloud Security and Authorization in WP5 INFN RIA-653549.


Outline
 The AAI problem
 AAI WP5 objectives
 The IAM service
 Next steps

Context
 Large-scale virtualization of resources to achieve on-demand compute capacity, improve flexibility for data analysis and avoid unnecessary, costly large data transfers.
 Development and adoption of a standards-based computing platform (with an open software stack) that can be deployed on different hardware and e-infrastructures (such as clouds providing infrastructure-as-a-service (IaaS), HPC, grid infrastructures…) to abstract application development and execution from the available (possibly remote) computing systems. This platform should be capable of federating multiple commercial and/or public cloud resources or services and deliver Platform-as-a-Service (PaaS) adapted to the scientific community, with a short learning curve.

The AAI problem
 Heterogeneous infrastructures use heterogeneous authentication/authorization mechanisms
 Hard to integrate resources from distributed infrastructures without a common AAI ground
 Even where a single authentication technology is used, managing users and privileges on distributed resources in a dynamic and secure way is complex
 DCIs (distributed computing infrastructures) are not easily and securely accessible by ordinary users
 Federated identity support is lacking or very limited

AAI: main challenges
 How can we have common authN and authZ primitives that “just work” across several distributed infrastructures?
 Which tools should we provide to our users so that they have complete control over how authN and authZ are configured and performed on the resources (assembled from distributed providers) they will use for their research?
 How do we avoid reinventing the wheel? How do we exploit what is already available, leverage existing standards and ensure that what we develop is sustainable?

Technical challenges (I)
 Provide a layer where identities provided by different sources can be managed in a uniform way
 Define how the attributes linked to these identities (on which authorization decisions are based) are represented and understood at lower and higher levels of the INDIGO stack
 Define a cryptographically strong token used to carry these attributes around in a secure way
 Define how the token carrying the attributes is exchanged between services
 Define how controlled delegation of privileges can happen

Technical challenges (II)
 Provide the tools to support cross-organizational user and privilege management
   Group management
   Enrollment flow management
 Provide tools to define, propagate, compose and enforce authorization policies based on these attributes at various levels of the INDIGO stack
   Uniform and consistent authZ over resources assembled from multiple, heterogeneous providers

Security and AuthZ in WP5

The IAM service
 Provides the tools needed to enable a secure composition of services from multiple providers in support of scientific applications
 Provides a unified view of identities and privileges on resources assembled from various providers
 Supports and integrates existing federated authN mechanisms
 Provides tools to define and manage enrollment flows for research communities

IAM service technologies
 Standard APIs/protocols for user/group management
   SCIM, VOOT
 Federated authN support
   SAML, OpenID Connect
 Attribute authority/token service
   SAML, OAuth
 Policy definition and composition
   XACML

But before defining how the IAM service will work, we need to define

Ground work: first steps
Lots of questions to be answered!
 Agree on supported federated authN mechanisms
   SAML, OpenID Connect
 Define the security token
   SAML assertion? JWT? Macaroons?
 Define the protocol to request/exchange the token
   SAML attribute query vs OAuth2
 Define how delegation is done
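As an added illustration of the open questions listed above (an attribute-carrying token, its exchange between services, and controlled delegation), and of the attribute-based policy enforcement mentioned under the technical challenges, the following is example code written for this page, not INDIGO-DataCloud or IAM project code. It mints a compact JWT for a user at a hypothetical IAM, verifies it at a relying service, lets that service obtain an attenuated token for a downstream service (token-exchange style, carrying only a subset of the user's groups), and checks the result against a small attribute-based policy. Assumptions not on the slides: HS256 with a shared secret stands in for the IAM signing key (a real IAM would sign with an asymmetric key and publish the verification key); `aud` is a single string; the claim names `groups` and `act` are chosen here (the `act` actor claim follows RFC 8693); the issuer `https://iam.example`, the subjects, groups and policy rules are constructed sample data.

```python
"""Attribute-carrying token, service-to-service exchange and attenuated
delegation, as an added illustration (HS256 JWT, standard library only).

Assumptions (not from the INDIGO slides): a shared HMAC secret stands in
for the IAM signing key; `groups` carries the user's attributes; `act`
records the delegating service (RFC 8693 actor claim); `aud` is a single
string; issuer, subjects, groups and policy are constructed sample data.
"""
import base64
import hashlib
import hmac
import json
import time

IAM_KEY = b"constructed-demo-secret"  # constructed; an IAM would use an asymmetric key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes = IAM_KEY) -> str:
    """Sign `claims` as a compact JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, audience: str, key: bytes = IAM_KEY, now=None) -> dict:
    """Check algorithm, signature, expiry and audience; return claims or raise ValueError.

    Every relying service runs this before trusting any attribute in the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and algorithm confusion
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != audience:  # a token issued for another service must not be replayed here
        raise ValueError("wrong audience")
    return claims


def delegate(token: str, requester: str, target_aud: str, groups: list,
             ttl: int = 300, key: bytes = IAM_KEY, now=None) -> str:
    """Token-exchange style delegation performed by the IAM.

    `requester` (the service holding `token`) obtains a token for `target_aud`
    that carries at most the user's existing groups and lives no longer than
    the parent, so a delegation can attenuate but never escalate privileges.
    """
    now = time.time() if now is None else now
    parent = verify(token, audience=requester, key=key, now=now)
    if not set(groups) <= set(parent.get("groups", [])):
        raise ValueError("delegation would escalate privileges")
    child = {
        "iss": parent["iss"], "sub": parent["sub"], "aud": target_aud,
        "groups": groups,
        "act": {"sub": requester},  # which service acts on behalf of `sub`
        "exp": min(parent["exp"], now + ttl),
    }
    return mint(child, key)


# Constructed attribute-based policy: (resource, action) -> groups allowed to perform it.
POLICY = {
    ("bucket:project-x", "read"): {"/indigo/users", "/indigo/admins"},
    ("bucket:project-x", "delete"): {"/indigo/admins"},
}


def authorize(claims: dict, resource: str, action: str, policy: dict = POLICY) -> bool:
    """Policy decision on the verified token's group attributes (deny by default)."""
    allowed = policy.get((resource, action), set())
    return any(g in allowed for g in claims.get("groups", []))


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    user_tok = mint({"iss": "https://iam.example", "sub": "alice", "aud": "orchestrator",
                     "groups": ["/indigo/users", "/indigo/admins"], "exp": t0 + 3600})
    # The orchestrator asks the IAM for a read-only token to hand to the storage service.
    storage_tok = delegate(user_tok, "orchestrator", "storage", ["/indigo/users"], now=t0)
    claims = verify(storage_tok, "storage", now=t0)
    print("read:", authorize(claims, "bucket:project-x", "read"))      # True
    print("delete:", authorize(claims, "bucket:project-x", "delete"))  # False
```

The point the example makes for the design questions on this slide: whichever token format is chosen, every hop must re-verify signature, expiry and audience before reading attributes, and delegation must be issued (or at least bounded) by the IAM so that a downstream service can only receive a subset of the privileges the user actually holds.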

Cross-WP AAI task force?
 Fast-paced discussion to sort out fundamental issues
 Produce a proposal for wider discussion

IAM service first steps
 Define basic required functionalities
   User and group management
   Attribute authority/token services
   Policy authoring and distribution
   Enrollment flows and registration management
 Survey existing solutions and protocols
   Leverage standards
   Consider extending existing established products and contributing back upstream
 Design

Lots of work ahead of us: tight deadlines and relatively scarce effort, but we do not start from scratch!