Horst Schwichtenberg AAI Needs of the Earthscience Grid Community EGI InSPIRE.

Presentation transcript:

ES Applications (diagram slide; only the figure text survives, grouped by the label that precedes each run in the slide text, so the pairings are approximate)
- Application domains shown: Meteorology, Climate (GRelC, El Niño), Geosciences (Geocluster), Biodiversity, Hydrology (Geospatial platform), Environmental Monitoring, Pollution, Seismology, Flood, Civil Protection
- Standards bodies, programmes and organisations shown: OGC, INSPIRE, GMES, GEOSS, SEIS, IEEE, CODATA, WDC/WDCS, UN-SPIDER, ESA, NASA, EGU, ERCIM, G-OWS
- CYCLOPS platform / infrastructure layers shown: Sensor systems; Data Systems; Processing Systems Infrastructure; Resource Infrastructure; GRID Platform (EGEE); Security Infrastructure; Interoperability Platform; Spatial Data Infrastructure Services; Advanced Grid Services; Geospatial Resources Services; Business logic Services; Presentation and Fruition Services
- Institutions as labelled on the slide:
  - Meteorology: Greece: AUTH, IASA, NOA; SRI (Ukraine), GCRAS (Russia)
  - Climate - GRelC: EMA (France), IISAS (Slovakia), SRI (Ukraine)
  - Geosciences - Geocluster: UBO
  - Climate - El Niño: Cantabria - EELA2
  - Biodiversity: BRGM (France), Footways (France), JKI (Germany)
  - Hydrology / Geospatial platform: IMAA (Italy), INFN (Italy), EMA (France), IMHO (Portugal)
  - Listed after Pollution / Seismology without a domain label adjacent: AUTH (Greece), IPGP (France), Tubitak Ulakbim (Turkey), Univ. Patras (Greece), INFP (Romania), CGGVeritas (France), DSI-IRD, Geoazur, IPGP, IPGS, ISTEP, Sisyphe, CRS4 (Italy), Univ. Genève, Univ. Neuchâtel, INHGA (Romania), Institute for Water Resources "Jaroslav Cerni", Belgrade and CSASA at University of Kragujevac, Serbia
  - Flood: IPP-BAS (Bulgaria), IASA (Greece), EnvVO-SEEGRID
  - Pollution: Univ. Cantabria - EELA2, CMCC (Italy), IPSL (France), Univ. Cantabria (Spain), SCAI (Germany)

Earth Science Data: Data is Central for ES
- Data of multiple sources and formats
- Archived sensor data or derived data
- Several sensor types
- Several data processing levels
- Filtering, subsetting, formatting, gridding, etc.
- Model output
- Requirement to relate many data sets, or to analyse the relations between them
- Different providers => different systems

Exemplary overview (diagram): the researcher and the resource types accessed: Geographical Information Systems, Data Centers / SDIs, Compute Infrastructures, Institutional Resources, Other

Section: Geographical Information Systems (GIS) (overview diagram repeated)

Geographical Information Systems (GIS)
- Access mostly based on OWS, the Web Service specifications of the Open Geospatial Consortium (OGC)
- OWS originally does not specify authentication or authorization
- OGC services are broadly accepted in spatial-data-oriented ES domains
- Work in progress:
  - GeoXACML (authorization for spatial data)
  - OGC call for OWS and Shibboleth interoperability (reference implementation: [link missing])
  - OGC Authentication Interoperability Experiment: the following mechanisms are planned and under test: HTTP Authentication, HTTP Cookies, SSL/X.509, SAML, Shibboleth and OpenID. Shibboleth and OpenID (US) are relevant for ES.
  - WS-Security with SAML/X.509/Kerberos
  - Developments by G-OWS, GENESI-DR (Elsag-Datamat), INFN; an OGC roadmap is on the way
  - Developments for Globus-OGC by lat/lon, deegree (see also OGF-OGC)

Section: Data Centers (overview diagram repeated)

Security environment
OWS environment:
- Not yet standardized
- Browser-based approach: no security at all, OpenID, Shibboleth, username/password (HTTP), GeoDRM
gLite environment:
- Consolidated security approach based on X.509 certificates, VOMS proxies and DN/FQAN matching for authorization
Coupling the two environments:
- Client side: username/password (Shibboleth, OpenID, ...)
- Server side: X.509 certificates, VOMS proxies
How?
- Shibboleth credentials (Identity Provider)
- SLCS service (Short Lived Credential Service)
- VASH service (VOMS Attributes from Shibboleth Service)
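The gLite side of this coupling is authorization by DN/FQAN matching. The following Python illustration is added here and is not code from the slides or from gLite: an explicit DN mapping is consulted first, then the VOMS FQANs carried in the proxy are matched in order against group/role rules, with the primary FQAN deciding. The FQAN grammar (/vo/group/Role=.../Capability=...) is VOMS's; the policy layout, the rule names and the sample DNs and VO names are constructed for the example and do not reproduce gLite's grid-mapfile/groupmapfile formats or LCMAPS behaviour.

```python
"""Authorization by DN/FQAN matching, as the gLite side of the slide describes it.

Added illustration, not gLite code: the policy layout, the names and the
sample values below are constructed for this example and do not reproduce
gLite's grid-mapfile/groupmapfile syntax or LCMAPS behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Fqan:
    """A parsed VOMS Fully Qualified Attribute Name."""
    group: str                 # e.g. "/vo.example/analysis"
    role: Optional[str]        # None when Role is absent or "NULL"
    capability: Optional[str]  # None when Capability is absent or "NULL"


def _null_to_none(value: Optional[str]) -> Optional[str]:
    """VOMS writes absent attributes as the literal NULL; normalise it."""
    return None if value in (None, "", "NULL") else value


def parse_fqan(fqan: str) -> Fqan:
    """Parse /vo/group[/subgroup ...][/Role=<r>][/Capability=<c>].

    Group components must precede Role= and Capability=; anything else is
    rejected so that a malformed attribute can never match a rule by accident.
    """
    if not fqan.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {fqan!r}")
    group_parts: list[str] = []
    role = capability = None
    for part in fqan.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            capability = part[len("Capability="):]
        elif part and role is None and capability is None:
            group_parts.append(part)
        else:
            raise ValueError(f"unexpected component {part!r} in FQAN {fqan!r}")
    if not group_parts:
        raise ValueError(f"FQAN has no group: {fqan!r}")
    return Fqan("/" + "/".join(group_parts), _null_to_none(role), _null_to_none(capability))


@dataclass(frozen=True)
class AuthzPolicy:
    """Site policy: explicit DN entries plus ordered VOMS group/role rules."""
    dn_map: dict[str, str]                              # subject DN -> local account
    fqan_rules: list[tuple[str, Optional[str], str]]    # (group pattern, required role, account)


def authorize(policy: AuthzPolicy, subject_dn: str, fqans: list[str]) -> Optional[str]:
    """Return the local account the caller maps to, or None to deny.

    Decision order: an explicit DN entry wins; otherwise the FQANs are tried
    in the order the proxy carries them (primary FQAN first) against the rules
    in policy order, and the first match decides. A rule with a required role
    only matches an FQAN that actually carries that role (Role=NULL never does).
    """
    if subject_dn in policy.dn_map:
        return policy.dn_map[subject_dn]
    for fq in (parse_fqan(f) for f in fqans):
        for group_pattern, required_role, account in policy.fqan_rules:
            if not fnmatchcase(fq.group, group_pattern):
                continue
            if required_role is not None and fq.role != required_role:
                continue
            return account
    return None


# Constructed sample policy (illustrative values, not a real site's mapping).
# "/vo.example" and "/vo.example/*" are listed separately on purpose: a single
# "/vo.example*" pattern would also match an unrelated "/vo.example-other" VO.
SAMPLE_POLICY = AuthzPolicy(
    dn_map={"/DC=org/DC=example/O=ES/CN=Jane Doe": "jdoe"},
    fqan_rules=[
        ("/vo.example", "pilot", "voexpilot"),   # role-restricted rule first
        ("/vo.example", None, "voexuser"),
        ("/vo.example/*", None, "voexuser"),     # all subgroups of the VO
    ],
)

if __name__ == "__main__":
    for dn, attrs in [
        ("/DC=org/DC=example/O=ES/CN=Jane Doe", []),
        ("/DC=org/DC=example/CN=Pilot Job", ["/vo.example/Role=pilot/Capability=NULL"]),
        ("/DC=org/DC=example/CN=Member", ["/vo.example/analysis/Role=NULL/Capability=NULL"]),
        ("/DC=org/DC=example/CN=Stranger", ["/other.vo/Role=pilot"]),
    ]:
        print(dn, "->", authorize(SAMPLE_POLICY, dn, attrs))
```

The two points worth noticing are the ones that bite in practice: Role=NULL is normalised to "no role", so a role-restricted rule can never be satisfied by an attribute that merely omits the role, and the group patterns are anchored to the VO path rather than to a prefix, so a similarly named VO does not inherit the mapping.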

Data Centers / Spatial Data Infrastructures (SDI)
- e.g. ESA EO data:
  - Application for access
  - Personal registration
  - Different access-control methods: (S)FTP password authentication, proprietary access clients, physical media sent by mail
- Access to ESA data is also possible for ES users today via the GENESI-DR infrastructure (see the GENESI-DR project and its follow-up)
- A first application interface to the GENESI infrastructure was developed by ES in EGEE-III
- AA was not solved: two CAs

Data Centers
- Data policies can imply further security requirements regarding storage and processing
- Data might be commercial or protected by NDAs, or represent years of research (fear of prior publication)
- INSPIRE, WMO and other large ES organizations define regulations
- Problem for ES: how to protect licensed data on the compute infrastructures

Section: Compute Infrastructures (overview diagram repeated)

Compute Infrastructures
- Recent years: the most used infrastructures are based on gLite (EGEE), Globus (e.g. NGI-DE), UNICORE (DEISA)
- Personal X.509 certificates in many infrastructures, issued by national authorities (compliant with EUGridPMA, IGTF)
- Problem of the PKI infrastructure: not accepted by browsers (unlike commercial CAs such as Verisign); no hierarchy on national level; own CAs
- Virtual Organisation membership, proxy certificates, delegation
- Not usable in commercial clouds

Section: Institutional Resources (overview diagram repeated)

Institutional Resources
- e.g. access to data of prior research
- *nix user accounts
- LDAP / AD
- Kerberos
- VPN

Section: Other resources (overview diagram repeated)

Other resources
- e.g. proprietary portals, catalogues, maps, etc.:
  - Simple password authentication
  - OpenID / Shibboleth (SAML)
  - Custom RBAC systems
  - Custom authentication methods (robots, ...)
- Licensed / restricted software

Summary of Requirements
- Access control for data and code
- Protect scientific work (ACLs for code and data) down to a single user (e.g. CGGVeritas in EGEE-III, licensing)
- End-to-end data/code protection (storage node to compute node to ...)

Summary of Requirements (continued)
- Federated identity and single sign-on
- Interfaces/API: Security Assertion Markup Language (SAML) support, as well as support for the OAuth WRAP, WS-Trust and WS-Federation protocols
- Available on cloud infrastructures! We will switch between grid and cloud; data will be available on the cloud
- SSO solutions based on Shibboleth, OpenID (future requirement for OGC services)
- AA for Science Gateways
- Automatic certificate generation (e.g. robot certificates) to provide open public community services with compute resources on EGI in the background
- AA interoperability for workflows and aggregation of services (see federated identity and SSO)

Sources
- OGC OWS-6 Security Engineering Report

Thanks for your attention!