Frascati, 14-15 December 2009 Slide 1 Identity Management in ESA Grid on-Demand Infrastructure HMA-T Final Presentation 14 December 2009, Frascati Fabrice.

Slide 1: Identity Management in ESA Grid on-Demand Infrastructure
HMA-T Final Presentation, 14 December 2009, Frascati
Fabrice Brito & Andrew Woolf

Summary
- ESA G-POD Infrastructure
- Review of proposed tasks
- Review of deliverables
- CITE tests on the G-POD submission tool
- Impact assessment of OGC version
- Closed actions

G-POD
- Enhance the ability to create high-level products and a single-stop shop for data access and processing
- Support industry and research in service and science developments
- Allow processing of large historical archives and near-real-time data
- e-collaboration (sharing of data sources, tools, models, algorithms) and improved Earth-science complex applications (data fusion, data mining, modelling ...)

G-POD Usage
- Provide a "user-segment" environment
  - Putting data and processors together allows "on-demand" processing
- Offer scientists a "production lab"
  - Focus on algorithms and reuse housekeeping functions (e.g. catalogue, software tools)
  - Bridge the gap from "prototype" to "production" processor
- Offer scientists a "collaboration" environment
  - Share tools and functions, reuse output of other processors (IPR is kept by the scientist)
  - Move processors close to the data; reduce dissemination costs and effort
  - Evolutions benefit all at once
- Grid as a common shared platform for collaborations in the scientific domain and in a routine operations environment

ESA G-POD Infrastructure
- Computing and Storage Elements
  - Working Nodes, +120 TB on-line store
  - Middleware: GLOBUS 4 (and some experience with gLite 3)
  - Links to external CE and SE (e.g. CNR, EGEE)
- Data Interfaces
  - GS products Rolling Archives (ENVISAT, MSG) and MODIS NRT products over Europe
  - NASA and other external data providers
- Software resources on-line
  - IDL, Matlab, BEAT, BEAM, BEST, NEST, BRAT, CQFD, compilers, public-domain image processing utilities
  - Spatial catalogue access (e.g. EOLI) and data provision functions
- Web portal and web services access powered by gridify; maintenance and evolution under Terradue responsibility

Examples - Routine Production
- MERIS Level-3 products NRT generation
  - Joint ESA collaboration with ACRI (France), JRC/Ispra (European Commission) and Brockmann Consult (BEAM)
  - Monthly products published on-line
- Daily ASAR GM mapping of Antarctica
  - Daily generation of 400-m resolution mosaics published on WMS (in operations since 2005)
- ASAR on Demand
  - Integrated environment for SAR processing; binds separate functionality into applications (flood monitoring, co-registration, etc.)
- Volcano monitoring by infrared (AATSR) with extraction of thermal anomalies
- Monthly MERIS true-colour mosaics

G-POD Web Services Interface

G-POD User Management
- Based on the Grid Security Infrastructure (GSI)
  - Secure communications between elements of a computational Grid
  - Security across organisational boundaries
  - Includes delegation of credentials for computations that involve multiple resources and sites
  - Identity management interfaces based on the use of proxy certificates (MyProxy)
- This work package had the objective of improving the harmonisation of the authentication and authorisation approaches with HMA
  - Evaluate and prototype the integration of G-POD in a federated structure of ground segments and processing centres with a common authorisation interface

HMA-T G-POD (OGC )

Tasks
- Harmonisation of authN and authZ between the ESA Grid Infrastructure (G-POD) and HMA
- Assess the potential of in the ESA Grid infrastructure
- Prototype SOAP implementing integrated in G-POD (reference using EODAIL IdP): HMA-T/G-POD Web Service and Web Service Client (CLI)
- Design conformance test scripts and test pages on the OGC CITE test environment

Frascati, December 2009  ATS and ETS  STFC Tech. Note - HMAT-TN-0001-STFC-T2 User Management Technical Note v0.1 (additional deliverable) download_wiki_attachment.php?attId=543&download=y download_wiki_attachment.php?attId=543&download=y Deliverables

OGC version (1/2)
- Improved from earlier versions:
  - Simplification (e.g. removed 'Orchestrating Service Provider')
  - New authentication sequence (compared with 0.0.4): direct to Service Provider having its own IdP
  - Provides much greater detail about possible implementation of authorisation policy (e.g. using XACML)

OGC version (2/2)
- New ATS structure:
  - M1: Basic tests (SOAP, SAML, encryption, digital signature; removed combined encryption/signature test)
  - M2: Authentication (default Federating Entity IdP, Federating Entity IdP, External Entity IdP, authentication failure; removed default External Entity IdP)
  - M3: Service request/authorisation (synchronous, asynchronous, authorisation failure)
- Issues
  - WS-Addressing use still not well described
  - Spec still refers explicitly just to ordering/programming/catalogue
  - Digital signature (see later slides, and TN)

Frascati, December 2009  Worked with Intecs (lead) as agreed at AR STFC provided input, reviewed and tested STFC provided ETS Team Engine code to Intecs (java security code, file handling, asynchronous request polling etc.) now one common ETS  Note: EO-DAIL still doesn’t support HM service requests Continue to use a ‘proxy’ approach:  obtain encrypted SAML token from IdP  decrypt token at client (TEAM engine) using ‘cached’ IdP private key  encrypt service request at client using end service public key CITE Tests (1/4)

CITE Tests (2/4)
- ETS implementation (follows ATS):
  - WS-Security module: ATC-1.1 (SOAP binding), ATC-1.2 (SAML GMES profile), ATC-1.3 (encryption; now as per STFC approach, as agreed at AR), ATC-1.4 (digital signature)
  - Authentication module: ATC-2.1 (Federating entity is default IdP), ATC-2.2 (Federating entity is request-designated IdP), ATC-2.3 (External entity is request-designated IdP), ATC-2.4 (Authentication request failure)
  - Authorisation module: ATC-3.1 (synchronous request), ATC-3.2 (asynchronous request; not implemented since not complete, see next slide), ATC-3.4 (authorisation failure)

CITE Tests (3/4)
- Concerning asynchronous requests there are two sets of remaining issues
- Specification issues
  - is not clear on details of how WS-Addressing should be used
    - presumably wsa:ReplyTo should be used for the response endpoint
    - what about faults: a separate endpoint?
    - what about firewalls etc.: the 'anonymous' endpoint?
  - ATC-3.2 (asynchronous)
    - "NOTE: This abstract test case is still under finalization"
    - therefore also not implemented in ETS
- Implementation issues
  - TEAM engine: requires a new architectural feature, an endpoint for asynchronous responses
    - at minimum, requires an inbuilt 'http server' (note: previously the STFC ETS used a 'polling' approach)
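The WS-Addressing questions on this slide (which endpoint receives the reply, whether faults go elsewhere, and whether the anonymous endpoint lets a client behind a firewall avoid running a listener) can be answered mechanically per message, which is what a test harness has to do before it knows whether it needs an inbuilt HTTP server. The following is an added example, not code from the presentation, the ETS or the TEAM Engine; the SOAP request, the `.invalid` endpoint URLs and the action URN are constructed placeholders. It applies the WS-Addressing 1.0 defaults (absent ReplyTo means the anonymous endpoint; absent FaultTo means faults follow ReplyTo) and reports whether the harness must listen for the reply, for the fault, or for neither.

```python
"""Inspect WS-Addressing headers on a SOAP request to decide how an
asynchronous test harness must receive the response.

Added example; not part of the HMA-T presentation or of the TEAM Engine /
ETS code it describes. The SOAP message below is constructed for
illustration and its endpoint URLs are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
# WS-Addressing 1.0 anonymous endpoint: the reply travels back on the
# same HTTP connection, so the client needs no listener of its own.
WSA_ANONYMOUS = "http://www.w3.org/2005/08/addressing/anonymous"

# Constructed sample request (placeholder endpoints, not real HMA services).
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <soap:Header>
    <wsa:MessageID>urn:uuid:constructed-message-id-0001</wsa:MessageID>
    <wsa:To>https://sp.example.invalid/hma/ordering</wsa:To>
    <wsa:Action>urn:example:hma:SubmitRequest</wsa:Action>
    <wsa:ReplyTo>
      <wsa:Address>https://ets.example.invalid:8443/async-callback</wsa:Address>
    </wsa:ReplyTo>
    <wsa:FaultTo>
      <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
    </wsa:FaultTo>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>
"""


def _address(header, element_name):
    """Return the wsa:Address text of ReplyTo/FaultTo, or None if absent."""
    node = header.find(f"wsa:{element_name}/wsa:Address", NS)
    return node.text.strip() if node is not None and node.text else None


def classify_async_endpoints(soap_xml):
    """Describe where the response and any fault will be delivered.

    WS-Addressing 1.0 defaults: no ReplyTo means the reply goes to the
    anonymous endpoint; no FaultTo means faults go wherever ReplyTo points.
    The returned dict tells the harness whether it must run an inbuilt HTTP
    listener or can simply read the reply from the open HTTP connection.
    """
    root = ET.fromstring(soap_xml)
    header = root.find("soap:Header", NS)
    if header is None:
        raise ValueError("SOAP Header missing: WS-Addressing headers required")

    reply_to = _address(header, "ReplyTo") or WSA_ANONYMOUS
    fault_to = _address(header, "FaultTo") or reply_to

    return {
        "reply_to": reply_to,
        "fault_to": fault_to,
        "reply_needs_listener": reply_to != WSA_ANONYMOUS,
        "fault_needs_listener": fault_to != WSA_ANONYMOUS,
        # A fault endpoint distinct from the reply endpoint is exactly the
        # open question raised on the slide.
        "fault_endpoint_differs": fault_to != reply_to,
    }


if __name__ == "__main__":
    for key, value in classify_async_endpoints(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

For the sample message the reply needs a listener (an explicit callback URL) while faults come back on the open connection, so a polling-only harness would see the fault but miss the reply. A request with no ReplyTo at all classifies as anonymous for both, which is the case a firewall-constrained client would choose.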

Frascati, December 2009  Test results (WS-Security): ATC-1.1: SOAP binding (IdP and SP) ATC-1.2: SAML encoding for authentication token ATC-1.3: AES-128 encryption used ATC-1.4: SHA-1 signature digest used  Test results (authentication): ATC-2.1: Federated IdP (local identification resolved by default) ATC-2.2: Federated IdP (local identification specified) ATC-2.3: External IdP specified ATC-2.4: SOAP fault on invalid login  Test results (G-POD authorisation): ATC-3.1: Synchronous request ATC-3.2: Asynchronous request (empty test because ATS not finalised) ATC-3.3: Authorisation failure (‘commercial’ CITE Tests (4/4)

CLOSED Actions
- A25 -> Analyse new OGC expected from DAIL project in October 2008
  - Spec analysed; ATS/ETS developed (jointly with Intecs) as described above
- A204 -> ATS 1.3 to be changed to test the actual encryption algorithm and not only check the WSDL
  - Done: new CTL does this for ATC-1.3
- A207 -> Provide real test for checking encryption algorithm and not WSDL
  - STFC provided ATC-1.3 code to Intecs, who incorporated this in the implementation
- A208 -> Align ATS/ETS:CTL with version of OGC
  - Done in collaboration with Intecs
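Actions A204/A207 and the ATC-1.3/ATC-1.4 results above make the same point: a conformance test must read the algorithm identifiers actually declared in the WS-Security header of a real message (XML Encryption `EncryptionMethod`, XML Signature `DigestMethod`, `SignatureMethod` and `CanonicalizationMethod`), because a WSDL can advertise AES-128 while the messages on the wire use something else. The following is an added example, not the CTL, the ETS or any Intecs/STFC code; the SOAP message is constructed, and its CipherValue, DigestValue and SignatureValue contents are placeholders rather than real ciphertext or signatures. The expected profile is the one the slide reports (AES-128 data encryption, SHA-1 digest) and is a single dictionary, so a profile change to a stronger digest such as SHA-256 is a one-line change to the check rather than new code.

```python
"""Check the cryptographic algorithms actually declared in a WS-Security
header (XML Encryption / XML Signature algorithm URIs) instead of trusting
the WSDL, as actions A204/A207 and test cases ATC-1.3/ATC-1.4 require.

Added example; not part of the HMA-T presentation, the OGC ATS/ETS or the
TEAM Engine CTL it describes. The SOAP message is constructed and every
CipherValue/DigestValue/SignatureValue is a placeholder.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Standard algorithm identifiers from XML Encryption 1.0 and XML Signature.
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# What the slide reports the CITE tests observed: AES-128 data encryption
# and a SHA-1 signature digest. Swap in other URIs to test another profile.
EXPECTED = {"data_encryption": AES128_CBC, "digest": SHA1_DIGEST}

# Constructed sample: an encrypted SAML token carried in a signed
# WS-Security header. Cipher/digest/signature values are placeholders.
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                   xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptedData Id="EncToken" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
        <ds:KeyInfo>
          <xenc:EncryptedKey>
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
            <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-WRAPPED-AES-KEY</xenc:CipherValue></xenc:CipherData>
          </xenc:EncryptedKey>
        </ds:KeyInfo>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-ENCRYPTED-SAML-ASSERTION</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#EncToken">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>
"""


def _algorithms(security, path):
    """Set of Algorithm attribute values for every element matching path."""
    return {e.get("Algorithm") for e in security.findall(path, NS)}


def declared_algorithms(soap_xml):
    """Collect the algorithm URIs the message itself declares, by role."""
    root = ET.fromstring(soap_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header in SOAP envelope")
    return {
        "data_encryption": _algorithms(security, ".//xenc:EncryptedData/xenc:EncryptionMethod"),
        "key_transport": _algorithms(security, ".//xenc:EncryptedKey/xenc:EncryptionMethod"),
        "digest": _algorithms(security, ".//ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod"),
        "signature": _algorithms(security, ".//ds:Signature/ds:SignedInfo/ds:SignatureMethod"),
        "canonicalization": _algorithms(security, ".//ds:Signature/ds:SignedInfo/ds:CanonicalizationMethod"),
    }


def check_against_profile(soap_xml, expected=EXPECTED):
    """Return a list of failures; empty means every expected role matches.

    A role with no declaration at all is a failure too: a missing
    EncryptionMethod cannot be assumed to be AES-128.
    """
    found = declared_algorithms(soap_xml)
    failures = []
    for role, uri in expected.items():
        seen = found[role]
        if not seen:
            failures.append(f"{role}: no algorithm declared")
        elif seen != {uri}:
            failures.append(f"{role}: expected {uri}, declared {sorted(seen)}")
    return failures


if __name__ == "__main__":
    for role, uris in declared_algorithms(SAMPLE_SOAP).items():
        print(f"{role}: {sorted(uris)}")
    print("failures:", check_against_profile(SAMPLE_SOAP))
```

Run as a script it prints the five roles found in the sample and an empty failure list. Because the check is on the message, the same message with its EncryptionMethod swapped to Triple-DES fails the AES-128 expectation even though nothing in any WSDL changed, which is precisely the gap A204/A207 closed. Reporting the canonicalisation method alongside the digest also gives the future-direction item on digital signatures something concrete to assert on.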

Future Directions
- still needs clarification on:
  - WS-Addressing
  - Standardised failure reporting (both authn/authz), needed for automated workflows
  - Digital signature (CanonicalizationMethod,
- TEAM Engine issues
  - Asynchronous polling (with CTL changes), WS-Addressing
  - XPath function () vs. CTL (bug?)
- Clarify the relation and evolution regarding the ESA SSO activity
- Adoption of on G-POD still needs to be clarified
  - Meeting with SSO team at a future date
  - ref. Tech Note from STFC

Thank you!