The Catania Science Gateway framework
Mr. Riccardo Rotondo, Consortium GARR, Rome, Italy

Outline
- Introduction
- The Catania Science Gateway framework:
  o Architecture
  o Authentication and Authorisation Schema
  o Access workflow
  o The Catania Grid Engine
OGF35, Delft (NL), 18 Jun 2012

The eResearch2020 report
Some barriers in the adoption of Grids:
  o Changes on Grids means changes on applications
  o Time required to adapt usual workflows
  o Lack of structure to support anonymous access
  o Download and installation of applications
  o Interface
  o Slow to get to compared to other resources
  o Difficult to use in the beginning
  o Time spent to get the application compiled and running

Using Grids is not straightforward
Users have to cope with complex security procedures, execution scripts, job description languages, command line based interfaces and lack of standards. This makes the learning curve very steep and keeps non IT-experts away.

Another consideration…
There is a huge number of non IT-experts out there who do not belong to any constituted Virtual Research Community. How can we attract them?
[Figure: # of users vs. VRCs]

The evolution leap in web browser

Grid Interface Evolution
The way users access Grid resources has continuously evolved towards simplicity and transparency:
- Command Line
  o Globus and gLite CLI
  o Used by the enthusiastic and early adopter scientists
- GUI applications
  o gEclipse, Grid2Win
  o Good to expand the communities but difficult to maintain
- Web Interface
  o GENIUS, P-GRADE
  o Easier for new users but monolithic
- Science Gateways
[Callout: “robot” certificates on “e-tokens”]

Community-driven web portals have started to integrate Grid Tools and Applications
“A Science Gateway is a community-developed set of tools, applications, and data that is integrated via a portal or a suite of applications, usually in a graphical user interface, that is further customized to meet the needs of a specific community.” (Teragrid/XSEDE)

Our Reference Model
[Diagram: a Science Gateway with embedded applications (App. 1, App. 2, App. N); users from different organisations having different roles and privileges (Administrator, Power User, Basic User); a standard-based (SAGA) middleware-independent Grid Engine]

Authentication & Authorisation

Identity Federations
An Identity Federation consists of “[…] the agreements, standards, and technologies that make identity and entitlements portable across autonomous domains.” (Burton Group)

Identity Federations in the world

Identity Federation (IF)
- In the web technology arena many approaches are available to federate authentication
- A standard provided by OASIS defines the Security Assertion Markup Language (SAML)
- Several tools are available, e.g.:
  o Shibboleth
  o SimpleSAMLphp
- Organisations can rely on traditional tools to manage users:
  o LDAP, CAS, plain text, etc.
- Free and Open Source

Enabling Grid to Federations
- Grid services are starting to be integrated in community-dedicated web portals;
- The distributed/cross-domain nature of Grid requires strong security mechanisms
- Users struggle to comply with complex security rules:
  o Get & manage digital certificates, create proxy, update credentials and so on
- Some institutions want to maintain the control of their own users’ authentication

Federated Grid Science Gateway
[Diagram labels: Authorisation; Science Gateway; GrIDP (“catch-all”); IDPCT (“catch-all”); IDP_y; LDAP; Register to a Service; 2. Sign in; Authentication]

Federated Grid User
[Diagram: Science Gateway]

Identity provided federated
[Diagram: three groups of identity providers, each { idp1, idp2, … idpN }]

Federated Grid User
[Diagram: Science Gateway]

Number of users in …

Why Social Federation
- Federated identities are only a subset of potential users
  o Users can work in non-federated institutions
  o An IDP may not be included in the supported federations
- A mash-up of Grid and social tools could be useful for many users and special applications
  o Outreach of science organizations to broader communities
  o “Citizen scientist” to government services
  o Freely accessible repositories (e.g. of cultural heritage) where one wants to profile visitors
  o E-collaboration using social facilities/tools in the same page where the user performs e-research Grid-based activities

Social Grid Authentication
- Social services are grouped in a special IDP
  o Included in our “catch-all” federation GrIDP
- Users have the same account even if they access with different credentials, either social or federated
  o Each account can register a list of user s and these are used for identification

Federated Grid User
[Diagram: Science Gateway]

The Social Networks’ Bridge Identity Provider
For more information watch the video

Authorisation (1/2)
- Technically a social IDP has the same security mechanisms as other IDPs, but user identities are not generally verified
- Social users require stronger control on the authorisation
  o A preliminary identity control is requested
- Users from Social Networks cannot automatically access resources
  o An authorisation request is mandatory
- The authorisation process does not use SAML
- A central server maintains authorisation assertions
  o An OpenLDAP server is used

Authorisation (2/2)
- To be authorised, users have to provide verifiable information
  o E.g., an address of an official organisation Name and available in institutional pages
  o Users registered in a federation don’t need to specify an official mail.
  o Users can own both federated and social credentials enabled for authorisation.
- Information is verified by the portal administrators who decide to accept/reject the request
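
The authorisation flow from the two Authorisation slides, as an added example that is not code from the presentation or from the Catania framework. An in-memory dictionary stands in for the central OpenLDAP server; the class and method names, the use of e-mail addresses as account identifiers, the administrator review of every request and the `*.example` addresses are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"


@dataclass
class Account:
    name: str
    identifiers: set = field(default_factory=set)  # assumed: e-mails asserted by IdPs
    evidence: str = ""                             # verifiable info checked by an admin
    status: Status = Status.PENDING


class AuthorisationStore:
    """In-memory stand-in for the central authorisation server (OpenLDAP on the slides)."""

    def __init__(self):
        self._by_identifier = {}

    def request_access(self, name, identifier, social, official_mail=""):
        # Social identities are not verified by the IdP, so the request must
        # carry information an administrator can check; federated users need not.
        if social and not official_mail:
            raise ValueError("social credentials need a verifiable official e-mail")
        account = Account(name, evidence=official_mail)
        self.link(account, identifier)
        return account

    def link(self, account, identifier):
        # One account, several credentials (social or federated).
        key = identifier.strip().lower()
        if self._by_identifier.get(key, account) is not account:
            raise ValueError("identifier already registered to another account")
        account.identifiers.add(key)
        self._by_identifier[key] = account

    def review(self, account, accept):
        # Portal administrators accept or reject after checking the evidence.
        account.status = Status.APPROVED if accept else Status.REJECTED

    def authorise(self, asserted_identifier):
        # Called after authentication succeeded at the IdP. Unknown, pending
        # and rejected identities are all denied (default deny).
        account = self._by_identifier.get(asserted_identifier.strip().lower())
        if account is None or account.status is not Status.APPROVED:
            return None
        return account


def demo():
    store = AuthorisationStore()
    alice = store.request_access("alice", "alice@social.example", social=True,
                                 official_mail="alice@university.example")
    before = store.authorise("alice@social.example")       # still pending
    store.review(alice, accept=True)
    store.link(alice, "alice@university.example")          # federated credential
    via_social = store.authorise("Alice@Social.example")
    via_federation = store.authorise("alice@university.example")
    stranger = store.authorise("mallory@social.example")   # never registered
    return before, via_social.name, via_federation.name, stranger
```

Authentication and authorisation stay separate here, as on the slides: a successful sign-in at any IdP grants nothing until the central store holds an approved entry for the asserted identifier.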

Federation supported by DECIDE Science Gateway

Federation supported by the INDICATE Science Gateway

The GrIDP Identity Provider (1/2)
4 Identity Providers are available in GrIDP:
- A “catch-all” IdP created at Catania;
- The maat-G (enterprise) IdP;
- INFN-AAI IdP (all INFN researchers and associates);
- An IdP that enables Social Networks credentials.

The GrIDP Identity Provider (2/2)

Register to GISELA Science Gateway

Access GISELA SG with IDEM credentials

Accessing with GRIDP credentials

The Social Networks’ Bridge Identity Provider
For more information watch the video

Current Status
- 16 Liferay-based Science Gateways (hosted in 2 servers) are currently powered by Shibboleth at INFN Catania;
- 7 Federations supported;
- 4 instances are registered as official IDEM Service Provider;
- 4 Identity Providers are available in GrIDP.

Portal Framework

Liferay
- Highly-configurable, scalable, open source portal framework;
- Compatible with JSR 168/286 standards and based on modern web 2.0 technologies;
- Liferay services planned to be used:
  o Portal;
  o CMS & WCM;
  o Collaboration and “social” software

Grid Access enable: Portlets as bricks
- Portlets can interact with the Grid e-Infrastructure
- Different approaches are available:
  o Execute the Command Line behind the portal;
  o Using API where available: Must be in Java or other languages supported by Liferay;
  o Call REST services from Javascript code in the browser;
- Additional layers between Liferay and the Grid can be necessary for some services;
- Each portlet can follow its own communication method.

Mixing portlet as well as
[Diagram labels: Sc. Gtwy A, Sc. Gtwy B, Sc. Gtwy C, Sc. Gtwy D, Sc. Gtwy E; Standards; Simplicity; Easiness of use; Re-usability]

Interaction with Grid Services

How to interact with GRID
- A Simple API for Grid Applications (SAGA):
  o The OGF (Open Grid Forum) Standard;
  o JSAGA: a Java implementation of SAGA;
- A generic Grid Engine for Science Gateways based on SAGA;
  o Grid Engine based on JSAGA;
  o EGI Portal Policy & Grid Security Traceability;
- Grid Engine usage example.

A Simple API for Grid Applications (SAGA)
- SAGA is an API that provides the basic functionality required to build distributed applications, tools and frameworks;
- It is independent of the details of the underlying infrastructure (e.g., the middleware);
- SAGA is an OGF specification
- Several implementations are available:
  o A C++ and a Java implementation developed at the Louisiana State University / CCT and Vrije Universiteit Amsterdam;
  o A Java implementation developed at CCIN2P3;
  o A Python implementation based on those above.

The Catania Grid Engine
An additional layer interposed between the Portal Framework and the GRID in order to let applications access GRID Services directly.
It’s based on two essential components:
  o The Job Engine
  o The Data Engine

Job Engine
- Not only a collection of APIs for job submission;
- A complete layer that lets portlets, and so applications, access all the GRID services needed for the execution:
  o Thread pool responsible for the submission;
  o User Tracking Database;
  o Permanent checking of the job status;
  o Output automatically retrieved by the Science Gateway;
  o Easy interface for Job Management

Data Engine
- Make interfaces simple for non-expert users
  o CLI-based Grid storage interface is not straightforward
- Grid transactions require user certificates
- Complexity of current protocols to manage grid storage elements
  o Very little or no support for access through modern browsers or other web-based applications

Summary of standards adopted
The framework for Science Gateways developed at Catania is fully web-based and adopts official worldwide standards and protocols, through their most common implementations. These are:
  o The JSR 168 and JSR 286 standards (also known as "portlet 1.0" and "portlet 2.0" standards)
  o The OASIS Security Assertion Markup Language (SAML) standard and its Shibboleth and SimpleSAMLphp implementations
  o The Lightweight Directory Access Protocol, and its OpenLDAP implementation
  o The Cryptographic Token Interface Standard (PKCS#11) standard and its Cryptoki implementation
  o The Open Grid Forum (OGF) Simple API for Grid Applications (SAGA) standard and its JSAGA implementation

Current Status
- 16 Liferay-based Science Gateways (hosted in 2 servers) are currently powered by Shibboleth at INFN Catania;
- 7 Federations supported;
- 4 instances are registered as official IDEM Service Provider;
- 4 Identity Providers are available in GrIDP.

References

Credits & Acknowledgments
Credits: Valeria Ardizzone (GARR); Roberto Barbera (UNICT & INFN); Riccardo Bruno (COMETA); Antonio Calanducci (COMETA); Marco Fargetta (COMETA); Elisa Ingrà (GARR); Giuseppe La Rocca (INFN); Salvatore Monforte (INFN); Fabrizio Pistagna (INFN); Rita Ricceri (INFN); Diego Scardaci (INFN)
Acknowledgments: Vincenzo Ciaschini (INFN); Enrico Fasanelli (INFN); Maria Laura Mantovani (GARR); Barbara Monticini (GARR); Simona Venuti (GARR)

Thank you for your kind attention