ASPiS - Architecture for a Shibboleth-Protected iRODS System. Mark Hedges, Tobias Blanke (Centre for e-Research, King's College London); Adil Hasan, Jens Jensen.


ASPiS - Architecture for a Shibboleth-Protected iRODS System
Mark Hedges, Tobias Blanke, Centre for e-Research, King's College London
Adil Hasan, Jens Jensen, Science and Technology Facilities Council
Andrea Weise, STFC / University of Reading
Building data grids with iRODS, e-Science Institute, Edinburgh, 27th May 2008

Overview of ASPiS
Funded by JISC e-Infrastructure programme
Partners:
  – Centre for e-Research, King's College London
  – Science and Technology Facilities Council
  – (University of Reading - very helpful PhD student)
Strand 1: access management in iRODS - integration with Shibboleth (and authorisation systems such as PERMIS)
Strand 2: integration of iRODS with provenance capture systems

AuthN, AuthZ and iRODS
Current authentication in iRODS (username/password, GSI)
Current authorisation in iRODS
Issues with current mechanisms
Shibboleth and federation
Shibboleth and iRODS integration

Username/password AuthN (diagram)
Client side: irodsEnv (contains username); irodsA (iinit stores the hashed password here); the user supplies the password to iinit.
Server side: iRODS + iCAT; iCAT contains the list of usernames and passwords.
Flow: client sends username/hashed password; iRODS returns the AuthN response.

GSI AuthN (diagram)
Client side: user certificate on the client machine; iinit gets a proxy certificate from the proxy server.
Server side: iRODS + iCAT; iCAT contains the list of usernames and DNs.
Flow: challenge/response between client and iRODS; iRODS compares the DN with the one in iCAT; AuthN response returned.

Authorisation
iCAT stores information on:
  – Users
  – Domains
  – Groups
  – Access Control Lists (ACLs)
Access managed according to:
  – Mode of access (read / write / delete / annotate)
  – By user, domain, group
Information held centrally.

Issues
Centralised management of user identities and access rights:
  – Doesn't scale well
  – Different organisations cannot maintain their own lists of users in the data grid - duplication, lists can get out of sync
Inflexible authorisation system - no locally managed admin of access rights
Certificates a barrier to uptake of grids in some communities

Shibboleth
Architecture for federated access to web-based resources
Based on circle of trust among organisations
User identities managed locally to their institution
Access to resources managed locally to the owning institution
Adopted by JISC as solution for managing access to distributed web resources (UK Access Management Federation)

Shibboleth Information Flow (diagram)

Shibboleth & iRODS (diagram)
Components: Apache with mod_shib; iRODS + RE (rule engine) holding a rule, the PIP, the PDP and a PEP μ-service; admin.
Flow: access request → Apache mod_shib captures & stores attributes → attributes passed to iRODS + RE → rule calls the PEP μ-service → PDP (fed by the PIP) decides → response.
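The PIP/PDP/PEP chain sketched on this slide, together with the per-mode access model of the Authorisation slide, as an added worked example in Python. This is not ASPiS or iRODS code. It assumes mod_shib has already captured the user's attributes into a store keyed by session, and that the iRODS rule hands the PEP micro-service a session id, a collection path and an access mode; the attribute names follow the eduPerson schema, but the sessions, entitlement URN, collection path and policy rules are all constructed for the example.

```python
"""Toy PIP/PDP/PEP chain for attribute-based access to iRODS collections.

Added example, not code from the ASPiS project. It assumes attributes arrive
from mod_shib as plain name/value pairs (as they would after Shibboleth SSO)
and that a rule in the iRODS rule engine hands each request to a PEP
micro-service. All session data, attribute values and rules are constructed.
"""
from dataclasses import dataclass

# Access modes as listed on the 'Authorisation' slide.
MODES = frozenset({"read", "write", "delete", "annotate"})

# Constructed sample: what mod_shib would expose for two SSO sessions.
# Multi-valued attributes are lists, as Shibboleth delivers them.
SESSIONS = {
    "sess-alice": {
        "eduPersonPrincipalName": "alice@uni-a.example",
        "eduPersonScopedAffiliation": ["staff@uni-a.example"],
        "eduPersonEntitlement": ["urn:example:aspis:curator"],
    },
    "sess-bob": {
        "eduPersonPrincipalName": "bob@uni-b.example",
        "eduPersonScopedAffiliation": ["student@uni-b.example"],
        "eduPersonEntitlement": [],
    },
}


class PIP:
    """Policy Information Point: fetches the attributes captured at login."""

    def __init__(self, store):
        self._store = store

    def attributes(self, session_id):
        # Unknown session -> None; the PDP must treat that as deny.
        return self._store.get(session_id)


@dataclass(frozen=True)
class Rule:
    """One rule of the resource owner's locally managed policy."""
    collection: str    # iRODS collection path prefix this rule covers
    modes: frozenset   # modes the rule grants
    attribute: str     # Shibboleth attribute that must be present ...
    values: frozenset  # ... with at least one of these values


class PDP:
    """Policy Decision Point: default deny, permit only when a rule matches."""

    def __init__(self, rules):
        self._rules = rules

    def decide(self, attrs, path, mode):
        if mode not in MODES:
            raise ValueError(f"unknown access mode: {mode}")
        if not attrs:
            return "Deny", "no attributes for session"
        for rule in self._rules:
            if not path.startswith(rule.collection) or mode not in rule.modes:
                continue
            held = attrs.get(rule.attribute, [])
            held = [held] if isinstance(held, str) else held
            if rule.values & set(held):
                return "Permit", f"rule on {rule.collection} via {rule.attribute}"
        return "Deny", "no matching rule"


class PEP:
    """Policy Enforcement Point: the micro-service the iRODS rule would call."""

    def __init__(self, pip, pdp):
        self._pip, self._pdp = pip, pdp
        self.audit = []  # every decision is recorded, whatever the outcome

    def enforce(self, session_id, path, mode):
        attrs = self._pip.attributes(session_id)
        who = (attrs or {}).get("eduPersonPrincipalName", "<unknown>")
        decision, reason = self._pdp.decide(attrs, path, mode)
        self.audit.append((who, path, mode, decision, reason))
        return decision == "Permit"


# Constructed local policy for a hypothetical collection /aspis/ahds:
# any federated member of the two institutions may read, curators may change.
POLICY = [
    Rule("/aspis/ahds", frozenset({"read"}), "eduPersonScopedAffiliation",
         frozenset({"staff@uni-a.example", "student@uni-b.example"})),
    Rule("/aspis/ahds", frozenset({"write", "annotate", "delete"}),
         "eduPersonEntitlement", frozenset({"urn:example:aspis:curator"})),
]


def build_pep():
    return PEP(PIP(SESSIONS), PDP(POLICY))


if __name__ == "__main__":
    pep = build_pep()
    for sid, path, mode in [("sess-alice", "/aspis/ahds/letters.xml", "write"),
                            ("sess-bob", "/aspis/ahds/letters.xml", "write"),
                            ("sess-bob", "/aspis/ahds/letters.xml", "read"),
                            ("sess-nobody", "/aspis/ahds/letters.xml", "read")]:
        print(sid, mode, "->", "Permit" if pep.enforce(sid, path, mode) else "Deny")
    for entry in pep.audit:
        print(entry)
```

The point the slide alone does not show is where the decision data lives: the policy rules belong to the institution that owns the collection, not to a central iCAT ACL, and the decision is driven by attributes asserted by the user's home institution. The PDP is default deny, a session with no captured attributes is denied rather than treated as anonymous, an unknown access mode is rejected outright, and every decision is written to an audit list so that denials are as visible as permits.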

Shib: Work so far & plans
Gathering use-cases for access management (SRB users, NGS users, Diamond users and others).
Setting up iRODS and Shibboleth test environments (including one for NGS users).
Investigate, prototype and evaluate a number of options:
  – How a micro-service will call PDP/PEP
  – How to pass attributes through iRODS
  – Interaction with web browser

Provenance
How the data was derived affects the interpretation of the data.
So, important to record how data is derived (i.e. provenance of the data).
  – "Derived" includes the process of creation and subsequent modification and manipulation of the data.
  – We must store as much information as necessary to understand the data - depends on context of subsequent use.
  – Implies that provenance is open-ended.

Provenance & iRODS
Data to be stored in iRODS should also have provenance information attached to it.
Requirements for provenance metadata will depend on the purpose and context of its use:
  – Implies that we must interoperate flexibly with existing (& future) provenance systems.
Must also record the manipulations on the data once stored in iRODS:
  – Versions of rules operating on data.
  – Versions of micro-services operating on data.
  – Date when data manipulated, host data manipulated on.
  – Who did it.

Provenance & Data Curation
Internal: store provenance information in iRODS itself:
  – In iCAT or part of iRODS that can be queried from iCAT
  – Capture all iRODS manipulations in rules and micro-services.
Rules cause micro-services to access external provenance systems:
  – Different micro-services for different external provenance systems.
  – Can configure rule to be executed using conditional rule execution (as for AuthZ).

Provenance & iRODS (diagram)
Components: client; iRODS system (iRODS + iCAT + RE, plus iRODS + RE nodes); Internal Provenance System; External Provenance System.
Flow: client stores data in iRODS → rule engine runs, manipulations recorded → update iCAT file metadata → rule causes micro-service to access external system.

Provenance: Work so far & plans
Gathering use-cases for what to store/access.
Already working on how to query PASOA through iRODS (Andrea Weise).
Starting to investigate how to capture information from iRODS system.
  – Need to understand how we can version rules and micro-services.

Contacts
mark.hedges at kcl.ac.uk
tobias.blanke at kcl.ac.uk
a.hasan at rl.ac.uk
j.Jensen at rl.ac.uk