Tim Bell - RDA, 24/09/2015

Presentation transcript:

Slide 2: Tim Bell - RDA, 24/09/2015

Slide 3: CERN Tool Chain

Slide 4: CERN OpenStack architecture (diagram labels)
- Microsoft Active Directory
- Database Services
- CERN Network Database
- Account management system
- Horizon
- Keystone
- Glance
- Network
- Compute
- Scheduler
- Cinder
- Nova
- Block Storage (Ceph & NetApp)
- CERN Accounting
- Ceilometer

Slide 5: Onwards the Federated Clouds
- CERN Private Cloud: 120K cores
- ATLAS Trigger: 28K cores
- CMS Trigger: 12K cores
- ALICE Trigger: 12K cores
- Public Cloud such as Rackspace
- Brookhaven National Labs
- NecTAR Australia
- IN2P3
- INFN
- … Many Others on Their Way

Slide 6: Open Design Process
- Started at OpenStack Hong Kong design summit
- Iterative design using open blueprints
- Source code under Apache 2 license
- Continuous integration to ensure maintainability
- Diverse team

Slide 7: Implementation

Slide 8: Keystone authentication options
- Password
- Active Directory
- OpenID Connect
- X.509
- Kerberos
- Tivoli Federated Identity Manager
- … plug-in architecture for extensions

Slide 9: Policy

Assertion (attributes presented by the identity provider after login):
  LOGIN: madenis
  LANGUAGE: EN
  DEPARTMENT: IT/OIS
  FULLNAME: Marek Denis

Keystone credentials (result of applying the mapping):
  { name: madenis, groups: [ "devs", "openlab" ] }

Mapping rules:
  [
    {
      "local":  [ { "user": { "name": "{0}" } } ],
      "remote": [ { "type": "ADFS_LOGIN" } ]
    },
    {
      "local":  [ { "group": { "id": "devs" } },
                  { "group": { "id": "openlab" } } ],
      "remote": [ { "type": "DEPARTMENT", "any_one_of": [ "IT/OIS" ] } ]
    }
  ]
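To make the slide's mapping semantics concrete, here is an added worked example in Python. It is not code from the presentation and not Keystone's mapping engine; it is a simplified evaluator I wrote for rules of the shape shown on the slide. The rule JSON and the assertion values are taken from the slide (quotes normalised to valid JSON); the function names `apply_mapping` and `_condition_matches` are mine, and the supported matchers (`any_one_of`, `not_any_of`, bare attribute presence) are the subset I chose to reimplement. The security-relevant behaviour it demonstrates is that every group grant is keyed on an attribute asserted by the IdP: a user from another department gets a local user but no group membership, and an assertion missing the login attribute yields no user at all.

```python
"""Simplified Keystone-style federation mapping evaluator (added example).

Each rule lists "remote" conditions over assertion attributes and "local"
objects (user, group) to grant when every condition matches. "{n}" inside a
local value is replaced by the value of the n-th matched remote attribute of
that rule, which is how the slide's rule derives the user name from ADFS_LOGIN.
"""
import json
from typing import Any, Dict, List, Optional

# Mapping rules from the slide, with the curly quotes replaced by valid JSON.
MAPPING_RULES: List[Dict[str, Any]] = json.loads("""
[
  {"local": [{"user": {"name": "{0}"}}],
   "remote": [{"type": "ADFS_LOGIN"}]},
  {"local": [{"group": {"id": "devs"}}, {"group": {"id": "openlab"}}],
   "remote": [{"type": "DEPARTMENT", "any_one_of": ["IT/OIS"]}]}
]
""")

# Constructed assertion, as an IdP would present it; values follow the slide.
SAMPLE_ASSERTION: Dict[str, str] = {
    "ADFS_LOGIN": "madenis",
    "LANGUAGE": "EN",
    "DEPARTMENT": "IT/OIS",
    "FULLNAME": "Marek Denis",
}


def _condition_matches(cond: Dict[str, Any],
                       assertion: Dict[str, str]) -> Optional[str]:
    """Return the matched attribute value, or None when the condition fails."""
    value = assertion.get(cond["type"])
    if value is None:
        return None                      # attribute absent: rule cannot fire
    if "any_one_of" in cond and value not in cond["any_one_of"]:
        return None                      # value outside the allow-list
    if "not_any_of" in cond and value in cond["not_any_of"]:
        return None                      # value on the deny-list
    return value


def apply_mapping(rules: List[Dict[str, Any]],
                  assertion: Dict[str, str]) -> Dict[str, Any]:
    """Evaluate every rule and collect the user name and group ids granted."""
    result: Dict[str, Any] = {"name": None, "groups": []}
    for rule in rules:
        matched: List[str] = []
        for cond in rule["remote"]:
            value = _condition_matches(cond, assertion)
            if value is None:
                break                    # one failing condition voids the rule
            matched.append(value)
        else:                            # all remote conditions matched
            for local in rule["local"]:
                if "user" in local:
                    # "{0}" is substituted with the first matched remote value
                    result["name"] = local["user"]["name"].format(*matched)
                if "group" in local:
                    gid = local["group"]["id"]
                    if gid not in result["groups"]:
                        result["groups"].append(gid)
    return result


if __name__ == "__main__":
    print(apply_mapping(MAPPING_RULES, SAMPLE_ASSERTION))
    # → {'name': 'madenis', 'groups': ['devs', 'openlab']}
```

Running it on the slide's assertion yields the credentials shown on the slide; changing `DEPARTMENT` to another value leaves the user with an empty group list, which is the check to run when reviewing a mapping before deploying it.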

Slide 10: OpenStack Identity Federation in …

Slide 11: Examples of potential use #1
- Federation with a cloud provider such as Rackspace
- Scenario:
  - Project with quota on an external cloud
  - Define role mapping in external cloud using attributes
  - User authenticates against private cloud IdP
  - Accesses public cloud project
- Demo'd at the OpenStack summit in Paris in Autumn

Slide 12: Examples of potential use #2
- Indigo DataClouds project, H2020 funded
- Needs build and test resources
- CERN defines an OpenStack project
- Maps INFN role to project members
- Web SSO federates with EduGain
- API/CLI federates with INFN Keystone using Keystone-to-Keystone

Slide 13: Experiences
- Watch out for non-federated services
- Who owns the resources at the site?
- How to ssh into a VM behind a firewall when there is no account on the central login services?
- Traceability for ephemeral accounts: CADF logs need to be kept to map user UUID to originator
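The last point on this slide is the one a security operations team has to plan for: a federated login creates an ephemeral local user that later appears in service audit records only as a UUID, so the authenticate event that links that UUID to the originating identity must be retained and indexed. The following is an added example, not code from the presentation, from CERN or from OpenStack. It builds that index over a constructed JSON-lines audit log in the generic CADF event envelope (typeURI, eventType, action, outcome, initiator, target, observer). Where Keystone's own notifications carry the federated user name and identity provider is not confirmed here; the example assumes `initiator.name` and a CADF attachment named `identity_provider`, and the UUIDs, event ids and IdP name are constructed sample values.

```python
"""Trace ephemeral (federated) user UUIDs back to their originator via CADF
audit events. Added example; field placement for the IdP is an assumption."""
import json
from typing import Any, Dict, List, Optional

# Constructed UUIDs; real values would come from the deployment's audit log.
EPHEMERAL_UUID = "3f1c5a20-0000-4000-8000-000000000001"
UNKNOWN_UUID = "3f1c5a20-0000-4000-8000-000000000002"


def _evt(eid: str, time: str, action: str, outcome: str,
         initiator: Dict[str, Any], target_type: str,
         attachments: Optional[List[Dict[str, str]]] = None) -> Dict[str, Any]:
    """Build one event in the generic CADF envelope (constructed sample)."""
    event: Dict[str, Any] = {
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
        "eventType": "activity",
        "id": eid,
        "eventTime": time,
        "action": action,
        "outcome": outcome,
        "initiator": initiator,
        "target": {"typeURI": target_type, "id": "constructed-target"},
        "observer": {"typeURI": "service/security", "id": "keystone-constructed"},
    }
    if attachments:
        event["attachments"] = attachments
    return event


USER_TYPE = "service/security/account/user"

# Constructed audit log, one JSON event per line: a successful federated login,
# a failed login by another principal, then two compute actions by UUID only.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _evt("evt-1", "2015-09-24T09:00:00Z", "authenticate", "success",
         {"typeURI": USER_TYPE, "id": EPHEMERAL_UUID, "name": "madenis"},
         USER_TYPE,
         [{"name": "identity_provider", "typeURI": "mime:text/plain",
           "content": "cern-adfs"}]),                       # assumed placement
    _evt("evt-2", "2015-09-24T09:01:00Z", "authenticate", "failure",
         {"typeURI": USER_TYPE, "id": UNKNOWN_UUID, "name": "nobody"},
         USER_TYPE),
    _evt("evt-3", "2015-09-24T09:05:00Z", "create", "success",
         {"typeURI": USER_TYPE, "id": EPHEMERAL_UUID}, "service/compute/server"),
    _evt("evt-4", "2015-09-24T09:06:00Z", "delete", "success",
         {"typeURI": USER_TYPE, "id": UNKNOWN_UUID}, "service/compute/server"),
])


def parse_events(text: str) -> List[Dict[str, Any]]:
    """Parse a JSON-lines audit log, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_uuid_index(events: List[Dict[str, Any]]) -> Dict[str, Dict[str, str]]:
    """Map initiator UUID -> originator, from successful authenticate events only.

    Failed logins never establish an identity, so they must not populate
    the index; otherwise an attacker's failed attempt could be misattributed.
    """
    index: Dict[str, Dict[str, str]] = {}
    for e in events:
        if e.get("action") != "authenticate" or e.get("outcome") != "success":
            continue
        init = e["initiator"]
        idp = next((a["content"] for a in e.get("attachments", [])
                    if a.get("name") == "identity_provider"), "unknown-idp")
        entry = index.setdefault(init["id"], {
            "name": init.get("name", "?"), "idp": idp, "first_seen": e["eventTime"]})
        entry["last_seen"] = e["eventTime"]
    return index


def trace_actor(index: Dict[str, Dict[str, str]],
                event: Dict[str, Any]) -> Optional[str]:
    """Resolve an event's initiator UUID to 'name@idp', or None if unknown."""
    entry = index.get(event["initiator"]["id"])
    return None if entry is None else f'{entry["name"]}@{entry["idp"]}'


def untraceable_actions(events: List[Dict[str, Any]],
                        index: Dict[str, Dict[str, str]]) -> List[str]:
    """Ids of non-authenticate events whose actor has no retained login event."""
    return [e["id"] for e in events
            if e.get("action") != "authenticate"
            and e["initiator"]["id"] not in index]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    idx = build_uuid_index(evs)
    print(trace_actor(idx, evs[2]))          # → madenis@cern-adfs
    print(untraceable_actions(evs, idx))     # → ['evt-4']
```

The list returned by `untraceable_actions` is the gap the slide warns about: resource actions that cannot be attributed because the corresponding authenticate event was never logged or was rotated away, which is the argument for a retention period on the Keystone audit stream at least as long as the lifetime of any resource an ephemeral user can create.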

Slide 14: Summary
- OpenStack now includes Federated Identity as standard: Web SSO, CLI
- Pluggable for authentication methods; SAML and OpenID Connect most popular
- Significant commercial interest and investment; partner networks such as Cisco and HP
- Easy to miss non-federated services when deploying production uses

Slide 15: Questions?
- OpenStack FIM links at louddocs/additional/README.html (link truncated in the transcript)
- CERN OpenStack technical details at production.blogspot.fr (link truncated in the transcript)

Slide 16: Usage Modes
- OpenStack with Web GUI handled by Federated Single Sign-On
- OpenStack with Keystone authentication service validating against a SAML IdP
- OpenStack with Keystone authentication service validating against another Keystone

Slide 18: OpenStack Status
- 4 OpenStack clouds at CERN
- Largest is ~120,000 cores in ~4,000 servers in two data centres
- 3 other instances with 45,000 cores total
- Currently running Juno release of OpenStack
- Migrating to Kilo in next two months

Slide 19: The Worldwide LHC Computing Grid
- Tier-0 (CERN): data recording, reconstruction and distribution
- Tier-1: permanent storage, re-processing, analysis
- Tier-2: simulation, end-user analysis
- > 2 million jobs/day
- ~350,000 cores
- 500 PB of storage
- nearly 170 sites, 40 countries
- Gb links