Presentation is loading. Please wait.

Presentation is loading. Please wait.

Horst Schwichtenberg AAI Needs of the Earthscience Grid Community EGI InSPIRE.

Published byCornelius Hawkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Horst Schwichtenberg AAI Needs of the Earthscience Grid Community EGI InSPIRE."— Presentation transcript:

1 Horst Schwichtenberg horst.schwichtenberg@scai.fraunhofer.de AAI Needs of the Earthscience Grid Community EGI InSPIRE

2 ES Applications OGC INSPIRE GMES Civil Protection GEOSS Meteorology Greece: AUTH, IASA, NOA; SRI (Ukraine), GCRAS (Russia) Climate - GRelC EMA (France), IISAS (Slovakia), SRI (Ukraine) SEIS Geosciences- Geocluster UBO Climate - El Niño Cantabria – EELA2 IEEE CODATA WDCS Biodiversity BRGM (France), Footways(France), JKI (Germany) Hydrology Geospatial platform IMAA(Italy), INFN(Italy), EMA (France), IMHO(Portugal) ds CYCLOPS Platform CYCLOPS Infrastructure Environmental Monitoring Resource Infrastructure Processing Systems Infrastructure Data Systems GRID Platform (EGEE) Sensor systems Security Infrastructure Interoperability Platform Business logic Services Presentation and Fruition Services Spatial Data Infrastructure Services Advanced Grid Services Geospatial Resources Services UN-SPIDER ESA NASA EGU Pollution I Seismology G-OWS INSPIRE Civil Protection ERCIM NASA OGC SEIS IEEE ESA GMES GEOSS WDC EGU AUTH (Greece), IPGP (France), AUTH (Greece), Tubitak Ulakbim (Turkey), Univ. patras (Greece), INFP (Romania) CGGVeritas (France), DSI-IRD,Geoazur,IPGP, IPGS, ISTEP, Sisyphe, CRS4 (Italy), Univ. Genève, Univ. Neuchâtel,INHGA ( Romania), Institute for Water Resources "Jaroslav Cerni", Belgrade and CSASA at University of Kragujevac, Serbia Flood IPP-BAS (Bulgaria), IASA (Greece), EnvVO-SEEGRID Pollution Univ. Cantabria – EELA2 CMCC (Italy), IPSL (France), Univ Cantabria (Spain), SCAI (Germany)

3  Data of multiple sources and formats  Archived sensor data or derived data  Several sensor types  Several data processing levels  Filtering, Subsetting, Formatting, Gridding, etc.  Model output  Requirement to relate or analyse relation of many data sets  Different providers => different systems Earth Science Data 3 Data is Central for ES

4 Researcher Geographical Information Systems Data Centers / SDIs Compute Infrastructures Institutional Resources Other Exemplary overview 4

5 Researcher Geographical Information Systems Data Centers / SDIs Compute Infrastructures Institutional Resources Other GIS 5

6  Access mostly based on OWS  Web Service Specifications of the Open Geospatial Consortium (OGC)  Originally does not specify Authentication or Authorization OGC Services are broadly accepted in spatial data oriented ES domains  Work in progress:  GeoXACML (authorization for spatial data)  OGC call for OWS and Shibboleth interoper. (ref implementation: http://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client)  OGC Authentication Interop Experiment:  The following mechanisms are planned and on test: HTTP Authentication, HTTP Cookies, SSL/X509, SAML, Shibboleth and OpenID.  Shibboleth + OpendID (US) are relevant for ES  WS-Security with SAML/X509/Kerberos  Developments by G-OWS, Genesi-DR (Elsag-Datamat), INFN OGC roadmap on the way  Developments for Globus-OGC by lat/lon, deegree (see also OGF-OGC) Geographical Information Systems (GIS) 6

7 Researcher Geographical Information Systems Data Centers / SDIs Compute Infrastructures Institutional Resources Other Data Centers 7

8 Security environem OWS environment: – Not yet standardized – Browser based approach: No security at all OpenID, Shibboleth Username/Password (HTTP) GeoDRM gLite environment: – Consolidated security approach based on: X509 Certificates VOMS Proxies DN/FQAN matching AuthZ Coupling the two environments: – Client side: username/password (Shibboleth, OpenId, …) – Server side: X509 Certificates, VOMS Proxies How? – Shibboleth Credentials (Identity Provider) – SLCS Service (ShortLivedCredentialService) – VASH Service (VOMSAttributesfromShibbolethService)

9  e.g. ESA EO data  Application for Access  Personal Registration  Different AC Methods  (S)FTP Password Auth  Proprietary Access Clients  Send physical media per mail  Access to ESA data is also possible for ES users today via the GENESI-DR infrastructure see GENESI-DR project and follow up A first application interface to the GENESI infrastructure was developed by ES in EGEE-III  AA was not solved – two CAs Data Centers / Spatial Data Infrastructures (SDI) 9

10  Data Policies can imply further security requirements regarding storage & processing  It might  be commercial / protected by NDAs  represent years of research (fear of prior publication)  INSPIRE, WMO and other large ES organizations define regulations Problem for ES: how to protect licensed data on the compute infrastructues Data Centers 10

11 Researcher Geographical Information Systems Data Centers / SDIs Compute Infrastructures Institutional Resources Other Compute Infrastructures 11

12 Compute Infrastructures  Recent Years: Most used infrastructures are based on gLite (EGEE), Globus (e.g. NGI-De), Unicore (DEISA)  Personal X509 certificates in many infrastructures by  National Authorities (compliant with EUGridPMA, IGTF)  Problem of the PKI infrastructure: not accepted by browser (e.g. Verisign, etc.); no hierachy on national level  Own CAs  Virtual Organisation membership, proxy certificates, delegation  Not useable in commercial clouds 12

13 Researcher Geographical Information Systems Data Centers / SDIs Compute Infrastructures Institutional Resources Other Institutional Resources 13

14 e.g. Access to data of prior research *nix user accounts LDAP / AD Kerberos VPN Institutional Resources 14

15 Researcher Geographical Information Systems Data Centers / SDIs Compute Infrastructures Institutional Resources Other Other resources 15

16 E.g. proprietary portals, catalogues, maps, etc. -Simple password auth -OpenID / Shibboleth (SAML) -Custom RBAC systems -Custom authentication methods (robots, …)) Licensed / restricted software Other resources 16

17  Access control for data and code  Protect scientific work (ACLs for code & data) down to a single user (e.g. CGGveritas in EGEE-III, licencing)  End-to-End data/code protection (storage node to compute node to …) Summary of Requirements 17

18  Federated identity and single sign-on  Interfaces/API  Security Assertion Markup Language (SAML) support, as well as support for the OAuth WRAP, WS-Trust, and WS-Federation protocols...  Available on Cloud infrastructures! We will switch between GRID and Cloud – Data will be available on cloud …  SSO solutions based on  Shibboleth, OpenID (future requirement for OGC Services)  AA for Science Gateways  Automatic certificate generation (e.g. Robot,...) to provide open public community services with compute resources on EGI in the background  AA interoperability for workflows and aggregation of services (see federated identity and SSO) 18 Summary of Requirements

19  OGC OWS-6 Security Engineering Report: http://portal.opengeospatial.org/files/?artifact_id=35461 Sources 19

20 Thanks for your attention! 20

21 21

Download ppt "Horst Schwichtenberg AAI Needs of the Earthscience Grid Community EGI InSPIRE."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Contrail and Federated Identity Management

Contrail and Federated Identity Management
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Secure access to spatial data for academia – the UK experience Workshop, Authentication, Authorization and Accounting for Data and Services in EU Public.

Secure access to spatial data for academia – the UK experience Workshop, Authentication, Authorization and Accounting for Data and Services in EU Public.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
EMI INFSO-RI-261611 Session Summary AAI Needs for DCIs John White, HIP Christoph Witzig, SWITCH

EMI INFSO-RI Session Summary AAI Needs for DCIs John White, HIP Christoph Witzig, SWITCH
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Will Darby 91.514 5 April 2010.  What is Federated Security  Example Implementations  Security Assertion Markup Language (SAML) Overview  Alternative.

Will Darby April  What is Federated Security  Example Implementations  Security Assertion Markup Language (SAML) Overview  Alternative.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.

National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.
Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor
FIM-related activities and issues being discussed in Japan 1.GEO Grid Yoshio Tanaka (AIST) 2.HPCI, GakuNin Eisaku Sakane, Kento Aida (NII)

FIM-related activities and issues being discussed in Japan 1.GEO Grid Yoshio Tanaka (AIST) 2.HPCI, GakuNin Eisaku Sakane, Kento Aida (NII)
Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.

Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.

Similar presentations

Ads by Google