1. ASPiS Security Jens Jensen Science and Technology Facilities Council AHM, 8-11 Sep 2008 Edinburgh

2. ASPiS collaborators Mark Hedges, CeRch KCL Adil Hasan, Liverpool Andrea Weise, STFC/Reading Eric.., → CeRch KCL Jens Jensen, STFC JISC-funded project

3. Project Overview “New data grid technology with new authentication technology”

4. Project Overview What is ASPiS? –Access to iRODS via Shibboleth –Collaboration between CeRch (KCL) and STFC What is Shibboleth –UK Access Management Federation What is iRODS? –“data grid” for provenance, digital libraries –Successor to SRB –Open Source

5. ASPiS goals Access to iRODS via Shibboleth –IRODS offers rule-based data management via microservices –Positioned as data grid solution for preservation, curation, digital libraries Primary use cases: –Arts and Humanities data storage –Diamond Light Source –NGS data storage services

6. ASPiS goals Use Shibboleth attrs for access control –Can use attrs for AuZ decisions –ePEntitlement –Or extended attrs, e.g. from SARoNGS Prototype secure data management –Can be expanded later into trusted services –Open for adding security capabilities Interface with provenance management

7. User Security Enable access for security non-experts –X.509 considered “complicated” –Broaden user base via Shibboleth IdPs Users' VOs supported –Simple attribute-based –Simple gridmap style user mapping –Using VOMS? Via SARoNGS?

8. Shibboleth and NGS Other projects to enable access to NGS SARoNGS –Production deployment of ShibGrid and SHEBANGS –Certificates generated dynamically – users don't know they have them! –~75% of NGS user base with IdP –~95% by members of Federation –(Not all members have IdPs)‏ –(Rough numbers, could have changed)‏

9. Architecture SP IdP Usual Shib Stuff Disk Store (Tape Store at RAL)‏ Provenance Metadata Management μservice iRODS rule ACL

10. Implementing Security Make attributes available –To rule engine, microservices, provenance –Microservices reporting back to rule engine to alter workflow Other issues –Using AC and SAML (SARoNGS)‏ –Libraries iRODS in C, preservation systems in Java (Pasoa, RDF/OWL)‏ Availability, maturity, support, interoperation

11. Security Considerations Use of Shib 1.3, vs Shib 2.0 –Must work with existing Federation –Use of institutional attributes How useful are they? Avoid bilateral negotiations –Not sharing attributes between SPs Single SP, federated iRODS? Non-Federation (or no IdP) users –Considered local config or LDAP managed

12. Security Considerations User to local mapping –LCMAPS or VPMan? Or something simpler? –Delegation of authentication –IRODS users/groups/domains/zones? Use or combined use with GSI –For users with certificates already, exisitng NGS accounts Consistency and portal access –Supported in iRODS 1.1 –Needs account management

13. Preservation Issues Persistency of ePTID –Federation rules permit recycling if not used for 2yrs –APSiS: do not permit login if account idle for 2yrs Except if IdP guarantees uniqueness forever? Who is the ePTID? Non-persistency of IdP logs Verification of user-supplied attrs?

14. Other Issues QoS: priority mappings for some users? iRODS needs rebuild (or at least relink) when μservice changes

15. Current Status iRODS deployed at Reading, RAL Shibboleth IdP at RAL –DLS did not join the Federation at this time Not quite ready for testing yet

16. Conclusion Datastore for libraries, preservation –Interfacing to provenance mgmt Replacing SRB Single sign-on access via Shib –Usable –Secure