Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sponsored by the National Science Foundation Towards Uniform Clearinghouse APIs GEC17 Developer Working Sessions July 23, 2013 0830-1030.

Published byEunice Webb Modified over 8 years ago

Similar presentations

Presentation on theme: "Sponsored by the National Science Foundation Towards Uniform Clearinghouse APIs GEC17 Developer Working Sessions July 23, 2013 0830-1030."— Presentation transcript:

1 Sponsored by the National Science Foundation Towards Uniform Clearinghouse APIs GEC17 Developer Working Sessions July 23, 2013 0830-1030

2 Sponsored by the National Science Foundation2 Overview This session is to discuss the effort to design and implement a common API for GENI-compatible Clearinghouses –What is a Clearinghouse (CH) ? –Why do we want a common CH API? –What might a common API look like?

3 Sponsored by the National Science Foundation3 What is a Clearinghouse? A Federation is a human activity of collaboration and trust among organizations, subject to certain policies and agreements. A Clearinghouse provides a collection of services that facilitates this collaboration and trust by ensuring these policies and agreements.

4 Sponsored by the National Science Foundation4 What is a Clearinghouse [2]? Services that mint and manage credentials are called Authorities. We have two kinds in GENI: –Member Authority: Generate User Credentials What attributes are associated with a person –Slice Authority: Generate Slice Credentials What a person may do on a slice Credentials are signed statements about people: Both assertions (what is true about this person) or policy (what is permitted about this person)

5 Sponsored by the National Science Foundation5 What is a Clearinghouse? [3] A Federation is comprised of a set of collaborating organizations –The CH is a collection of the Aggregates and Authorities of these collaborating organizations that are selected to participate in this Federation –The CH provides directory services for looking up Federation Aggregates and Authorities –It is the source of trust root(s) for a given federation

6 Sponsored by the National Science Foundation6 What is a Clearinghouse? [4] Clearinghouses are independent –No trust relationship exists between them –Members or Slices defined at the authorities in one CH are not necessarily recognized at another

7 Sponsored by the National Science Foundation7 Entity Relationships CH-1 CH-2 SA-A SA-B MA-B MA-A AM-1 AM-3 AM-2 An authority can be a member of multiple CH’s A CH can have multiple Authorities, and multiple AM’s. An aggregate can be a member of multiple CH’s A slice is a member of exactly one SA An experimenter is a member of exactly one MA

8 Sponsored by the National Science Foundation8 Why do we want a common CH API? Many federations out there, each with their own authorities, and interfaces –In GENI, we have the GPO and PG CH –FIRE and OFELIA are working on setting up their own –Other international efforts underway Need to support federations that are generated “on the fly” to represent time-limited initiatives We want GENI tools to be able to be able to go to a CH (or any of a list of CH’s) and be able to interact with them in a uniform way

9 Sponsored by the National Science Foundation9 Clearinghouse API – Brief Overview A CH API consists of these pieces: –The Clearinghouse API itself –The APIs of the Authorities available through the CH Slice Authority (SA) API Member Authority (MA) API –No need to specify the API of the aggregates that belong to a CH: this is the AM API The common CH API is still being edited and reviewed. A draft will be available shortly on the GENI wiki.

10 Sponsored by the National Science Foundation10 Clearinghouse API Directory Services –getAuthorities: Get list of associated MA’s and SA’s (by URL plus some additional descriptive meta-data) Selected by optional match criteria –getAggregates: Get list of associated aggregates (by URL plus some additional descriptive meta-data) Selected by optional match criteria –Reverse Lookup: Find the authority associated with a given URN Trust Root Services: –getTrustRoots: Get list of trust roots assocaited with the CH (that any member of the federation should take and insert into their own trust bundle).

11 Sponsored by the National Science Foundation11 Slice Authority API Manage Slice Objects –Create, Renew, Update, Lookup Slice Credentials –getCredentials: get credentials for given user relative to given slice May be SFA Slice Credentials or ABAC Credentials or some other form supported by CH Optional –Slice Membership –Projects and Project Membership –Slivers per Slice [Non-authoritative]

12 Sponsored by the National Science Foundation12 Member Authority API Lookup_public member_info Certificate, public SSH, SSL keys Lookup_private_member_info –Private SSL, SSH keys Lookup_identifying_member_info –Name, email, affiliation Creating/setting this member information is out-of-band: no common public I/F provided. Breaking up the member information into these chunks enables different MA’s to apply different authorization/access policies to different kinds of information.

13 Sponsored by the National Science Foundation13 Diversity across CH’s Note that not all CH’s will have the same object models and support the same services –Each may support a ‘slice object’ but may associate CH-unique attributes –Some may support slice-membership or projects, others may not We want the CH/Authority API’s to support these kinds of variability –CHs/Authorities should support a get_version method that advertises its essential services and object models

14 Sponsored by the National Science Foundation14 Generic CH Object Model Slice: SLICE_URN: URN SLICE_UID: UID SLICE_NAME: STRING SLICE_CREDENTIAL: CREDENTIAL SLICE_DESCRIPTION: STRING SLICE_EXPIRATION: UTC SLICE_EXPIRED : BOOLEAN SLICE_CREATION: UTC SLICE_EMAIL: EMAIL Member: MEMBER_URN: URN MEMBER_UID: UID MEMBER_FIRSTNAME: STRING MEMBER_LASTNAME: STRING MEMBER_CREDENTIAL: CREDENTIAL MEMBER_EMAIL: EMAIL Project: PROJECT_URN: URN PROJECT_UID: UID PROJECT_NAME: STRING PROJECT_DESCRIPTION: STRING PROJECT_EXPIRATION: UTC PROJECT_EXPIRED: BOOLEAN PROJECT_CREATION: UTC PROJECT_EMAIL: EMAIL Project Member: PROJECT_URN: URN MEMBER_URN: URN ROLE: STRING Slice Member: SLICE_URN: URN MEMBER_URN: URN ROLE: STRING Member Key: MEMBER_URN: URN KEY_ID: INT KEY_NAME: STRING KEY_TYPE: STRING KEY_VALUE: STRING ENCRYPTION_TYPE: STRING PUBLIC: BOOLEAN Credential: MEMBER_URN: CREDENTIAL SUBJECT: URN OBJECT: URN PREDICATE: STRING Required Optional N : 1 1 : N N Slice has many members of different roles Project has many members of different roles

Download ppt "Sponsored by the National Science Foundation Towards Uniform Clearinghouse APIs GEC17 Developer Working Sessions July 23, 2013 0830-1030."

Similar presentations

FIBRE-BR Meeting GENI I&M Marcelo Pinheiro. Agenda GENI Overview GENI User groups GENI I&M Use Cases GENI I&M Services.

FIBRE-BR Meeting GENI I&M Marcelo Pinheiro. Agenda GENI Overview GENI User groups GENI I&M Use Cases GENI I&M Services.
D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.

D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.
PlanetLab Architecture Larry Peterson Princeton University.

PlanetLab Architecture Larry Peterson Princeton University.
Sponsored by the National Science Foundation 1 Activities this trimester 0.5 revision of Operational Security Plan Independently (from GPO) developing.

Sponsored by the National Science Foundation 1 Activities this trimester 0.5 revision of Operational Security Plan Independently (from GPO) developing.
Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013.

Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013.
D u k e S y s t e m s Authorization Framework: Status Jeff Chase Duke University.

D u k e S y s t e m s Authorization Framework: Status Jeff Chase Duke University.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
ERMS in the Library What should it do for us? Helen Clarke Head, Collections Services University of Calgary.

ERMS in the Library What should it do for us? Helen Clarke Head, Collections Services University of Calgary.
Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
Introduction to UDDI From: OASIS, Introduction to UDDI: Important Features and Functional Concepts.

Introduction to UDDI From: OASIS, Introduction to UDDI: Important Features and Functional Concepts.
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
D u k e S y s t e m s Accountability and Authorization GEC 12 Jeff Chase Duke University Thanks: NSF TC CNS-0910653.

D u k e S y s t e m s Accountability and Authorization GEC 12 Jeff Chase Duke University Thanks: NSF TC CNS
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
D u k e S y s t e m s Building the GENI Federation with ABAC: Going Deeper Jeff Chase Duke University Thanks: NSF TC CNS-0910653.

D u k e S y s t e m s Building the GENI Federation with ABAC: Going Deeper Jeff Chase Duke University Thanks: NSF TC CNS
American College of Healthcare Executives ACHE Update Leadership Knowledge Relationships Marketability.

American College of Healthcare Executives ACHE Update Leadership Knowledge Relationships Marketability.
Sponsored by the National Science Foundation Omni: a command line GENI resource reservation tool Niky Riga, Sarah Edwards GENI Project Office 13 March,

Sponsored by the National Science Foundation Omni: a command line GENI resource reservation tool Niky Riga, Sarah Edwards GENI Project Office 13 March,
National Science Foundation Arlington, Virginia January 7-8, 2013 Tom Lehman University of Maryland Mid-Atlantic Crossroads.

National Science Foundation Arlington, Virginia January 7-8, 2013 Tom Lehman University of Maryland Mid-Atlantic Crossroads.

Similar presentations

Ads by Google