Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federated Identity in the Earth Science Domain: the Earth System Grid Federation, EGI-Inspire and GENESI-DEC Federated Identity System for Scientific Collaborations.

Published byKarin Lloyd Modified over 8 years ago

Similar presentations

Presentation on theme: "Federated Identity in the Earth Science Domain: the Earth System Grid Federation, EGI-Inspire and GENESI-DEC Federated Identity System for Scientific Collaborations."— Presentation transcript:

1 Federated Identity in the Earth Science Domain: the Earth System Grid Federation, EGI-Inspire and GENESI-DEC Federated Identity System for Scientific Collaborations Workshop CERN 9-10 June 2011 Philip Kershaw [philip.kershaw@stfc.ac.uk] (STFC Rutherford Appleton Laboratory, NCAS/BADC, UK) Sébastien Denvil, Jérôme Raciazek, Monique Petitdidier (CNRS / IPSL France)philip.kershaw@stfc.ac.uk Horst Schwichtenberg, André Gemünd (SCAI, Germany) L. Fusco, R. Cossu, (ESA / ESRIN, Italy)

2 Overview Background and drivers for federated access control in the Earth Science domain the Earth System Grid Federation (ESGF) – A distributed infrastructure for the discover, access and analysis of Earth science data – CMIP5 as a motivator for the development Inter-federation trust – EGI-Inspire EU FP7 Project – ESGF  EGI – GENESI-DEC  EGI Philip Kershaw [philip.kershaw@stfc.ac.uk]philip.kershaw@stfc.ac.uk

3 Data Challenge for the Earth Science Community Data! Environmental scientists use numerous sources of data The ability to combine and compare diverse datasets is critical to furthering our understanding of the Earth system. but the integration of such datasets can be difficult, largely due to inherent technical complexities. Increasing data volumes necessitate distributed infrastructures Organisational domains, trust, licensing, identity management As a result, many valuable environmental datasets are underused.

4 CMIP5 and the Earth System Grid WCRP (World Climate Research Programme) CMIP5 (Coupled Model Intercomparison Project, Phase 5) Data produced at ~ 25 Centres 50 Distinct Numerical Experiments 100 000 years of simulated climate Corresponding to 6500 years real world climate > 2.5 Petabytes of data Global activity, access to Petascale archive hosted on multiple continents ESG-CET, Earth System Curator, Metafor, IS-ENES Earth System Grid Federation IPCC Assessment Report Drivers for federated Approach Deliver Science PCMDI co-ordinating Role Philip Kershaw [philip.kershaw@stfc.ac.uk]philip.kershaw@stfc.ac.uk Size of prospective archive + distribution challenge => centralised approach will not work Federated archive => federated security High profile and real deadlines mean a solution must work Collaboration involving European projects

5 ESGF Requirements and Challenges Requirements – Low level of assurance required for CMIP5 access – PCMDI (Lawrence Livermore National Laboratory) to administer registration of access rights – Audit access – Register users to keep them up-to-date with changes to data and services – Protect finite resources at service providers (compute, bandwidth …) How to apply access control in a heterogeneous environment of data access services and tools in this domain? – OPeNDAP, Live Access Server/Ferret, OGC web services, GridFTP, CDAT, Matlab, IDL, Ferret … Multiple technologies in the field of access control and security – Grid, Shibboleth, SAML, OpenID, OAuth, Kerberos …

6 A Solution in Modular Design Principles Organisational Boundaries: SOA (Service Oriented Architecture): Defined interfaces with web services with profiled specs : OpenID, SAML, PKI => interoperability Slicing up the Server Side: AOP – Aspect Oriented Programming: Maintain a separation of concerns between access control functionality and application to be protected A standard interface between the two enables access control middleware to be configured to protect any app which supports that interface Slicing up the Client Side: Simple interface suited to Wget and Curl Rich clients: Security integrated at a base level in the client software stack: into NetCDF client libraries Philip Kershaw [philip.kershaw@stfc.ac.uk]philip.kershaw@stfc.ac.uk Divide and Conquer approach applying SOA, AOP, REST and NetCDF NetCDF dependent Client Package OPeNDAP / Other HTTP Application OPeNDAP / Other HTTP Application Security Extension [NetCDF Libraries] Security Extension [NetCDF Libraries] Security Filters [Server Middleware] Security Filters [Server Middleware] HTTP/HTTPS Interface Server-side NetCDF-based Client Wget / Curl HTTP and SSL Client libraries HTTP/HTTPS Interface Web HTTP/HTTPS Interface Web Browser REST based access policy: Restrict Policy to properties of the interface: URI, HTTP Action – GET, POST etc.

7 Federated Security Architecture Single sign on with OpenID and MyProxy – Dual authentication mechanisms link to the same credentials Applications simultaneously support the dual authentication methods – The server-side access control layer is agnostic to the authentication approach employed by the client – The underlying application is kept independent – Access control filters can be assembled in different configurations to suit different application scenarios Attribute propagation: – Pull-based model with SAML Attribute Services – Push-based also supported with OpenID AX (Attribute Exchange) and embedding of SAML assertions in user certificates Authorisation: – Authorisation Service with SAML interface – Can accept queries from a range of PEPs fronting services – GridFTP, OPeNDAP – XACML Policy engine used in Python implementation at the BADC/CEDA Service Discovery with Yadis protocol: XRDS over HTTP(S) – Introspect IdP services from a user’s OpenID URI – Discover Attribute Service and MyProxy server endpoints from a user’s OpenID Authorisation Filters Application OpenID Provider MyProxy Online CA Authorisation Service Authentication Filters Attribute Service Data Node Identity Provider SAML/SOAP HTTP(S)

8 Multiple Authentication Methods

9 Successes A standard solution for securing OPeNDAP and other HTTP-based services – Access for simple HTTP clients: Wget/Curl – Integrated into new NetCDF filters down to all the dependent packages: CDAT, Ferret … – Access for Grid based infrastructure: SSL-based authentication – Delegation capability for securing workflows Interface Control Document – Python and Java implementations Highly configurable access control middleware – Easy to support multiple security paradigms e.g. OpenID and SSL based Security is built on trust – relationships between organisations – The importance of a strong common goal in CMIP5 – The close collaboration required has in turn fostered more partnerships – ESGF Open Source development effort Philip Kershaw [philip.kershaw@stfc.ac.uk]philip.kershaw@stfc.ac.uk

10 Philip Kershaw [philip.kershaw@stfc.ac.uk]philip.kershaw@stfc.ac.uk Issues Security is inherently complex – PKI (Public Key Infrastructure), a fundamental building block to anchor trust but difficult to manage and administer Does the level of security required justify effort needed? – Need to support Levels of Assurance for authentication mechanisms Federation management, SLAs must not be overlooked Remember who are the stakeholders – Users: do they understand Single sign-on?! – Deployers: can organisations easily deploy? – Developers: A need to pass on knowledge and expertise

11 ESGF Integration with EGI Objective: enable access for Grid services to CMIP5 Data through ESGF OPeNDAP services How to solve trust between grids: exchange of PKI trust roots or credential translation? Exchange of trust roots ESGF credentials trusted in EGI Make ESGF MyProxy Online CAs subordinate to IGTF trust roots Add respective EGI trust roots to ESGF infrastructure Proxy certificate support Certificate lifetime and CRLs OpenID in X.509 Subject Name Credential translation Convert from ESGF to EGI certificate Removes need for EGI to hold ESGF trust roots Preserves separation between domains But, reverse mapping needed EGI -> ESGF? ESGF certificates hold a SAML assertion, if signed this could be used as the authentication credential and passed in different certificate ‘containers’ Extensions [SAML Artifact] Extensions [SAML Artifact] Subject Name [OpenID] X.509 Certificate EGI ESGF EGI Trustroots ESGF Trustroots MyProxy Online CA Worker Node OPeNDAP Credential Translation

12 GENESI-DEC Goal: harmonisation of satellite data access – FP7 project successor to GENESI-DR – Completes in 2012 – Portal and search services to interface with other applications – Standards work with OGC (Open Geospatial Consortium) and OpenSearch – Uses Grid-based security model – PKI/Proxy certificates Handling of VOs in federated infrastructures Cloud IaaS (Infrastructure as a Service) and OGC WPS (Web Processing Services) More developments underway with security model …

13 Future and Related Work OAuth for delegation – MashMyData Project Proxy Certificate based Delegation in workflow with WPS and OPeNDAP services – ExArch Project G8 funded collaboration, US, Canadian and European partners WPS: keep the processing near the data IS-ENES (InfraStructure for the European Network for the Earth System Modelling) EU FP7 – Delegation use case is important e.g. Portal  WMS client  WMS access control ISIC (International Space Innovation Centre), RAL – Create critical mass for space-related activities – Earth observation hub – ESA also now located at RAL Shibboleth support? Philip Kershaw [philip.kershaw@stfc.ac.uk]philip.kershaw@stfc.ac.uk

14 Any Questions? More information on ESGF security: – ESGF Security paper for GCA2011, Las Vegas, July – http://philipkershaw.blogspot.com/ http://philipkershaw.blogspot.com/

Download ppt "Federated Identity in the Earth Science Domain: the Earth System Grid Federation, EGI-Inspire and GENESI-DEC Federated Identity System for Scientific Collaborations."

Similar presentations

MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Contrail and Federated Identity Management

Contrail and Federated Identity Management
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
H The MashMyData Project MashMyData [1] is a NERC (Natural Environment Research Council) funded Technology Proof of Concept project whose aim is to enable.

H The MashMyData Project MashMyData [1] is a NERC (Natural Environment Research Council) funded Technology Proof of Concept project whose aim is to enable.
The MashMyData project Combining and comparing environmental science data on the web Alastair Gemmell 1, Jon Blower 1, Keith Haines 1, Stephen Pascoe 2,

The MashMyData project Combining and comparing environmental science data on the web Alastair Gemmell 1, Jon Blower 1, Keith Haines 1, Stephen Pascoe 2,
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
FIM-ig Federated Identity Management Interest Group.

FIM-ig Federated Identity Management Interest Group.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
ESA EO Federated Identity Management Initiatives A. Baldi ESA: M. Leonardi RHEA:

ESA EO Federated Identity Management Initiatives A. Baldi ESA: M. Leonardi RHEA:
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
IS-ENES [ees-enes] InfraStructure for the European Network for Earth System Modelling IS-ENES will develop a virtual Earth System Modelling Resource Centre.

IS-ENES [ees-enes] InfraStructure for the European Network for Earth System Modelling IS-ENES will develop a virtual Earth System Modelling Resource Centre.
Authentication and Authorization in a federated environment Jules Wolfrat (SARA)

Authentication and Authorization in a federated environment Jules Wolfrat (SARA)
FIM-related activities and issues being discussed in Japan 1.GEO Grid Yoshio Tanaka (AIST) 2.HPCI, GakuNin Eisaku Sakane, Kento Aida (NII)

FIM-related activities and issues being discussed in Japan 1.GEO Grid Yoshio Tanaka (AIST) 2.HPCI, GakuNin Eisaku Sakane, Kento Aida (NII)
1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!

1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!
Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.

Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.
National Earth Science Infrastructure Program AuScope Limited Headquarters School of Earth Sciences University of Melbourne Victoria 3010 Tel 03 8344 8351.

National Earth Science Infrastructure Program AuScope Limited Headquarters School of Earth Sciences University of Melbourne Victoria 3010 Tel

Similar presentations

Ads by Google