Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.

Published byDerick Caldwell Modified over 9 years ago

Similar presentations

Presentation on theme: "Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011."— Presentation transcript:

1 Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011

2 History of European HPC projects DEISA (Distributed European Infrastructure for Supercomputing Applications): May 2004 – April 2008 DEISA2 : May 2008 – April2011 10 countries, 15 centers PRACE (Partnership for Advanced Computing in Europe, Preparatory Phase): started in January 2008 PRACE(-PP) (preparatory phase): January 2008 – June 2010 14 countries PRACE 1-IP (first implementation phase): July 2010 – June 2012 Focuses on “Tier-0” integration 20 countries PRACE-2IP (second implementation phase): September 2011 – July 2013 Focuses on “Tier-1” integration 21 countries

3 The HPC ecosystem Regional resources T0 T1 T2 European resources National resources Addressed by PRACE-RI (PRACE-1IP) Addressed by PRACE-RI (PRACE-2IP)

4 PRACE-RI Association Internationale Sans But Lucratif (created in 2010) Head office installed in Brussels 21 countries members PRACE operates Tier-0 resources JUGENE, FZJ, IBM Blue Gene/P, 1PF, July 2010 CURIE, CEA, BULL, 1.6 PF, end of 2011 HERMIT, HLRS, Cray XE6, 1 PF, November 2011 Funding secured until 2015 > 400 M€ national funding 48 + 20 M€ EC-funding

5 5 Accessing the PRACE RI Access Model for Tier-0 systems Based on peer-review: “the best systems for the best science” Three types of resource allocations T est / evaluation access Only technical peer review Project access – for a specific project, grant period ~ 1 year Both technical and scientific peer review Program access – resources managed by a community Both technical and scientific peer review Access Model for Tier-1 systems Based on DEISA model – review by national committees Current calls: http://www.prace-ri.eu/hpc-accesshttp://www.prace-ri.eu/hpc-access

6 DEISA Model DEISA highly performant continental global file system S1S2S3S4S14S15S16 DEISA Common Production Environment Different Supercomputers Dedicated 10 Gb/s network – via GEANT2 Single Sign-on, Secure login

7 The DEISA/PRACE security model Authentication X.509 certificates (EUGridPMA, IGTF) Services using X.509 authentication : GSI-SSH, UNICORE, GridFTP, GRAM, web services SSO (MyProxy server) Authorization LDAP used as an authorization database Fine grained management Attributes associated to projects (groups of persons) Attributes associated to accounts Accounting Distributed database (DART for access) Accounting records compliant to OGF Usage Record format

8 b) Federated User Administration c) Authorized Access to Resources a) PRACE Project Administration site B site C site A LDAP user DB allowed User authz Review DB Project attributes user DB user DB User registration

9 Federation services in DEISA/PRACE Evaluation of Shibboleth started in 2009 Two scenarios tested: 1.Authorization tokens issued as extensions in certificates by an IdP (Identity Provider) set up by DEISA  Additional certificate attributes obtained from the user administration service (DUAS)  Linking authorization information to IdP services not easy to implement 2.X.509 certificates obtained through a federated service  External IdPs for validating the user  Service successfully tested in Germany  To be successful such a service must be offered in more countries  TERENA Certificate Service is very welcome

10 Planned activities (based also on user survey) Federation facilities for AA Security Token Service (STS): On EMI roadmap is a study on ‘native integration’ of multiple security mechanisms, based around the Security Token Service (STS) Redesign of LDAP schema

11 What can STS do for PRACE LDAP attributes could be translated into SAML assertions (similar to what was tested a year ago in DEISA based on Shibboleth v3) No need to import attribute data locally Middleware must support this Enables collaboration (trust model needed) Interoperability with VOMS communities Use cases must be defined

12 Conclusion X509 certificate model is currently acceptable for PRACE It is part of PRACE technology evaluation program to follow what is going on in the identity federation field Interoperability is the key word PRACE is interested in open standards for the exchange of authentication and authorization information (SAML, XACML) But interoperability is not always easy to achieve: There must be a common understanding of the meaning of credential attributes Progress in general is slow: Middleware products have often their own methods for validation Endpoints must also support open standards

13 Questions? http://www.deisa.eu http://www.prace-ri.eu

Download ppt "Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Current status of grids: the need for standards Mike Mineter TOE-NeSC, Edinburgh.

Current status of grids: the need for standards Mike Mineter TOE-NeSC, Edinburgh.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
PRACE – The European HPC Infrastructure Liz Sim (EPCC) PRACE WP6 Operations – User Services Subtask Leader.

PRACE – The European HPC Infrastructure Liz Sim (EPCC) PRACE WP6 Operations – User Services Subtask Leader.
EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop 7.7.2011 London, UK.

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.
The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.

The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.

TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
EMI INFSO-RI-261611 European Middleware Initiative (EMI) Standardization and Interoperability Florida Estrella (CERN) Deputy Project Director.

EMI INFSO-RI European Middleware Initiative (EMI) Standardization and Interoperability Florida Estrella (CERN) Deputy Project Director.
Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor
Authentication and Authorization in a federated environment Jules Wolfrat (SARA)

Authentication and Authorization in a federated environment Jules Wolfrat (SARA)
FIM-related activities and issues being discussed in Japan 1.GEO Grid Yoshio Tanaka (AIST) 2.HPCI, GakuNin Eisaku Sakane, Kento Aida (NII)

FIM-related activities and issues being discussed in Japan 1.GEO Grid Yoshio Tanaka (AIST) 2.HPCI, GakuNin Eisaku Sakane, Kento Aida (NII)

Similar presentations

Ads by Google