ARCS Authorisation Services - Neil Witheridge - PowerPoint PPT Presentation

SLIDE 1

ARCS Authorisation Services

Neil Witheridge
Manager, ARCS Authorisation Services
APAN29, Sydney, February 2010


SLIDE 2

Overview

  • ARCS & Platforms for Collaboration
  • ARCS Mission & Structure
  • Research Group Needs
  • ARCS Services and Tools
  • Authorisation Services' Role
  • ARCS Authorisation Infrastructure
  • Strategy, Challenges & Future direction

SLIDE 3

Australian Government eResearch Investment

  • National Collaborative Research Infrastructure Strategy - Platforms for Collaboration (PfC) investment (2007-11)
  • Super Science Initiative eResearch Components (2009-13)
  • … critical importance of eResearch Infrastructure to future research competitiveness
  • … intended to enhance research collaborations, assist researchers to manage massive data sets, and provide super-computing and analysis tools that enable Australian researchers to tackle the complex, national and global issues needed to secure Australia's future.

Source: https://www.pfc.org.au/bin/view/Main



SLIDE 4

Platforms for Collaboration

PfC component investments:

  • Australian Research Collaboration Service (ARCS)
    – Develop and operate services linking systems and resources nationwide
    – Develop and operate collaboration and workflow tools for researchers
    – Includes "Authorisation Services"
  • Australian National Data Service (ANDS)
  • National Computational Infrastructure (NCI)
  • Australian Access Federation (AAF) and Research Networks (AARNET)

Source: http://www.ivec.org/ForumAug09/02_Francis.ppt





SLIDE 5

ARCS Mission

To provide long-term eResearch support services including, but not limited to, interoperability and collaboration infrastructure and services through a continuous and open process of consultation and engagement with the Australian research community.

ARCS is an unincorporated collaborative venture of the Members of ARCS: ANU, CSIRO, eRSA, Intersect, QCIF, iVEC, TPAC, VPAC

… serves as the vehicle for the coordinated delivery of national eResearch support, services and tools.

Source: http://www.arcs.org.au/about






SLIDE 6

Research Group Needs

[Diagram: a research group's workflow and the resources behind it]
Resources: CMS / Wiki, Instrument, Data Storage, HPC, Grid Services, Repository
Workflow: Run Experiment, Generate Data, Store Data, Analyse Data, Write & Publish Report
Group activities: collaboratively create web content; VO configured for accessing Grid resources; Collaborate, Communicate, Meet
Actors: Researcher, Principal Investigator, Researchers (Research Group)
Identity management in AAF IdP(s): IdP, IdP, IdP, AAF

Authentication and authorisation for protection of valuable resources


SLIDE 7

ARCS' Current Tools and Services

  • Compute Cloud*
  • Grid Services Infrastructure*
  • Virtual Machine Hosting
  • Data Fabric*
  • Database Service
  • Data Transfer Service
  • Web-based Collaboration
    – Sakai
    – Plone
    – Jabber
    – Joomla
    – Twiki
  • Video Collaboration
    – Desktop solution: EVO*
    – Room solution: Access Grid
  • Security Services
    – Grid Certificates*
    – Access Service

* Immediately accessible; others require a request and coordinated provision to the research group.

SLIDE 8

ARCS Authorisation Services Role

  • Support Research Groups and Service Providers in delivering services requiring authentication and authorisation (authNZ)
    – Analyse requirements, and provide expertise, advice, exemplars
    – Exemplars (demonstrate what can be done to protect resources)
  • Implement (procure/develop) and deploy authNZ solutions
    – satisfying research groups' and service providers' security requirements
  • Provide customer support for ARCS Authorisation Services
    – ARCS CAs, ARCS IdP, ARCS SLCS Server & Clients, ARCS Access Service
  • Develop and pursue a 'unified strategy' for authNZ
    – Apply security technologies and protocols & track international trends
    – Rely on the AAF for Federated Access (i.e. use Shibboleth)
    – Integrate with Grid Security Infrastructure
    – Analyse access scenarios and identify patterns & solutions
SLIDE 9

ARCS Access Service

  • Provides a Gateway to ARCS Services
  • Registration (assignment of Default Authorisation Rights)
    – Tracking user communities (auEduPersonSharedToken)
  • Allocate ARCS Username (ARCS Services unique identifier)
    – consistent user naming across ARCS Services
  • Caching attributes at time of registration
    – Allow detection of attribute change (e.g. IdP, affiliation)
  • Authorisation Rights Management
    – Register Authorisation Rights tokens
    – urn:<ServiceIdentifier>:<Token value>
SLIDE 10

Current focus on Authentication

[Diagram: the slide-6 workflow with ARCS service providers (SPs) attached]
Resources: CMS / Wiki, Instrument, ARCS Data Fabric, HPC (Grid), ARCS Repository
Workflow: Run Experiment, Generate Data, Store Data, Analyse Data, Write & Publish Report; collaboratively create web content; VO configured for accessing Grid resources
researcher: belongs to a Federation IdP; member of a Research Group
SPs: ARCS SLCS Service, ARCS IdP Check, ARCS Access Service
Register via Access Service for SLCS, Data Fabric, Wiki, Repository
Generate Grid (SLCS) Credential; confirm Attributes Released by IdP
Service interfaces: SP, GSI, SP, GSI, GSI, SP, LDAP, webDAV

SLIDE 11

[Diagram: ARCS authentication paths; each starts with an AAF Identity Provider authentication]

  • AAF Identity Provider: Authenticate
  • Get SLCS Certificate: ARCS SLCS CA → SP: ARCS SLCS Service (ARCS internal/backend processing)
    – Access using IdP username and password via AAF Login
    – Grid Cert enabled Service: access using ARCS SLCS cert or proxy (e.g. Grid Services, iRODS via iCommands)
  • Get Proxy Certificate: ARCS MyProxy (arbitrary username & password)
  • Register: SP: ARCS Access Service (ARCS internal/backend processing)
    – ARCS username & password, held in ARCS LDAP (12 wks timeout)
    – ARCS Cred's enabled Service: access using ARCS username and password
    – Access using IdP username and password via AAF Login (e.g. Data Fabric via webDAV)
  • SP: AAF-enabled Service (ARCS internal/backend processing)
    – Access using IdP username and password via AAF Login (e.g. Data Fabric, Plone, TWiki)
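The Access Service behaviour on slide 9 (cache released attributes at registration, allocate a unique ARCS username, register urn:<ServiceIdentifier>:<Token value> rights tokens, detect later IdP or affiliation change) and the ARCS-credential path on slide 11 (a username and password with a 12-week timeout) can be modelled in a few dozen lines. The block below is an added example written for this page, not ARCS code. It assumes, beyond what the slides state, that attribute names follow the eduPerson/auEduPerson schema (auEduPersonSharedToken, eduPersonAffiliation), that the IdP entity ID is released under the key "idp", that default rights and the username scheme are as shown, and that an account whose tracked attributes have changed since registration is denied until reviewed (fail closed). All input data is constructed.

```python
"""Toy model of ARCS Access Service registration and ARCS-credential checks (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import secrets

PASSWORD_LIFETIME = timedelta(weeks=12)                      # slide 11: "(12 wks timeout)"
DEFAULT_RIGHTS = {"urn:DataFabric:user", "urn:Wiki:user"}   # hypothetical default rights
TRACKED_ATTRS = ("idp", "eduPersonAffiliation")            # slide 9: "e.g. IdP, affiliation"


@dataclass
class Registration:
    shared_token: str          # auEduPersonSharedToken: stable per person across logins
    arcs_username: str         # unique identifier across ARCS services
    cached_attrs: dict         # attributes exactly as released by the IdP at registration
    password_hash: bytes
    password_salt: bytes
    password_issued: datetime
    rights: set[str] = field(default_factory=set)
    flagged: list = field(default_factory=list)   # (when, {attr: (old, new)}) records


def parse_rights_token(token: str) -> tuple[str, str]:
    """Split urn:<ServiceIdentifier>:<Token value>; anything else is rejected."""
    parts = token.split(":", 2)
    if len(parts) != 3 or parts[0] != "urn" or not parts[1] or not parts[2]:
        raise ValueError(f"malformed rights token: {token!r}")
    return parts[1], parts[2]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccessService:
    def __init__(self) -> None:
        self.by_token: dict[str, Registration] = {}
        self.by_username: dict[str, Registration] = {}

    def register(self, attrs: dict, now: datetime) -> tuple[Registration, str]:
        """First AAF login: cache attributes, allocate a username, issue a password, grant defaults."""
        shared = attrs["auEduPersonSharedToken"]
        if shared in self.by_token:
            raise ValueError("already registered")
        username = self._allocate_username(attrs["givenName"], attrs["sn"])
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        reg = Registration(shared, username, dict(attrs), hash_password(password, salt),
                           salt, now, set(DEFAULT_RIGHTS))
        self.by_token[shared] = reg
        self.by_username[username] = reg
        return reg, password               # password is shown once, only the hash is kept

    def _allocate_username(self, given: str, sn: str) -> str:
        base = (given[0] + sn).lower()     # hypothetical scheme: first initial + surname
        candidate, n = base, 1
        while candidate in self.by_username:   # keep names unique across all ARCS services
            n += 1
            candidate = f"{base}{n}"
        return candidate

    def aaf_login(self, attrs: dict, now: datetime) -> dict:
        """Later AAF login: diff released attributes against the cache; record tracked changes."""
        reg = self.by_token[attrs["auEduPersonSharedToken"]]
        changes = {a: (reg.cached_attrs.get(a), attrs.get(a))
                   for a in TRACKED_ATTRS if reg.cached_attrs.get(a) != attrs.get(a)}
        if changes:
            reg.flagged.append((now, changes))
        return changes

    def grant(self, username: str, token: str) -> None:
        service, value = parse_rights_token(token)      # validate before storing
        self.by_username[username].rights.add(f"urn:{service}:{value}")

    def authorise_with_password(self, username: str, password: str,
                                service: str, now: datetime) -> tuple[bool, str]:
        """ARCS-credential path: password current, account unflagged, token for the service held."""
        reg = self.by_username.get(username)
        if reg is None:
            return False, "unknown user"
        if now - reg.password_issued > PASSWORD_LIFETIME:
            return False, "password expired (12 week timeout); re-register via AAF"
        if not secrets.compare_digest(hash_password(password, reg.password_salt), reg.password_hash):
            return False, "bad password"
        if reg.flagged:                                  # assumption: fail closed until reviewed
            return False, "attributes changed since registration; pending review"
        if service not in {parse_rights_token(t)[0] for t in reg.rights}:
            return False, f"no authorisation rights token for {service}"
        return True, "ok"
```

The point of caching attributes is visible in aaf_login: the AAF session proves who the person is, but whether they should still hold their rights depends on attributes that the IdP may change later (a staff member becoming an affiliate, or a person moving IdPs while keeping the same shared token). Comparing each login against the cached copy is what lets the gateway notice that and review the rights it assigned at registration.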

SLIDE 12

ARCS Auth Svcs Future Directions

  • Authentication
    – IGTF Accreditation for SLCS (Level-2) CA
    – Explore MICS (Long-lived Grid credentials from IdPs)
    – Understand AAF & Shibboleth Roadmap implications
      – New Shibboleth profiles (ECP, Key-holder)
    – AusCERT PKI and implications
    – Understand Grid Services trends and implications
  • Authorisation
    – Develop and utilise the ARCS Access Service
    – Implement Authorisation Rights Management
    – Develop authorisation exemplars (e.g. use of XACML)

SLIDE 13

Thank you

Questions?