ARCS Authorisation Services
Neil Witheridge, Manager, ARCS Authorisation Services
APAN29, Sydney, February 2010
Overview
• ARCS & Platforms for Collaboration
• ARCS Mission & Structure
• Research Group Needs
• ARCS Services and Tools
• Authorisation Services' Role
• ARCS Authorisation Infrastructure
• Strategy, Challenges & Future direction
Australian Government eResearch Investment
• National Collaborative Research Infrastructure Strategy – Platforms for Collaboration (PfC) investment (2007‐11)
• Super Science Initiative eResearch Components (2009‐13)
• "… critical importance of eResearch Infrastructure to future research competitiveness"
• "… intended to enhance research collaborations, assist researchers to manage massive data sets, and provide super‐computing and analysis tools that enable Australian researchers to tackle the complex, national and global issues needed to secure Australia's future."
Source: https://www.pfc.org.au/bin/view/Main
Platforms for Collaboration
PfC component investments:
• Australian Research Collaboration Service (ARCS)
  – Develop and operate services linking systems and resources nationwide
  – Develop and operate collaboration and workflow tools for researchers
  – Includes "Authorisation Services"
• Australian National Data Service (ANDS)
• National Computational Infrastructure (NCI)
• Australian Access Federation (AAF) and Research Networks (AARNET)
Source: http://www.ivec.org/ForumAug09/02_Francis.ppt
ARCS Mission
To provide long‐term eResearch support services including, but not limited to, interoperability and collaboration infrastructure and services through a continuous and open process of consultation and engagement with the Australian research community.
ARCS is an unincorporated collaborative venture of the Members of ARCS: ANU, CSIRO, eRSA, Intersect, QCIF, iVEC, TPAC, VPAC.
… serves as the vehicle for the coordinated delivery of national eResearch support, services and tools.
Source: http://www.arcs.org.au/about
Research Group Needs
[Diagram: a research group (Principal Investigator, Researchers) and its activities (Write & Publish Report, Collaborate, Communicate, Meet, Analyse Data, Store Data Collaboratively, Run Experiment, Create web content, Generate Data) mapped onto the resources they use (Repository, HPC, Grid Services, Data Storage, CMS / Wiki, Instrument) and the identity sources involved: IdP, AAF IdP(s), Identity Management in HPC, and a VO configured for the researcher accessing Grid resources.]
Authentication and authorisation for protection of valuable resources
ARCS' Current Tools and Services
• Compute Cloud*
• Grid Services Infrastructure*
• Virtual Machine Hosting
• Data Fabric*
• Database Service
• Data Transfer Service
• Security Services
  – Grid Certificates*
  – Access Service
• Web‐based Collaboration
  – Sakai
  – Plone
  – Jabber
  – Joomla
  – Twiki
• Video Collaboration
  – Desktop solution: EVO*
  – Room solution: Access Grid
* Immediately accessible; others require request and coordinated provision to the research group.
ARCS Authorisation Services Role
• Support Research Groups and Service Providers in delivering services requiring authentication and authorisation (authNZ)
  – Analyse requirements, and provide expertise, advice and exemplars
  – Exemplars demonstrate what can be done to protect resources
• Implement (procure/develop) and deploy authNZ solutions
  – satisfying research groups' and service providers' security requirements
• Provide customer support for ARCS Authorisation Services
  – ARCS CAs, ARCS IdP, ARCS SLCS Server & Clients, ARCS Access Service
• Develop and pursue a 'unified strategy' for authNZ
  – Apply security technologies and protocols, and track international trends
  – Rely on the AAF for Federated Access (i.e. use Shibboleth)
  – Integrate with Grid Security Infrastructure
  – Analyse access scenarios and identify patterns & solutions
ARCS Access Service
• Provides a Gateway to ARCS Services
• Registration (assignment of Default Authorisation Rights)
  – Tracking user communities (auEduPersonSharedToken)
  – Allocate ARCS Username (ARCS Services unique identifier), giving consistent user naming across ARCS Services
  – Caching attributes at time of registration, to allow detection of attribute change (e.g. IdP, affiliation)
• Authorisation Rights Management
  – Register Authorisation Rights tokens of the form urn:<ServiceIdentifier>:<Token value>
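The registration and rights-management steps on this slide, as an added worked example (not ARCS code): the user is tracked by auEduPersonSharedToken, an ARCS username is allocated once and reused, the IdP and affiliation attributes are cached at registration so a later change is detected, and rights are stored and checked as urn:<ServiceIdentifier>:<Token value>. Everything not on the slide is an assumption: the attribute names follow the Shibboleth SP convention (auEduPersonSharedToken, eduPersonAffiliation, mail, Shib-Identity-Provider), the username scheme (mail local part plus a numeric suffix on collision) is illustrative, and the default rights URNs and sample attribute set are constructed placeholders.

```python
"""Added example: registration and Authorisation Rights model of an Access Service.

Not ARCS code. Assumed (not on the slide): attribute names follow the Shibboleth SP
convention (auEduPersonSharedToken, eduPersonAffiliation, mail) plus the SP's
Shib-Identity-Provider variable; usernames are derived from the mail local part;
the default rights URNs are placeholders.
"""
import re
from dataclasses import dataclass, field

# Rights tokens have the form urn:<ServiceIdentifier>:<Token value> (from the slide).
RIGHT_URN = re.compile(r"^urn:(?P<service>[A-Za-z0-9._-]+):(?P<value>[^\s:]+)$")

# Attributes cached at registration so that a later change (IdP, affiliation) is detectable.
WATCHED = ("Shib-Identity-Provider", "eduPersonAffiliation")


def parse_right(urn):
    """Split a rights token into (service, value); reject anything not in the URN form."""
    m = RIGHT_URN.match(urn)
    if not m:
        raise ValueError(f"malformed rights token: {urn!r}")
    return m.group("service"), m.group("value")


@dataclass
class Registration:
    arcs_username: str     # ARCS Services unique identifier
    shared_token: str      # auEduPersonSharedToken the registration is keyed on
    cached: dict           # WATCHED attributes as released at registration time
    rights: set = field(default_factory=set)


class AccessService:
    # Default Authorisation Rights granted on registration (placeholder values).
    DEFAULT_RIGHTS = ("urn:datafabric:user", "urn:wiki:user")

    def __init__(self):
        self._by_token = {}   # auEduPersonSharedToken -> Registration
        self._by_name = {}    # ARCS username -> Registration

    def _allocate_username(self, attrs):
        """Assumed scheme: lower-cased mail local part, de-duplicated with a numeric suffix."""
        local = attrs.get("mail", "").split("@")[0].lower()
        base = re.sub(r"[^a-z0-9.]", "", local) or "user"
        name, n = base, 1
        while name in self._by_name:
            n += 1
            name = f"{base}{n}"
        return name

    def register(self, attrs):
        """Register a federated user, or re-check an existing registration.

        attrs is the attribute set released by the IdP for this login.  Returns
        (registration, changes); changes maps each WATCHED attribute whose released
        value differs from the cached one to (cached, released).  The cache is left
        untouched so an operator can review the change before rights are re-evaluated.
        """
        token = attrs.get("auEduPersonSharedToken")
        if not token:
            raise ValueError("IdP did not release auEduPersonSharedToken; cannot track the user")
        snapshot = {k: attrs.get(k) for k in WATCHED}
        reg = self._by_token.get(token)
        if reg is None:
            reg = Registration(self._allocate_username(attrs), token, snapshot)
            self._by_token[token] = reg
            self._by_name[reg.arcs_username] = reg
            for urn in self.DEFAULT_RIGHTS:
                self.grant(reg.arcs_username, urn)
            return reg, {}
        changes = {k: (reg.cached[k], snapshot[k]) for k in WATCHED if reg.cached[k] != snapshot[k]}
        return reg, changes

    def grant(self, username, urn):
        """Register an Authorisation Rights token for a user (validated before storage)."""
        parse_right(urn)
        self._by_name[username].rights.add(urn)

    def has_right(self, username, service, value):
        """Service-side check: does this ARCS user hold urn:<service>:<value>?"""
        reg = self._by_name.get(username)
        return reg is not None and f"urn:{service}:{value}" in reg.rights

    def rights_for(self, username, service):
        """All token values a user holds for one service identifier."""
        return sorted(v for s, v in map(parse_right, self._by_name[username].rights) if s == service)


if __name__ == "__main__":
    svc = AccessService()
    # Constructed sample attribute set, as an AAF IdP might release it.
    jane = {"auEduPersonSharedToken": "AbCdEf0123456789shared",
            "Shib-Identity-Provider": "https://idp.example.edu.au/idp/shibboleth",
            "eduPersonAffiliation": "student", "mail": "Jane.Doe@example.edu.au"}
    reg, _ = svc.register(jane)
    _, changes = svc.register({**jane, "eduPersonAffiliation": "staff"})
    print(reg.arcs_username, sorted(reg.rights), changes)
```

Keying the registration on auEduPersonSharedToken rather than on the mail or display name is what keeps the ARCS username stable when the user's IdP re-releases changed attributes; the diff returned by a repeat registration is the signal the slide describes for detecting an IdP or affiliation change, and the service decides separately whether the existing rights still apply.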
Current focus on Authentication
[Diagram: the research-group activities of the previous slide, now mapped onto Service Providers and ARCS components (ARCS SLCS Service, ARCS Access Service, ARCS IdP, Credential Repository, ARCS Data Fabric via webDAV, CMS / Wiki, HPC (Grid), LDAP, GSI). Steps shown: check the attributes released by the IdP; register via the Access Service for SLCS, Data Fabric and Wiki; generate a Grid (SLCS) credential; confirm the IdP belongs to the GSI federation; the researcher is a member of a Research Group VO configured for accessing Grid resources.]
[Diagram: ARCS authentication flows between an AAF Identity Provider, the ARCS Access Service (backed by ARCS LDAP), the ARCS SLCS service, the ARCS SLCS CA, ARCS MyProxy and the ARCS Service Providers.]
• AAF‐enabled Service Provider (e.g. Data Fabric, Plone, TWiki): access using IdP username and password via AAF Login
• ARCS Access Service: register via AAF Login; authenticate with ARCS username & password (12 weeks timeout); credentials held in ARCS LDAP
• ARCS credential‐enabled Service Provider (e.g. Data Fabric via webDAV): access using ARCS username and password
• ARCS SLCS service: AAF Login, then get an SLCS certificate from the ARCS SLCS CA; get a proxy certificate from ARCS MyProxy using an arbitrary username & password
• Grid certificate‐enabled Service Provider (e.g. Grid Services, iRODS via iCommands): access using ARCS SLCS certificate or proxy
ARCS Auth Svcs Future Directions
• Authentication
  – IGTF Accreditation for SLCS (Level‐2) CA
  – Explore MICS (long‐lived Grid credentials from IdPs)
  – Understand AAF & Shibboleth Roadmap implications
  – New Shibboleth profiles (ECP, Key‐holder)
  – AusCERT PKI and implications
  – Understand Grid Services trends and implications
• Authorisation
  – Develop and utilise the ARCS Access Service
  – Implement Authorisation Rights Management
  – Develop authorisation exemplars (e.g. use of XACML)
Questions?
Thank you