globus online Globus Nexus Steve Tuecke Computation Institute - - PowerPoint PPT Presentation



SLIDE 1

Globus Online: Globus Nexus

Steve Tuecke, Computation Institute, University of Chicago and Argonne National Laboratory

SLIDE 2

www.globusonline.org

Computation Institute (CI)

  • Apply computation to challenging problems
  • Accelerate discovery by building the research cloud
  • Promulgate via new educational methods

SLIDE 3

Apply computation: Examples

  • CIM-EARTH: Create better models for climate & energy policy
  • ASC FLASH: Understand supernovae to measure the universe
  • ARTFL, Conte Center: Map human knowledge in the humanities and science; transform digital media into art
  • CMTS (Center for Multiscale Theory and Simulation): Explain cellular structure
  • DTI for TBI (diffusion tensor imaging): Extract meaning from scientific images

SLIDE 4

The Research Cloud

Accelerate discovery via research cloud

Millions of researchers worldwide need advanced IT to tackle important and urgent problems. Accelerate discovery and innovation worldwide by providing research IT as a service.

SLIDE 6

Why SaaS?

  • Deliver advanced functionality that:
    – Requires no user software installation or operation
      • Minimal IT proficiency required
    – Can be cheaply and incrementally adopted
      • Usage-based subscription pricing; no big up-front costs
    – Consolidates troubleshooting and support
      • An expert group can proactively detect and correct problems
    – Utilizes an efficient software delivery lifecycle
      • Updates developed, tested and deployed quickly
  • Dominates commercial & consumer markets
    – What about the research market?

[Figure: Software-as-a-Service (SaaS) / Platform-as-a-Service (PaaS) / Infrastructure-as-a-Service (IaaS)]

SLIDE 7

Globus Transfer: For when you want to…

  • Transfer and synchronize files
    – Easy “fire-and-forget” transfers
    – Automatic fault recovery
    – High performance
    – Across multiple security domains
  • Minimize IT costs
    – Software as a Service (SaaS)
      • No client software installation
      • New features automatically available
    – Consolidated support & troubleshooting
    – Simple endpoint installation with Globus Connect and GridFTP

>5,000 registered users, 6PB / 500M files transferred

SLIDE 8

Globus Storage: For when you want to…

  • Place your data where you want
  • Access it from anywhere via different protocols
  • Update it, version it, and take snapshots
  • Share versions with who you want
  • Synchronize among locations

[Figure: Globus Storage volume; storage providers: commercial storage service provider, national research center, campus computing center; access paths: Globus Transfer, HTTP/REST, desktop sync]

SLIDE 9

Globus Collaborate: For when you want to…

Join with a few or many people to:

  • Share documents
  • Track tasks
  • Communicate
  • Share data
  • Work together

With:

  • Common groups
  • Delegated management

SLIDE 10

PaaS for Research

  • No one SaaS provider can deliver it all
  • Must create an ecosystem that:
    – Allows any SaaS provider to easily participate
    – Dramatically reduces the cost of creating and operating services within the ecosystem
    – Provides seamless user experience across services
    – Agnostic to / works across any cloud IaaS provider
    – Integrates with (existing) research infrastructure
  • Ecosystem requires Platform as a Service
    – Target the unique needs of the research community

[Figure: Software-as-a-Service (SaaS) / Platform-as-a-Service (PaaS) / Infrastructure-as-a-Service (IaaS)]

SLIDE 11

Globus Integrate: For when you want to…

  • Integrate with the Globus research cloud ecosystem
  • Write programs that leverage:
    – user identities, profiles, groups (Globus Nexus)
    – data, compute and collaboration
    … via REST APIs and command line programs

[Figure: Globus Integrate stack: Globus Transfer, Globus Storage, Globus Collaborate, Globus Compute; Globus Connect Multi User, Globus Connect, Globus Nexus, Globus Toolkit]

SLIDE 12

Globus Nexus: For when you want to…

  • Manage groups
  • Manage identities
  • Manage profiles

SLIDE 13

Globus Nexus: Manage Identities

  • Nexus is a federated identity relying party
    – Multiple federated identities linked to a Globus account
    – Supports: InCommon/CILogon, OpenID, MyProxy, OAuth for MyProxy
  • Nexus is a (federated) identity provider
    – Native or federated identity provider to Globus and 3rd party services
    – User authenticates to Globus account with username/password or via 3rd party federated identity provider
    – Uses OAuth 2 profile (future: SAML, OpenID?)
  • Auth provider for Globus REST APIs


SLIDE 15

Globus Nexus use of OAuth 2

  • User authentication
    – Web browser:
      • Globus account name and password
      • Federated identity providers linked to Globus account
    – Native application:
      • RSA (using SSL key)
      • X.509 client auth
      • Username/password (Globus account, SAML ECP?)
  • Client authentication using RSA (SSL key)
    – Globus account name is valid client id
  • Bearer access token for resource access

SLIDE 16

Delegated X.509 credential management

  • Various (Globus) services require delegated X.509 client credentials to access resources
  • Nexus federated authentication supports X.509 credential retrieval from OAuth for MyProxy
    – Authenticate with OAuth
    – Use access token to get X.509 credentials
    – E.g., CILogon, GCMU, XSEDE
  • Nexus REST API allows authorized services (OAuth clients) to get credential

SLIDE 17

Integration of new and old

[Figure: Authentication & data transfer authorization flow (Steps 1 to 11) between Globus Online (hosted service); an OAuth server with MyProxy Online CA and PAM in front of a local authentication system (LDAP, RADIUS, Kerberos etc.); CILogon (OAuth) with an InCommon IdP via SAML; GridFTP servers at a campus cluster (Globus Connect Multi-User) and at Campus 2; and local storage. Edge labels: username/password, redirect, Certificate 1, Certificate 2, transfer request, access endpoints, access files.]


SLIDE 19

OAuth client vs resource

  • Globus Transfer is
    – OAuth client to Globus Nexus
    – OAuth resource provider to 3rd party client
  • Goal: Allow full participation by 3rd parties
    – Use Globus Online services as OAuth client
    – Use Globus Nexus OAuth as resource server
  • How to implement resource servers as a relying party to the Nexus OAuth service?
    – OAuth is silent on resource and OAuth server interaction
    – Make it easy for SaaS developers to use Nexus OAuth

SLIDE 20

Delegated, scoped OAuth access

  • Ecosystem of communicating services
    – Any service can be client to any other service’s resource
    – Communication may be chained: user->s1->s2->s3
  • Use OAuth scope to limit resources accessible by an access token
    – Must maintain scope dependency tree
  • Delegation: client1 delegating to client2
    – Bearer access token can be passed from client1 to client2 for full delegation
    – Or, allow client1 access token to be used to retrieve a new authorization code with narrow scope that is passed to client2, which client2 uses to get its own access token
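The narrow-scope delegation path on this slide, modelled as an added example that is not part of the presentation or of Globus code: a toy in-memory authorization server with a constructed scope dependency tree, where client1 exchanges its token for a narrower authorization code bound to client2, and client2 redeems that code for its own token. The resource-server check also shows why handing over the bearer token itself is full delegation to whoever holds it; scope names, client ids and tokens are all constructed.

```python
# Added example, not Globus code: a toy authorization server with a scope
# dependency tree; client1 trades its access token for a narrow-scope auth code
# that client2 redeems for its own token. Scope names/tokens are constructed.
import secrets

# Constructed scope dependency tree: holding a scope implies its children.
SCOPE_TREE = {
    "transfer": {"transfer:read", "transfer:write"},
    "transfer:write": {"transfer:read"},
    "storage": {"storage:read"},
}

def expand(scopes):
    """Close a scope set under the dependency tree (tree is acyclic)."""
    out = set(scopes)
    for s in scopes:
        out |= expand(SCOPE_TREE.get(s, ()))
    return out

class AuthServer:
    def __init__(self):
        self.tokens = {}  # access token -> (client id, effective scopes)
        self.codes = {}   # auth code -> (client it is bound to, scopes)

    def issue_token(self, client, scopes):
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = (client, frozenset(expand(scopes)))
        return tok

    def narrow_code(self, token, target_client, scopes):
        """client1 trades its token for a code for client2, never widening scope."""
        _, held = self.tokens[token]
        wanted = expand(scopes)
        if not wanted <= held:
            raise PermissionError("requested scope exceeds delegator's scope")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (target_client, frozenset(wanted))
        return code

    def redeem_code(self, code, client):
        """client2 exchanges the code for its own token; codes are single use."""
        target, scopes = self.codes.pop(code)
        if client != target:
            raise PermissionError("code is bound to a different client")
        return self.issue_token(client, scopes)

    def check(self, token, scope):
        """Resource-server side: is this bearer token valid for `scope`?"""
        entry = self.tokens.get(token)
        return entry is not None and scope in entry[1]
```

Because `check` only looks at the token, any service that receives client1's bearer token gets everything client1 holds; the code exchange is what keeps client2 at the narrower scope.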

SLIDE 21

Globus Nexus: Manage Groups

  • User centric group management
    – Create group
    – Set policies (e.g., visibility, admins)
    – Control admission workflows
  • Approach:
    – Keep identity issuance light-weight
    – Move vetting from identity creation to group admission
    – Allow each group to control own admission policy
  • REST APIs
    – Manage, query, etc.
    – Import/export (into specified identity namespace)

SLIDE 22

Globus Nexus: Manage User Profiles

  • Attribute/value information associated with Globus account
  • Group admission can require an extensible set of attributes, which are drawn from and stored in the user profile
  • REST APIs
  • Future: Integrate with SAML attribute release and social network profiles

SLIDE 23

Domestication

  • Goal: Common tools should be able to leverage federated identities, groups, profiles
    – Wikis, issue tracking, science gateways, etc.
  • Community effort to domesticate applications and services?
  • What APIs?
    – Identity: OAuth 2, SAML?, X.509 certs?
    – Groups: LDAP? REST?
    – Profile: OpenID Connect?

SLIDE 24

For More Information

  • Visit https://www.globusonline.org/signup to:
    – Get a free account and start moving files
  • Visit www.globusonline.org for:
    – Tutorials, FAQs, Pro Tips, Troubleshooting
    – Papers, Case Studies
  • Contact support@globusonline.org for:
    – Help getting started & using the service
  • Follow us at @globusonline on Twitter and Globus Online on Facebook