identity management for the ligo project
play

Identity Management for the LIGO Project Scott Koranda for LIGO - PowerPoint PPT Presentation

Jan 25, 2023 •359 likes •792 views

Identity Management for the LIGO Project Scott Koranda for LIGO LIGO and University of Wisconsin-Milwaukee September 6, 2012 LIGO-XXXXXXXX-v1 1 / 43 LIGO Science Mission LIGO, the Laser Interferometer Gravitational-wave Observatory, seeks to

  1. Identity Management for the LIGO Project Scott Koranda for LIGO LIGO and University of Wisconsin-Milwaukee September 6, 2012 LIGO-XXXXXXXX-v1 1 / 43

  2. LIGO Science Mission LIGO, the Laser Interferometer Gravitational-wave Observatory, seeks to detect gravitational waves – ripples in the fabric of spacetime. First predicted by Einstein in his theory of general relativity, gravitational waves are produced by exotic events involving black holes, neutron stars and objects perhaps not yet discovered. 2 / 43

  3. LIGO Hanford, WA 3 / 43

  4. LIGO Livingston, LA 4 / 43

  5. LIGO Laboratory LIGO Laboratory = LIGO Caltech + LIGO MIT + LIGO Hanford Observatory + LIGO Livingston Observatory 5 / 43

  6. LIGO India! Anticipated to be operational 2020 6 / 43

  7. Network Without LIGO India 7 / 43

  8. Network WITH LIGO India 8 / 43

  9. LIGO Scientific Collaboration The LIGO Scientific Collaboration (LSC) is a self-governing collaboration seeking to detect gravitational waves, use them to explore the fundamental physics of gravity, and develop gravitational wave observations as a tool of astronomical discovery. The LIGO Scientific Collaboration was founded in 1997 and currently has just over 1000 members from 70 institutions worldwide. 9 / 43

  10. 10 / 43

  11. Broader GW Community GW community is larger than LIGO... 11 / 43

  12. Virgo interferometer, Cascina, Italy 12 / 43

  13. KAGRA, Japan 13 / 43

  14. LSC Today Today... ◮ ∼ 1000 current and active members ◮ Single authoritative roster (registry) ◮ Single LIGO identity for each member ◮ SSO for LIGO web, grid, shell resources ◮ Federated access to LIGO resources 14 / 43

  15. How we got here It wasn’t always this way... 15 / 43

  16. The mess we made on the Grid LIGO Data Grid (LDG) ◮ 20000+ cores ◮ 10 sites ◮ Many flavors of data and metadata services ◮ > 300 users 16 / 43

  17. The mess we made on the Grid ◮ LDG emerged in 2001 ◮ Sought single sign-on and promise of Grid utopia ◮ Most Grid tools require PKI and GSI 17 / 43

  18. The mess we made on the Grid ◮ User must request, retrieve, manage X.509 cert ◮ Not all web browsers do PKI well ◮ Grid tools require PEM but web browsers write PKCS12 ◮ “17, but steps 6) have 9) have 12 or 13 subitems each” ◮ Turns out Ph.D. physicists on average cannot do this ◮ Command line tools don’t help much 18 / 43

  19. The mess we made on the Grid ◮ No registry of who is/is not member of LIGO ◮ Each cert request must be vetted ◮ Requires “secure communication” with each group PI ◮ Getting attention of PIs can be difficult ◮ SMIME email difficult for most PIs ◮ Loop not closed when people leave group 19 / 43

  20. The mess we made on the Grid After X.509 cert issued user must be authorized ◮ Cumbersome ◮ Each user added by hand to ACL file(s) at each site ◮ Only grid-specific solutions available for managing ACLs ◮ Not uncommon for new member to wait weeks for credentials and access to LDG resources 20 / 43

  21. The mess we made on the Grid Managing access to LDG was one of the first hints we needed better identity management... ...we didn’t take the hint... 21 / 43

  22. The mess we made on the Web ◮ Early use case: eLogs at the sites ◮ Web based electronic notebooks ◮ Email “the” admin for access (hopefully he knows you) ◮ Unique accounts, but... ◮ All accounts use the same password ◮ Loop not closed when people leave collaboration 22 / 43

  23. The mess we made on the Web ◮ Multiple sites deploying web tools ◮ GNATS, Bugzilla, Redmine, Trac, Gitorious? ◮ Moin, Twiki/Foswiki, Docuwiki, MediaWiki,... ◮ Each requiring new login/password for user 23 / 43

  24. The mess we made on the Web Users frustrated First response is “well known login/password” ◮ shared login and password collaboration wide ◮ used for protecting “low risk” information ◮ who monitors what is low risk? ◮ found login/password in the wild 24 / 43

  25. The mess we made on the web As the number of web tools and services grew we knew we had a problem... ...but we were in production, busy doing science, and didn’t take the hint... 25 / 43

  26. The mess we made on the command line Version control repositories ◮ CVS, SVN, git ◮ Distributed across multiple sites ◮ Each requiring yet another login/password ◮ People leave collaboration but still have access Same issues for other command line tools 26 / 43

  27. The mess we made on the command line Managing access for hundreds of people to multiple code repositories was a nightmare...we knew we had a problem... ..but we were in production, busy doing science, and couldn’t take the hint... 27 / 43

  28. We had a mess ◮ No single event precipitated new approach ◮ It really came down to two things: 1. Sustained whining from frustrated users 2. Chatting with Ken Klingenstein over drinks 28 / 43

  29. LIGO Identity Management Project Knit together existing technologies and tools Goals: ◮ Single identity for each LIGO person ◮ Single source of membership info ◮ Single credential for each LIGO person ◮ SSO across web, grid, command-line 29 / 43

  30. LIGO Identity Management Project Found we had two building blocks: 1. The nascent “LIGO Roster” project ◮ PHP + Apache + MySQL 2. Kerberos principal for each LIGO member ◮ unused at the time ◮ scott.koranda@LIGO.ORG ◮ users call it their “at LIGO.ORG login” ◮ also known as their “albert.einstein” login ◮ roster drives creation of principal for each member ◮ roster pushes principal and details into LDAP 30 / 43

  31. Single authoritative source of membership Decided to leverage Grouper from I2 ◮ Flexible enough to reflect community structure ◮ Ready-to-use web front-end ◮ SOAP and RESTful WS APIs ◮ Privilege, Role, Attribute support ◮ Reflect into LDAP 31 / 43

  32. 32 / 43

  33. LIGO Roster (Registry) ◮ Students, post-docs, can apply for membership ◮ Managers approve & add/remove members ◮ Access control derived from Grouper privileges ◮ Members manage password for LIGO identity (Kerberos principal) 33 / 43

  34. 34 / 43

  35. Single identity and authoritative membership is key LIGO Roster, Grouper, and Kerberos a powerful combination ◮ Kerb principal enables single identity ◮ Roster enables management of those identities ◮ Grouper enables management of memberships With this foundation we could tackle web, grid, and command line spaces... 35 / 43

  36. Single sign-on for LIGO web space Deploy I2 Shibboleth System ◮ Single sign-on across LIGO web tools/pages ◮ LIGO Identity Provider (IdP) ◮ Authenticate via REMOTE USER and mod auth kerb ◮ Attributes pulled from LDAP master server ◮ Focus mainly on IsMemberOf (via Grouper) ◮ Consume federated identities ◮ LIGO joined InCommon for many U.S. institutions ◮ Will purusue European federations (UK, DFN-AAI) ◮ Pilot with GakuNin and U. of Tokyo IdP ◮ No Indian identity federation? 36 / 43

  37. LIGO and InCommon: External Collaborators 37 / 43

  38. Managing Collaboration with COmanage 38 / 43

  39. CILogon integrates LIGO Data Grid 39 / 43

  40. CILogon integrates LIGO Data Grid 40 / 43

  41. Integrating the command line CVS, SVN, git tunnel through HTTPS or SSH ◮ curl works well with SAML2(Shib)/ECP ◮ Most Linux OpenSSH sshd GSS-API + Kerberos ◮ Grid-enabled OpenSSH also deployed ◮ NCSA “mechglue” enables Kerb + GSI ◮ PAM also work with Kerberos This pattern same for other command line tools 41 / 43

  42. Putting it all together Within 15 minutes of joining LIGO Albert Einstein using his albert.einstein@LIGO.ORG credential can... 1. Access LIGO wikis to find HOWTOs 2. Download and install client tools 3. Login to cluster 4. Checkout code from git repository 5. Email analysis discussion list for help 6. Build code, submit analysis jobs From 0 to science with one @LIGO.ORG credential 42 / 43

  43. There is no distinction between web and grid ◮ Scientists just want to use tools ◮ Don’t care if “web” or “grid” ◮ Typical use case: ◮ Submit large workflow to grid ◮ Jobs run for week analyzing data ◮ Workflow generates 1000’s of summary images ◮ Need to POST summary into analysis wiki ◮ Seamless cred management across grid, web, cloud ◮ Delegation is important ◮ Workflow management systems need to cache and refresh credentials during lifetime of workflow ◮ LIGO working closely with UW Condor team ◮ Need Higher Ed and Grid communities to build together 43 / 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

LIGO Identity Management: Some Status and Trends Scott Koranda for LIGO LIGO and University of

LIGO Identity Management: Some Status and Trends Scott Koranda for LIGO LIGO and University of

LIGO Identity Management: Some Status and Trends Scott Koranda for LIGO LIGO and University of Wisconsin-Milwaukee March 8, 2010 LIGO-XXXXXXXX 1 / 12 Why the LIGO Identity Management Project? Unburden users from requesting, retrieving,

425 views • 13 slides
LIGO Identity Management: Questions I Wish We Would Have Asked Scott Koranda for LIGO LIGO and

LIGO Identity Management: Questions I Wish We Would Have Asked Scott Koranda for LIGO LIGO and

LIGO Identity Management: Questions I Wish We Would Have Asked Scott Koranda for LIGO LIGO and University of Wisconsin-Milwaukee September 6, 2012 LIGO-XXXXXXXX-v1 1 / 39 We had a mess Late in 2007 and we stopped scaling Collaboration

734 views • 39 slides
Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase Automation and Security. Identity Management (IAM, IdM) defining and managing the roles and access privileges of individual network users, and the

2.89k views • 13 slides
Title LIGO-G1100174 DC Readout in Enhanced LIGO 1 Enhanced LIGO Try out Advanced LIGO

Title LIGO-G1100174 DC Readout in Enhanced LIGO 1 Enhanced LIGO Try out Advanced LIGO

Title LIGO-G1100174 DC Readout in Enhanced LIGO 1 Enhanced LIGO Try out Advanced LIGO technologies Bet that increased sensitivity outweighs the downtime exposure = time * (range)^3 New Laser More Power New input optics New

711 views • 36 slides
Status of LIGO Keita KAWABE, LIGO Hanford Observatory/Caltech for the LIGO Scientific

Status of LIGO Keita KAWABE, LIGO Hanford Observatory/Caltech for the LIGO Scientific

LIGO Status of LIGO Keita KAWABE, LIGO Hanford Observatory/Caltech for the LIGO Scientific Collaboration LIGO-G070617-00-D: KAWABE K., 2007/Sep/11 TAUP2007, Sendai Insert Name of the Meeting LIGO TOC Who we are Introduction to LIGO

828 views • 39 slides
Identity Management Scaling Out and Up Jan Pazdziora Principal Software Engineer Identity

Identity Management Scaling Out and Up Jan Pazdziora Principal Software Engineer Identity

Identity Management Scaling Out and Up Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat jpazdziora@redhat.com 15 th October 2014 Identity Users; user groups. Hosts; host groups; services. Identities

700 views • 18 slides
Observing Gravitational Waves with Advanced LIGO Laura Nuttall on behalf of the LIGO Scientific

Observing Gravitational Waves with Advanced LIGO Laura Nuttall on behalf of the LIGO Scientific

Observing Gravitational Waves with Advanced LIGO Laura Nuttall on behalf of the LIGO Scientific Collaboration and Virgo Collaboration Syracuse University LIGO-G1602189 LIGO Laser Interferometer Gravitational-wave Observatory LIGO-Livingston

651 views • 41 slides
Status of LIGO Data Analysis Status of LIGO Data Analysis Gabriela Gonzlez Department of

Status of LIGO Data Analysis Status of LIGO Data Analysis Gabriela Gonzlez Department of

Status of LIGO Data Analysis Status of LIGO Data Analysis Gabriela Gonzlez Department of Physics and Astronomy Louisiana State University for the LIGO Scientific Collaboration Dec 17, 2003 GWDAW -8 meeting LIGO schedule LIGO schedule Goal

339 views • 14 slides
Broadband Search for Continuous-Wave Gravitation Radiation with LIGO Vladimir Dergachev

Broadband Search for Continuous-Wave Gravitation Radiation with LIGO Vladimir Dergachev

Broadband Search for Continuous-Wave Gravitation Radiation with LIGO Vladimir Dergachev (Caltech) for the LIGO Scientific Collaboration and the Virgo Collaboration APS April 30 2011 DCC: LIGO-G1100002-v7 LIGO detectors LIGO Hanford

783 views • 64 slides
Trust, Identity Management and GENI Dr. Ken Klingenstein, Senior Director, Middleware and

Trust, Identity Management and GENI Dr. Ken Klingenstein, Senior Director, Middleware and

Trust, Identity Management and GENI Dr. Ken Klingenstein, Senior Director, Middleware and Security, Internet2 Technologist, University of Colorado at Boulder Topics Internet identity update Technology updates ISOC, IETF Identity,

601 views • 23 slides
Agenda Identity & Access management About company midPoint Clients &

Agenda Identity & Access management About company midPoint Clients &

Agenda Identity & Access management About company midPoint Clients & partners Conclusion Identity management System Requester Users admin Approver Application Application Provisioning system Identity A

826 views • 45 slides
ASTROPHYSICAL IMPLICATIONS OF THE FIRST LIGO AND VIRGO DETECTIONS Tania Regimbau 2 LIGO Current

ASTROPHYSICAL IMPLICATIONS OF THE FIRST LIGO AND VIRGO DETECTIONS Tania Regimbau 2 LIGO Current

ASTROPHYSICAL IMPLICATIONS OF THE FIRST LIGO AND VIRGO DETECTIONS Tania Regimbau 2 LIGO Current Detections LIGO and Virgo have already observed 5 (+1?) BBHs and 1 BNS. 3 Possible Formation Scenarios Field: formed from stars born in a

639 views • 24 slides
LIGO Inspiral Veto Studies Peter Shawhan (LIGO Lab / Caltech) Nelson Christensen (Carleton

LIGO Inspiral Veto Studies Peter Shawhan (LIGO Lab / Caltech) Nelson Christensen (Carleton

LIGO-G030694-00-Z LIGO Inspiral Veto Studies Peter Shawhan (LIGO Lab / Caltech) Nelson Christensen (Carleton College) Gabriela Gonzalez (L.S.U.) For the LSC Inspiral Analysis Group Thanks to Laura Cadonati for providing veto trigger files,

203 views • 16 slides
IDENTITY MANAGEMENT Presentation at EuroCAMP 2009-05-17 by Roland Hedberg

IDENTITY MANAGEMENT Presentation at EuroCAMP 2009-05-17 by Roland Hedberg

IDENTITY MANAGEMENT Presentation at EuroCAMP 2009-05-17 by Roland Hedberg <roland.hedberg@adm.umu.se> Tuesday, May 19, 2009 WHAT IS IDM ? Identity management is the management of the identity life cycle of entities. --- wikipedia

534 views • 26 slides
RECOVERING HARDWARE INJECTIONS IN LIGO S5 DATA Ashley Disbrow Carnegie Mellon University Roy

RECOVERING HARDWARE INJECTIONS IN LIGO S5 DATA Ashley Disbrow Carnegie Mellon University Roy

1 LIGO-G1300859-v4 RECOVERING HARDWARE INJECTIONS IN LIGO S5 DATA Ashley Disbrow Carnegie Mellon University Roy Williams, Michele Vallisneri, Jonah Kanner LIGO SURF 2013 2 LIGO-G1300859-x0 Outline LOSC Open Science Data Release

566 views • 31 slides
EUDAT: Towards a pan-European Collaborative Data Infrastructure Federated Identity Management and

EUDAT: Towards a pan-European Collaborative Data Infrastructure Federated Identity Management and

EUDAT: Towards a pan-European Collaborative Data Infrastructure Federated Identity Management and Access Control Mark van de Sanden SARA, The Netherlands Terena VAMP workshop Utrecht, 6-7 September 2012 Outline Project Core Services

435 views • 16 slides
Related Rates Return to Table of Contents Slide 5 / 101 Related Rates Related Rates is the

Related Rates Return to Table of Contents Slide 5 / 101 Related Rates Related Rates is the

Slide 1 / 101 Slide 2 / 101 AP Calculus Applications of Derivatives 2015-11-03 www.njctl.org Slide 3 / 101 click on the topic to go to that section Table of Contents Related Rates Linear Motion Linear Approximation & Differentials

639 views • 34 slides
KAGRA overview Takaaki Kajita, Workshop on Gravitational Wave Activities in Taiwan for the

KAGRA overview Takaaki Kajita, Workshop on Gravitational Wave Activities in Taiwan for the

KAGRA overview Takaaki Kajita, Workshop on Gravitational Wave Activities in Taiwan for the KAGRA collaboration Jan. 15, 2017 Institute for Cosmic Ray Research, Univ. of Tokyo Outline Introduction Overview of KAGRA Status of KAGRA

616 views • 30 slides
Classical Quantum Physics Quantum Mechanics over Phase-Space; Feynman-Hibbs Path-Integrals;

Classical Quantum Physics Quantum Mechanics over Phase-Space; Feynman-Hibbs Path-Integrals;

Quantum Mechanics II Classical Quantum Physics Quantum Mechanics over Phase-Space; Feynman-Hibbs Path-Integrals; Quantization and Anomalies Tristan Hbsch Department of Physics and Astronomy, Howard University, Washington DC

494 views • 14 slides
Stephen, Gary, and the first gravita1onal wave detec1ons Bruce Allen Max Planck Ins1tute for

Stephen, Gary, and the first gravita1onal wave detec1ons Bruce Allen Max Planck Ins1tute for

Stephen, Gary, and the first gravita1onal wave detec1ons Bruce Allen Max Planck Ins1tute for Gravita1onal Physics (Albert Einstein Ins1tute, AEI) MIT Undergraduate 1976-80 DAMTP October 1980 Undergrad thesis, June 1980, CMB experiment

752 views • 37 slides
CS 35101 Computer Architecture Spring 2008 Chapter 3 Part 1 (3.1-3.3) Taken from Mary Jane

CS 35101 Computer Architecture Spring 2008 Chapter 3 Part 1 (3.1-3.3) Taken from Mary Jane

CS 35101 Computer Architecture Spring 2008 Chapter 3 Part 1 (3.1-3.3) Taken from Mary Jane Irwin (www.cse.psu.edu/~mji) and Kevin Schaffer [ adapted from D. Patterson slides ] CS35101 Ch3.Part1 1 Steinfadt SP08 KSU Heads Up Last

538 views • 24 slides
AFFLECK-DINE LEPTOGENESIS WITH VARYING PQ SCALE Kyu Jung Bae, Center for Theoretical Physics of

AFFLECK-DINE LEPTOGENESIS WITH VARYING PQ SCALE Kyu Jung Bae, Center for Theoretical Physics of

AFFLECK-DINE LEPTOGENESIS WITH VARYING PQ SCALE Kyu Jung Bae, Center for Theoretical Physics of the Universe, based on JHEP 1702 (2017) 017 with H. Baer, K. Hamaguchi and K. Nakayama "Testing CP-Violation for Baryogenesis"

455 views • 34 slides
EE 109 Unit 10 MIPS Instruction Set MIPS INSTRUCTION OVERVIEW 10.3 10.4 Instruction Set

EE 109 Unit 10 MIPS Instruction Set MIPS INSTRUCTION OVERVIEW 10.3 10.4 Instruction Set

10.1 10.2 EE 109 Unit 10 MIPS Instruction Set MIPS INSTRUCTION OVERVIEW 10.3 10.4 Instruction Set Architecture (ISA) MIPS Processor and Bus Interface The MIPS processor can execute software instructions that will Defines the

225 views • 18 slides
Instruction Set Architecture C P U C oprocessor 1 (FP U ) of R egiste rs R egisters $ 0 $0

Instruction Set Architecture C P U C oprocessor 1 (FP U ) of R egiste rs R egisters $ 0 $0

MIPS Processor CSE 675.02: Introduction to Computer Architecture M em ory Instruction Set Architecture C P U C oprocessor 1 (FP U ) of R egiste rs R egisters $ 0 $0 MIPS Processor $31 $ 31 Control A rithm etic M ultiply Logic unit

70 views • 6 slides

More recommend