Identity management in the European Grid Infrastructure: Established solutions, new needs, open questions (PowerPoint PPT presentation)


SLIDE 1

www.egi.eu EGI‐InSPIRE RI‐261323

Identity management in the European Grid Infrastructure

Established solutions, new needs, open questions

Gergely Sipos Technical Outreach Manager EGI.eu, Amsterdam

gergely.sipos@egi.eu

6 September 2012. Identity Management for Research and Collaboration Workshop, Utrecht, 6-7 September 2012, http://www.terena.org/activities/vamp/ws1/

SLIDE 2

Outline

  • European Grid Infrastructure - intro
  • AAI in the ‘grid middleware’
    – X509 variants
  • FIM in EGI
    – NGIs’ readiness
    – Bridging solutions
    – Pilots, production systems
    – FIM and the EGI Federated Cloud
  • Conclusions

SLIDE 3

The EGI Ecosystem (diagram)

  • Public Funding Bodies: European Commission, National Research Councils
  • Resource & Service Providers: EGI.eu foundation; National Grid Infrastructures (NGIs), ~45
  • Technology Providers: grid middleware software, cloud provider software
  • User Community: VRCs (Virtual Research Communities) and VOs (Virtual Organisations), e.g. TRANSfoRm
  • Exchanges shown between them: Requirements; Policies + Funding; Strategic Feedback; Requirements + Feedback; Services + Support; SW + Support

SLIDE 4

EGI’s Strategic Focus http://go.egi.eu/EGI2020

  • Operational Infrastructure
    – Operate a Europe-wide infrastructure
    – Offer its use to other research infrastructures
    – Build a federated cloud environment
  • Virtual Research Environments (VREs)
    – Support the development, integration & operation of community/project/domain specific services
  • Community & Coordination
    – Community building through events
    – Community networking through the NGIs

SLIDE 5

Installed capacity (Apr ‘12)

Metric            | Value (yearly increase)
Sites             | 326 (+3%)
Nb. of CPU cores  | 270,800 (+31%)
Disk (PB)         | 139 PB (+31%)
Tape (PB)         | 134 PB (+50%)

SLIDE 6

Capacity usage (May 2011 - April 2012)

Metric                                       | Value (yearly increase)
CPU time, total (billion HEP-SPEC 06 hours)  | 10.5 (+52.91%)
Computing jobs, total (million)              | 492.5 (+46.42%)
Average jobs/day (million)                   | 1.35

% of total consumed CPU time
High-Energy Physics         | 93.60%
Astronomy and Astrophysics  | 2.25%
Life Sciences               | 1.30%
Various disciplines         | 1.23%
Remaining disciplines       | 1.62%

First runs of the Large Hadron Collider

SLIDE 7

Operations Provisioning Infrastructure / Software Provisioning (diagram, 30/05/2012)

  • Requirements come from the EGI Technology Roadmap; software comes from External Technology Providers
  • Stages shown: Criteria Definition, Criteria Verification, Staged Rollout, Production (Deployed Software, SU)
  • Technology providers: EMI, IGE, SAGA (cluster grids); EDGI (desktop grids)

SLIDE 8

AAI in the ‘grid middleware-based EGI’

Grid = federated resources exposed for controlled sharing via middleware services

  • Nb. of users: ~20,000 in total
    – X.509 personal certificates (tens of thousands)
      • From IGTF CAs
      • From Terena Certificate Service (federated request)
    – Limited certificates (thousands)
      • Restricted in lifetime and/or infrastructure coverage
      • E.g. GILDA CA (http://gilda.ct.infn.it/certification-authority)
      • E.g. Swiss Short Lived Credential Service (SLCS)
    – Robot certificates (hundreds; <100 robots)
      • Identify applications (often portals) instead of users
      • Growing popularity and availability
      • https://wiki.egi.eu/wiki/Robot_certificates
      • https://wiki.egi.eu/wiki/EGI_robot_certificate_users

SLIDE 9

AAI Challenges

  • EGI requirements for a generic AAI:
    – Geographical coverage, science discipline coverage, scalability, robustness, simplicity, sustainability, compatibility with VRE & EGI operations services
  • X.509 meets all but one: simplicity

How can X.509-based infrastructures be simplified for users?

    – MyProxy, online CAs, Terena CAs, robot certificates, ... and ... federated identity management

SLIDE 10

Solutions - issues

Solution to simplify access                                   | Problem with the solution
MyProxy                                                       | Certificate management issues remain
Terena CAs                                                    | (Most of the) certificate management issues remain; limited coverage (geographical & discipline)
Robot certificates                                            | Auth & logging responsibilities move to portals; users become invisible to the infrastructure; for certain types of applications only
Short lived credential services (SWITCH SLCS, IGI Online CA)  | Limited geographical coverage

  • Is Federated Identity Management a better alternative?
  • User communities say YES (FIM workshops & paper)
  • Are the NGIs ready for adopting FIM?

EGI Virtual Team project: Assess the readiness of the NGIs in adopting FIM mechanisms:
https://wiki.egi.eu/wiki/VT_Federated_Identity_Providers_Assessment

SLIDE 11

FIM assessment - EGI Virtual Team project

  • Participants from Czech, French, Italian, Irish, Swiss NGIs + EGI.eu
  • Defined, then filled a survey:

Survey questions:
  1. Are personal e-science certificates from Terena Certificate Service (TCS) available in the NGI?
  2. Are the Grid institutions of the NGI in the national TCS federation?
  3. Are the institutions of the potential users of your NGI eligible for certificates from TCS?
  4. Are there other relevant ‘federated identity’ based authentication services available in the NGI?

NGI         | Q1                                | Q2                          | Q3     | Q4
Ireland     | No (but server certificates are)  | N.A.                        | N.A.   | Exploring possibilities of a SLCS CA
Czech Rep.  | Yes                               | All major but one (ongoing) | Partly | No
France      | No                                | N.A.                        | N.A.   | No
Switzerland | No                                | N.A.                        | N.A.   | SLCS (IGTF accredited)
Italy       | Yes                               | Most                        | Partly | Preparing a MICS CA

https://wiki.egi.eu/wiki/VT_Federated_Identity_Providers_Assessment

The Identity Federations of the NRENs are similarly exclusive

SLIDE 12

Possibilities for FIM integration with EGI

1. Middleware services ‘speak’ FIM (accept SAML assertions)
  • External technology providers! EMI & IGE plans are under development
    – EMI MJRA1.12 (Common Security Architecture Assessment)
  • Accounting systems must also be adapted (SAML → certificate DN)

2. FIM-X509 bridging – Mapping SAML identity to X509
  • Various solutions, routine usage:
    1. GridCertLib & SLCS (Swiss portals)
    2. Online CA (portal for the Italian Grid Infrastructure)
    3. Catania Science Gateway framework (various science gateways)
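The SAML-to-X.509 mapping at the heart of bridging (option 2 above), as an added illustration that is not code from the deck nor from GridCertLib, the IGI Online CA or the Catania framework: it checks a constructed SAML assertion the way a bridge CA must (issuer in the trusted federation, validity window, audience), derives a stable per-user subject DN from eduPersonPrincipalName and displayName, and applies the credential lifetimes quoted on the slides (SLCS ~11 days, MICS 13 months). The trusted IdP, the bridge URL, the DN prefix and the sample user are assumptions; XML signature verification is assumed to have been done by the SP software before the assertion reaches the bridge.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed values: a real bridge takes trusted issuers from the federation metadata.
TRUSTED_IDPS = {"https://idp.example.ch/idp/shibboleth"}
BRIDGE_URL = "https://bridge.example.eu/slcs"           # the bridge's own SP entity ID
# Credential lifetimes quoted on the slides: SLCS ~11 days, MICS 13 months
LIFETIME = {"SLCS": timedelta(days=11), "MICS": timedelta(days=13 * 30)}

# Constructed, unsigned sample assertion (signature checking is assumed done by the SP layer)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.ch/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2012-09-06T09:00:00Z" NotOnOrAfter="2012-09-06T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://bridge.example.eu/slcs</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@uzh.ch</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_NOW = datetime(2012, 9, 6, 9, 1, tzinfo=timezone.utc)   # inside the 5-minute window
STALE_NOW = SAMPLE_NOW + timedelta(minutes=10)                  # after NotOnOrAfter

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def bridge_saml_to_dn(assertion_xml, kind, now, expected_audience=BRIDGE_URL):
    """Validate the assertion as a bridge CA must, then derive the subject DN and expiry."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_IDPS:
        raise ValueError("issuer is not in the trusted federation")
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != expected_audience:
        raise ValueError("assertion was not issued for this bridge")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    eppn = attrs["urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]   # eduPersonPrincipalName
    name = attrs["urn:oid:2.16.840.1.113730.3.1.241"]   # displayName
    # Stable per-user suffix: two users with the same display name must never share a DN
    uid = hashlib.sha256(eppn.encode()).hexdigest()[:8]
    dn = f"/DC=eu/DC=egi/DC=bridge/O={eppn.split('@', 1)[1]}/CN={name} {uid}"
    return dn, now + LIFETIME[kind]
```

The same person gets the same DN whichever credential type is issued, which is what lets VOMS membership and accounting stay attached to one identity across the SLCS and MICS variants on the following slides.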

SLIDE 13

GridCertLib & SLCS (diagram)

  • GridCertLib (Java library), used by some web portal, for example WS-PGRADE
  • SAML assertion from FIM login → SLCS → SLCS certificate + grid proxy (with VOMS), ~11 days
  • Fix VO, unique user ID
  • Contact: Sergio Maffioletti (sergio.maffioletti@gc3.uzh.ch) – GridCertLib; Zoltán Farkas (zoltan.farkas@sztaki.mta.hu) – WS-PGRADE

SLIDE 14

Online CA for the IGI Portal (diagram)

  • Browser user logs in to the IGI Portal through the IDEM Federation (Italian); web page and pop-up window
  • CA bridge and CA backend issue a MICS certificate (13 months); MyProxy; IGI VOMS
  • Alternative: certificate into the browser
  • Fix VO, unique user ID
  • Plan: IGTF accreditation
  • Contact: Marco Bencivenni (marco.bencivenni@cnaf.infn.it)

SLIDE 15

Catania Science Gateway framework (diagram)

  • SAML assertion from FIM login → Portal
  • eToken server holding a robot certificate → SLCS certificate + grid proxy (with VOMS); VOMS
  • Fix VO, fix user ID
  • User tracking & logging
  • Contact: Roberto Barbera (roberto.barbera@ct.infn.it)

SLIDE 16

EGI-InSPIRE activities 1.

  • Make NGIs aware of available (bridging) solutions and the existing gaps – so these can get filled!
    – June 2012: ‘Authentication solutions in EGI’ report https://documents.egi.eu/document/1178
    – August 2012: Blog post series http://www.egi.eu/blog/2012/08/09/federated_identity_management.html
    – September 2012: AAI workshop
      • Prague, 19th of September: http://go.egi.eu/aaiworkshop
    – December 2012 (approx): Science Gateway Primer
      • ‘Manual for portal developers’ – written by an EGI Virtual Team project
      • Chapter on integrating science gateways with identity federations
      • https://wiki.egi.eu/wiki/VT_Science_Gateway_Primer

SLIDE 17

AAI workshop (agenda image)

+ Discussion (16:00-17:30)

SLIDE 18

EGI-InSPIRE activities 2.

  • Facilitate federated services – pilot & production services
    – AAI pilot for EGA
    – GrIDP federation
    – FIM authentication in the EGI Federated Cloud

SLIDE 19

AAI Pilot: European Genome-phenome Archive (EGA) (diagram)

Administration:
  • The user, logged in from the HAKA identity federation, requests access to dataset X on the EGA portal
  • The Data Access Committee grants access
  • The Argus policy is updated (SPL) via the PAP CLI

Execution:
  • The user requests the dataset from EGA
  • EGA obtains authz info from Argus via the PEP API
  • EGA provides the dataset

SLIDE 20

Grid Identity Pool (GrIDP) federation (diagram)

EGI.eu Single Sign On (~1700 users at the moment)

SLIDE 21

GrIDP plans

  • Join various (web based) services from the NGIs (e.g. EGI Applications Database)
    – This is also a training for the NGIs!
  • Establish identity providers that can perform strong identity validation (e.g. link X509 from the browser to SAML ID)
  • Extend the federation with an ‘attribute provider service’
    – For simpler and fine-grained authz
    – To enable VOs in federation(s)
    – What service?
      • VOMS (EMI-gLite), UVOS (EMI-Unicore), Grouper (Internet2), COIP (Nordunet)

SLIDE 22

The big challenge for EGI

  • Sustainability
    – 20K (X509) users at the moment but 1.8M publicly funded researchers in Europe
    – How do we engage with and support the long-tail of researchers?
  • Technology
    – The 99% want other services (e.g. not jobs!)
    – How do we enable these services to be deployed?
  • Customers or Users?
    – There are integration costs.... but who pays?
    – PRACE & XSEDE: application process provides strong ties
    – EGI & OSG: virtual organisations a barrier to strong ties

(chart: # of users across VRCs and VOs)

SLIDE 23

EGI’s answer: Platform architecture

  • Core infrastructure platform
    – Management and uniform delivery of services
  • Cloud infrastructure platform (EGI Federated Cloud: http://go.egi.eu/cloud)
    – Hosting custom technologies for communities
  • Collaborative infrastructure platform
    – Visible and reusable community services
      • EGI Applications Database, Training Marketplace, VM Image repository, etc.

SLIDE 24

The platform based EGI (diagram) https://documents.egi.eu/document/1094

  • Resource layers: EGI infrastructure platform (clusters, storage, ...); 3rd party platforms (dedicated or shared), e.g. clusters, private grids, commercial clouds, GPUs, etc.; research facilities, e.g. sensor networks, detectors, etc.
  • ‘Grid mw’ EGI: batch processing – grid middleware services running jobs
  • ‘Cloud’ EGI: applications in Virtual Machines – cloud infrastructure platform (EGI Federated Cloud) running virtual machines
  • Collaborative platform (labels: SW, VM, DB) and Virtual Research Environments for the Research Communities

SLIDE 25

AAI in the EGI cloud (diagram)

  • IaaS layer: institutional clouds, commercial clouds and NGI clouds, each providing VM Mgmt, Data, Information, Monitoring, Accounting and Notification, connected through the EGI-wide message bus
  • PaaS / SaaS layer: project/community specific services
  • Personalised environments for individual research communities in the European Research Area
  • AAI labels shown: Custom AAI, X.509 AAI
  • Sites are already available for scientific use cases

SLIDE 26

EGI FedCloud - timeline

  • Sept 2011 – March 2013: Federated Cloud Task Force https://wiki.egi.eu/wiki/Fedcloud-tf:FederatedCloudsTaskForce
    – Write a blueprint document
    – Deploy a testbed
    – Identify issues from non-technical/non-user areas (policy, operations, dissemination)
  • August 2012 – March 2013: Pilot use cases http://go.egi.eu/cloud
    – Support early adopters using the testbed
    – Collect and investigate requirements from early adopters
    – Establish processes and tools for user-facing services
  • Replacing X509 with FIM at the IaaS level?
    – Collaboration with the Contrail project (Oct 2010 – Sep 2013) http://contrail-project.eu

SLIDE 27

Conclusions

EGI’s requirements for a generic AAI: Geographical coverage, science discipline coverage, scalability, robustness, simplicity, sustainability, compatibility with EGI platforms.

  • X509 certificates are not perfect, but NGIs ‘got used to it’
  • FIM is gaining momentum
    – GrIDP federation
    – Grid portals and X509 bridges
    – Contrail FIM solution in EGI FedCloud
  • Open questions
    – Community federations (e.g. ELIXIR) → NREN/NGI federations?
    – How could EGI and the NGIs best support federations? E.g.
      • A global online CA by EGI/Terena?
      • A global attribute service by EGI/Terena for research federations?
      • Training events? Outreach?
    – Is FIM really needed in the middleware, or do bridges do the job?
    – E-infrastructure accounting in the ‘FIM-world’

SLIDE 28

Questions

EGI Technical Forum 2012, Prague, Czech Republic, 17–21 September http://tf12.egi.eu