
Page 1

Identity management in the European Grid Infrastructure
Established solutions, new needs, open questions

Gergely Sipos, Technical Outreach Manager
EGI.eu, Amsterdam, [email protected]

Identity Management for research and collaboration Workshop
Utrecht, 6-7 September 2012, http://www.terena.org/activities/vamp/ws1/
9/6/2012

EGI-InSPIRE RI-261323, www.egi.eu

Page 2

Outline

• European Grid Infrastructure - intro
• AAI in the ‘grid middleware’
  – X.509 variants
• FIM in EGI
  – NGIs’ readiness
  – Bridging solutions
  – Pilots, production systems
  – FIM and the EGI Federated Cloud
• Conclusions

Page 3

The EGI Ecosystem (diagram)

Actors shown:
• Public Funding Bodies: European Commission, National Research Councils
• Resource & Service Providers: EGI.eu foundation, National Grid Infrastructures (NGIs), ~45
• Technology Providers: grid middleware software, cloud provider software
• User Community: VRCs and VOs (e.g. TRANSfoRm)

Relations shown between them: requirements, policies + funding, strategic feedback, requirements + feedback, services + support, software + support.

VRC: Virtual Research Community; VO: Virtual Organisation

Page 4

EGI’s Strategic Focus (http://go.egi.eu/EGI2020)

• Operational Infrastructure
  – Operate a Europe-wide infrastructure
  – Offer its use to other research infrastructures
  – Build a federated cloud environment
• Virtual Research Environments (VREs)
  – Support the development, integration & operation of community/project/domain specific services
• Community & Coordination
  – Community building through events
  – Community networking through the NGIs

Page 5

Installed capacity (Apr ‘12)

Metric             Value (yearly increase)
Sites              326 (+3%)
Nb. of CPU cores   270,800 (+31%)
Disk               139 PB (+31%)
Tape               134 PB (+50%)

Page 6

Capacity usage (May 2011 - April 2012)

Metric                                         Value (yearly increase)
CPU time, total (billion HEP-SPEC 06 hours)    10.5 (+52.91%)
Computing jobs, total (million)                492.5 (+46.42%)
Computing jobs, average per day (million)      1.35

Share of total consumed CPU time
High-Energy Physics            93.60%
Astronomy and Astrophysics      2.25%
Life Sciences                   1.30%
Various disciplines             1.23%
Remaining disciplines           1.62%

The High-Energy Physics share reflects the first runs of the Large Hadron Collider.

Page 7

Operations: software provisioning (diagram, 30/05/2012)

Requirements → EGI Technology Roadmap → External Technology Providers (EMI, IGE, SAGA for cluster grids; EDGI for desktop grids) → Software → Criteria Definition and Criteria Verification → Staged Rollout → Production → Deployed Software

Page 8

AAI in the ‘grid middleware-based EGI’

Grid = federated resources exposed for controlled sharing via middleware services

– X.509 personal certificates
  • From IGTF CAs
  • From the Terena Certificate Service (federated request)
– Limited certificates
  • Restricted in lifetime and/or infrastructure coverage
  • E.g. GILDA CA (http://gilda.ct.infn.it/certification-authority)
  • E.g. Swiss Short Lived Credential Service (SLCS)
– Robot certificates
  • Identify applications (often portals) instead of users
  • Growing popularity and availability
  • https://wiki.egi.eu/wiki/Robot_certificates
  • https://wiki.egi.eu/wiki/EGI_robot_certificate_users

Nb. of users (personal, limited, robot, respectively): tens of thousands; thousands; hundreds (<100 robot certificates). ~20,000 in total.

Page 9

AAI Challenges

• EGI requirements for a generic AAI:
  – Geographical coverage, science discipline coverage, scalability, robustness, simplicity, sustainability, compatibility with VRE & EGI operations services
• X.509 meets all but one: simplicity. How can X.509-based infrastructures be simplified for users?
  – MyProxy, online CAs, Terena CAs, robot certificates, ...
  – and ... federated identity management

Page 10

Solutions - issues

Solution to simplify access, and the problem with the solution:
• MyProxy: certificate management issues remain
• Terena CAs: (most of the) certificate management issues remain; limited coverage (geographical & discipline)
• Robot certificates: authentication & logging responsibilities move to portals; users become invisible to the infrastructure; for certain types of applications only
• Short lived credential services (SWITCH SLCS, IGI Online CA): limited geographical coverage

• Is Federated Identity Management a better alternative? User communities say YES (FIM workshops & paper)
• Are the NGIs ready for adopting FIM? EGI Virtual Team project: assess the readiness of the NGIs in adopting FIM mechanisms: https://wiki.egi.eu/wiki/VT_Federated_Identity_Providers_Assessment

Page 11

FIM assessment - EGI Virtual Team project

• Participants from Czech, French, Italian, Irish, Swiss NGIs + EGI.eu
• Defined, then filled a survey:

Q1: Are personal e-science certificates from the Terena Certificate Service (TCS) available in the NGI?
Q2: Are the grid institutions of the NGI in the national TCS federation?
Q3: Are the institutions of the potential users of your NGI eligible for certificates from TCS?
Q4: Are there other relevant ‘federated identity’-based authentication services available in the NGI?

NGI           Q1                                 Q2                            Q3      Q4
Ireland       No (but server certificates are)   N.A.                          N.A.    Exploring possibilities of an SLCS CA
Czech Rep.    Yes                                All major but one (ongoing)   Partly  No
France        No                                 N.A.                          N.A.    No
Switzerland   No                                 N.A.                          N.A.    SLCS (IGTF accredited)
Italy         Yes                                Most                          Partly  Preparing a MICS CA

https://wiki.egi.eu/wiki/VT_Federated_Identity_Providers_Assessment

The Identity Federations of the NRENs are similarly exclusive

Page 12

Possibilities for FIM integration with EGI

1. Middleware services ‘speak’ FIM (accept SAML assertions)
  • External technology providers! EMI & IGE plans are under development
    – EMI MJRA1.12 (Common Security Architecture Assessment)
  • Accounting systems must also be adapted (SAML identity instead of certificate DN)
2. FIM-X.509 bridging: mapping a SAML identity to X.509. Various solutions, in routine usage:
  1. GridCertLib & SLCS (Swiss portals)
  2. Online CA (portal for the Italian Grid Infrastructure)
  3. Catania Science Gateway framework (various science gateways)

Page 13

GridCertLib & SLCS

Flow (diagram): a web portal (for example WS-PGRADE) receives a SAML assertion from the FIM login; GridCertLib (Java library) exchanges it at the SLCS service for an SLCS certificate and obtains a grid proxy with VOMS attributes from the VOMS server (fixed VO, unique user ID); credential lifetime ~11 days.

Contact: Sergio Maffioletti ([email protected]) – GridCertLib; Zoltán Farkas ([email protected]) – WS-PGRADE
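The core of the SAML-to-X.509 bridge described on the previous slide and in the GridCertLib/SLCS flow above, as an added example in Go. This is not GridCertLib, SLCS or any EGI code. It assumes a minimal Assertion struct in place of real SAML parsing, a constructed assertion for jdoe@idp.example.org, an in-memory CA, an assumed DN convention (O=Example Online CA, OU=<IdP entityID>, CN=<eduPersonPrincipalName>) and an assumed ~11-day SLCS lifetime cap. It shows the three things a bridge has to get right, including the rejection paths the slides only imply: issue only while the assertion is still valid, derive the same DN every time for the same federated user (so the grid and its accounting see a stable identity), and cap the lifetime so that a relying party's ordinary chain validation rejects the credential once it has expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assertion is the slice of a SAML assertion the bridge consumes: a constructed struct, not a SAML
// parser. A real bridge verifies the XML signature and audience before it gets this far.
type Assertion struct {
	IssuerEntityID string    // the IdP that authenticated the user
	EPPN           string    // eduPersonPrincipalName: scoped, hence unique within the federation
	NotOnOrAfter   time.Time // from <saml:Conditions>
}

// MaxSLCSLifetime caps the certificate at ~11 days as on the GridCertLib slide (assumed profile limit).
const MaxSLCSLifetime = 11 * 24 * time.Hour

// mint generates a fresh P-256 key for tmpl, assigns a random positive serial and signs tmpl under parent with signer; nil signer = self-signed.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = serial.Add(serial, big.NewInt(1)) // strictly positive, as RFC 5280 requires
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewOnlineCA makes a self-signed CA valid from now; the key stays in memory for the example only.
func NewOnlineCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject:   pkix.Name{Organization: []string{"Example Online CA"}, CommonName: "Example Bridge CA"},
		NotBefore: now, NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		IsCA:      true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return mint(tmpl, tmpl, nil)
}

// SubjectDN maps the federated identity to a stable DN ("fix VO, unique user ID"): same EPPN from the same IdP, same DN every time.
func SubjectDN(a Assertion) pkix.Name {
	return pkix.Name{Organization: []string{"Example Online CA"},
		OrganizationalUnit: []string{a.IssuerEntityID}, CommonName: a.EPPN}
}

// Issue turns a still-valid assertion into a short-lived end-entity certificate and its key.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, a Assertion, now time.Time, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if a.EPPN == "" || a.IssuerEntityID == "" || !now.Before(a.NotOnOrAfter) {
		return nil, nil, fmt.Errorf("assertion for %q incomplete or expired", a.EPPN)
	}
	if lifetime <= 0 || lifetime > MaxSLCSLifetime {
		return nil, nil, fmt.Errorf("lifetime %v outside SLCS limit %v", lifetime, MaxSLCSLifetime)
	}
	return mint(&x509.Certificate{
		Subject:     SubjectDN(a),
		NotBefore:   now.Add(-5 * time.Minute), NotAfter: now.Add(lifetime), // small clock-skew allowance
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // IsCA stays false: end entity
	}, caCert, caKey)
}

// Verify is the relying party's side (a grid service): chain to the trusted CA at time now.
func Verify(cert, caCert *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.String(), nil // the DN the service logs and accounts against
}

func main() {
	now := time.Now()
	caCert, caKey, err := NewOnlineCA(now)
	if err != nil {
		panic(err)
	}
	a := Assertion{IssuerEntityID: "https://idp.example.org/idp", EPPN: "jdoe@idp.example.org", NotOnOrAfter: now.Add(time.Hour)}
	if cert, _, err := Issue(caCert, caKey, a, now, MaxSLCSLifetime); err == nil {
		fmt.Println(Verify(cert, caCert, now.Add(24*time.Hour)))
	}
}
```

Running it prints the DN exactly as a grid service would log it. A 13-month (MICS-style) lifetime is refused by the SLCS profile check, an assertion presented after its NotOnOrAfter is refused, and validation a day past the cap fails on the standard chain check with no bridge-specific logic. The VOMS step both slides show on top of the certificate (attributes carried in a proxy) is not covered here.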

Page 14

Online CA for the IGI Portal

Components (diagram): browser user; IGI Portal (web page plus a pop-up window for the login); IDEM Federation (Italian) as identity provider; CA bridge and CA backend issuing a MICS certificate (13 months); MyProxy; IGI VOMS (fixed VO, unique user ID).
Alternative: certificate into the browser
Plan: IGTF accreditation

Contact: Marco Bencivenni ([email protected])

Page 15

Catania Science Gateway framework

Flow (diagram): SAML assertion from the FIM login → portal (fixed VO, fixed user ID) → eToken server holding a robot certificate → SLCS certificate + grid proxy (with VOMS) from the VOMS server; the portal does the user tracking & logging.

Contact: Roberto Barbera ([email protected])

Page 16

EGI-InSPIRE activities 1.

• Make NGIs aware of available (bridging) solutions and the existing gaps – so these can get filled!
  – June 2012: ‘Authentication solutions in EGI’ report, https://documents.egi.eu/document/1178
  – August 2012: Blog post series, http://www.egi.eu/blog/2012/08/09/federated_identity_management.html
  – September 2012: AAI workshop, Prague, 19th of September: http://go.egi.eu/aaiworkshop
  – December 2012 (approx): Science Gateway Primer
    • ‘Manual for portal developers’, written by an EGI Virtual Team project
    • Chapter on integrating science gateways with identity federations
    • https://wiki.egi.eu/wiki/VT_Science_Gateway_Primer

Page 17

AAI workshop

Agenda (slide image not extracted) + Discussion (16:00-17:30)

Page 18

EGI-InSPIRE activities 2.

• Facilitate federated services – pilot & production services
  – AAI pilot for EGA
  – GrIDP federation
  – FIM authentication in the EGI Federated Cloud

Page 19

AAI Pilot: European Genome-phenome Archive (EGA)

Flow (diagram):
• Administration: a user logged in from the HAKA identity federation requests access to dataset X through the EGA portal; the Data Access Committee grants access; the policy in Argus is updated (SPL) through the PAP CLI.
• Execution: the user requests the dataset from EGA; EGA obtains the authorisation info from Argus through the PEP API and provides the dataset.

Page 20

Grid Identity Pool (GrIDP) federation

EGI.eu Single Sign On (~1700 users at the moment)

Page 21

GrIDP plans

• Join various (web based) services from the NGIs (e.g. EGI Applications Database)
  – This is also a training for the NGIs!
• Establish identity providers that can perform strong identity validation (e.g. link X.509 from the browser to the SAML ID)
• Extend the federation with an ‘attribute provider service’
  – For simpler and fine-grained authz.
  – To enable VOs in federation(s)
  – What service? VOMS (EMI-gLite), UVOS (EMI-Unicore), Grouper (Internet2), COIP (Nordunet)

Page 22

The big challenge for EGI

• Sustainability
  – 20K (X.509) users at the moment but 1.8M publicly funded researchers in Europe
  – How do we engage with and support the long tail of researchers?
• Technology
  – The 99% want other services (e.g. not jobs!)
  – How do we enable these services to be deployed?
• Customers or Users?
  – There are integration costs…. but who pays?
  – PRACE & XSEDE: application process provides strong ties
  – EGI & OSG: virtual organisations a barrier to strong ties

[Chart: number of users across VRCs and VOs]

Page 23

EGI’s answer: Platform architecture

• Core infrastructure platform
  – Management and uniform delivery of services
• Cloud infrastructure platform (EGI Federated Cloud: http://go.egi.eu/cloud)
  – Hosting custom technologies for communities
• Collaborative infrastructure platform
  – Visible and reusable community services
    • EGI Applications Database, Training Marketplace, VM Image repository, etc.

Page 24

The platform based EGI (https://documents.egi.eu/document/1094)

Layers (diagram):
• EGI infrastructure platform (clusters, storage, ...), 3rd party platforms (dedicated or shared, e.g. clusters, private grids, commercial clouds, GPUs, etc.) and research facilities (e.g. sensor networks, detectors, etc.)
• Grid middleware services: ‘Grid mw’ EGI, batch processing (jobs)
• Cloud infrastructure platform (EGI Federated Cloud): ‘Cloud’ EGI, applications in Virtual Machines (SW, VM, DB)
• Collaborative platform / Virtual Research Environment, used by the Research Communities

Page 25

AAI in the EGI cloud

Layers (diagram):
• IaaS: institutional clouds, NGI clouds and commercial clouds, each exposing VM management, data, information, monitoring, accounting and notification, connected through an EGI-wide message bus; labelled ‘X.509 AAI’
• PaaS and SaaS: project/community specific services; labelled ‘Custom AAI’
• Personalised environments for individual research communities in the European Research Area

Sites are already available for scientific use cases

Page 26

EGI FedCloud - timeline

• Sept 2011 – March 2013: Federated Cloud Task Force, https://wiki.egi.eu/wiki/Fedcloud-tf:FederatedCloudsTaskForce
  – Write a blueprint document
  – Deploy a testbed
  – Identify issues from non-technical/non-user areas (policy, operations, dissemination)
• August 2012 – March 2013: Pilot use cases, http://go.egi.eu/cloud
  – Support early adopters using the testbed
  – Collect and investigate requirements from early adopters
  – Establish processes and tools for user-facing services
• Replacing X.509 with FIM at the IaaS level?
  – Collaboration with the Contrail project (Oct 2010 – Sep 2013), http://contrail-project.eu

Page 27

Conclusions

EGI’s requirements for a generic AAI: geographical coverage, science discipline coverage, scalability, robustness, simplicity, sustainability, compatibility with EGI platforms.

• X.509 certificates are not perfect, but the NGIs ‘got used to them’
• FIM is gaining momentum
  – GrIDP federation
  – Grid portals and X.509 bridges
  – Contrail FIM solution in EGI FedCloud
• Open questions
  – Community federations (e.g. ELIXIR) or NREN/NGI federations?
  – How could EGI and the NGIs best support federations? E.g.
    • A global online CA by EGI/Terena?
    • A global attribute service by EGI/Terena for research federations?
    • Training events? Outreach?
  – Is FIM really needed in the middleware, or do bridges do the job?
  – E-infrastructure accounting in the ‘FIM world’

Page 28

Questions

EGI Technical Forum 2012, Prague, Czech Republic, 17–21 September, http://tf12.egi.eu