Slide 1Slide 1

Easing Access for Researchers

Slide 2

Collaborators wants an environment where managing members & access to resources is FAST and EASY

Not This!

This! Not This!

Slide 3

Introductions

• Moderator: Jill Gemmill, Clemson University

• Nathaniel Mendoz, TACC

• Tracy Futhey, Duke University

• Mike Kirgan, Florida International University

Slide 4

TACC Snapshot Today

• Personnel– ~135 Full time staff (~50 PhD), 15 students

• Funding– Roughly 85% externally funded, through 7 major projects and more than

20 smaller grants.– TACC Represents (mostly NSF and UT) cumulative investment of more

than $300M in buildings, systems, and staffing• Facilities

– Datacenter upgrade to 10MW completed in 2012.– New office facility to be completed by end of 2015 (accommodating

~150 staff total).• Services

– HPC, HTC, Visualization, Large scale data storage, curation and analysis, Web portals and Gateways, API design, consulting, etc.

Slide 5

TACC Provides a Comprehensive Computational Science Ecosystem

Computation: Stampede, LonestarVisualization: Maverick, Stallion.Storage and Archive: Corral, Ranch (160 PB) Cloud: Rodeo, Chameleon, Jetstream

Data Driven Computing: Wrangler, RustlerReasoning Systems: YellowhatConnectivity: 100Gb/s to Internet2Tools, APIs, Algorithms, Consulting, and Team

Slide 6

Enabling New Modes of Computing

• ~3k projects, ~10k direct users through SSH• But we have ~35k+ (maybe 50-60k) users who access

us through various APIs – web gateways– Galaxy, iPlant, DesignSafe, etc.– Many don’t even know they use TACC – we’re just “the

cloud”. • Data: ~3PB per month move in and out of the Center

– More than 1PB through REST API, and that volume is increasing 20% *per month*.

Slide 7

Enabling Apps in Non-traditional ways

• In collaboration with Stanley Watowich at UTMB, TACC developed a web portal to provide a graphical interface for conducting a screen for identifying small molecules that bind to a target protein. – Users can screen against libraries of

ligands up to 642k in size. – Basic screening is done, and results are

collated and best matches returned in a simple download.

• 70 researchers have used more than 5 million hours on Lonestar through the portal

• “We report the discovery of a novel small-molecule inhibitor of the dengue virus (DENV) protease (NS2B-NS3pro) using a newly constructed Web-based portal (DrugDiscovery@TACC) for structure-based virtual screening.” Journal of Chemical Information and Modeling

“Identification of a Novel Inhibitor of Dengue Virus Protease through Use of a Virtual Screening Drug Discovery Web Portal”

Slide 8

Data at the Speed of Trust 1440588Overall Goal & Primary Use Case• Facilitate and ease research collaboration on campus and

off campus, including – access to protected and sensitive data via flexible

computational resources, and – through the enablement and simplification of identity

and access management and provision of access to local resources.

• Duke interdisciplinary and inter-institutional collaboration (NSF DIBBs ACI-1443014) to develop and utilize synthetic data techniques for analysis of highly sensitive data (20+ years of OPM data on 30,000+ federal employees).

Slide 9

Data at the Speed of Trust 1440588 Preconditions: Pain Points & Opportunities• Enabling secure access to datasets and analytic tools

without requiring researchers double as sys admins– SDN enabled environment (NSF OCI-1246042; CNS

1243315) on an MPLS network with extensive VRF deployment (xxx VRFs)

– Mature virtualized environment not just in data center but enabling public labs functionality, student development, etc

• Sponsoring and managing Guest Accounts for collaborators– Extensive use of Shib (1900 enabled applications)– Extensive use of Grouper (740,000 groups)

Slide 10

Data at the Speed of Trust 1440588 Approaches: Technical and Social• Use SDN, Switchboard and simple controller to provision

bypass networks for researchers with servers/data in departmental locations and/or central data centers. 

• Enable remote access via web based services, virtualization, and container technologies to simplify access and improve performance to protected network resources and to other services (both Windows and X based services; “no VNC”)

• Extend federation and access via Shib'ed resources and negotiate and extend rich attribute release for broad or narrow access rights (all graduate students at Princeton vs. Research Collaborator Y at University X)

Slide 11

Secure Access for Everyone (SAFE) 1440728

• The Secure Access for Everyone (SAFE) project is about building a standards-based integrated Identity and Access Management (IAM) system that supports trusted collaboration and sharing of CI resources across multiple institutions

• Drivers– Slow process for collaborators to get access resources– Sharing data and accessing systems were too

cumbersome, especially for infrequent users– The amount of research requiring collaboration across

multiple institutions keeps increasing

– Increasingly research requires collaborations across multiple institutions

• Many collaborations required the sharing of data and joint access to FIU’s Cyber Infrastructure (CI) resources– Such as High Performance Computing (HPC), Data

Repositories and other instruments.

• Before SAFE, providing access to external researchers was a time consuming process and the access methods were not conducive to ease of access.

Slide 12

Key Goals of SAFE to Support Multi-Institutional Collaborations• Allow collaborators to use their home institutions

credentials to access campus CI resources, regardless if that resource has a web or command line login (i.e. ssh)

• Access requests must be processed quickly• Provide a user friendly way to access campus CI

resources, including a single portal, easy to use interfaces, and documentation for each system

• Provide a convenient way to share and access data• Provide all of this in a secure fashion

Slide 13

Components of SAFE

1) Federated Web Portal provides a single place that all researchers can go to log-in and connect to any SAFE integrated CI resource. This portal leverages InCommon for federated authentication.

2) Identity and Access Management system was built into the SAFE portal and integrated with the campus IAM system. Together, they process all access requests, automatically provisions accounts, recertify accounts annually when needed and link a user’s InCommon credentials with an internally created FIU account.

Slide 14

Components of SAFE (cont.)

3) Login interfaces - Both customized web and command line interfaces (such as ssh) are provided through the SAFE web portal. This secures connections without requiring the use of VPN. Only VPN and Web Portal connections are allowed to connect directly to many CI resources. Local credentials do not need to be known by the collaborator as the web portal will automatically pass the appropriate credentials

4) Other Components – Shibboleth, CAS, LDAP, AD, Shellinabox, custom IAM & IBM Security Identity Manager

5) Current CI Integrations – HPC, Virtual Computing Lab, Collaborative Data Storage System, Library Databases

Slide 15

Account Approval & Login Process• Access requests are approved by the PI online in the SAFE

IAM system, renewed once a year. Local accounts are created and linked to InCommon credentials.

• The IAM system provisions (and de-provisions when needed) local accounts to the appropriate CI resources

• SSH logins are supported via passing encrypted local credentials to a modified open source web based SSH interface, that then automatically logs the collaborator into a local account on the desired resource.

• Web based resources either support Shibboleth, been modified to do so by the SAFE team or in some cases a customized alternate web interface is being created

Slide 16

FeduShare: A User-Managed Collaboration Framework (ACI-1440609)

We have been modeling and designing campus infrastructure as a closed system with identities & resources we

What if we modeled and designed for open collaboration instead?

Slide 17

The Project: Two Use Cases + a CatalogUse Case 1:  Federated access to a campus HPC cluster via console logon  -- in PRODUCTION SYSTEMS  (Year 1)

Use Case 2:  Federated access to multiple clouds/SDN testbeds (eg: GENi and CloudLab )  (Year 2)

Catalog:  Open Source Software candidates to use for FeduShare framework components (Years 1 & 2)

https://sites.google.com/site/fedushare/

  

Slide 18

Decision Matrix

•  

 

  CILogon ECP SSH

ECP PAM

SSH Keys

Web Portal

No special client software ❌

gsissh❌

ecpssh✔️ ✔️ ✔️

Software exists today ✔️ ✔️ ❌ ✔️ ✔️

Password not exposed to server

✔️ ✔️ ❌ ✔️ ✔️

No extra registration step ❌

cert✔️ ✔️ ❌

key✔️

No new user-managed keys ❌ ✔️ ✔️ ❌ ✔️

Uses SAML for SSH login ❌ ✔️ ✔️ ❌ ✔️

Native SSH client ✔️ ✔️ ✔️ ✔️ ❌

browser

Slide 19

Happy Side Effect: Mobile Logon using Shib-ECP

https://github.com/OpenClemson/SwiftECP

• converting our hybrid mobile web app into a native iOS app (Android next)

• We wanted a login-once paradigm

• Integrate native login with Shibboleth since most other campus services use it

• FeduShare work at Clemson ensured that our IDP supported ECP and was configured properly

Slide 20

Panel Discussion Questions

• How is managing access to resources hosted on campus changing due to the increase in collaboration? How is your organization responding to this change?

• What do you consider to be the most novel or innovative aspect of your project?

• What do you see as the most important barriers to access for researchers that have yet to be solved?