ARCS Authorisation Services
Neil Witheridge, Manager, ARCS Authorisation Services
APAN29, Sydney, February 2010

Page 2

Overview

• ARCS & Platforms for Collaboration
• ARCS Mission & Structure
• Research Group Needs
• ARCS Services and Tools
• Authorisation Services' Role
• ARCS Authorisation Infrastructure
• Strategy, Challenges & Future direction

Page 3

Australian Government eResearch Investment

• National Collaborative Research Infrastructure Strategy - Platforms for Collaboration (PfC) investment (2007-11)
• Super Science Initiative eResearch Components (2009-13)
• "…critical importance of eResearch Infrastructure to future research competitiveness"
• "…intended to enhance research collaborations, assist researchers to manage massive datasets, and provide super-computing and analysis tools that enable Australian researchers to tackle the complex, national and global issues needed to secure Australia's future."

Source: https://www.pfc.org.au/bin/view/Main

Page 4

Platforms for Collaboration

PfC component investments:
• Australian Research Collaboration Service (ARCS)
  – Develop and operate services linking systems and resources nationwide
  – Develop and operate collaboration and workflow tools for researchers
  – Includes "Authorisation Services"
• Australian National Data Service (ANDS)
• National Computational Infrastructure (NCI)
• Australian Access Federation (AAF) and Research Networks (AARNET)

Source: http://www.ivec.org/ForumAug09/02_Francis.ppt

Page 5

ARCS Mission

To provide long-term eResearch support services including, but not limited to, interoperability and collaboration infrastructure and services through a continuous and open process of consultation and engagement with the Australian research community.

ARCS is an unincorporated collaborative venture of the Members of ARCS: ANU, CSIRO, eRSA, Intersect, QCIF, iVEC, TPAC, VPAC … serves as the vehicle for the coordinated delivery of national eResearch support, services and tools.

Source: http://www.arcs.org.au/about

Page 6

Research Group Needs

(Diagram: a Research Group, a Principal Investigator and Researchers, whose identities are managed in the AAF IdP(s) of their home institutions, working against shared resources.)

Resources: CMS/Wiki, Instrument, Data Storage, HPC Grid Services, Repository
Activities: Run Experiment / Generate Data, Store Data, Analyse Data, Write & Publish Report, Collaboratively Create web content, Collaborate / Communicate / Meet, VO configured for accessing Grid resources
Identity Management in AAF IdP(s)
Authentication and authorisation for protection of valuable resources

Page 7

ARCS' Current Tools and Services

• Compute Cloud*
• Grid Services Infrastructure*
• Virtual Machine Hosting
• Data Fabric*
• Database Service
• Data Transfer Service
• Web-based Collaboration
  – Sakai
  – Plone
  – Jabber
  – Joomla
  – Twiki
• Video Collaboration
  – Desktop solution: EVO*
  – Room solution: AccessGrid
• Security Services
  – Grid Certificates*
  – Access Service

* Immediately accessible; others require request and coordinated provision to the research group.

Page 8

ARCS Authorisation Services Role

• Support Research Groups and Service Providers in delivering services requiring authentication and authorisation (authNZ)
  – Analyse requirements, and provide expertise, advice, exemplars
  – Exemplars (demonstrate what can be done to protect resources)
  – Implement (procure/develop) and deploy authNZ solutions satisfying research groups' and service providers' security requirements
  – Provide customer support for ARCS Authorisation Services: ARCS CAs, ARCS IdP, ARCS SLCS Server & Clients, ARCS Access Service
• Develop and pursue a 'unified strategy' for authNZ
  – Apply security technologies and protocols & track international trends
  – Rely on the AAF for Federated Access (i.e. use Shibboleth)
  – Integrate with Grid Security Infrastructure
  – Analyse access scenarios and identify patterns & solutions

Page 9

ARCS Access Service

• Provides a Gateway to ARCS Services
• Registration (assignment of Default Authorisation Rights)
  – Tracking user communities (auEduPersonSharedToken)
  – Allocate ARCS Username (ARCS Services unique identifier): consistent user naming across ARCS Services
  – Caching attributes at time of registration: allows detection of attribute change (e.g. IdP, affiliation)
• Authorisation Rights Management
  – Register Authorisation Rights tokens of the form urn:<ServiceIdentifier>:<Token value>
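The following is an added example, not ARCS code: a minimal model of the Access Service behaviour this page describes (registration keyed on auEduPersonSharedToken, a stable ARCS username, attributes cached at registration so that a later change of IdP or affiliation is detectable, and rights tokens of the form urn:<ServiceIdentifier>:<Token value>), together with the 12-week registration timeout that appears on page 11. The attribute names other than auEduPersonSharedToken, the username scheme, the default rights and the sample user are assumptions made for the example.

```python
# Added example (not ARCS code): a minimal model of the Access Service behaviour on page 9
# (registration keyed on auEduPersonSharedToken, a stable ARCS username, attributes cached at
# registration so later change is detectable, rights tokens urn:<ServiceIdentifier>:<Token value>)
# plus the 12-week registration timeout shown on page 11. Attribute names other than
# auEduPersonSharedToken, the username scheme and the sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Set, Tuple

REGISTRATION_TIMEOUT = timedelta(weeks=12)  # page 11: "SP (12 wks timeout)"
CACHED_ATTRIBUTES = ("idp", "affiliation")  # page 9: detect change of e.g. IdP, affiliation


def rights_token(service_id: str, value: str) -> str:
    """Build an authorisation-rights token in the form urn:<ServiceIdentifier>:<Token value>."""
    if not service_id or ":" in service_id:
        raise ValueError("service identifier must be non-empty and contain no ':'")
    return f"urn:{service_id}:{value}"


def parse_rights_token(token: str) -> Tuple[str, str]:
    """Inverse of rights_token(); the token value itself may contain ':'."""
    prefix, service_id, value = token.split(":", 2)
    if prefix != "urn" or not service_id:
        raise ValueError(f"malformed rights token: {token!r}")
    return service_id, value


@dataclass
class Registration:
    shared_token: str           # auEduPersonSharedToken, the stable key for this user
    arcs_username: str          # one identifier used consistently across ARCS services
    attributes: Dict[str, str]  # attribute snapshot taken at (re-)registration time
    registered_at: datetime
    rights: Set[str] = field(default_factory=set)


class AccessService:
    def __init__(self, default_rights, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._registry: Dict[str, Registration] = {}
        self._default_rights = set(default_rights)
        self._now = now  # injectable clock so the timeout can be exercised offline
        self._next_serial = 1

    def _allocate_username(self) -> str:
        # Assumption: opaque serial usernames, never derived from IdP data, so a change
        # of home IdP cannot change the user's name across ARCS services.
        name = f"arcs{self._next_serial:06d}"
        self._next_serial += 1
        return name

    def login(self, released: Dict[str, str]) -> Tuple[Registration, str, List[str]]:
        """Handle one AAF login; returns (registration, status, changed_attributes) where
        status is 'registered' (first visit), 're-registered' (timeout expired) or 'ok'."""
        token = released.get("auEduPersonSharedToken")
        if not token:
            raise PermissionError("IdP did not release auEduPersonSharedToken; cannot register")
        snapshot = {k: released.get(k, "") for k in CACHED_ATTRIBUTES}
        now = self._now()
        reg = self._registry.get(token)
        if reg is None:
            reg = Registration(token, self._allocate_username(), snapshot, now, set(self._default_rights))
            self._registry[token] = reg
            return reg, "registered", []
        changed = [k for k in CACHED_ATTRIBUTES if reg.attributes[k] != snapshot[k]]
        if now - reg.registered_at > REGISTRATION_TIMEOUT:
            # Expired: keep username and rights, refresh the cached attributes.
            reg.attributes, reg.registered_at = snapshot, now
            return reg, "re-registered", changed
        return reg, "ok", changed  # inside the window: report drift, do not overwrite the cache

    def grant(self, shared_token: str, service_id: str, value: str) -> str:
        rt = rights_token(service_id, value)
        self._registry[shared_token].rights.add(rt)
        return rt

    def authorised(self, shared_token: str, service_id: str, value: str) -> bool:
        reg = self._registry.get(shared_token)
        return reg is not None and rights_token(service_id, value) in reg.rights


def demo() -> dict:
    """Walk one constructed user through registration, attribute drift and the timeout."""
    clock = [datetime(2010, 2, 1, tzinfo=timezone.utc)]
    svc = AccessService([rights_token("datafabric", "user")], now=lambda: clock[0])
    tok = "ZTd0Z1Nzb21lc2hhcmVkdG9rZW4"  # constructed 27-character shared token, not a real one
    first = {"auEduPersonSharedToken": tok, "idp": "idp.uni-a.example", "affiliation": "staff"}
    reg, status, changed = svc.login(first)
    out = {"first": status, "username": reg.arcs_username,
           "default": svc.authorised(tok, "datafabric", "user")}
    clock[0] += timedelta(weeks=4)  # same user, affiliation changed at the IdP
    reg2, status2, changed2 = svc.login({**first, "affiliation": "student"})
    out.update(second=status2, changed2=changed2, same_user=reg2.arcs_username == reg.arcs_username)
    clock[0] += timedelta(weeks=10)  # past the 12-week timeout, now arriving from another IdP
    reg3, status3, changed3 = svc.login({**first, "idp": "idp.uni-b.example"})
    out.update(third=status3, changed3=changed3, cached_idp=reg3.attributes["idp"])
    svc.grant(tok, "wiki", "project-x:editor")  # a rights value that itself contains ':'
    out.update(wiki=svc.authorised(tok, "wiki", "project-x:editor"),
               hpc=svc.authorised(tok, "hpc", "project-x"))
    return out
```

The point of keying the registry on auEduPersonSharedToken rather than on the IdP-scoped login name is visible in the third login: the user arrives from a different IdP after the timeout, keeps the same ARCS username and rights, and the change of IdP is reported rather than silently creating a second account. What a deployment does with a reported change (re-approve, revoke, notify) is policy the page leaves open.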

Page 10

Current focus on Authentication

(Diagram: the page-6 scenario annotated with ARCS components. The researcher belongs to a Federation IdP and is a member of a Research Group.)

Flow: IdP Check -> Confirm Attributes Released by IdP -> Register via Access Service for SLCS, Data Fabric, Wiki, Repository -> Generate Grid (SLCS) Credential via the SLCS Service
Services and access mechanisms: ARCS CMS/Wiki (SP), Instrument, ARCS Data Fabric (SP, GSI, webDAV, LDAP), HPC (Grid, GSI), ARCS Repository (SP), SLCS Service (SP), Access Service (SP)
Activities as on page 6: Run Experiment / Generate Data, Store Data, Analyse Data, Write & Publish Report, Collaboratively Create web content, VO configured for accessing Grid resources

Page 11

(Diagram: credential flows between the AAF Identity Provider, ARCS services and the research services they protect.)

• AAF Identity Provider: Authenticate. The researcher accesses every ARCS SP using IdP username and password via AAF Login.
• ARCS SLCS Service (SP): Get SLCS Certificate from the ARCS SLCS CA (ARCS internal/backend processing).
  – Grid Cert enabled Service: access using ARCS SLCS cert or proxy (e.g. Grid Services, iRODS via iCommands).
  – ARCS MyProxy: Get Proxy Certificate; the stored credential is protected by an arbitrary username & password.
• ARCS Access Service (SP, 12 wks timeout): Register. ARCS internal/backend processing creates the ARCS username & password in ARCS LDAP.
  – ARCS Cred's enabled Service: access using ARCS username and password (e.g. Data Fabric via webDAV).
• AAF-enabled Service (SP): access using IdP username and password via AAF Login (e.g. Data Fabric, Plone, TWiki); ARCS internal/backend processing.
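The "Get SLCS Certificate" step in the diagram, as an added example that is not ARCS code and not the ARCS SLCS client or server: the client generates a key pair locally and sends only a CSR; the SLCS service, trusting the preceding AAF login, ignores the CSR's subject, builds the subject from the attributes the IdP released, and signs with a short lifetime. The `cryptography` package, the demo CA, the DN layout (shared token in the CN) and the attribute names are assumptions; the 1,000,000-second lifetime cap is the IGTF SLCS profile bound.

```python
# Added example (not ARCS code): the "Get SLCS Certificate" step from page 11 modelled
# with the `cryptography` package. The client keeps its private key and sends only a CSR;
# the SLCS service, trusting the AAF login, sets the subject from released attributes and
# signs with a short lifetime. The DN layout, attribute names and demo CA are assumptions.
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

SLCS_MAX_LIFETIME_SECONDS = 1_000_000  # IGTF SLCS profile cap, about 11.6 days


def _validity(cert: x509.Certificate) -> Tuple[datetime, datetime]:
    """Return (not_before, not_after) as aware UTC datetimes across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na


def make_ca(name: str = "Demo SLCS CA") -> Tuple[rsa.RSAPrivateKey, x509.Certificate]:
    """Throwaway self-signed CA standing in for the ARCS SLCS CA (assumption: RSA-2048)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "example"),
                         x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def client_make_csr() -> Tuple[rsa.RSAPrivateKey, x509.CertificateSigningRequest]:
    """Client side (an SLCS client tool): the private key never leaves the researcher's host."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    placeholder = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ignored by SLCS")])
    csr = x509.CertificateSigningRequestBuilder().subject_name(placeholder).sign(key, hashes.SHA256())
    return key, csr


def issue_slcs_cert(ca_key, ca_cert, csr, released: Dict[str, str],
                    lifetime_seconds: int = 950_400) -> x509.Certificate:
    """SLCS service step after a successful AAF login: bind released attributes to the CSR's key."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: requester does not hold the private key")
    if lifetime_seconds > SLCS_MAX_LIFETIME_SECONDS:
        raise ValueError("requested lifetime exceeds the SLCS cap")
    token = released.get("auEduPersonSharedToken")
    if not token:
        raise PermissionError("IdP did not release auEduPersonSharedToken")
    # Assumed DN layout: CA namespace, home organisation, and the shared token in the CN so
    # the DN stays the same if the researcher later authenticates via a different IdP.
    subject = x509.Name([x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "example"),
                         x509.NameAttribute(NameOID.ORGANIZATION_NAME, released.get("o", "unknown")),
                         x509.NameAttribute(NameOID.COMMON_NAME,
                                            f"{released.get('displayName', '')} {token}".strip())])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(seconds=lifetime_seconds))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))


def lifetime_seconds(cert: x509.Certificate) -> int:
    nb, na = _validity(cert)
    return int((na - nb).total_seconds())


def relying_party_accepts(cert: x509.Certificate, ca_cert: x509.Certificate) -> bool:
    """What a Grid-cert-enabled service checks: issuer, signature, validity window, lifetime."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    nb, na = _validity(cert)
    return nb <= datetime.now(timezone.utc) <= na and lifetime_seconds(cert) <= SLCS_MAX_LIFETIME_SECONDS
```

Two checks in `issue_slcs_cert` carry the security weight: the CSR signature proves the requester holds the private key the certificate will name, and the lifetime cap is what lets a relying party accept an SLCS certificate without a revocation check. A real deployment would add the CA's DN namespace policy and key-usage extensions; they are omitted here.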

Page 12

ARCS Auth Svcs Future Directions

• Authentication
  – IGTF Accreditation for SLCS (Level-2) CA
  – Explore MICS (Long-lived Grid credentials from IdPs)
  – Understand AAF & Shibboleth Roadmap implications
    · New Shibboleth profiles (ECP, Key-holder)
    · AusCERT PKI and implications
  – Understand Grid Services trends and implications
• Authorisation
  – Develop and utilise the ARCS Access Service
  – Implement Authorisation Rights Management
  – Develop authorisation exemplars (e.g. use of XACML)

Page 13

Thank you

Questions?