Climate Sciences: Use Case and Vision Summary

Philip Kershaw [philip.kershaw@stfc.ac.uk]CEDA, RAL Space, STFC

Overview

• Update on developments since last workshop• Federated Identity for the Cloud

– Use case from two contrasting scenarios

• Vision Summary– What is the vision for this community– What are the issues we face and challenges we wish to address

Philip Kershaw [philip.kershaw@stfc.ac.uk]

Update from Last Workshop

• Earth System Grid Federation (ESGF): – a software infrastructure deployed in the first instance to support CMIP5

• CMIP5, a globally co-ordinated set of climate model experiments organised under the WCRP

• ESGF– Globally federated archive ~2.5Pb– 25k users worldwide (not just CMIP5)

• Security Architecture– Dual SSO methods supported: OpenID and MyProxyCA– SAML interfaces for attribute and authorisation queries

• ESGF now being deployed for other Earth science data– Earth observation and regional model data

• EGI – INSPIRE:– Project to enable access to ESGF resources via EGI– An inter-federation trust challenge

Philip Kershaw [philip.kershaw@stfc.ac.uk]

Federated Identity for Cloud: two contrasting scenarios

• CEMS (Climate and Environmental Monitoring from Space)– A UK facility for climate change and

environmental science using satellite data and services.

– Builds on ISIC (International Space Innovation Centre) public private partnership

– A focal point for science, government and commercial user communities.

– Data quality and integrity services and expertise

– Data hosting and processing facilities

• FP7 funded project over three years• Develop Federated cloud

infrastructure:– An abstraction layer to manage

resources over multiple cloud providers

• Platform as a Service solutions• Virtual Infrastructure Networks• Federated file system• SLA negotiation• Federated security• Build on Open Source cloud

solutionsPhilip Kershaw [philip.kershaw@stfc.ac.uk]

CEMS Architecture

Public and Commercial Cloud Infrastructure

Hardware – data storage [NCEO and Commercial Data] and processing

App 2 App 3 App NApp 1…

Business and researchuser communities

Data Access Quality Services

Core

Se

rvic

esAp

plic

ation

s

Clou

d M

anag

emen

t Se

rvic

es

Data Processing

CEMS: Federated Identity Challenges

• Access control is needed to enforce:– Licence agreements– Project restrictions– pay-for services?

• Federate identity needed to bridge:– academic and commercial organisations

• Bridging independent domains:– How to manage trust?– Communication of levels of assurance– Middleware to bridge independent access control infrastructures

• Integration with off-the-shelf cloud infrastructure

Philip Kershaw [philip.kershaw@stfc.ac.uk]

CONTRAIL: Federated Identity Challenges

• Layered architecture: federation abstracts individual providers and their resources• Single sign-on on two axes: external to federation and federation to provider• Credential management challenge: Resources may be long lived (e.g. a VM) but

dynamically provisioned– Virtual infrastructure networks may require dynamic creation of CAs

Philip Kershaw [philip.kershaw@stfc.ac.uk]

Climate Sciences: Vision Statement

• Project-oriented vs. ‘national’ federated identity management infrastructure– Projects require attributes scoped within the project’s domain covering multiple IdPs and possibly

federations– Can IdPs be expected to support attributes needed for multiple projects?– Project-wide attribute authorities needed to manage project attributes– Challenging to leverage national infrastructure for international projects!

• Inter-federation and bridging technologies– Management of levels of assurance between independent domains– Provenance of credentials

• Policies and trust– The lack of clear policy statements can inhibit the ability to interoperate with other established

systems.– Newer communities need to see the value of policies

• Cloud and virtualisation are creating new challenges– Dynamic provision of credentials for long lived resources

Philip Kershaw [philip.kershaw@stfc.ac.uk]