Presentation on theme: "Case Study 2: User Registration for the Earth System Grid."— Presentation transcript:
Case Study 2: User Registration for the Earth System Grid
VOiG June 2007The Globus Toolkit in Cyberinfrastructure2 The Earth System Grid
VOiG June 2007The Globus Toolkit in Cyberinfrastructure3 ESG Project Goals l Improve productivity/capability for the simulation and data management team (data producers). l Improve productivity/capability for the research community in analyzing and visualizing results (data consumers). l Enable broad multidisciplinary communities to access simulation results (end users). l The community needs an integrated cyberinfrastructure to enable smooth workflow for knowledge development: compute platforms, collaboration & collaboratories, data management, access, distribution, and analysis.
VOiG June 2007The Globus Toolkit in Cyberinfrastructure4 The Challenge l ESG is a distributed system that genuinely requires Grid-style distributed authentication. l ESG is used by scientists who dont need to be bothered with certificates. l CHALLENGE: Provide Grid security for the system but do it in such a way that end users dont have to manage certificates themselves.
VOiG June 2007The Globus Toolkit in Cyberinfrastructure5 Issues - Social l Ease of Use u ESG users shouldnt have to manage their own certificates. u Its too complicated, intrusive. u They dont do it well (securely). l Support u Certificate management generates a lot of user support work. l Use cases u Most ESG users are data readers, not writers. u Data producers and project funders want to know who the users are (registration), but access control among registered users is not a major requirement.
VOiG June 2007The Globus Toolkit in Cyberinfrastructure6 Issues - Technical l Distributed System u ESG has four major data centers, each with its own security system. u Users should not have to keep track of four sets of credentials and know when to use each. u The ESG web portal needs users credentials to perform work on their behalf, so a secure mechanism for doing that is important. l Integration u ESG uses GridFTP, RLS, OpenDAPg, and GRAM to meet other system requirements, so GSI has to be supported.
VOiG June 2007The Globus Toolkit in Cyberinfrastructure7 MyProxy l MyProxy is a remote service that stores user credentials. u Users can request proxies for local use on any system on the network. u Web Portals can request user proxies for use with back-end Grid services. l Grid administrators can pre- load credentials in the server for users to retrieve when needed. l Greatly simplifies certificate management!
VOiG June 2007The Globus Toolkit in Cyberinfrastructure8 Simple CA l A convenient method of setting up a certificate authority (CA). u The Certificate Authority can then be used to issue certificates for users and services that work with GSI and WS-Security. u Simple CA is intended for operators of small Grid testing environments and users who are not part of a larger Grid. l Most production Grids will not accept certificates that are not signed by a well-known CA, so the certificates generated by Simple CA will usually not be sufficient to gain access to production services.
VOiG June 2007The Globus Toolkit in Cyberinfrastructure9 Scenario 1 - User Registration l The user fills out the registration web page, establishes an ID/password, and the information is stored in a database. l The administrator is sent email.
VOiG June 2007The Globus Toolkit in Cyberinfrastructure10 Scenario 2 - Administrator Approval l Administrator visits the registration website and retrieves the registration data. l If the administrator approves the request, PURSE uses SimpleCA to generate a certificate and stores it in MyProxy. l The user is sent email.
VOiG June 2007The Globus Toolkit in Cyberinfrastructure11 Scenario 3 - User Login l The user logs into the application website using the ID/password established during registration. l The application obtains a proxy using MyProxy. l The application uses the proxy to authenticate to Grid services.
VOiG June 2007The Globus Toolkit in Cyberinfrastructure12 Sample email messages (a) Email confirmation step: message sent to user Date: Thu, 1 Jul 2004 14:25:47 -0600 (MDT) From: firstname.lastname@example.org To: email@example.com Subject: ESG Registration The Earth System Grid (ESG) Portal received a request for a new user account that uses your email address. Click on the link below to confirm your request (NOTE: you will not be able to login until you receive an email from the portal administrator indicating your request has been approved): http://www.earthsystemgrid.org/security/confirmRequest.do?tok en=000000fd-7c62-605c-ffffdea0-766ad9819840 If you did not request this account, please inform us at esg- firstname.lastname@example.org. Thank you, ESG System Administrator (b) Email sent to CA operator for approval From: email@example.com Date: July 1, 2004 12:17:07 AM MDT To: firstname.lastname@example.org Subject: ESG Registration A request has been made for user account on the ESG Portal. You may access the details of the request by clicking on the following link. http://www.earthsystemgrid.org/administration/account RequestData.do?token=000000fd-2e0e-5d33-00006ac0- 8387f64897be http://www.earthsystemgrid.org/administration/account RequestData.do?token=000000fd-2e0e-5d33-00006ac0- 8387f64897be Customizable
VOiG June 2007The Globus Toolkit in Cyberinfrastructure13 RA/CA Form Customizable
VOiG June 2007The Globus Toolkit in Cyberinfrastructure14 Results - ESG l Four data centers (LBNL, LLNL, NCAR, ORNL) l 700 registered users by May 2005, 2500 users in 2006, ~4000 now l Four major datasets are available, with associated code and metadata l Datasets added as they are produced l >200 journal articles published 2005-2006 from analyses of data delivered by the ESG
VOiG June 2007The Globus Toolkit in Cyberinfrastructure15 Results - Science l ESG allows ~4000 people to work with climate model datasets. l PURSE is available from dev.Globus u Generic version for re-use u Includes portlet code developed by OGCE u Allows users to import existing credentials u Supported by dev.Globus PURSE incubator project, with funding from NSF (CDIGS, OGCE) u Used in ESG, NVO, SWEGrid l GAMA is available from SDSC. u Portlet implementation hosted by GridSphere u Allows sharing by multiple portal applications u Currently used by GEON and BIRN projects
VOiG June 2007The Globus Toolkit in Cyberinfrastructure16 A Few PURSE Lessons l It is possible (and desirable) to hide Grid security from users. u Online repositories are one way to do this. u Others options include online CAs (e.g., KCA and KX.509). l Requirements and use cases are important. u Need to know exactly what the community concerns are: what needs to be protected. u Need to clearly identify roles. l Generalizing to PURSE was not trivial. u New requirements (e.g., credential import) u Documentation and usability testing l Community support was essential. u Addition of JSR-168-compliant portlets by OGCE made a big difference in usability. u Broader community of supporters.