Published by Abigail Boyle
VO Support and directions in OMII-UK
Steven Newhouse, Director
Slide 2: Our Mission…
OMII-UK aims to provide software and support to enable a sustained future for the UK e-Science community and its international collaborators
- Promote the use of good-quality open-source software
- Reduce the risk of moving to new e-infrastructure world
- Recognise distinct user communities: by domain and function
Slide 3: Primary Concerns
- Standards driven
- Need to interoperate
- Recognise distinct requirements: End-user, Developer, Service Provider
- Need to federate across multiple containers
- Provide infrastructures that are usable
Slide 4: OMII-UK Job Authorisation
- OMII 1.x: Application execution from GRIA
- Defined model enforced by PBAC
- PBAC: Process Based Application Control
- User registration & account (quota) creation
- Resource allocation for compute and data
- Data in
- Application execution
- Data out
- Application needs to be installed on the machine
Slide 5: PBAC: Process Based Access Control
- Specify server side workflow
- Need to have performed Action Z on Service A before Action Y on Service B
- Check authorisation policy rather than interaction state
- State interaction captured within a conversation
- Authorisation action is related to a particular conversation
- Client interaction is planned & context dependent
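The conversation-scoped check described on slides 4 and 5, as an added example that is not part of the original slides and not GRIA or OMII code. The class name ProcessPEP, the step names and the policy table are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed policy: action -> actions that must already have been
# authorised in the SAME conversation. Step names are assumptions modelled
# on the OMII 1.x sequence (allocation, data in, execution, data out).
WORKFLOW_POLICY = {
    "allocate_resources": set(),
    "data_in": {"allocate_resources"},
    "execute_application": {"data_in"},
    "data_out": {"execute_application"},
}

@dataclass
class Conversation:
    owner: str
    completed: set = field(default_factory=set)

class ProcessPEP:
    """Hypothetical enforcement point: decisions are scoped to a conversation."""

    def __init__(self, policy):
        self.policy = policy
        self.conversations = {}

    def open_conversation(self, subject):
        cid = secrets.token_urlsafe(16)  # unguessable conversation handle
        self.conversations[cid] = Conversation(owner=subject)
        return cid

    def authorise(self, cid, subject, action):
        """Return (allowed, reason); the action is recorded only if allowed."""
        conv = self.conversations.get(cid)
        if conv is None:
            return False, "unknown conversation"
        if conv.owner != subject:
            return False, "subject does not own this conversation"
        if action not in self.policy:
            return False, "action not covered by policy"  # default deny
        missing = self.policy[action] - conv.completed
        if missing:
            return False, "missing prerequisite: " + ", ".join(sorted(missing))
        conv.completed.add(action)
        return True, "ok"
```

Steps performed in one conversation do not satisfy prerequisites in another, so each job has to walk the workflow itself.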
Slide 6: OMII-UK Job Authorisation
- OMII 2.x: GridSAM
- GridSAM: Job Submission and Job Monitoring
- Uses JSDL to define the job
- Various back end environments
- DRMConnector
- Service specific Authorisation
- gridmap like
- Connector specific Authorisation
Slide 7: Within OMII 3.x
- Within a web service hosting environment
- Tomcat, Axis, WSS4J (WS-Security)
- Primarily Authentication through WS-Security
- Digital Signature on a signed message
- Signature MUST be signed by a certificate from a known CA
- Authentication data available to the service
- Outgoing message signed
Slide 8: Need to do better…
- An Authorisation policy that can be applied consistently across all services
- Within a hosting environment
- A network of hosting environments (e.g. VO)
- A solution that can be reused:
- Apply policy for portlet access
- Service specific policies:
- Data tables within a database
- Queues or processor/memory limits within a job
- Standards driven
Slide 9: Current Prototype
- PERMIS: Generate Attribute Certs & Policy
- Authz Service: SAML 1.1 Assertion port type
- Diagram labels: WS Request/Response, WS Container, AXIS Handlers, TestService, OMIIAuthz, OpenSAML, LDAP, PERMIS Management GUIs
- PEP = Policy Enforcement Point
- Due April 07 - OMII 3.4.0
Slide 10: But what is a VO?
- About roles, responsibilities and relationships
- Binding: Contractual
- Non-Binding: Best-effort
- End-users: Dynamic & flexible policy around their needs
- Resource Providers: Focus on users or VOs or real organisations?
- Usability: Critical need for tooling and integration into software
Slide 11: OMII-UK Users
Diagram labels: Applied Technology Specialists e-Infrastructure e-Researchers (domain & generic) Providers
Slide 12: Emerging Need: Dynamic Service Authorisation
- On job creation create a job specific policy
- Steven's job – he can manipulate & delete it
- But, the administrator can also delete it.
- But Steven may also want to allow June to be able to manipulate the job
- Provide an interface to manipulate policies
- Fine grained dynamic delegation
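The job-specific policy and delegation described on slide 12, as an added example that is not part of the original slides and not OMII-UK code. JobPolicyStore, its method names and the two action names are assumptions; the model lets only the job owner change the policy, so a delegate cannot pass rights on.

```python
class JobPolicyStore:
    """Hypothetical per-job policy store; names and actions are assumptions."""

    OWNER_ACTIONS = frozenset({"manipulate", "delete"})

    def __init__(self, administrators):
        self.administrators = set(administrators)
        self.policies = {}  # job_id -> {"owner": str, "grants": {subject: set}}

    def create_job(self, job_id, owner):
        # The job-specific policy is created together with the job.
        if job_id in self.policies:
            raise ValueError("job already exists")
        self.policies[job_id] = {"owner": owner,
                                 "grants": {owner: set(self.OWNER_ACTIONS)}}

    def is_permitted(self, job_id, subject, action):
        policy = self.policies.get(job_id)
        if policy is None:
            return False                      # default deny
        if action == "delete" and subject in self.administrators:
            return True                       # administrators may delete only
        return action in policy["grants"].get(subject, set())

    def _require_owner(self, job_id, subject):
        policy = self.policies.get(job_id)
        if policy is None or policy["owner"] != subject:
            raise PermissionError("only the job owner may change its policy")
        return policy

    def grant(self, job_id, grantor, grantee, action):
        policy = self._require_owner(job_id, grantor)
        if action not in self.OWNER_ACTIONS:
            raise ValueError("unknown action")
        policy["grants"].setdefault(grantee, set()).add(action)

    def revoke(self, job_id, grantor, grantee, action):
        policy = self._require_owner(job_id, grantor)
        if grantee == grantor:
            raise ValueError("owner rights are not revocable here")
        policy["grants"].get(grantee, set()).discard(action)
```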
Slide 13: Other gaps in AAA…
- The third A – Accounting
- Looking at RUS & UR options
- Account (quota) solution from GRIA
- Applying for an account (e.g. GAMA, PURSe)
- The silent A – Audit
- Attribute Management
- VOMS
- Standards?
Slide 14: Summary
- Manage authorisation policies across services
- Accounting (use against quota) is important
- Pick up on existing standards & tools
- Authorisation infrastructure
- User registration & account generation
- Think about the stakeholders in the system
- OMII-UK currently a non-GSI world
- But out-of-bound use through MyProxy
- Emerging need for dynamic policies & VOs
Slide 15: Where next…
- For further information, project lists, etc:
- Web: www.omii.ac.uk
- Downloads: OMII 3.2.0 released last week.
- Calls: Portlets & GridAPIs
- For further questions, support issues, etc:
- Mail: email@example.com@omii.ac.uk
- For me:
- Mail: firstname.lastname@example.org@omii.ac.uk