A History of the Next Five Years: (the rise of indoor plumbing)
2/22/2019
Topics
- Hooking applications to the plumbing
- Role and rule based authorization
- Work flow
- Virtual organizations
- Privacy managers
- Global issues
Hooking applications to the plumbing
- The importance of presence in real time communications
- Externalizing from the application as more of the plumbing gets created, e.g. authentication, group management, privilege management
- Integration, integration, integration
- Fine-grain access control is attractive and dangerous; beware of complexity
Role and rule based authorization
- Role-based is the only scalable approach
  - Requires campus business process reengineering
  - Roles have standard modifiers, such as limits, prerequisites, expiration dates, etc.
  - Delegation of roles is desirable but tricky
- Rule-based allows lots of real-time exceptions
  - Doctors in the emergency room
  - Visitors with laptops in the library
  - When processor use drops below 10%
Work Flow
- Closely related to authorization, in technology and practice
- Applies to a wide variety of situations, from business uses to job scheduling in grids to message handling
- May be a common architecture across those use cases, and perhaps tools of relatively broad scope to build
Virtual Organizations (VO’s)
- Examples, differentiators, current challenges
- The common requirements
- Background on recent middleware work
- The virtual organization support space
  - Role of enterprise and of federation
  - Role of virtual organization support center
  - Role of virtual organization
  - The business case for/against the model
- How do we know if it is viable…
Virtual Organizations
- Geographically distributed, enterprise-distributed community that shares real resources as an organization
- Examples include team science (NEESGrid, HEP, BIRN, NEON), digital content managers (library cataloguers, curators, etc.), a state-based life-long learning consortium, a group of researchers coordinating a launch vehicle payload, etc.
- On a continuum from interrealm groups (no real resource management, few defined roles) to real organizations (primary identity/authentication providers)
- Want to leverage enterprise middleware and external trust fabrics, as well as support centers
Virtual Organizations have…
- Real resources that they share and manage
  - May be computational resources
  - May be scientific instruments
  - May be bandwidth
  - May be shared data and content: economic data, museum materials, cultural and artistic works
- A relatively small set of users who tend to travel in common circles
- Often the need to have some accounting and regulatory compliance
Not Virtual Organizations
- University of Colorado, Boulder; LBL; Fred Hutchinson Cancer Center; etc. – these are enterprises, doing primary identity management services for faculty, students and staff
- The Beverly PTA wiki, Alt.gerbils-in-leather – these are groups, a set of people with a common interest but not managing real resources
- AOL, MSN, IdentityCommons, etc. – these are commercial identity service providers
Looking at V.O.s from a plumber’s view
National Science Digital Library Content Managers
The TeraGrid
The Hadron Collider cluster of experiments
Virtual organizations vary…
- By lifetime of VO
  - Some are relatively short-term, perhaps 1-2 years
  - Some may persist for extended periods
- By size
- By cluster – at any one time, 15-20 experiments (virtual orgs) are active at Fermi Lab, CERN. A shuttle launch may need coordination among several VO’s that have equipment aboard.
- By type of domain-specific tools
  - A number are using Grids
  - A number subscribe to major scientific data streams
  - Some have no domain-specific tools
Being a VO is hard…
- There are new requirements for security
- There is the need for development of operational models that integrate requirements from sites with requirements from science
- Simplified end-user tools that are consistent with the rest of a user’s experience would be very helpful
- Diagnostics across so many systems is difficult and getting significantly worse
Being a VO is hard…
- Many resources use geographically-oriented access controls
- Regulatory requirements might span countries
- The local IT infrastructure of members of a VO may vary widely
- Tools are not designed to work together, present a common management infrastructure, etc.
The Common Requirements
- Communications support
  - Multiple options for real-time and asynchronous intra-VO work
  - Integrated into the rest of one’s “presence”
- Collaboration support
  - Transparent web content access control
  - Workflow
- Diagnostics
- Plumbing the control plane into the domain science systems and virtual organization software
- Plumbing the VO technologies into the local environment
Support services
- VO Service Center
- Collaboration services
- Plumbing into domain applications
- Collaboration services
- Communication services
- Enterprise-based virtual organization shims
- Core middleware federation
Communication support
- Add this address book to my desktop video client as a VO setup
- Shared calendar access: grant the following roles in my VO permission to read my calendar at a campus-equivalent level
- A “transparently manageable” mail list for the VO
- Provide and maintain an IM buddy list for the VO
- Diagnostics
Collaboration support
- A transparent and managed wiki
- A transparent and managed set of web access controls
- Role based authorization
- Workflow
- A p2p trust fabric for VO use
- Data models
  - Of the data
  - Of the meta-data – what are the privileges, rights, etc.
- Management of international issues in privacy, copyright, etc.
Plumbing the control plane
- Management of the management aspects of the domain tools
  - Domain tools include Globus for Grids, Chemistry workbench, a historical data archive manager, etc.
  - Management aspects deal largely with managing users and uses, but can have initial configuration components
  - “2% of the science, 50% of the pain …”
- Providing a common user experience for both enterprise and VO systems
  - Today, each app believes it is the only one in your life…
  - Common models, terminology, controls, etc.
  - Distinct privileges being managed
- Integration of VO and enterprise
  - Students in class X can run VO experiment Y
  - VO and enterprise requirements can be joined
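As an added illustration that is not part of the slides, the Python below combines the two authorization models from the "Role and rule based authorization" slide with the "students in class X can run VO experiment Y" joining above: roles carry the standard modifiers (expiration dates, limits, prerequisites), an enterprise role and a VO role must both be active for the experiment, and a rule-based exception (the idle-processor case) is evaluated per request. All role, action and context names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Set

@dataclass(frozen=True)
class Role:
    """A held role plus the slide's 'standard modifiers' (names constructed)."""
    name: str
    expires: Optional[date] = None               # expiration date
    max_uses: Optional[int] = None               # limit on how often it may be exercised
    prerequisites: FrozenSet[str] = frozenset()  # roles that must also be held

def active_roles(roles: Iterable[Role], today: date, usage: Dict[str, int]) -> Set[str]:
    """Names of the roles still in force once every modifier has been applied."""
    roles = list(roles)
    held = {r.name for r in roles}
    active: Set[str] = set()
    for r in roles:
        expired = r.expires is not None and today > r.expires
        exhausted = r.max_uses is not None and usage.get(r.name, 0) >= r.max_uses
        if not expired and not exhausted and r.prerequisites <= held:
            active.add(r.name)
    return active

# Joined requirement: the enterprise attests who is in class X, the VO attests who
# is an experiment member, and BOTH roles must be active to run experiment Y.
REQUIRED: Dict[str, Set[str]] = {
    "run:experiment-y": {"enterprise:student-class-x", "vo:experiment-y-member"},
}

# Rule-based exception: a VO member may run the experiment without the class role
# while the processor is nearly idle (the slide's "processor use drops below 10%").
RULES: Dict[str, Callable[[Set[str], dict], bool]] = {
    "run:experiment-y": lambda active, ctx: (
        "vo:experiment-y-member" in active and ctx.get("cpu_load_pct", 100) < 10
    ),
}

def authorize(action: str, roles: Iterable[Role], today: date,
              usage: Dict[str, int], ctx: dict) -> str:
    """Role check first; a real-time rule may then grant what the roles alone do not."""
    active = active_roles(roles, today, usage)
    required = REQUIRED.get(action)
    if required is not None and required <= active:
        return "allow:role"
    rule = RULES.get(action)
    if rule is not None and rule(active, ctx):
        return "allow:rule"
    return "deny"
```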
Example University financials 1
Example University financials 2
Example University financials 3
VO authorization 1
VO authorization 2
VO authorization 3
The Middleware Work…
- The Basic Approach
  - Focus and manner of work
  - The role of Mace
- The work at the enterprise level
  - Directories
  - Web SSO, namespace and basic authentication
  - Signet
- The work at the federation level
  - Shibboleth
- The work at the virtual organization level
  - Bits and pieces
The Model: Enterprises, Federations, VO’s
Given the strong collaborations within the academic community, there is an urgent need to create inter-realm tools, so:
- Build consistent campus and enterprise middleware infrastructure deployments, with outward-facing objectclasses, service points, etc., and then
- Federate those enterprise deployments, using the outward-facing campus infrastructure, with interrealm attribute transports, trust services, etc., and then
- Leverage that federation to enable a variety of applications, from network authentication to instant messaging, from video to web services, and then, going forward
- Create tools and templates that support the management and collaboration of virtual organizations by building on the federated campus infrastructures.
Middleware Axioms
- Work the core areas
- Focus on interrealm and collaborative needs
- Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions
- Develop a consistent directory infrastructure within R&E
- Provide security while not degrading privacy
- Foster interrealm trust fabrics: federations and virtual organizations
- Leverage campus expertise and build rough consensus
- Support for heterogeneity and open standards
- Influence the marketplace; develop where necessary
RL “Bob” and Keith
The Virtual Organization Support Space
- Role of enterprise and of federation
- Role of virtual organization support center
- Role of virtual organization
- The business case for/against the model
Enterprise and federation
- Enterprise
  - Collaboration and communications infrastructure
  - Common plumbing interface
  - Storage of VO attributes in enterprise object classes
  - Hosting VO services for some VO
- Federation
  - Trust fabric for enterprise assertions
  - Dissemination of VO objectclasses
  - International trust fabric
VO Service Centers
- To provide infrastructure services for users whose enterprises can’t play
- To coordinate the dissemination of enterprise shims relative to the VO’s supported in the area
- To coordinate international efforts for multi-national VO’s
- To help train VO’s in the use of the tools and the organizational issues
Virtual organization
- Data and metadata models
- Attribute and role definition
- Domain specific infrastructure
Privacy Managers
Global Issues
- Privacy discrepancies
- Government trust peering
- And, sigh, time zone issues