Research and NeSC Applications Prof Richard Sinnott Technical Director National e-Science Centre 26 th October 2006.

The Context
There are many Grids
There are many ways to build Grids
There are many different middleware competing in this space
People say Grid in grants and then build web services because Grid middleware is too hard
There are many agendas
–big business, academic, …
There are many moving targets
–changing middleware, changing standards, changing sciences resources/questions/funding streams…
There is a lot of hype
There is a lot of money available
There are lots of projects and big scientific challenges
There is an urgent need to build user communities
There needs to be much more research pull than middleware push
–… there are many more things that could go here!

Data Grids for High Energy Physics
[Diagram: tiered data grid – Online System, Offline Processor Farm (~20 TIPS), CERN Computer Centre (Tier 0), FermiLab (~4 TIPS), France/Italy/Germany Regional Centres (Tier 1), Tier2 Centres (~1 TIPS, e.g. Caltech), Institutes (~0.25 TIPS), Physicist workstations (Tier 4), Physics data cache; link rates ~PBytes/sec, ~622 Mbits/sec, ~100 MBytes/sec, ~1 MBytes/sec]
There is a “bunch crossing” every 25 nsecs.
There are 100 “triggers” per second
Each triggered event is ~1 MByte in size
Physicists work on analysis “channels”. Each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server
1 TIPS is approximately 25,000 SpecInt95 equivalents
LCG/gLite middleware (large scale data management, large scale compute resource management, resource broking…!!!)

Challenges of NanoCMOS Design
3D + Statistical
OMII-UK middleware (workflows, security, data management, resource management, …)

The e-Health Future…
Nucleotide sequences → Nucleotide structures → Gene expressions → Protein structures → Protein functions → Protein-protein interaction (pathways) → Cell → Cell signalling → Tissues → Organs → Physiology → Organisms → Populations
Globus/WS-middleware (fine grained security, data access/integration, exponential data growth, keep it simple!)

NeSC Research…
Most NeSC Glasgow research is on security and ease of use across various application domains
NeSC Edinburgh focus is on middleware development, especially Grid data access/integration (OGSA-DAI, DAIT, OMII-UK, eDIKT), high performance networking, data curation…

Ease of Use (…and setting the scene for some of the later demonstrations)
For Grids/e-Research to be truly successful
–have to be made as seamless to access and use as the internet
Forget training, education for some (most?) users!
–have to be based on research pull and not middleware push
–experiences in various projects have shown that users don’t like digital certificates
The majority most certainly won’t jump through hoops to get on the Grid

Single Sign-On
X.509 certificate based PKI common to many Grid efforts (including UK)
–Step 1. Get a certificate
–Step 2. Get your DN registered at places you expect to use
–Step 3. Read the manuals (Globus, gLite, …) for how to submit/run a job

Step 1
In UK e-Science community X.509 PKI based on centralised CA with direct single hierarchy to users
–Typical scenario for getting Grid certificate (actors: User, RA, CA)
1. Request certificate (
2. Check details of request
3. Ok?
4. Download and install certificate in browser
5. Download and install CRL
6. Export certificate to various formats e.g. as Grid certificate
$> openssl pkcs12 -in cert.p12 -clcerts -nokeys -out usercert.pem
!!!! This is off-putting for end users!!! Typically not available on Windows!!! Root access? Local sys-admin?

But…
Identity management issues
–Certificate Revocation Lists
–When revoked? By whom? How timely?
Strong passwords for private keys
–Users write them down, share them, forget them
Privilege Management
–Numerous domains where users never get access to a local account to “do stuff”
User classification
–Tinkerers vs much larger e-Research Community: they want services to point their browser at and point-click to run things on the Grid
–I don’t want an account on a cluster to compile/run code, I’m a biologist who wants to run BLAST on a free National Grid resource

As a result…
~3500 UK e-Science certs
–1000 for Manchester cluster
But over 3 Million Athens accounts in UK HE/FE
Iceberg is not to scale!!!!

How Can we Improve Things?
We don’t want each domain reinventing their own security solutions
Best to exploit local authentication
–Sites know best if users are still at the institution and are best placed to state what their privileges are/should be

Introducing Shibboleth
Shibboleth (
Definition: Shibboleth [Hebrew for an ear of corn, or a stream or flood] 1. A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See Judges xii. 2. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.
Shibboleth will replace Athens as access mgt system across UK academia
–Federations based on trust, or more accurately trust but verify
–numerous international federations exist: MAMS, SWITCH, HAKA, SDSS…

Typical Shibboleth Scenario
[Diagram: User; Home Institution Identity Provider (AuthN against LDAP); Federation W.A.Y.F.; Service Provider (Grid resource / portal)]
1. User points browser at Grid resource/portal (or non-Grid resource)
2. Shibboleth redirects user to W.A.Y.F. service
3. User selects their home institution
4. Home site authenticates user
5. User accesses resource

It’s a start, but…
Benefit from local authentication but really want finer grained control…
–I know you have authenticated, but I need to know that you have sufficient/correct privileges to access my VO resources
–can also return various other information needed to support authorisation decisions

Authorization Technologies
Various technologies for authorization including
–PERMIS (PrivilEge and Role Management Infrastructure Standards Validation) –
–Community Authorisation Service
–AKENTI
–CARDEA abstract.htmlhttp:// 020-abstract.html
–VOMS
At NeSC we have been working extensively with PERMIS

Role Based Access Controls
Basic idea is to define:
–roles applicable to specific VO; roles often hierarchical
–Role X ≥ Role Y ≥ Role Z
–A manager can do everything (and more) that an employee can do, who can do everything (and more) that a trainee can do
–actions allowed/not allowed for VO members
–resources comprising VO infrastructure (computers, data resources etc)
A policy then consists of sets of these rules { Role x Action x Target }
–Can user with VO role X invoke service Y on resource Z?
Policy itself can be represented in many ways, e.g. XML, XACML, …
Tools available for policy editing, associating users with roles, signing policies etc
–Policies stored as attribute certificates in LDAP server (New tools/wizards presented at OGF18 Washington)
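As an added illustration (not PERMIS code and not from the talk), the following Python evaluates a { Role x Action x Target } policy over a hierarchical role set of the Manager ≥ Employee ≥ Trainee kind described above. The roles, actions, targets and rules are constructed for this example; a real deployment would load a signed policy from LDAP rather than a literal list, and the evaluator is default-deny, so a role the policy does not know contributes nothing.

```python
"""Hierarchical RBAC policy evaluation of the {Role x Action x Target} kind.
Added example; the hierarchy, rules and names below are constructed."""

from dataclasses import dataclass

# Direct seniority relation: a role maps to the roles it is senior to.
# Constructed sample: manager >= employee >= trainee.
ROLE_HIERARCHY = {
    "manager": {"employee"},
    "employee": {"trainee"},
    "trainee": set(),
}


@dataclass(frozen=True)
class Rule:
    """One policy rule: a role may perform an action on a target."""
    role: str
    action: str
    target: str


# Constructed sample policy for a small bioinformatics VO.
POLICY = [
    Rule("trainee", "read", "nucleotide-db"),
    Rule("employee", "invoke", "blast-service"),
    Rule("manager", "write", "nucleotide-db"),
]


def effective_roles(role, hierarchy=ROLE_HIERARCHY):
    """Return the role together with every role it dominates
    (transitive closure over the hierarchy; safe against cycles)."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(hierarchy.get(current, ()))
    return seen


def is_permitted(user_roles, action, target, policy=POLICY, hierarchy=ROLE_HIERARCHY):
    """Can a user holding user_roles invoke action on target?
    Default deny: only an explicit matching rule for a role the user
    effectively holds grants access. Unknown roles are ignored."""
    held = set()
    for role in user_roles:
        if role in hierarchy:
            held |= effective_roles(role, hierarchy)
    return any(
        rule.role in held and rule.action == action and rule.target == target
        for rule in policy
    )


if __name__ == "__main__":
    for roles, action, target in [
        (["manager"], "read", "nucleotide-db"),    # inherited from trainee
        (["trainee"], "invoke", "blast-service"),  # not senior enough
        (["employee"], "write", "nucleotide-db"),  # manager-only action
        (["visitor"], "read", "nucleotide-db"),    # role unknown to the policy
    ]:
        print(roles, action, target, "->", is_permitted(roles, action, target))
```

The closure in `effective_roles` is what makes "Role X ≥ Role Y" work without duplicating rules for every senior role; `is_permitted` then answers exactly the question on the slide, "can a user with VO role X invoke service Y on resource Z?".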

Finer Grained Shibboleth Scenario
[Diagram: User; Home Institution Identity Provider (AuthN against LDAP); Federation W.A.Y.F.; Service Provider comprising Shib Frontend, Grid Portal and Grid Application]
1. User points browser at Grid resource/portal
2. Shibboleth redirects user to W.A.Y.F. service
3. User selects their home institution
4. Home site authenticates user and pushes attributes to the service provider
5. Pass authentication info and attributes to authZ function
6. Make final AuthZ decision

Ok, but…
I can do authorisation but I want single sign-on to lots of distributed resources across different organisations (aka Virtual Organisations in Grid speak)
–Browser allows session information to be kept, so other resources can be accessed without signing in again
Provided authorisation information is valid for different service providers
–Each service provider completely autonomous
Can configure attribute release/attribute acceptance policies per identity provider/service provider
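To make the two Shibboleth scenarios and the per-provider policies concrete, here is an added simulation in Python; it is not Shibboleth code and not from the talk. The identity provider authenticates the user once (step 4), releases attributes according to an attribute release policy keyed by service provider, and each autonomous service provider filters what it will accept from that identity provider before making its own access decision (steps 5 and 6). All provider names, users, attributes and policies are constructed for the example.

```python
"""Simulated Shibboleth-style attribute flow with per-SP release policies
and per-IdP acceptance policies. Added example; every name is constructed."""

# Constructed IdP user store: what the home institution knows about alice.
IDP_USERS = {
    "glasgow.example": {
        "alice": {
            "password": "correct horse",
            "attrs": {
                "eduPersonAffiliation": "staff",
                "voRole": "bioinformatician",
                "mail": "alice@glasgow.example",
                "dateOfBirth": "1970-01-01",
            },
        },
    },
}

# Attribute release policy, per (IdP, SP): what the IdP is willing to send.
RELEASE_POLICY = {
    ("glasgow.example", "blast-portal.example"): {"eduPersonAffiliation", "voRole"},
    ("glasgow.example", "library.example"): {"eduPersonAffiliation"},
    ("glasgow.example", "archive.example"): {"eduPersonAffiliation", "voRole"},
}

# Attribute acceptance policy, per (SP, IdP): what the SP trusts that IdP to assert.
ACCEPTANCE_POLICY = {
    ("blast-portal.example", "glasgow.example"): {"eduPersonAffiliation", "voRole"},
    ("library.example", "glasgow.example"): {"eduPersonAffiliation", "mail"},
    ("archive.example", "glasgow.example"): {"eduPersonAffiliation"},
}

# Each SP's own access rule: required attribute and the values that satisfy it.
SP_REQUIREMENTS = {
    "blast-portal.example": ("voRole", {"bioinformatician"}),
    "library.example": ("eduPersonAffiliation", {"staff", "student"}),
    "archive.example": ("voRole", {"bioinformatician"}),
}


class IdentityProvider:
    """Home institution: authenticates once, then releases filtered attributes."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # session id -> user; reused across service providers

    def authenticate(self, user, password):
        record = IDP_USERS[self.name].get(user)
        if record is None or record["password"] != password:
            return None
        session_id = f"sess-{len(self.sessions) + 1}"
        self.sessions[session_id] = user
        return session_id

    def release_attributes(self, session_id, sp_name):
        user = self.sessions.get(session_id)
        if user is None:
            return None  # no valid session: nothing is released
        allowed = RELEASE_POLICY.get((self.name, sp_name), set())
        attrs = IDP_USERS[self.name][user]["attrs"]
        return {k: v for k, v in attrs.items() if k in allowed}


class ServiceProvider:
    """Autonomous SP: filters incoming attributes, then decides on its own rule."""

    def __init__(self, name):
        self.name = name

    def decide(self, idp_name, attrs):
        accepted_keys = ACCEPTANCE_POLICY.get((self.name, idp_name), set())
        accepted = {k: v for k, v in attrs.items() if k in accepted_keys}
        attribute, ok_values = SP_REQUIREMENTS[self.name]
        return accepted.get(attribute) in ok_values, accepted


def access(idp, session_id, sp):
    """Full exchange for one SP: release, accept, decide. Returns (allowed, attrs seen)."""
    attrs = idp.release_attributes(session_id, sp.name)
    if attrs is None:
        return False, {}
    return sp.decide(idp.name, attrs)


def demo():
    """One authentication, three service providers, three independent decisions."""
    idp = IdentityProvider("glasgow.example")
    session_id = idp.authenticate("alice", "correct horse")
    return {
        sp: access(idp, session_id, ServiceProvider(sp))
        for sp in ("blast-portal.example", "library.example", "archive.example")
    }


if __name__ == "__main__":
    for sp, (allowed, seen) in demo().items():
        print(f"{sp}: {'allow' if allowed else 'deny'} using {seen}")
```

The archive case is the instructive one: the identity provider releases `voRole`, but that service provider's acceptance policy does not trust `voRole` from this identity provider, so the decision is deny even though the user holds the right role. Both sides of the federation have to agree before an attribute reaches the authorisation function.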

NeSC Applications

BRIDGES Project – more later
GEMEPS Project – more later
VOTES Project – more later

DyVOSE Project
Dynamic Virtual Organisations for e-Science Education (DyVOSE) project
–Two year project (£289k) started 1st May 2004 funded by JISC
–Exploring advanced authorisation infrastructures for security … in Grid Computing Module as part of advanced MSc at Glasgow
–providing insight into rolling Grid out to the masses!

Putting the “Dy” in DyVOSE – Dynamic PMI Case Study
[Diagram: Glasgow and Edinburgh sites, each with Education VO policies in LDAP and PERMIS based authorisation checks/decisions; Grid-data Client, Grid BLAST Service and Grid BLAST Data Service (Nucleotide + Protein Sequence DB), implemented by students; student data input, protein/nucleotide data returned based on student team role; Glasgow SoA using Glasgow DIS to issue Edin. roles; Edinburgh SoA using Glasgow DIS to issue Edin. roles; ACs created for Edin. roles]

Security Related Projects
GLASS
–JISC funded, started March 2006
–Exploring early adoption of Shibboleth
–Working with Computer Services directly
–Scenarios based upon teaching and access to NHS resources/data; includes brain trauma (interest to neuro-folk/CARMEN?)
–Builds upon university wide unified account management system being rolled out (based on Novell nSure technology)
ESP-Grid
–JISC/Oxford University funded
–Developed demonstrator to show how Grid resources can be accessed and used via Shibboleth technology
Grid Security Report
–JISC/JCSR funded
–Focus on Grid security practices, middleware and outlook
Grid meets Geographical Information Systems
–JISC funded with focus on Shibboleth access to GIS data resources

Grid Enabled Occupational Data Environment (GEODE)
–Funded by ESRC, led by University of Stirling
–Two year project aiming to develop Grid enabled portal for occupational data
–includes integration of various existing classification schemes
–More later!

Grid Enabling Biomedical Pathway Simulator
To extend software from DTI funded BPS project to benefit from the Grid
–Biochemical differential equation solver
–Parameter searches
–Security aspects important

Scottish Bioinformatics Research Network
Four year proposal (£2.4M) started February 2006
–Funded by Scottish Enterprise, Scottish Higher Education Funding Council, Scottish Executive Environment and Rural Affairs Department
Involves Glasgow, Dundee, Edinburgh, Scottish Bioinformatics Forum
–Aim to provide bioinformatics infrastructure for Scottish health, agriculture and industry
–Infrastructure support at Dundee, Edinburgh and Glasgow to support first-rate research in bioinformatics at each academic institute
–Infrastructure support at three institutes, to support inter-institutional sharing of compute and data resources through application of Grid computing
–Outreach and training activities mediated by the Scottish Bioinformatics Forum

Scottish Family Health Study
Five (2+3) year proposal (£4.6M) started January 2006
–Funded by Health Department and Department for Enterprise and Lifelong Learning
Involves Glasgow, Dundee, Edinburgh, Aberdeen
–focus on genetics as applied to healthcare
–first two years emphasis on providing a platform for research into the genetic basis of common complex diseases in Scotland
»Mental health, cardiovascular, …
»Plan to establish 15,000 family-based intensively-phenotyped cohort recruited from the East and West of Scotland
–basis for neutralising heritable (genetic) risk factors in disease surveillance, treatment optimisation, avoidance of adverse drug events and prediction of response to therapy, health care planning and drug discovery, …

Meeting the Design Challenge of nanoCMOS Electronics
[Figure (Toshiba 04): device diversification – 90nm: HP, LOP, LSTP; 45nm: UTB SOI; 32nm: Double gate]
£5.3M EPSRC Pilot – kicks off next week
4-year project with lots of international visibility

Current Efforts
AHRC grant proposals
–Performance Arts
–Scottish Language and Literature
OMII proposals
–Visualisation service
Scottish Enterprise
–Production level clinical e-Infrastructure for Scotland
Wellcome Trust
–Grid based biomedical visualisation infrastructure
EPSRC
–Grid based brain trauma co-ordination with China; links to CARMEN
–Construction Industry and Grids
JISC
–MANY bids on-going in e-Infrastructure, e-Repositories, … areas
And of course the Scottish Grid Service…

Opportunities
There are more opportunities than can be followed up
All funding councils, DTI, JISC, Europe FW7, international calls
–How long for…?
–Often difficult to get the first grant…?
–More than happy to work with folk…?