Presentation is loading. Please wait.

Presentation is loading. Please wait.

ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.

Published byAngelina Bradshaw Modified over 10 years ago

Similar presentations

Presentation on theme: "ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen."— Presentation transcript:

1 ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen Science and Technology Facilities Council Andrea Weise STFC / University of Reading Building data grids with iRODS, e-Science Institute, Edinburgh, 27 th May 2008

2 Overview of ASPiS Funded by JISC e-Infrastructure programme Partners: –Centre for e-Research, Kings College London –Science and Technology Facilities Council –(University of Reading - very helpful PhD student) Strand 1: access management in iRODS - integration with Shibboleth (and authorisation systems such as PERMIS) Strand 2: integration of iRODS with provenance capture systems

3 AuthN, AuthZ and iRODS Current authentication in iRODS (username/password, GSI). Current authorisation in iRODS. Issues with current mechanisms Shibboleth and federation Shibboleth and iRODS integration

4 Username/password AuthN IRODS + iCAT irodsEnv client iCAT contains list of usernames and passwords irodsA Contains username iinit Store hashed pw Username/hashed pw AuthN response Password

5 GSI AuthN IRODS client iCAT contains list of usernames and DNs User cert on client machine iinitChallenge/response AuthN response IRODS + iCAT Proxy server Get proxy cert compare DN in iCAT

6 Authorisation iCAT stores information on: –Users –Domains –Groups –Access Control Lists (ACLs) Access managed according to: –Mode of access (read / write / delete / annotate) –By user, domain, group Information held centrally.

7 Issues Centralised management of user identities and access rights Doesnt scale well Different organisations cannot maintain their own lists of users in data grid - duplication, lists can get out of synch Inflexible authorisation system - no locally managed admin of access rights Certificates a barrier to uptake of grids in some communities

8 Shibboleth Architecture for federated access to web based resources Based on circle of trust among organisations User identities managed locally to their institution Access to resources managed locally to the owning institution Adopted by JISC as solution for managing access to distributed web resources (UK Access management Federation)

9 Shibboleth Information Flow

10 Shibboleth & iRODS Apache mod_ shib access request iRODS+RE PIP Rule PDP μ-service attributes admin PEP response Capture & store attributes

11 Shib: Work so far & plans Gathering use-cases for access management (SRB users, NGS users, Diamond users and others). Setting up iRODS and Shibboleth test environments (including one for NGS users) Investigate, prototype and evaluate a number of options: –How a micro-service will call PDP/PEP –How to pass attributes through iRODS –Interaction with web-browser

12 Provenance How the data was derived affects the interpretation of the data. So, important to record how data is derived (i.e. provenance of the data). – derived includes the process of creation and subsequent modification and manipulation of the data. –we must store as much information as necessary to understand the data – depends on context of subsequent use. –implies that provenance is open-ended.

13 Provenance & iRODS Data to be stored in iRODS should also have provenance information attached to it. Requirements for provenance metadata will depend on the purpose and context of its use: –Implies that we must interoperate flexibly with existing (& future) provenance systems. Must also record the manipulations on the data once stored in iRODS: –Versions of rules operating on data. –Versions of micro-services operating on data. –Date when data manipulated, host data manipulated on. –Who did it.

14 Provenance & Data Curation Internal: store provenance information in iRODS itself: –In iCAT or part of iRODS that can be queried from iCAT –Capture all iRODS manipulations in rules and microservices. Rules cause micro-services to access external provenance systems. –Different micro-services for different external provenance systems. –Can configure rule to be executed using conditional rule execution (as for AuthZ).

15 Provenance & iRODS IRODS + iCAT + RE IRODS +RE IRODS + RE External Provenance System Internal Provenance System IRODS System Rule engine runs, manipulations recorded Rule causes micro- service to access external system client Client stores data in iRODS Update iCAT file metadata Update iCAT file metadata

16 Provenance: Work so far & Plans Gathering use-cases for what to store/access. Already working on how to query PASOA through iRODS (Andrea Weise). Starting to investigate how to capture information from iRODS system. –Need to understand how we can version rules and micro-services.

17 Contacts mark.hedges at kcl.ac.uk tobias.blanke at kcl.ac.uk a.hasan at rl.ac.uk j.Jensen at rl.ac.uk

Download ppt "ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Www.ogf.org OGF-23 iRODS Metadata Grid File System Reagan Moore San Diego Supercomputer Center.

OGF-23 iRODS Metadata Grid File System Reagan Moore San Diego Supercomputer Center.
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.

Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.
FAME-PERMIS Project University of Manchester University of Kent London, July 2006.

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.
The National Grid Service and OGSA-DAI Mike Mineter

The National Grid Service and OGSA-DAI Mike Mineter
MyProxy Guy Warner NeSC Training.

MyProxy Guy Warner NeSC Training.
VO Support and directions in OMII-UK Steven Newhouse, Director.

VO Support and directions in OMII-UK Steven Newhouse, Director.
Spatial Data e-Infrastructure UK e-Science ALL HANDS MEETING 2008 8-11 September, Edinburgh, UK Higgins, C., Koutroumpas, M., Sinnott, R.O., Watt, J.,

Spatial Data e-Infrastructure UK e-Science ALL HANDS MEETING September, Edinburgh, UK Higgins, C., Koutroumpas, M., Sinnott, R.O., Watt, J.,
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Contrail and Federated Identity Management

Contrail and Federated Identity Management
Www.consequence-project.eu ICAT Developer Workshop : Consequence Shirley Crompton, ESC, STFC Daresbury Laboratory.

ICAT Developer Workshop : Consequence Shirley Crompton, ESC, STFC Daresbury Laboratory.
ACET The ASPiS project UK e-Science AHM Oxford, 08 Dec 2009 Jens Jensen, STFC.

ACET The ASPiS project UK e-Science AHM Oxford, 08 Dec 2009 Jens Jensen, STFC.
A Very Brief Introduction to iRODS

A Very Brief Introduction to iRODS
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Copyright JNT Association 20051Optional www.ukfederation.org.uk Copyright JNT Association 2007 1 Joining the UK Access Management Federation 4th April.

Copyright JNT Association 20051Optional Copyright JNT Association Joining the UK Access Management Federation 4th April.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.

Similar presentations

Ads by Google