1
The eInfrastructure AAI roadmap in Europe
Trends in European AA policy
8th EUGridPMA Meeting, Karlsruhe, 2006
  • EUGridPMA Karlsruhe meeting
  • David Groep, NIKHEF

2
Aims of the Integrated AAI
  • Roadmap for the European e-Infrastructures:
    create a single seamless AA experience for the
    user
  • Spans
    • the authentication/ID provisioning domain
    • as well as the authorisation area
    • across any kind of application
      • grids like we know today
      • network access (eduroam)
      • web resource access
      • (m)any other services

3
e-IRG integrated AAI Roadmap
  • Trans-disciplinary (Grid projects, NRENs, other
    user communities) and trans-continental forums
    that move towards the establishment of a global,
    seamless AA infrastructure for e-Science
    applications should be encouraged.
  • The e-IRG wishes to acknowledge the efforts made
    in this direction by the IGTF and the open
    information exchange point provided by TERENA
    task forces.
  • Recommendation to the e-IRG, Austrian EU
    Presidency 2006

4
e-IRG mandate
  • The main objective of the e-IRG is to support on
    the political, advisory and monitoring level, the
    creation of a policy and administrative framework
    for the easy and cost-effective shared use of
    electronic resources in Europe (focusing on
    Grid-computing, data storage, and networking
    resources) across technological, administrative
    and national domains.
  • The e-IRG consists of official delegations from
    the ministries of Education of the various
    European countries. It has an important role in
    assigning funding priorities for EU framework
    programmes and the strategy for e-Europe.

5
Contributors
  • Roadmap contributors and actors in the field
  • e-IRG (high-level policy)
  • TERENA TF-EMC2, TF-Mobility
  • IGTF
  • eduroam
  • GEANT2 JRA5 (eduGAIN)
  • REFEDs
  • many national federations (CH, ES, NL, NO, UK, ...)
  • software providers: Shibboleth, A-Select, PAPI, ...

6
Grid Authorization
  • user centric communities
  • either grass-roots or infrastructure-based
  • primary applications today in compute/data/database
    access

7
Grid AuthZ status
  • User-centric community management today
    • for (virtually) all grids, based on
      authentication by IGTF-accredited authorities
    • these assertions are used for authorization,
      where there is far greater variety in
      mechanisms and concepts
    • software in a continuous transition phase
    • actual user communities are expert and
      relatively small, i.e., O(100 000) users

8
Grid Authorization
  • Current (deployed) models in most compute/data
    grids
    • all based on proxies, implementing SSO and
      delegation
  • Identity-based authorization
    • lists of authorized users, possibly organised on
      a VO basis
    • model is being deprecated in larger deployments
  • Attribute-based authorization
    • VO-managed databases, directories issuing
      VO-signed assertions
    • VO identity itself based on IGTF certificates
    • resource providers grant access based on these VO
      attributes
    • pushed down with the service request (typically
      as ACs embedded as an extension in the proxy
      certificate): VOMS
    • in part supported by (proxy) credential caches:
      MyProxy

9
Grid Characteristics
  • Special characteristics
    • rights delegation (typically to processes)
    • rights/role selection based on the session,
      and not the target resource per se
    • on-demand creation of new sources of authority
      (VOs)
    • grid communities cut through organisations

10
Software developments in AA
  • (grid) software has become flexible over the past
    few years
  • most software now supports both push and pull of
    attributes and assertions
  • it's slowly becoming syntax-agnostic (X.509 ACs,
    SAML, ...)

[figure: push vs. pull of attributes and assertions, numbered steps 1-4]
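The following is an added example, not code from the slides or from any of the projects named on them. It illustrates slide 8 (VO-signed attributes pushed with the request, as VOMS does with attribute certificates in the proxy) and slide 10 (push versus pull of attributes) with a simplified flow. Everything in it is constructed: the VOAttributeAuthority class, the subject DNs, the FQANs and the local policy are invented, and the VO "signature" is an HMAC over the assertion under a key shared with the resource provider, standing in for the X.509 AC signature a real VOMS server would produce. The shape of the resource-side check is the point: trusted issuer, intact signature, validity window, then FQANs evaluated against local policy.

```python
# Added example, not from the slides: VO attribute-based authorization with
# push and pull of attributes. All names, keys and data are constructed.
import hashlib
import hmac
import json
import time


class VOAttributeAuthority:
    """Hypothetical VO server holding the membership database and signing
    attribute assertions (a stand-in for VOMS)."""

    def __init__(self, vo, key, members):
        self.vo = vo
        self._key = key
        self._members = members           # {subject DN: [FQAN, ...]}

    def issue(self, subject, lifetime=3600, now=None):
        """Push model: the user obtains a signed assertion and embeds it in
        the service request (in VOMS: an AC inside the proxy certificate)."""
        now = time.time() if now is None else now
        fqans = self._members.get(subject)
        if fqans is None:
            raise PermissionError(f"{subject} is not a member of {self.vo}")
        payload = {"vo": self.vo, "subject": subject, "fqans": list(fqans),
                   "not_before": now, "not_after": now + lifetime}
        body = json.dumps(payload, sort_keys=True).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}

    def query(self, subject):
        """Pull model: the resource provider asks the VO at decision time."""
        return list(self._members.get(subject, []))


def fqan_matches(pattern, fqan):
    """Match one FQAN against a policy pattern. A trailing '/*' covers the
    group itself and everything below it; any other pattern must match
    exactly, so '/atlas/Role=production' does not match '/atlas'."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return fqan == base or fqan.startswith(base + "/")
    return fqan == pattern


def verify_assertion(assertion, trusted_vo_keys, now=None):
    """Resource-side check of a pushed assertion: (True, fqans) when the
    issuer is trusted, the signature is intact and the validity window
    covers `now`, otherwise (False, reason)."""
    now = time.time() if now is None else now
    p = assertion["payload"]
    key = trusted_vo_keys.get(p["vo"])
    if key is None:
        return False, f"untrusted VO {p['vo']!r}"
    body = json.dumps(p, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "VO signature does not match the attributes"
    if not p["not_before"] <= now <= p["not_after"]:
        return False, "assertion outside its validity window"
    return True, list(p["fqans"])


def authorize(fqans, policy):
    """Attribute-based decision: `policy` is an ordered list of
    (FQAN pattern, local privilege); the first pattern matched by any of
    the user's FQANs wins, and no match means deny (None)."""
    for pattern, privilege in policy:
        if any(fqan_matches(pattern, f) for f in fqans):
            return privilege
    return None


def decide_push(assertion, trusted, policy, now=None):
    """Push flow: attributes travel with the request and are verified first."""
    ok, result = verify_assertion(assertion, trusted, now)
    return authorize(result, policy) if ok else None


def decide_pull(subject, vo_server, policy):
    """Pull flow: the resource fetches attributes from the VO itself, so the
    trust lies in the channel to the VO rather than in a signature."""
    return authorize(vo_server.query(subject), policy)


# --- constructed demo data ---------------------------------------------
VO_KEY = b"constructed-shared-key"
JOHN = "/DC=org/DC=example/CN=John Doe"        # constructed subject DNs
MAGGIE = "/DC=org/DC=example/CN=Maggie"
atlas = VOAttributeAuthority("atlas", VO_KEY, {
    JOHN: ["/atlas/production/Role=production", "/atlas"],
    MAGGIE: ["/atlas"],
})
TRUSTED = {"atlas": VO_KEY}
POLICY = [                                     # most specific pattern first
    ("/atlas/production/Role=production", "atlasprod"),
    ("/atlas/*", "atlas-pool"),
]

if __name__ == "__main__":
    print(decide_push(atlas.issue(JOHN), TRUSTED, POLICY))     # atlasprod
    print(decide_push(atlas.issue(MAGGIE), TRUSTED, POLICY))   # atlas-pool
    print(decide_pull(JOHN, atlas, POLICY))                    # atlasprod
```

The ordering of POLICY matters: the production role is listed before the catch-all `/atlas/*` so that a production member is mapped to the privileged account rather than the pool, and an assertion whose attributes have been altered after signing fails the HMAC check before any FQAN is looked at.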
11
OGSA AA model
  • Grid (OGSA) AA architecture
    • explicitly acknowledges multiple sources of
      authority in the authorization chain

[graphic: OGSA 1.0, GGF standards-track document]
12
Grid Middleware AA support
[runtime graphic: Globus Toolkit 4, Frank Siebenlist et al.]
PERMIS/XACML PDP, or a SAML PIP, or ...
13
More initiatives
  • eduGAIN summary (with too many experts in the
    room?)
    • based on federation connectors to mediate
      between federations (domains, realms)
    • common services
      • Home Location Service
      • (can be extended with others)
    • basic interactions
      • AccessReq/AccessResp
      • AuthNDataReq/AuthNDataResp
      • HomeLocationReq/HomeLocationResp
      • AttrReq/AttrResp
      • AuthZReq/AuthZResp
    • using WS and SAML
    • see links provided by Reimer and Diego

14
What is happening now?
  • Several domains implemented some integrated AAI
    today
    • evolutionary grid middleware solutions
      targeted at expert power users
    • wireless network access targeted at the
      masses, almost irrespective of status
    • web resources targeted at selected academic
      users, but not very selective as the resources
      are not high value

15
Production app eduroam
  • transparent (wireless) network access based on
    credentials issued by the home organisation
  • distributed RADIUS infrastructure based on
    pair-wise hierarchical trust
  • no qualified AuthZ
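As an added example, not code from the slides or from eduroam itself, here is a toy model of the architecture slide 15 describes: a user presents home-organisation credentials at a visited site, and the request is proxied through a RADIUS hierarchy in which each server trusts only the peers it shares a secret with, routing by realm suffix until the home server answers. Everything is constructed: the RadiusServer class, the server names, realms, shared secrets and the account; RADIUS is reduced to a dict-shaped Access-Request and the strings "Access-Accept" / "Access-Reject", and no real packets are built.

```python
# Added example, not from the slides: realm-based proxying over a RADIUS
# hierarchy with pair-wise trust between neighbouring servers. All names,
# secrets and accounts are constructed.
NETWORK = {}   # name -> RadiusServer; stands in for the UDP transport


class RadiusServer:
    """Hypothetical RADIUS node (constructed for this example)."""

    def __init__(self, name, peers, routes=None, default=None,
                 home_realm=None, users=None):
        self.name = name
        self.peers = peers                # {peer name: shared secret}: pair-wise trust
        self.routes = routes or {}        # {realm suffix: peer name} for downstream routing
        self.default = default            # upstream peer for realms not known here
        self.home_realm = home_realm      # set where this server is a home (IdP) for users
        self.users = users or {}          # {user@realm: password}, home servers only
        NETWORK[name] = self

    def handle(self, request, from_peer=None, secret=None, path=()):
        """Returns (result, path of servers visited, reason)."""
        path = path + (self.name,)
        # pair-wise trust: a proxied request is accepted only from a
        # configured peer presenting that pair's secret
        if from_peer is not None and self.peers.get(from_peer) != secret:
            return "Access-Reject", path, "unknown or mis-keyed peer"
        if len(path) > 8:
            return "Access-Reject", path, "proxy loop"
        user = request["User-Name"]
        realm = user.rpartition("@")[2]
        if realm == self.home_realm:
            ok = self.users.get(user) == request["User-Password"]
            # the home server only answers yes/no: no qualified AuthZ
            # attributes travel back to the visited site (slide 15)
            return ("Access-Accept" if ok else "Access-Reject"), path, "home decision"
        nxt = self._next_hop(realm)
        if nxt is None:
            return "Access-Reject", path, f"no route for realm {realm!r}"
        return NETWORK[nxt].handle(request, from_peer=self.name,
                                   secret=self.peers[nxt], path=path)

    def _next_hop(self, realm):
        """Most specific configured realm suffix wins; else the default (up)."""
        matches = [s for s in self.routes if realm == s or realm.endswith("." + s)]
        if matches:
            return self.routes[max(matches, key=len)]
        return self.default


# --- constructed topology: visited site in one country, home in another ---
S = {"sp-ch": b"s1", "ch-top": b"s2", "top-nl": b"s3", "nl-idp": b"s4"}  # per-link secrets
RadiusServer("sp.visited.ch", peers={"proxy.ch": S["sp-ch"]}, default="proxy.ch",
             home_realm="visited.ch", users={"carol@visited.ch": "local-pw"})
RadiusServer("proxy.ch", peers={"sp.visited.ch": S["sp-ch"], "proxy.top": S["ch-top"]},
             routes={"visited.ch": "sp.visited.ch"}, default="proxy.top")
RadiusServer("proxy.top", peers={"proxy.ch": S["ch-top"], "proxy.nl": S["top-nl"]},
             routes={"ch": "proxy.ch", "nl": "proxy.nl"})
RadiusServer("proxy.nl", peers={"proxy.top": S["top-nl"], "idp.home.nl": S["nl-idp"]},
             routes={"home.nl": "idp.home.nl"}, default="proxy.top")
RadiusServer("idp.home.nl", peers={"proxy.nl": S["nl-idp"]}, home_realm="home.nl",
             users={"alice@home.nl": "correct-horse"})   # constructed credential


def authenticate(visited, user, password):
    """Entry point as the visited site's access point would use it."""
    return NETWORK[visited].handle({"User-Name": user, "User-Password": password})


if __name__ == "__main__":
    print(authenticate("sp.visited.ch", "alice@home.nl", "correct-horse"))
    print(authenticate("sp.visited.ch", "bob@nowhere.xx", "x"))
```

The visited site never sees a home password in the clear in the real system (EAP carries it inside a TLS tunnel to the home server); here the password is a plain field only to keep the routing visible. What the model does show is that each hop validates only its direct neighbour, so a server with no configured peer relationship cannot inject requests, and that the chain ends at the first server that owns the realm.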

16
Production apps examples
  • Examples from the Access Management
    Infrastructure for the UK
    • ScienceDirect
    • BlackBoard
    • BIOSIS
    • CAB Abstracts
    • Education Image Gallery, Education Media Online
    • Index to The Times
    • Land, Life & Leisure
    • Statistical Accounts of Scotland
    • Landmap
    • Zetoc Alert & Search
  • other domains started to use similar technology
    (such as the Dutch government DigID project using
    A-Select)

17
Issues with integration
  • Wider value range of resources to control
    • from low-risk wireless access to high-risk
      supercomputers
  • To engage more users, the current model of
    user-held credentials, or of disparate
    credentials for grid and other activities, is not
    necessarily sustainable
    • only scientific power users could maybe manage
    • a general audience just cannot handle the
      current grid AA systems
  • we need integrated models that respect local
    autonomy, recognise existing credential quality,
    and retain the global coordination we have today
    • note that this is technology-agnostic; it's
      pure policy
    • the software stacks we have today can almost do
      anything

18
Possible interfaces to integration
  1. indirect AuthN based on existing IdMs
  2. enable grid AuthN systems (e.g. VOMS) to also
     propagate other (home) IdM attributes
  3. enable resource access controls to talk to
     multiple SoAs
  4. express VO membership as a function of home IdM
     attributes
  • The reverse can also be considered
    • VO membership could entitle you to guest
      associateship with a real organisation, so that
      (selected) VO members can use resources that are
      available to the real organisation
  • these scenarios are largely independent of the
    middleware (GSI or Shib or A-Select or ...)
    • except that SAML cannot yet well support
      (restricted) delegation

19
1. PKI AuthN based on existing IdMs
  • see presentation by Christoph Witzig in a moment

20
2. Propagating other IdP attributes
[slide from Christoph Witzig, SWITCH, EGEE MWSG,
2006-09-27]
21
3. Multiple SoA support in access control
  • enable resource access controls to talk to
    multiple SoAs
  • based on a pluggable authorization framework, such
    as in newer middleware like Globus Toolkit 4,
    gLite, etc.

[graphic from Christoph Witzig, SWITCH, GGF16,
February 2006]
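The pluggable chain that slides 11 and 21 refer to (multiple sources of authority consulted by one resource access control) can be shown with a small policy engine. The block below is an added example, not code from the slides or from Globus Toolkit 4, gLite or PERMIS, which each define their own plug-in interfaces; the PIP/PDP function signatures, the three sources of authority, the subjects and the resources are all constructed here.

```python
# Added example, not from the slides: an authorization chain that pulls
# attributes from several sources of authority (SoAs) through Policy
# Information Points and lets one Policy Decision Point per SoA vote,
# combined deny-overrides. All names and data are constructed.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

# Constructed attribute stores, one per source of authority.
VO_DB = {                       # VO attribute authority: FQANs per subject
    "alice": ["/vo", "/vo/Role=production"],
    "bob":   ["/vo", "/vo/Role=production"],
    "carol": [],
}
HOME_DB = {                     # home organisation IdM: affiliation per subject
    "alice": {"affiliation": "staff"},
    "bob":   {"affiliation": "staff"},
    "carol": {"affiliation": "student"},
}
SITE_BAN = {"bob"}              # site-local SoA: subjects the site itself refuses


# --- Policy Information Points: each pulls attributes from one SoA ---------
def vo_pip(ctx):
    ctx["fqans"] = list(VO_DB.get(ctx["subject"], []))


def home_pip(ctx):
    ctx["affiliation"] = HOME_DB.get(ctx["subject"], {}).get("affiliation")


def site_pip(ctx):
    ctx["banned"] = ctx["subject"] in SITE_BAN


# --- Policy Decision Points: each speaks for one SoA and may abstain ------
def ban_pdp(ctx):
    """Site policy: banned subjects are refused everything."""
    return DENY if ctx.get("banned") else NA


def vo_pdp(ctx):
    """VO policy: the production role may use the compute queue."""
    if ctx["resource"] == "compute-queue" and "/vo/Role=production" in ctx.get("fqans", []):
        return PERMIT
    return NA


def home_pdp(ctx):
    """Campus policy: staff and students of a recognised home organisation
    may read the data catalogue."""
    if ctx["resource"] == "catalogue" and ctx.get("affiliation") in ("staff", "student"):
        return PERMIT
    return NA


DEFAULT_CHAIN = ([vo_pip, home_pip, site_pip], [ban_pdp, vo_pdp, home_pdp])


def evaluate(subject, resource, chain=DEFAULT_CHAIN):
    """Run every PIP, then every PDP, and combine deny-overrides: any Deny
    wins, else any Permit, else Deny (closed by default, so a chain in which
    every SoA abstains grants nothing). Returns the decision and the
    per-PDP trace, which is what an audit log should record."""
    pips, pdps = chain
    ctx = {"subject": subject, "resource": resource}
    for pip in pips:
        pip(ctx)
    trace = [(pdp.__name__, pdp(ctx)) for pdp in pdps]
    votes = {d for _, d in trace}
    if DENY in votes:
        final = DENY
    elif PERMIT in votes:
        final = PERMIT
    else:
        final = DENY
    return final, trace


if __name__ == "__main__":
    for subject in ("alice", "bob", "carol"):
        print(subject, evaluate(subject, "compute-queue"))
```

Removing the site PDP from the chain lets bob's VO role through, which is the practical point of slide 21: once several SoAs contribute, the combining rule and the completeness of the chain are part of the site's security policy, not an implementation detail.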
22
4. VO membership as function of home attributes
[diagram: query to resolve the membership list of an FQAN]
role: production
members:
  • John Doe
  • the students of UHO class 101, 2008
  • Maggie
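What the picture on this slide implies, as an added example that is not code from the slides: the membership list of an FQAN is not stored but computed, partly from explicitly named people (John Doe, Maggie) and partly from a predicate over home-organisation attributes ("the students of UHO class 101, 2008"), which is interface 4 of slide 18. The home IdM records, the attribute names (org, affiliation, course, year), the user identifiers and the rule syntax are all constructed here; a real VO would obtain the attributes by querying each home organisation and would still have to judge the quality of each source, the issue slide 23 raises.

```python
# Added example, not from the slides: VO membership of an FQAN expressed as
# a function of home IdM attributes. All records, names and rules are
# constructed.

# Constructed home IdM records, keyed by a stable user identifier.
HOME_IDM = {
    "john.doe@uho.example": {"name": "John Doe", "org": "UHO", "affiliation": "staff"},
    "maggie@other.example": {"name": "Maggie", "org": "Other", "affiliation": "staff"},
    "s101@uho.example": {"name": "Sam", "org": "UHO", "affiliation": "student",
                         "course": "class 101", "year": 2008},
    "s102@uho.example": {"name": "Sue", "org": "UHO", "affiliation": "student",
                         "course": "class 101", "year": 2007},
    "s103@uho.example": {"name": "Syd", "org": "UHO", "affiliation": "student",
                         "course": "class 202", "year": 2008},
}

# A membership rule is a list of clauses; a user is a member if any clause
# holds. An "explicit" clause names one user id (the VO's own listing); an
# "attrs" clause gives attribute values the home record must all carry.
RULES = {
    "/vo/Role=production": [
        {"explicit": "john.doe@uho.example"},
        {"attrs": {"org": "UHO", "affiliation": "student",
                   "course": "class 101", "year": 2008}},
        {"explicit": "maggie@other.example"},
    ],
    "/vo": [
        {"attrs": {"org": "UHO"}},
        {"explicit": "maggie@other.example"},
    ],
}


def clause_holds(clause, uid, record):
    if "explicit" in clause:
        return clause["explicit"] == uid
    return all(record.get(k) == v for k, v in clause["attrs"].items())


def is_member(fqan, uid, idm=HOME_IDM, rules=RULES):
    """One user: a member if explicitly listed or if the home attributes
    satisfy some clause. A user unknown to every home IdM cannot qualify,
    even for an explicit listing, since nothing vouches for the identity."""
    record = idm.get(uid)
    if record is None:
        return False
    return any(clause_holds(c, uid, record) for c in rules.get(fqan, []))


def resolve_members(fqan, idm=HOME_IDM, rules=RULES):
    """The query on the slide: expand an FQAN into its current membership by
    re-evaluating the rule against the home attributes, so the list follows
    changes in the home IdM (a changed course or year) without VO edits."""
    return sorted(uid for uid in idm if is_member(fqan, uid, idm, rules))


def fqans_for(uid, idm=HOME_IDM, rules=RULES):
    """Reverse direction: the FQANs a VO attribute server would assert for
    one user, in rule order."""
    return [f for f in rules if is_member(f, uid, idm, rules)]


if __name__ == "__main__":
    print(resolve_members("/vo/Role=production"))
    print(fqans_for("s101@uho.example"))
```

Because membership is recomputed from the home data, an attribute the home organisation keeps for its own reasons (the year of a class) silently becomes an access-control input for the VO's resources, which is exactly the "different incentives for keeping information current" problem the next slide lists.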
23
Many interesting issues to be addressed
  • Technical issues are solvable; policy
    harmonisation is non-trivial
    • far wider range of qualities in the attributes
    • different incentives for keeping information
      current
    • responsibility for attributes resides with
      different parties
  • VO to manage community membership, but can small
    VOs maintain such an infrastructure? A task for
    an (independent) e-Infrastructure provider
  • home organisation to manage organic attributes,
    but not all attributes are usually considered
    equally valuable, and there is lots of variety
    between the UHOs
  • access rights may suddenly depend on attributes
    of different quality

24
  • "encourage work towards a common federation for
    academia and research institutes that ensures
    mutual recognition of the strength and validity
    of their authorization assertions."
    e-IRG Recommendation, Dutch EU Presidency 2004
  • how do we go about it?
  • what role do we have in this domain?
  • we have experience in policy coordination ...

25
Proposal: possible directions forward
  • At the national level, for each authority
    • monitor developments towards the creation of
      national AAIs and federations
    • engage in (national) AAI initiatives that support
      your current and potential subscriber base
    • promote the bridging of emerging federations at
      the national level
  • At the European and global level
    • ensure awareness of IGTF policy coordination work
      and its relevance to overall AAI developments
    • actively foster the definition of levels of
      assurance and their expression in all relevant
      syntaxes, and engage in the definition of these
      levels
    • ensure that our policies do not inadvertently put
      up roadblocks on the way towards an integrated
      AAI
    • promote (national) federations that interface
      with our current and future subscriber base at
      both the AuthN and (later) the AuthZ level