1 The eInfrastructure AAI roadmap in Europe
Trends in European AA policy
8th EUGridPMA Meeting, Karlsruhe, 2006
- EUGridPMA Karlsruhe meeting
- David Groep, NIKHEF
2 Aims of the Integrated AAI
- Roadmap for the European e-Infrastructures: create a single seamless AA experience for the user
- Spans
  - the authentication/ID provisioning domain
  - as well as the authorisation area
  - across any kind of application
    - grids like we know today
    - network access (eduroam)
    - web resource access
    - (m)any other services
3 e-IRG integrated AAI Roadmap
- Trans-disciplinary (Grid projects, NRENs, other user communities) and trans-continental forums that move towards the establishment of a global, seamless AA infrastructure for e-Science applications should be encouraged.
- The e-IRG wishes to acknowledge the efforts made in this direction by the IGTF and the open information exchange point provided by TERENA task forces.
- Recommendation to the e-IRG, Austrian EU Presidency 2006
4 e-IRG mandate
- The main objective of the e-IRG is to support, on the political, advisory and monitoring level, the creation of a policy and administrative framework for the easy and cost-effective shared use of electronic resources in Europe (focusing on Grid-computing, data storage, and networking resources) across technological, administrative and national domains.
- The e-IRG consists of official delegations from the ministries of Education of the various European countries. It has an important role in assigning funding priorities for EU framework programmes and the strategy for e-Europe.
5 Contributors
- Roadmap contributors and actors in the field
  - e-IRG (high-level policy)
  - TERENA TF-EMC2, TF-Mobility
  - IGTF
  - eduroam
  - GEANT2 JRA5 (eduGAIN)
  - REFEDs
  - many national federations (CH, ES, NL, NO, UK, ...)
  - software providers: Shibboleth, A-Select, PAPI, ...
6 Grid Authorization
- user-centric communities
  - either grass-roots or infrastructure-based
- primary applications today in compute/data/database access
7 Grid AuthZ status
- User-centric community management today
  - for (virtually) all grids based on authentication by IGTF accredited authorities
  - these assertions are used for authorization, where
    - there is far greater variety in mechanisms and concepts
    - software is in a continuous transition phase
  - actual user communities are expert and relatively small, i.e., O(100 000) users
8 Grid Authorization
- Current (deployed) models in most compute/data grids
  - all based on proxies, implementing SSO and delegation
- Identity-based authorization
  - lists of authorized users, possibly organised on a VO basis
  - model is being deprecated in larger deployments
- Attribute-based authorization
  - VO-managed databases, directories issuing VO-signed assertions
  - VO identity itself based on IGTF certificates
  - resource providers grant access based on these VO attributes
  - pushed down with the service request (typically as ACs embedded as an extension in the proxy certificate), VOMS
  - in part supported by (proxy) credential caches, MyProxy
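The two deployed models on this slide, side by side, as an added illustration that is not code from the presentation or from any grid middleware. The FQAN syntax (/vo/group/.../Role=r/Capability=c, with the literal NULL for "none") is the real VOMS form; the grid-mapfile entries, the VO names, the policy table and the shape of the assertion record are constructed sample data, and the "signed by a recognised VO" check is reduced to comparing an issuer string, where a real resource provider would verify the attribute certificate signature against the VOMS server certificate.

```python
"""Identity-based versus attribute-based (VOMS-style) authorization at a
resource provider. Added example; all names and the policy are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FQAN:
    vo: str
    group: str                 # full group path, e.g. "/atlas/production"
    role: Optional[str]
    capability: Optional[str]


def parse_fqan(text: str) -> FQAN:
    """Parse '/atlas/production/Role=manager/Capability=NULL' into its parts."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    group_parts, role, cap = [], None, None
    for part in text.split("/")[1:]:
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            cap = part[len("Capability="):]
        elif role is None and cap is None:
            group_parts.append(part)
        else:
            raise ValueError(f"group component after Role/Capability: {text!r}")
    if not group_parts or "" in group_parts:
        raise ValueError(f"malformed group path: {text!r}")
    # VOMS writes NULL when no role or capability is selected.
    role = None if role in (None, "NULL") else role
    cap = None if cap in (None, "NULL") else cap
    return FQAN(vo=group_parts[0], group="/" + "/".join(group_parts),
                role=role, capability=cap)


# --- Identity-based model: a list of authorised user DNs (constructed grid-mapfile) ---
IDENTITY_LIST = {
    "/DC=org/DC=example/CN=John Doe": "atlas001",
    "/DC=org/DC=example/CN=Maggie": "atlas002",
}


def authorize_by_identity(subject_dn: str) -> Optional[str]:
    """Every authorised user needs an entry; the list must be kept current by hand."""
    return IDENTITY_LIST.get(subject_dn)


# --- Attribute-based model: VO-signed FQANs mapped to local accounts (constructed) ---
TRUSTED_VOS = {"atlas": "voms.example.org"}      # VO -> VOMS server allowed to sign
ATTRIBUTE_POLICY = [                              # (group pattern, required role, mapping)
    ("/atlas/production", "manager", "atlasprd"),
    ("/atlas/*", None, "atlas_pool"),             # any member of the VO
]


def _group_matches(pattern: str, group: str) -> bool:
    """'/atlas/*' matches /atlas itself and every subgroup below it."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return group == base or group.startswith(base + "/")
    return group == pattern


def authorize_by_attributes(assertion: dict) -> Optional[str]:
    """assertion = {"vo": ..., "issuer": ..., "fqans": [...]} (constructed shape).

    Returns the local mapping for the first FQAN that matches the policy, or None.
    Nothing about the individual user is configured at the resource: the VO's
    membership database is the source of authority.
    """
    if TRUSTED_VOS.get(assertion["vo"]) != assertion["issuer"]:
        return None                     # not asserted by a VO we recognise
    for text in assertion["fqans"]:
        fqan = parse_fqan(text)
        if fqan.vo != assertion["vo"]:
            continue                    # FQAN outside the issuing VO's namespace
        for pattern, role, mapping in ATTRIBUTE_POLICY:
            if _group_matches(pattern, fqan.group) and (role is None or role == fqan.role):
                return mapping
    return None
```

The policy order matters: the more specific production/manager entry comes first, so a production manager lands on the dedicated account and everyone else in the VO falls through to the pool mapping. With the identity list, adding a user means editing every resource's mapfile; with the attribute model, only the VO's membership changes.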
9 Grid Characteristics
- Special characteristics
  - rights delegation (typically to processes)
  - rights/role selection based on the session, and not the target resource per se
  - on-demand creation of new sources of authority (VOs)
  - grid communities cut through organisations
10 Software developments in AA
- (grid) software has become flexible over the past few years
  - most software now supports both push and pull of attributes and assertions
  - it is slowly becoming syntax-agnostic (X509 (AC), SAML, ...)
[figure: push and pull attribute flows, numbered steps 1 to 4]
11 OGSA AA model
- Grid (OGSA) AA architecture
  - explicitly acknowledges multiple sources of authority in the authorization chain
[graphic: OGSA 1.0, GGF standard track document]
12 Grid Middleware AA support
[runtime graphic: Globus Toolkit 4, Frank Siebenlist et al.]
PERMIS/XACML PDP, or a SAML PIP, or ...
13 More initiatives
- eduGAIN summary (with too many experts in the room?)
  - based on federation connectors to mediate between federations (domains, realms)
  - common services
    - Home Location Service
    - (can be extended with others)
  - basic interactions
    - (AccessReq/AccessResp)
    - AuthNDataReq/AuthNDataResp
    - HomeLocationReq/HomeLocationResp
    - AttrReq/AttrResp
    - AuthZReq/AuthZResp
  - using WS and SAML
  - see links provided by Reimer and Diego
14 What is happening now?
- Several domains implemented some integrated AAI today
  - evolutionary grid middleware solutions targeted at expert power users
  - wireless network access targeted at the masses, almost irrespective of status
  - web resources targeted at selected academic users, but not very selective as the resources are not high value
15 Production app: eduroam
- transparent (wireless) network access based on credentials issued by the home organisation
- distributed RADIUS infrastructure based on pair-wise hierarchical trust
- no qualified AuthZ
16 Production apps: examples
- Examples from the Access Management Infrastructure for the UK
  - ScienceDirect
  - BlackBoard
  - BIOSIS
  - CAB Abstracts
  - Education Image Gallery, Education Media Online
  - Index to The Times
  - Land, Life, Leisure
  - Statistical Accounts of Scotland
  - Landmap
  - Zetoc Alert, Search
- other domains started to use similar technology (such as the Dutch government DigiD project using A-Select)
17 Issues with integration
- Wider value range of resources to control
  - from low-risk wireless access to high-risk supercomputers
- To engage more users, the current model of user-held credentials, or of having disparate credentials for grid and other activities, is not necessarily sustainable
  - only scientific power users could maybe manage
  - the general audience just cannot handle the current grid AA systems
- need integrated models that respect local autonomy, recognise existing credential quality, and retain the global coordination we have today
  - note that this is technology-agnostic; it is pure policy
  - the software stacks we have today can almost do anything
18 Possible interfaces to integration
- indirect AuthN based on existing IdMs
- enable grid AuthN systems (e.g. VOMS) to also propagate other (home) IdM attributes
- enable resource access controls to talk to multiple SoAs
- express VO membership as a function of home IdM attributes
- The reverse can also be considered
  - VO membership could entitle you to guest associate-ship with a real organisation, so that (selected) VO members can use resources that are available to the real organisation
- these scenarios are largely independent of the middleware (GSI or Shib or A-Select or ...)
  - except that SAML cannot yet well support (restricted) delegation
19 PKI AuthN based on existing IdMs
- see presentation by Christoph Witzig in a moment
20 2. Propagating other IdP attributes
[slide from Christoph Witzig, SWITCH, EGEE MWSG, 2006-09-27]
21 3. Multiple SoA support in access control
- enable resource access controls to talk to multiple SoAs
- based on a pluggable authorization framework, such as in newer middleware like Globus Toolkit 4, gLite, c
[graphic from Christoph Witzig, SWITCH, GGF16, February 2006]
22 4. VO membership as function of home attributes
[graphic: query to resolve the membership list of an FQAN]
- role "production" members: John Doe; the students of UHO class 101, 2008; Maggie
23 Many interesting issues to be addressed
- Technical issues are solvable; policy harmonisation is non-trivial
  - far wider range of qualities in the attributes
  - different incentives for keeping information current
  - responsibility for attributes resides with different parties
    - VO to manage community membership, but can small VOs maintain such an infrastructure? A task for an (independent) e-Infrastructure provider
    - home organisation to manage organic attributes, but not all attributes are usually considered equally valuable, and there is lots of variety between the UHOs
  - access rights may suddenly depend on attributes with different quality
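Slide 22 shows a role whose membership mixes explicitly listed people with a class of people described by their home organisation's attributes, and slide 23 warns that those attributes arrive with very different quality. The resolver below, an added example that is not code from the presentation or from any VO management product, puts both together: a role is a set of VO-managed members plus rules over home-IdM attributes, and each rule names the source of authority it accepts and the minimum assurance level it requires. The rule language, the attribute names (affiliation, course, year), the assurance labels and every sample record are constructed for the illustration.

```python
"""Resolve VO role membership as a function of home-IdM attributes, gated by
the assurance level of the attribute source. Added example; constructed data."""
from dataclasses import dataclass

# Constructed ordering of assurance levels; a real deployment would use the
# levels agreed between the federation and the VO.
LOA_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class HomeAttributes:
    subject: str    # user identifier as seen by the VO (e.g. certificate DN)
    home: str       # home organisation asserting the attributes (the SoA)
    attrs: dict     # attribute name -> value, as asserted by the home IdP
    loa: str        # assurance level the home IdP claims for this assertion


@dataclass(frozen=True)
class AttributeRule:
    home: str       # only this source of authority may satisfy the rule
    required: dict  # every listed attribute must have exactly this value
    min_loa: str    # lowest assurance level the VO accepts for this rule


@dataclass(frozen=True)
class RoleDefinition:
    fqan: str
    explicit_members: frozenset   # managed directly by the VO
    rules: tuple                  # AttributeRule instances


def rule_matches(rule: AttributeRule, record: HomeAttributes) -> bool:
    """True when the record comes from the rule's SoA, at sufficient assurance,
    and carries all required attribute values."""
    if record.home != rule.home:
        return False
    if LOA_RANK.get(record.loa, 0) < LOA_RANK[rule.min_loa]:
        return False              # attribute quality below what the role needs
    return all(record.attrs.get(k) == v for k, v in rule.required.items())


def resolve_members(role: RoleDefinition, records: list) -> dict:
    """Return subject -> reason, where reason is 'explicit' or the home SoA whose
    attributes qualified the subject. Explicit membership wins over rules."""
    members = {subject: "explicit" for subject in role.explicit_members}
    for record in records:
        if record.subject in members:
            continue
        if any(rule_matches(rule, record) for rule in role.rules):
            members[record.subject] = record.home
    return members


# --- Constructed sample: the "production" role from slide 22 ---
PRODUCTION_ROLE = RoleDefinition(
    fqan="/vo/Role=production",
    explicit_members=frozenset({
        "/DC=org/DC=example/CN=John Doe",
        "/DC=org/DC=example/CN=Maggie",
    }),
    rules=(
        AttributeRule(home="uho.example",
                      required={"affiliation": "student", "course": "101", "year": "2008"},
                      min_loa="medium"),
    ),
)

SAMPLE_RECORDS = [
    HomeAttributes("/DC=org/DC=uho/CN=Alice", "uho.example",
                   {"affiliation": "student", "course": "101", "year": "2008"}, "medium"),
    # same attributes, but asserted at low assurance: not good enough for this role
    HomeAttributes("/DC=org/DC=uho/CN=Bob", "uho.example",
                   {"affiliation": "student", "course": "101", "year": "2008"}, "low"),
    # right attributes from the wrong source of authority
    HomeAttributes("/DC=org/DC=other/CN=Carol", "other.example",
                   {"affiliation": "student", "course": "101", "year": "2008"}, "high"),
    # staff member of the same course: attribute value does not match
    HomeAttributes("/DC=org/DC=uho/CN=Dave", "uho.example",
                   {"affiliation": "staff", "course": "101", "year": "2008"}, "high"),
]


if __name__ == "__main__":
    for subject, reason in sorted(resolve_members(PRODUCTION_ROLE, SAMPLE_RECORDS).items()):
        print(f"{PRODUCTION_ROLE.fqan}: {subject} ({reason})")
```

Two of the slide's concerns show up directly in the result: Bob drops out of the role the moment his home organisation lowers the assurance of its attribute assertions, even though nothing about him changed, and responsibility is split, since the VO controls the explicit list and the rules while uho.example controls whether Alice is still a student of class 101.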
24
- encourage work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions.
- e-IRG Recommendation, Dutch EU Presidency 2004
- how do we go about it?
- what role do we have in this domain?
- we have experience in policy coordination ...
25 Proposal: possible directions forward
- At the national level, for each authority
  - monitor developments towards the creation of national AAIs and federations
  - engage in (national) AAI initiatives that support your current and potential subscriber base
  - promote the bridging of emerging federations at the national level
- At the European and global level
  - ensure awareness of IGTF policy coordination work and its relevance to the overall AAI developments
  - actively foster the definition of levels of assurance and their expression in all relevant syntaxes, and engage in the definition of these levels
  - ensure that our policies do not inadvertently put up roadblocks on the way towards an integrated AAI
  - promote (national) federations that interface with our current and future subscriber base at both the AuthN and (later) the AuthZ level