ARCS Authorisation Services - apan.net (Neil Witheridge, Manager, ARCS Authorisation Services)

Post on 02-Apr-2018


ARCS Authorisation Services

Neil Witheridge, Manager, ARCS Authorisation Services

APAN29, Sydney, February 2010

Overview

•  ARCS & Platforms for Collaboration
•  ARCS Mission & Structure
•  Research Group Needs
•  ARCS Services and Tools
•  Authorisation Services' Role
•  ARCS Authorisation Infrastructure
•  Strategy, Challenges & Future direction

Australian Government eResearch Investment

•  National Collaborative Research Infrastructure Strategy - Platforms for Collaboration (PfC) investment (2007-11)
•  Super Science Initiative eResearch Components (2009-13)
•  "...critical importance of eResearch Infrastructure to future research competitiveness"
•  "...intended to enhance research collaborations, assist researchers to manage massive datasets, and provide super-computing and analysis tools that enable Australian researchers to tackle the complex, national and global issues needed to secure Australia's future."

Source: https://www.pfc.org.au/bin/view/Main

Platforms for Collaboration

PfC component investments:

•  Australian Research Collaboration Service (ARCS)
   –  Develop and operate services linking systems and resources nationwide
   –  Develop and operate collaboration and workflow tools for researchers
   –  Includes "Authorisation Services"
•  Australian National Data Service (ANDS)
•  National Computational Infrastructure (NCI)
•  Australian Access Federation (AAF) and Research Networks (AARNET)

Source: http://www.ivec.org/ForumAug09/02_Francis.ppt

ARCS Mission

To provide long-term eResearch support services including, but not limited to, interoperability and collaboration infrastructure and services through a continuous and open process of consultation and engagement with the Australian research community.

ARCS is an unincorporated collaborative venture of the Members of ARCS: ANU, CSIRO, eRSA, Intersect, QCIF, iVEC, TPAC, VPAC … serves as the vehicle for the coordinated delivery of national eResearch support, services and tools.

Source: http://www.arcs.org.au/about

Research Group Needs

[Diagram: a Research Group (Principal Investigator, Researchers) whose identity management sits in AAF IdP(s). Activities: Run Experiment / Generate Data, Store Data, Analyse Data, Write & Publish Report, Collaboratively Create web content, Collaborate / Communicate / Meet. Resources: Instrument, Data Storage, CMS/Wiki, HPC / Grid Services (VO configured for accessing Grid resources), Repository. Authentication and authorisation for protection of valuable resources.]

ARCS' Current Tools and Services

•  Compute Cloud*
•  Grid Services Infrastructure*
•  Virtual Machine Hosting
•  Data Fabric*
•  Database Service
•  Data Transfer Service
•  Web-based Collaboration
   –  Sakai
   –  Plone
   –  Jabber
   –  Joomla
   –  Twiki
•  Video Collaboration
   –  Desktop solution: EVO*
   –  Room solution: AccessGrid
•  Security Services
   –  Grid Certificates*
   –  Access Service

* Immediately accessible; others require request and coordinated provision to the research group.

ARCS Authorisation Services Role

•  Support Research Groups and Service Providers in delivering services requiring authentication and authorisation (authNZ)
•  Analyse requirements, and provide expertise, advice, exemplars
   •  Exemplars (demonstrate what can be done to protect resources)
•  Implement (procure/develop) and deploy authNZ solutions
   •  satisfying research groups' and service providers' security requirements
•  Provide customer support for ARCS Authorisation Services
   •  ARCS CAs, ARCS IdP, ARCS SLCS Server & Clients, ARCS Access Service
•  Develop and pursue a 'unified strategy' for authNZ
   •  Apply security technologies and protocols & track international trends
   •  Rely on the AAF for Federated Access (i.e. use Shibboleth)
   •  Integrate with Grid Security Infrastructure
   •  Analyse access scenarios and identify patterns & solutions

ARCS Access Service

•  Provides a Gateway to ARCS Services
•  Registration (assignment of Default Authorisation Rights)
   •  Tracking user communities (auEduPersonSharedToken)
   •  Allocate ARCS Username (ARCS Services unique identifier)
      •  consistent user naming across ARCS Services
   •  Caching attributes at time of registration
      •  Allow detection of attribute change (e.g. IdP, affiliation)
•  Authorisation Rights Management
   •  Register Authorisation Rights tokens
      •  urn:<ServiceIdentifier>:<Token value>

Current focus on Authentication
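The registration behaviour described on this slide (tracking users by auEduPersonSharedToken, allocating an ARCS username, caching released attributes so that a later change of IdP or affiliation is detected, and registering authorisation rights tokens in the urn:<ServiceIdentifier>:<Token value> form) can be modelled in a few dozen lines. The following is an added illustration written for this transcript; it is not ARCS code. The attribute names "idp" and "eduPersonAffiliation", the "arcs00001" username scheme, the DEFAULT_RIGHTS values and the token character classes are assumptions chosen for the example, and SAMPLE_ATTRS is a constructed attribute release.

```python
import re
from dataclasses import dataclass, field

# Authorisation rights token format from the slide: urn:<ServiceIdentifier>:<Token value>.
# The permitted character classes are an assumption made for this example.
TOKEN_RE = re.compile(r"^urn:(?P<service>[A-Za-z0-9._-]+):(?P<value>[A-Za-z0-9._/-]+)$")

# Attributes cached at registration time so that later changes can be detected
# (the slide names IdP and affiliation as examples).
TRACKED = ("idp", "eduPersonAffiliation")


@dataclass
class Registration:
    arcs_username: str          # ARCS Services unique identifier
    shared_token: str           # auEduPersonSharedToken: the federation-wide user key
    cached: dict                # tracked attribute values at the time of registration
    rights: set = field(default_factory=set)   # registered authorisation rights tokens


def parse_rights_token(token):
    """Return (service_identifier, token_value), or raise ValueError if malformed."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError(f"malformed authorisation rights token: {token!r}")
    return m.group("service"), m.group("value")


class AccessService:
    # Hypothetical default rights assigned at registration (not ARCS's actual defaults).
    DEFAULT_RIGHTS = ("urn:DataFabric:user", "urn:Wiki:user")

    def __init__(self):
        self._users = {}    # shared_token -> Registration
        self._seq = 0

    def register(self, attrs):
        """Create a registration keyed on the shared token and cache tracked attributes."""
        token = attrs["auEduPersonSharedToken"]
        if token in self._users:
            raise ValueError("user already registered")
        self._seq += 1
        reg = Registration(
            arcs_username=f"arcs{self._seq:05d}",
            shared_token=token,
            cached={k: attrs.get(k) for k in TRACKED},
        )
        for right in self.DEFAULT_RIGHTS:
            parse_rights_token(right)          # refuse to store a malformed token
            reg.rights.add(right)
        self._users[token] = reg
        return reg

    def login(self, attrs):
        """Look the user up by shared token and diff released attributes against the cache.

        Returns (registration, changes); changes maps attribute name -> (cached, current)
        for each tracked attribute whose released value differs from the cached one.
        """
        reg = self._users.get(attrs["auEduPersonSharedToken"])
        if reg is None:
            return None, {}
        changes = {}
        for k in TRACKED:
            if attrs.get(k) != reg.cached[k]:
                changes[k] = (reg.cached[k], attrs.get(k))
        return reg, changes

    def grant(self, shared_token, rights_token):
        """Register an additional authorisation rights token for a user."""
        parse_rights_token(rights_token)
        self._users[shared_token].rights.add(rights_token)

    def authorised(self, shared_token, rights_token):
        reg = self._users.get(shared_token)
        return reg is not None and rights_token in reg.rights


# Constructed sample attribute release, shaped like what an AAF IdP would release
# to a service provider after login. All values are made up for this example.
SAMPLE_ATTRS = {
    "auEduPersonSharedToken": "Ab3xQ9constructedSharedToken",
    "idp": "https://idp.example.edu.au/idp/shibboleth",
    "eduPersonAffiliation": "staff",
}


def demo():
    svc = AccessService()
    reg = svc.register(SAMPLE_ATTRS)
    _, unchanged = svc.login(SAMPLE_ATTRS)                         # same release: no changes
    _, changed = svc.login(dict(SAMPLE_ATTRS, eduPersonAffiliation="alum"))
    svc.grant(reg.shared_token, "urn:Grid:vo-member")
    return reg.arcs_username, unchanged, changed, svc.authorised(reg.shared_token, "urn:Grid:vo-member")


if __name__ == "__main__":
    print(demo())
```

The point of caching at registration is that the Access Service, not the downstream service, notices when a returning user's IdP or affiliation no longer matches what the default rights were granted against; a deployment would use that difference to re-evaluate the rights rather than silently keep them.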

ARCS Authorisation Infrastructure

[Diagram 1: a researcher, belonging to a Federation IdP and a member of a Research Group, uses ARCS CMS/Wiki, Instrument, ARCS Data Fabric, HPC (Grid) and ARCS Repository (VO configured for accessing Grid resources) for the activities Run Experiment / Generate Data, Store Data, Analyse Data, Write & Publish Report and Collaboratively Create web content. Steps shown: Register via Access Service for SLCS, Data Fabric, Wiki, Repository; IdP Check: Confirm Attributes Released by IdP; Generate Grid (SLCS) Credential via the SLCS Service. ARCS acts as the SP for each; backends are GSI, LDAP and webDAV.]

[Diagram 2: AAF Identity Provider: Authenticate. Three ARCS service providers, each accessed using IdP username and password via AAF Login, with ARCS internal/backend processing behind them:
•  ARCS SLCS Service (SP) → ARCS SLCS CA: Get SLCS Certificate → ARCS MyProxy: Get Proxy Certificate (arbitrary username & password) → Grid Cert enabled Service: Access using ARCS SLCS cert or proxy (e.g. Grid Services, iRODS via iCommands).
•  ARCS Access Service (SP, 12 wks timeout): Register → ARCS LDAP: ARCS username & password → ARCS Cred's enabled Service: Access using ARCS username and password (e.g. Data Fabric via webDAV).
•  AAF-enabled Service (SP): Access using IdP username and password via AAF Login (e.g. Data Fabric, Plone, TWiki).]

ARCS Auth Svcs Future Directions

•  Authentication
   •  IGTF Accreditation for SLCS (Level-2) CA
   •  Explore MICS (Long-lived Grid credentials from IdPs)
   •  Understand AAF & Shibboleth Roadmap implications
      •  New Shibboleth profiles (ECP, Key-holder)
      •  AusCERT PKI and implications
   •  Understand Grid Services trends and implications
•  Authorisation
   •  Develop and utilise the ARCS Access Service
   •  Implement Authorisation Rights Management
   •  Develop authorisation exemplars (e.g. use of XACML)

Thank you

Questions?