Dynamic Virtual Organisations for e-Science Education (DyVOSE) project + ESP-Grid Project
Prof. Richard Sinnott
Technical Director, National e-Science Centre ||| Deputy Director (Technical), Bioinformatics Research Centre
University of Glasgow
ros@dcs.gla.ac.uk
DyVOSE Overview
• Dynamic Virtual Organisations for e-Science Education (DyVOSE) project
• Two year project started 1st May 2004
• NeSC at University of Glasgow and University of Kent
• Exploring advanced authorisation infrastructures for security in context of education
  • University of Kent provides authorisation software (PERMIS) and security expertise
  • Applied in Grid Computing module part of advanced MSc at the University of Glasgow
• Provides insight into rolling out authorisation infrastructures/Grid to the masses
• Exploration of current state of the art in authorisation infrastructures
• Final phase of work involves NeSC Edinburgh
  • Extensions to the existing PERMIS infrastructure to provide dynamic delegation of authority and recognition of authority
Phase 1 - DyVOSE Work in a Piccie
• Applied existing PERMIS technology to establish static Privilege Management Infrastructure at GU
[Diagram: PERMIS-based education authorisation VO policies; authorisation checks and authorisation decisions for GU Condor pools, ScotGrid, the National Grid Service and other resources]
Explorations in Course
• Students used PERMIS Policy Editor to develop security policy for use in their assignment
  • Detailed feedback given to PERMIS team
• Assignment based on…
  • Sorting/searching “complete works of Shakespeare”
  • … run on single PC,
  • … using training lab Condor pool,
  • … * as GT3.3/Condor service,
  • … as GT3.3 service using GSI,
    • To see how authorisation at service level achieved
    • service should be accessible by themselves and lecturing staff only
    • used previously defined policy
  • … using * for GT3.3-PERMIS authorised service
    • To see how authorisation at method level achieved
    • Students split into groups (studentteam1, studentteam2)
    • Sort method available to their group and lecturers only
    • Search method available to both groups
• Performance aspects investigated throughout…
ESP-Grid
• ESP-Grid
  • Exploring how Shibboleth offers solutions to issues of grid authN, authZ and security
  • Is Shibboleth appropriate and workable for grids?
  • How appropriate is PKI, even though it has already been adopted?
  • How can the access management regime between the e-Science Grid and the JISC IE interoperate?
  • Reappraise use of PKIs within the UK e-Science Grid and grids in general
• Involves
  • Dr Mark Norman, Alun Edwards (Oxford)
  • NeSC Glasgow joined mid-September 2005
Demonstration
• Exploiting initially student scenario
  • GridSphere enabled (portlet) of GT3.3 service to search/sort works of Shakespeare using Condor pool
  • PERMIS policies for studentteam1, studentteam2 and lecturing staff
• Uses Shibboleth for retrieval of attributes from Glasgow Identity Provider
  • Uses SDSS Federation (sdss.ac.uk)
• Challenge in linking GridSphere (tomcat) and Shibboleth (Apache) and dynamic creation of html pages in portal
• Demonstration turns off GridSphere authN, authZ capabilities and uses Shibboleth and PERMIS instead
[Diagram sequence: Identity Provider (Home Institution, LDAP), Federation (WAYF), Service Provider (Grid Portal application, Authz), User]
1. User points browser to portal
2. Shibboleth redirects user to W.A.Y.F service
3. User selects their home institution
4. AUTHENTICATE: Home confirms user ID in local LDAP and pushes attributes to the service provider
5. Portal logs user in and presents attributes to authorisation function
6. AUTHORISE: Portal passes attributes to AuthZ function to make final access control decision
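An added illustration (not code from the DyVOSE project, GridSphere or PERMIS) of the flow above combined with the method-level course policy from the "Explorations in Course" slide, modelling studentteam1's service: the IdP entity id, user records and passwords are constructed stand-ins, and the policy is a simplified role-to-method table rather than PERMIS's XML policy.

```python
"""Simplified model of the demo flow: the home IdP authenticates the user,
pushes role attributes to the portal (SP), and the portal hands them to a
PERMIS-style authorisation function enforcing the assignment's policy."""
from dataclasses import dataclass

# Constructed stand-in for the home institution's LDAP directory (not real data).
HOME_LDAP = {
    "alice": {"password": "pw-alice", "role": "studentteam1"},
    "bob":   {"password": "pw-bob",   "role": "studentteam2"},
    "carol": {"password": "pw-carol", "role": "lecturer"},
}
# Hypothetical IdP entity id; PERMIS only honours attributes from trusted
# sources of authority, so anything else is ignored at decision time.
TRUSTED_ISSUERS = {"idp.gla.example"}

@dataclass(frozen=True)
class Attribute:
    issuer: str
    name: str
    value: str

# Method-level policy for studentteam1's Shakespeare service: sort is
# restricted to the owning team and lecturers, search is open to both teams.
METHOD_POLICY = {
    ("shakespeare", "sort"):   {"studentteam1", "lecturer"},
    ("shakespeare", "search"): {"studentteam1", "studentteam2", "lecturer"},
}

def idp_authenticate(user, password):
    """IdP step: confirm the user in local LDAP, return pushed attributes
    (None on failure) so the portal never sees a failed login's roles."""
    entry = HOME_LDAP.get(user)
    if entry is None or entry["password"] != password:
        return None
    return [Attribute("idp.gla.example", "role", entry["role"])]

def authorise(attributes, target, action):
    """AuthZ step: keep only roles asserted by a trusted issuer, then
    check the target/action rule; unknown methods are denied."""
    roles = {a.value for a in attributes
             if a.name == "role" and a.issuer in TRUSTED_ISSUERS}
    return bool(roles & METHOD_POLICY.get((target, action), set()))

def portal_request(user, password, target, action):
    """Full flow: authenticate at the IdP, then authorise at the portal."""
    attrs = idp_authenticate(user, password)
    if attrs is None:
        return "authn-failed"
    return "allow" if authorise(attrs, target, action) else "deny"
```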
More Information
• Dissemination
  • Posters presented at
    • JISC meeting in Brighton
    • AHM 2004 in Nottingham
    • AHM 2005 in Nottingham
  • Papers accepted for and presented at
    • European Grid Conference, Amsterdam, Feb 2005
    • NIST 4th Annual PKI Workshop, Gaithersburg, USA, April 2005
    • High Performance Computing Systems and Applications Conference, Guelph, Canada, May 2005
    • CLAG + Grid Edu workshop at CCGrid conference, Cardiff, May 2005
    • UK e-Science AHM 2005
  • Paper submitted to
    • IEEE Transactions on Education and Grid Technology
• Course materials and more information available on web site
  • http://www.nesc.ac.uk/hub/projects/dyvose
• Report under development on Grid Security for JCSR
  • Grid practice, middleware and future…
Questions? More from Sassa now on tools for dynamic privilege management infrastructure (delegation issuing service)