ARCS Authorisation Services
Neil Witheridge, Manager, ARCS Authorisation Services
APAN 29, Sydney, February 2010



Australian Government eResearch Investment
• National Collaborative Research Infrastructure Strategy Platforms for Collaboration (PfC) investment (2007-11)
• Super Science Initiative eResearch Components (2009-13)
• … critical importance of eResearch Infrastructure to future research competitiveness
• … intended to enhance research collaborations, assist researchers to manage massive data sets, and provide supercomputing and analysis tools that enable Australian researchers to tackle the complex, national and global issues needed to secure Australia's future.
Source: https://www.pfc.org.au/bin/view/Main


Platforms for Collaboration
PfC component investments:
• Australian Research Collaboration Service (ARCS)
  – Develop and operate services linking systems and resources nationwide
  – Develop and operate collaboration and workflow tools for researchers
  – Includes “Authorisation Services”
• Australian National Data Service (ANDS)
• National Computational Infrastructure (NCI)
• Australian Access Federation (AAF) and Research Networks (AARNET)
Source: http://www.ivec.org/Forum.Aug 09/02_Francis.ppt


ARCS Mission
To provide long-term eResearch support services including, but not limited to, interoperability and collaboration infrastructure and services through a continuous and open process of consultation and engagement with the Australian research community.
ARCS is an unincorporated collaborative venture of the Members of ARCS: ANU, CSIRO, eRSA, Intersect, QCIF, iVEC, TPAC, VPAC … serves as the vehicle for the coordinated delivery of national eResearch support, services and tools.
Source: http://www.arcs.org.au/about


Research Group Needs (diagram)
Diagram labels: Research Group IdP; Principal Investigator IdP; Identity Mgmt in AAF IdP(s); Repository (Write & Publish Report); Researchers Collaborate, Communicate, Meet; Analyse Data; Researcher; Store Data (AAF); Collaboratively Create web content (CMS / Wiki); HPC Grid Services (VO configured for accessing Grid resources); Run Experiment, Generate Data (Instrument); Data Storage.
Caption: Authentication and authorisation for protection of valuable resources.


ARCS’ Current Tools and Services
• Compute Cloud*
• Grid Services Infrastructure*
• Virtual Machine Hosting
• Data Fabric*
• Database Service
• Data Transfer Service
• Video Collaboration
  – Desktop solution: EVO*
  – Room solution: Access Grid
• Web-based Collaboration
  – Sakai
  – Plone
  – Jabber
  – Joomla
  – Twiki
• Security Services
  – Grid Certificates*
  – Access Service
* Immediately accessible; others require request and coordinated provision to the research group.


ARCS Authorisation Services Role
• Support Research Groups and Service Providers in delivering services requiring authentication and authorisation (authNZ)
  – Analyse requirements, and provide expertise, advice, exemplars
  – Exemplars (demonstrate what can be done to protect resources)
  – Implement (procure/develop) and deploy authNZ solutions satisfying research groups’ and service providers’ security requirements
• Provide customer support for ARCS Authorisation Services
  – ARCS CAs, ARCS IdP, ARCS SLCS Server & Clients, ARCS Access Service
• Develop and pursue a ‘unified strategy’ for authNZ
  – Apply security technologies and protocols & track international trends
  – Rely on the AAF for Federated Access (i.e. use Shibboleth)
  – Integrate with Grid Security Infrastructure
  – Analyse access scenarios and identify patterns & solutions


ARCS Access Service
• Provides a Gateway to ARCS Services
• Registration (assignment of Default Authorisation Rights)
  – Tracking user communities (auEduPersonSharedToken)
  – Allocate ARCS Username (ARCS Services unique identifier)
    – consistent user naming across ARCS Services
  – Caching attributes at time of registration
    – Allow detection of attribute change (e.g. IdP, affiliation)
• Authorisation Rights Management
  – Register Authorisation Rights tokens
    – urn:<ServiceIdentifier>:<Token value>
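The registration and change-detection steps on this slide, as an added illustrative model (not ARCS code): a registry keyed on auEduPersonSharedToken that caches the attributes released at registration, reports IdP/affiliation drift at later logins, and validates urn:<ServiceIdentifier>:<Token value> rights tokens before storing them. The attribute keys `idp` and `eduPersonAffiliation`, the username scheme, the default right and the sample values are assumptions.

```python
"""Illustrative model of an access-gateway registration step, in the style of
the ARCS Access Service slide. Added example, not ARCS code: record layout,
attribute names and sample values are assumptions / constructed data."""
import re
from dataclasses import dataclass, field

# Rights tokens on the slide have the form urn:<ServiceIdentifier>:<Token value>
RIGHTS_TOKEN = re.compile(r"^urn:([A-Za-z0-9._-]+):([A-Za-z0-9._-]+)$")


def parse_rights_token(token: str) -> tuple[str, str]:
    """Return (service_identifier, token_value); reject malformed tokens."""
    m = RIGHTS_TOKEN.match(token)
    if not m:
        raise ValueError(f"malformed rights token: {token!r}")
    return m.group(1), m.group(2)


@dataclass
class Registration:
    arcs_username: str            # unique identifier across ARCS services
    cached: dict                  # IdP attributes cached at registration time
    rights: set = field(default_factory=set)


class AccessService:
    """Keyed on auEduPersonSharedToken, which is meant to survive IdP moves."""

    def __init__(self, default_rights=("urn:DataFabric:read",)):  # assumed default
        self.users: dict[str, Registration] = {}
        self.default_rights = set(default_rights)

    def register(self, attrs: dict) -> Registration:
        token = attrs["auEduPersonSharedToken"]
        if token in self.users:               # idempotent: never re-register
            return self.users[token]
        username = "arcs-" + token.lower()[:8]    # assumed naming scheme
        reg = Registration(username, dict(attrs), set(self.default_rights))
        self.users[token] = reg
        return reg

    def login(self, attrs: dict) -> dict:
        """Compare freshly released attributes with the cached copy."""
        reg = self.users[attrs["auEduPersonSharedToken"]]
        changed = {k: (reg.cached.get(k), attrs.get(k))
                   for k in ("idp", "eduPersonAffiliation")
                   if reg.cached.get(k) != attrs.get(k)}
        return {"username": reg.arcs_username, "changed": changed}

    def grant(self, shared_token: str, rights_token: str) -> None:
        parse_rights_token(rights_token)      # validate before storing
        self.users[shared_token].rights.add(rights_token)
```

A non-empty `changed` dict is the signal an operator would act on (e.g. re-confirm affiliation before honouring cached rights).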


Current focus on Authentication (diagram)
Diagram labels: Researcher (Member of Research Group) with IdP; Check IdP belongs to Federation; Confirm Attributes Released by IdP; ARCS IdP; ARCS Access Service (SP): Register via Access Service for SLCS, Data Fabric, Wiki, Repository; ARCS SLCS Service (SP): Generate Grid (SLCS) Credential (GSI); ARCS CMS / Wiki (SP, LDAP): Collaboratively Create web content; ARCS Repository (SP, GSI): Write & Publish Report; HPC (Grid) (GSI): Analyse Data, VO configured for accessing Grid resources; ARCS Data Fabric (SP, WebDAV, GSI): Store Data; Instrument: Run Experiment, Generate Data.


AAF Identity Provider: access paths (diagram)
• AAF-enabled Service (e.g. Data Fabric, Plone, TWiki): access using IdP username and password via AAF Login (Authenticate); register via the ARCS Access Service (ARCS internal/backend processing).
• ARCS Credentials-enabled Service (e.g. Data Fabric via WebDAV): access using IdP username and password via AAF Login, then access using ARCS username and password held in ARCS LDAP (12 wks timeout) (ARCS internal/backend processing).
• Grid Cert-enabled Service (e.g. Grid Services, iRODS via iCommands): access using IdP username and password via AAF Login; Get SLCS Certificate from the ARCS SLCS Service (ARCS SLCS CA); Get Proxy Certificate from ARCS MyProxy (arbitrary username & password); then access using the ARCS SLCS cert or proxy (ARCS internal/backend processing).


ARCS Auth Svcs Future Directions
Authentication
• IGTF Accreditation for SLCS (Level-2) CA
• Explore MICS (Long-lived Grid credentials from IdPs)
• Understand AAF & Shibboleth Roadmap implications
  – New Shibboleth profiles (ECP, Key-holder)
  – AusCERT PKI and implications
• Understand Grid Services trends and implications
Authorisation
• Develop and utilise the ARCS Access Service
• Implement Authorisation Rights Management
• Develop authorisation exemplars (e.g. use of XACML)

Questions? Thank you.
