ASPiS Security - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
ASPiS Security
Jens Jensen <j.jensen _at_ rl.ac.uk>, Science and Technology Facilities Council
AHM, 8-11 Sep 2008, Edinburgh
2
ASPiS collaborators
  • Mark Hedges, CeRch KCL
  • Adil Hasan, Liverpool
  • Andrea Weise, STFC/Reading
  • Eric .., ? CeRch KCL
  • Jens Jensen, STFC
  • JISC-funded project

3
Project Overview
  • New data grid technology
  • with new authentication technology

4
Project Overview
  • What is ASPiS?
    • Access to iRODS via Shibboleth
    • Collaboration between CeRch (KCL) and STFC
  • What is Shibboleth?
    • UK Access Management Federation
  • What is iRODS?
    • Data grid for provenance, digital libraries
    • Successor to SRB
    • Open Source

5
ASPiS goals
  • Access to iRODS via Shibboleth
    • iRODS offers rule-based data management via microservices
    • Positioned as data grid solution for preservation, curation, digital libraries
  • Primary use cases
    • Arts and Humanities data storage
    • Diamond Light Source
    • NGS data storage services

6
ASPiS goals
  • Use Shibboleth attrs for access control
    • Can use attrs for AuZ decisions
      • ePEntitlement
      • Or extended attrs, e.g. from SARoNGS
  • Prototype secure data management
    • Can be expanded later into trusted services
    • Open for adding security capabilities
    • Interface with provenance management

7
User Security
  • Enable access for security non-experts
    • X.509 considered complicated
  • Broaden user base via Shibboleth IdPs
  • Users' VOs supported
    • Simple attribute-based
    • Simple gridmap style user mapping
    • Using VOMS? Via SARoNGS?

8
Shibboleth and NGS
  • Other projects to enable access to NGS
    • SARoNGS
    • Production deployment of ShibGrid and SHEBANGS
    • Certificates generated dynamically: users don't know they have them!
  • 75% of NGS user base with IdP
  • 95% by members of Federation
    • (Not all members have IdPs)
    • (Rough numbers, could have changed)

9
Architecture
[Architecture diagram. Components shown: IdP; SP ("Usual Shib Stuff"); iRODS with rule engine and µservices; ACL; Provenance Metadata Management; Disk Store; Tape Store at RAL.]
10
Implementing Security
  • Make attributes available
    • To rule engine, microservices, provenance
    • Microservices reporting back to rule engine to alter workflow
  • Other issues
    • Using AC and SAML (SARoNGS)
    • Libraries
      • iRODS in C, preservation systems in Java (Pasoa, RDF/OWL)
      • Availability, maturity, support, interoperation

11
Security Considerations
  • Use of Shib 1.3 vs Shib 2.0
    • Must work with existing Federation
  • Use of institutional attributes
    • How useful are they?
  • Avoid bilateral negotiations
    • Not sharing attributes between SPs
    • Single SP, federated iRODS?
  • Non-Federation (or no IdP) users
    • Considered local config or LDAP managed

12
Security Considerations
  • User to local mapping
    • LCMAPS or VPMan? Or something simpler?
  • Delegation of authentication
    • iRODS users/groups/domains/zones?
  • Use or combined use with GSI
    • For users with certificates already, existing NGS accounts
    • Consistency and portal access
    • Supported in iRODS 1.1
    • Needs account management

13
Preservation Issues
  • Persistency of ePTID
    • Federation rules permit recycling if not used for 2yrs
    • ASPiS: do not permit login if account idle for 2yrs
    • Except if IdP guarantees uniqueness forever?
    • Who is the ePTID?
  • Non-persistency of IdP logs
  • Verification of user-supplied attrs?
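
The attribute-based AuZ and gridmap-style mapping of slides 6 and 7, combined with the idle-account rule on this slide, as an added example that is not code from the ASPiS project. It assumes the SP exposes eduPerson attribute names with multi-valued attributes joined by ';' and ePTID serialised as "idpEntityID!spEntityID!opaque"; all identifiers, entity IDs and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Attribute names as a Shibboleth SP exposes them (eduPerson schema). Assumed here:
# multi-valued attributes arrive ';'-joined, ePTID as "idpEntityID!spEntityID!opaque".
EPTID = "eduPersonTargetedID"
ENTITLEMENT = "eduPersonEntitlement"
IDLE_LIMIT = timedelta(days=2 * 365)  # slide 13: deny login once idle for 2 yrs

@dataclass
class LocalAccount:
    irods_user: str  # gridmap-style mapping target (slide 7)
    last_login: datetime

@dataclass
class Decision:
    allowed: bool
    irods_user: Optional[str]
    reason: str

def idp_of(eptid: str) -> str:
    """The IdP entity ID is the NameQualifier, the part before the first '!'."""
    return eptid.split("!", 1)[0]

def map_user(attrs: dict, accounts: dict, forever_unique_idps: set,
             required_entitlement: str, now: datetime) -> Decision:
    eptid = attrs.get(EPTID, "")
    if not eptid:
        return Decision(False, None, "IdP released no ePTID")
    if required_entitlement not in attrs.get(ENTITLEMENT, "").split(";"):  # AuZ, slide 6
        return Decision(False, None, "required entitlement not present")
    account = accounts.get(eptid)
    if account is None:
        return Decision(False, None, "no local mapping for this ePTID")
    # Federation rules allow an unused ePTID to be recycled after 2 yrs, so an idle
    # mapping may now name a different person: refuse unless this IdP never reuses IDs.
    if now - account.last_login >= IDLE_LIMIT and idp_of(eptid) not in forever_unique_idps:
        return Decision(False, account.irods_user, "idle >= 2 yrs, ePTID may be recycled")
    account.last_login = now
    return Decision(True, account.irods_user, "ok")

def demo() -> list:
    """Constructed sample: alice active, bob idle since 2006, carol at a never-reuse IdP."""
    idp, idp2, sp = "https://idp-a.example", "https://idp-b.example", "https://aspis.example/sp"
    ent = "urn:mace:example:aspis:user"  # constructed entitlement value
    accounts = {f"{idp}!{sp}!a1": LocalAccount("alice", datetime(2008, 6, 1)),
                f"{idp}!{sp}!b2": LocalAccount("bob", datetime(2006, 1, 1)),
                f"{idp2}!{sp}!c3": LocalAccount("carol", datetime(2005, 1, 1))}
    now = datetime(2008, 9, 10)
    return [map_user({EPTID: f"{i}!{sp}!{o}", ENTITLEMENT: ent}, accounts, {idp2}, ent, now)
            for i, o in ((idp, "a1"), (idp, "b2"), (idp2, "c3"))]
```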

14
Other Issues
  • QoS priority mappings for some users?
  • iRODS needs rebuild (or at least relink) when
    µservice changes

15
Current Status
  • iRODS deployed at Reading, RAL
  • Shibboleth IdP at RAL
  • DLS did not join the Federation at this time
  • Not quite ready for testing yet

16
Conclusion
  • Datastore for libraries, preservation
    • Interfacing to provenance mgmt
    • Replacing SRB
  • Single sign-on access via Shib
    • Usable
    • Secure