Identity Management for Virtual Organizations:
A Model
Von Welch, Bob Cowles, Craig Jackson
Tech-X October 30th, 2014
The “Good Old Days” Scientists were employees or students of the resource provider.
Image credit: Wikipedia
Image credit: Lawrence Livermore National Laboratory (via Wikipedia)
Then remote access… Scientists were no longer necessarily affiliated with the resource provider. IdM for remote scientists became common. Still managed directly.
Image credit: All About Apple Museum, Creative Commons Attribution-Share Alike 2.5 Italy
Growth of the scientific collaboration Number of scientists, institutions, resources. Large, expensive, rare/unique instruments. Increasing amounts of data.
The model of resource provider managing all their users eroded. Image credit: Ian Bird/CERN
Enter the Virtual Organization The virtual organization has proven itself as the key way of allowing large-scale, multi-organization science collaborations.
ATLAS: 3,000+ members, 177 institutions, 38 countries. CMS: 3000+ members, 172 institutions, 40 countries. ALICE: 1200+ members, 132 institutions, 36 countries. XSEDE: 10000+ users, 16 resources. LIGO: 800+ scientists, 56 institutions, 13 countries. Etc.
VO Identity Management
A number of approaches have been tried: VOMS, Glide-ins, Science gateways, COManage, Community/group accounts, etc.
We now have 15 years of applied experimentation in VO IdM.
Our Vision: Have identity management for collaboratories and virtual organizations well understood.
Our Mission: Develop a model that expresses the different collaboratory identity architectures and provides guidance to a collaboratory in the selection.
Extreme Scale Identity Management for Science (XSIM)
Research and develop a VO-IdM model to express the trust relationships between resource providers (RPs) and collaboratories.
Validate the model and determine the motivations that lead to different choices. Develop guidance to collaboratories and resource providers in architecting their IdM and trust choices.
Interviewees Collaboratories • Atlas • BaBar • Belle-II • CMS • Darkside • Engage • Earth System Grid • Fermi Space Telescope • LIGO • LSST/DESC
Resource Providers • Atlas Great Lakes T2 • FermiGrid • GRIF • U. Nebraska (CMS) • LCLS • RAL • GRIF/LAL • LLNL • NERSC • Blue Waters
VO IdM Model: Data-centric Production & Consumption
Identity data is produced to provide functionality to other workflows when needed.
Identity data is consumed to perform these functions.
Functionality: authentication, authorization, allocation/scheduling, accounting, auditing, user support, incident response.
Model IdM Data: (1) User identifier, (2) User contact info, (3) VO membership/role.
Identity Data Flow in the “Classic Model”
[Figure: data-flow diagram with a single RP box. Functions: Authn, Authz, Audit, Accounting, Incident Response, User Support. Data: User IDs & Contact info.]
RP produces and consumes all IdM information.
Identity Data Flow in Multi-user Pilot Jobs
[Figure: data-flow diagram. PKI supplies User Identity. The RP box lists Authn, Authz, Allocations/Scheduling, Incident Response and User Support. The VO box supplies VO Membership and User contact info.]
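The two data-flow slides above describe the same model with different producers: in the Classic Model the RP produces and consumes everything, while with multi-user pilot jobs a PKI produces the user identity and the VO produces membership and contact data. The following is an added example (not code from XSIM or the authors) that encodes that production/consumption model and derives from it the cross-party trust relationships the model is meant to express. Which data items each function needs, the party name "PKI", and the assumption that the RP performs every function listed in its box on the pilot-job slide are my choices for this illustration, not statements from the slides.

```python
"""Data-centric production/consumption model of VO identity management.

Added illustration, not XSIM project code. Party names, the item each
function needs, and which party performs which function are assumptions.
"""
from dataclasses import dataclass

# The three identity data items named in the model.
USER_ID = "user identifier"
CONTACT = "user contact info"
MEMBERSHIP = "VO membership/role"

# Functions that consume identity data, and the items each one needs.
# (Assumed for this example; the slides only list the functions.)
FUNCTION_NEEDS = {
    "authn": {USER_ID},
    "authz": {USER_ID, MEMBERSHIP},
    "allocation/scheduling": {MEMBERSHIP},
    "accounting": {USER_ID},
    "auditing": {USER_ID},
    "user support": {USER_ID, CONTACT},
    "incident response": {USER_ID, CONTACT},
}


@dataclass(frozen=True)
class Dependency:
    """The party performing `function` relies on `item` produced by `producer`."""
    consumer: str
    producer: str
    item: str
    function: str


@dataclass
class IdMArchitecture:
    name: str
    producers: dict   # data item -> party that produces it
    performers: dict  # function -> party that performs it

    def trust_dependencies(self) -> set:
        """Every edge where a function's performer consumes identity data
        produced by a different party. Each edge is a trust relationship the
        consumer must establish and manage (e.g. RP trusting the VO's roster)."""
        deps = set()
        for function, party in self.performers.items():
            for item in FUNCTION_NEEDS[function]:
                producer = self.producers.get(item)
                if producer is None:
                    raise ValueError(
                        f"{self.name}: {function} needs {item!r} but no party produces it")
                if producer != party:
                    deps.add(Dependency(party, producer, item, function))
        return deps

    def trusted_parties(self, consumer: str) -> set:
        """Parties whose identity data `consumer` depends on."""
        return {d.producer for d in self.trust_dependencies() if d.consumer == consumer}

    def has_missing_producer(self) -> bool:
        """True if some performed function needs an item nobody produces."""
        return any(self.producers.get(item) is None
                   for f in self.performers for item in FUNCTION_NEEDS[f])


# Classic Model slide: the RP produces and consumes all IdM information.
CLASSIC = IdMArchitecture(
    name="classic",
    producers={USER_ID: "RP", CONTACT: "RP", MEMBERSHIP: "RP"},
    performers={f: "RP" for f in FUNCTION_NEEDS},
)

# Multi-user pilot jobs slide: PKI produces the user identity, the VO produces
# membership and contact info. Assumed here: the RP performs every function
# listed in its box on that slide.
PILOT_JOBS = IdMArchitecture(
    name="multi-user pilot jobs",
    producers={USER_ID: "PKI", CONTACT: "VO", MEMBERSHIP: "VO"},
    performers={f: "RP" for f in ("authn", "authz", "allocation/scheduling",
                                  "incident response", "user support")},
)

# Constructed incomplete architecture: nobody produces contact info, so the
# RP cannot actually perform incident response. The model check catches it.
BROKEN = IdMArchitecture(
    name="broken",
    producers={USER_ID: "PKI", MEMBERSHIP: "VO"},
    performers={"incident response": "RP"},
)


def summarize(arch: IdMArchitecture) -> str:
    """Human-readable list of the trust relationships an architecture implies."""
    deps = sorted(arch.trust_dependencies(), key=lambda d: (d.function, d.item))
    if not deps:
        return f"{arch.name}: no cross-party trust"
    return "\n".join([f"{arch.name}:"] + [
        f"  {d.consumer} trusts {d.producer} for {d.item} ({d.function})" for d in deps])


if __name__ == "__main__":
    print(summarize(CLASSIC))
    print(summarize(PILOT_JOBS))
    print("broken architecture missing a producer:", BROKEN.has_missing_producer())
```

Running it lists no cross-party trust for the classic case and eight RP-to-PKI or RP-to-VO edges for the pilot-job case; the point of writing the model this way is that every delegated data item surfaces as an explicit trust relationship rather than staying implicit in the diagram.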
Pros of RP Delegation of IdM
• Complexity of Roles
• Scale and Dynamicity
• VO-wide collaboration services
• Alignment with RP’s mission
• Established Trust Relationships
• VO Expertise and Available Effort
• Traceability Mechanisms
Cons
• Historical Inertia
• Risk Aversion
• Compliance and Assurance Requirements
• Technology Limitations
Conclusion Virtual Organizations have become essential for scientific computing.
XSIM vision is to improve scientific computing by better understanding how to do identity management for VOs.
Based on 18+ interviews, we have developed a model for describing VO IdM based on IdM data production and consumption.
Thank you. Questions?
Von Welch ([email protected])
http://cacr.iu.edu/collab-idm
We thank the Department of Energy Next-Generation Networks for Science (NGNS) program (Grant No. DE-FG02-12ER26111) for
funding this effort.
The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the
sponsors or any organization.