Extreme-scale Identity Management for Scientific Collaborations
Transcript of Extreme-scale Identity Management for Scientific Collaborations
Extreme-scale Identity Management for Scientific Collaborations
Von Welch (PI), Bob Cowles, Craig Jackson
2015 DOE NGNS PI Meeting
September 17, 2015
Our Context, Mission, Approach...
The virtual organization (VO)/collaboratory has emerged as key enabler of science. VOs have been incorporated into traditional user-to-resource provider identity management (IdM) in numerous ways.
Atlas, CMS, KBase, NFC, ESGF, etc.
Our mission is to develop a VO-IdM model that (a) expresses and explains observed variations in collaboratory identity architectures and (b) can be leveraged for implementation heuristics.
Approach: Semi-structured interviews with 20+ VO-RP relationships, analysis, publication, and feedback.
Some core findings….
1. The VO nearly always alters the traditional direct trust relationship between users and resource providers (RPs).
2. That alteration manifests itself as the RP-to-VO delegation of IdM tasks based on trust.
E.g. LSST, LCLS, FST, LIGO
Classic DOE Lab
Some core findings….
3. There are a number of factors motivating and demotivating that delegation.
4. Trend is toward transitive trust, utilizing the VO’s capacity to represent its members.
5. Identity Management can be represented as data flows.
● Scaling and Dynamicity of VO● Complex VO roles and policies● VO-run collaboration services● VO using multiple RPs
E.g. OSG
Project Outputs: cacr.iu.edu/collab-idm
Robert Cowles, Craig Jackson, and Von Welch. Identity Management Factors for HEP Virtual Organizations. 20th International Conference on Computing in High Energy and Nuclear Physics (CHEP2013), 2013. http://www.vonwelch.com/pubs/CHEP2013
Robert Cowles, Craig Jackson, and Von Welch. Identity Management for Virtual Organizations: An Experience-Based Model. eScience 2013, 2013. http://doi.ieeecomputersociety.org/10.1109/eScience.2013.47
Robert Cowles, Craig Jackson, Von Welch, and Shreyas Cholia. A Model for Identity Management in Future Scientific Collaboratories International Symposium on Grids and Clouds (ISGC) 2014, 2014. http://pos.sissa.it/archive/conferences/210/026/ISGC2014_026.pdf
Von Welch, Robert Cowles, and Craig Jackson. XSIM OSG IdM Guidance OSG-doc-1199, July 2014. http://osg-docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1199
Robert Cowles, Craig Jackson, and Von Welch. Facilitating Scientific Collaborations by Delegating Identity Management: Reducing Barriers & Roadmap for Incremental Implementation, CLHS '15 Proceedings of the 2015 Workshop on Changing Landscapes in HPC Security, 2015. http://hdl.handle.net/2022/20357
Lessons learned...
I assume everyone had plenty of time to study our poster last night.
Team Composition
Brilliant luck on my part.
An ex-DOE Lab CISO.
An ex-practicing lawyer.
Three very different perspectives - plus a ton of great DOE Lab connections.
Knowledge Rather than Code
No technical product - model and heuristics.
We need more broad retrospection outside of our silos.
Learning needs to be captured, disseminated, and absorbed.
Comprehensive andComprehensible Model
“Essentially, all models are wrong,
but some are useful.”-Box, G. E. P., and Draper, N. R., (1987), Empirical Model Building and Response Surfaces, John Wiley & Sons, New York, NY
Comprehensive enough to support a dialog between different communities and capture breadth of DOE science.
Simple enough to be understood and used.Aim to abide by 7±2 rule.
Evidence-based research
Not based on speculation or theory, but real-world experiences.
Challenge to arrange interviews, gather data, develop model.
Studying other models useful.
Getting feedback critical.
Collaboration Engagement at the Right Time
Validation in practice is hard - Projects only have a narrow window when they design!
Too soon and they are writing proposal. Too late and no one wants to revisit.
In retrospect, start finding first user on day one, long before first use.
Reaching the target audience
Target audience is implementors of science collaboratories.
No natural, cross-project gathering place. Closest is IT folks.
Encourage gathering of collaboratories and NGNS PIs at scales greater than 1-to-1?
Areas for Future Research
Work with collaboration from start-to-finish to validate model and heuristics.
Methods to enhance trust of collaboratories?
Scientific data taxonomy for trust and risk?
Thank you
http://cacr.iu.edu/collab-idm
We thank the Department of Energy Next-Generation Networks for Science (NGNS) program (Grant No. DE-FG02-12ER26111) for funding this effort.
The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the sponsors or any organization.