Virtual Organisations
Transcript of Virtual Organisations
24/04/23 META ACCESS MANAGEMENT SYSTEM
Slide 1
Virtual Organisations: Accommodating Research Groups in a Shibboleth Federation
Peter Schendzielorz
Macquarie University's E-Learning Centre of Excellence (MELCOE)
Slide 2
Contents
• Business Case
• Trusted Virtual Organisations
Slide 3
Business Case
What problem are we trying to solve?
Slide 4
Current R&D Project Startup
• Publish funding scheme
• Write grant application and submit
• Review and selection of applications
• MP informs successful applications
• Contract negotiations start... and get signed
• Recruitment starts... jobs are published... deadline closes... interviewing... offering jobs... starting to work
• Establish a web presence (server, URL, portal); membership admin
• Add collaboration SW (CMS, Wiki, forum, mailing lists, IM/VoIP/AV)
• Add research specific tools (GTK, Grid/HPC, etc.)
• Really start research (environment is working OK)
• Project ends (18m-36m)
Timeline marks shown on the slide: -1m, 0m, 2m, 6m, 8m, 11m, 13m
Slide 5
Proposed R&D Project Startup
• Publish funding scheme
• Contract gets signed before being allowed to submit
• Write grant application and submit. New: HR forms (people profiles), 1p executive summary, 1p deliverable summary, infrastructure requirements checklist (e.g. CMS, Wiki, etc.)
• Review and selection of applications
• Project infrastructure set up: project URL, Shibbolized portal (with summary descriptions, for anonymous and authN users), collaboration environment (CMS, Wiki, forum, mailing list server, IM/VoIP/AV, MyProxy if needed); self-registration through Shibboleth
• MP informs successful applications
• Recruitment starts... jobs are published... deadline closes... interviewing... offering jobs... starting to work
• Add research specific tools (GTK, Grid/HPC, etc.)
• Really start research (environment is working OK)
• Project ends (18m-36m)
Timeline marks shown on the slide: -1m, -3w, 0m, 3m, 5m
Slide 6
Virtual Organisations
Grouping identities in order to collaborate with resources
Slide 7
Possible Middleware: HE Infrastructure for Collaboration (architecture diagram)
Levels in the diagram: Federation Level; Institutions Level; Virtual Org. Level (intra-institution, eResearch project)
Components as labelled: WAYF <<SP>>; CA? <<SP>>; MyProxy server; Federation Services; IdP1@UQ, IdP2@UTS, IdPn@MQ ... <<SP>>; IR ...; MyProxy Client; SP: Wiki; SP: Forum; SP: CMS; GTK: Grid; GTK: HPC; GTK: Store; VO-AA; Gateway (CTS); <<SP>> CMS; <<SP>> VO Portal
Slide 8
IAM Suite (architecture diagram)
Components as labelled: GridSphere (Federation SP); Group Module; VO-IdP; VO-WAYF; AuthN; IM; Fedora (internal or external, e.g. IR); VO-SP: Forum; Federation; FedoraWeb; ShARPE; Autograph; Presence; PeoplePicker; Calendar; MyProxy; AuthZ Mgnr; VO-SP: LMS; VO-SP: Wiki; VO-SP: etc.; GTK: Storage; GTK: specific tools; GTK: Cluster; GTK: Equipm.; Search
Flows as labelled: Login via IdP; Receive assertions; Receive proxy cert.; AFS adaptor
Slide 9
TVO Conceptual Model (diagram)
Trust Virtual Organization functions:
• Identity Provider Management
• Service Provider Management
• Trust Relationship Management
• User / Group Management
• Resource & Service Management
• Trust-based Access Control
• Goal-oriented Workspaces
Parties connected to the TVO: User; Identity Provider 1, Identity Provider 2, ... Identity Provider m; Service Provider 1, Service Provider 2, ... Service Provider m
Slide 10
Demo
Current MAMS development in the VO space
https://vo.mams.org.au/tvo
Slide 12
VO-SP Manager (VO-SP Mngr)
Managed VO-SPs: Data store, Forum, Wiki
1. Create SP description (name, description, URL)
2. Add service levels (ARP)
3. Add SP-Roles for authZ
4. Default provisioning (based on VO-Role)
5. Publish SP
SP Wizard, Step 1: Create SP description (Add SP)
• SP name
• SP description
• Contact name
• Contact email
• ACS URL
Slide 13
RBAC within IAM Suite
• New member is invited to join (by email)
• VO-Role is set
• Provisioning:
  • Automatic: based on VO-Role
  • Automatic: based on VO-Group membership
  • Manually: added to VO-SP-Role
Slide 14
Example of RBAC (VO-SP AzMan)
VO-SPs: Data store, Forum, Wiki
GridSphere roles: GS-Role: Guest; GS-Role: Member (John Doe@MQ, Alice@ANU); GS-Role: Administrator (Bob@Monash)
VO-SP roles: Readers, Editors, Managers
PeoplePicker portlet: "Who are you looking for?" Select your buddy (member/group/role) within the Federation. Current selection: Your buddy: Carol
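As an added example, not code from the presentation or from the MAMS IAM Suite, the following Python models the provisioning flow of the two RBAC slides: a member's VO-Role and VO-Group memberships drive automatic SP-Role provisioning on a VO-SP, and a manual addition to a VO-SP-Role sits alongside them. The mapping Guest to Readers, Member to Editors and Administrator to Managers is an assumption read from the slide layout; the identities, the "data-curation" group and the rule format are constructed for the example. The point it adds beyond the slides is the deprovisioning asymmetry: automatic roles follow the VO state, manual grants do not, so they need an explicit removal step when a member leaves.

```python
from dataclasses import dataclass, field

# Constructed sample VO state (illustrative identities, not real accounts).
# A member is known by the federated identity asserted by their home IdP (user@IdP).
VO_ROLES = {
    "john.doe@MQ": "Member",
    "alice@ANU": "Member",
    "bob@Monash": "Administrator",
    "carol@UQ": "Guest",
}
VO_GROUPS = {"data-curation": {"alice@ANU"}}  # VO-Group -> members (constructed)


@dataclass
class VoServiceProvider:
    """One VO-SP (e.g. the Wiki) with its SP-Roles and its provisioning rules."""
    name: str
    sp_roles: frozenset
    role_rules: dict = field(default_factory=dict)   # VO-Role  -> SP-Role (automatic)
    group_rules: dict = field(default_factory=dict)  # VO-Group -> SP-Role (automatic)
    manual: dict = field(default_factory=dict)       # SP-Role  -> {members} (manual)

    def add_manual(self, member, sp_role):
        """Manual step from slide 13: a VO administrator adds a member to a VO-SP-Role."""
        if sp_role not in self.sp_roles:
            raise ValueError(f"{sp_role!r} is not an SP-Role of {self.name}")
        self.manual.setdefault(sp_role, set()).add(member)

    def deprovision(self, member):
        """Remove every manual grant for a member; automatic roles need no action."""
        for members in self.manual.values():
            members.discard(member)

    def effective_roles(self, member, vo_roles, vo_groups):
        """SP-Roles the member holds now. Automatic roles are recomputed from the
        current VO state on every call, so a VO-Role change takes effect at once."""
        roles = set()
        vo_role = vo_roles.get(member)
        if vo_role in self.role_rules:
            roles.add(self.role_rules[vo_role])
        for group, members in vo_groups.items():
            if member in members and group in self.group_rules:
                roles.add(self.group_rules[group])
        roles.update(r for r, members in self.manual.items() if member in members)
        return roles & self.sp_roles

    def is_authorized(self, member, sp_role, vo_roles, vo_groups):
        """Access decision the VO-SP would make for one SP-Role."""
        return sp_role in self.effective_roles(member, vo_roles, vo_groups)

    def manual_grants(self):
        """Manual grants survive VO-Role changes; list them for periodic review."""
        return {(m, r) for r, members in self.manual.items() for m in members}


def build_wiki():
    """Wiki VO-SP configured as on slide 12: SP-Roles plus default provisioning rules."""
    wiki = VoServiceProvider(
        name="Wiki",
        sp_roles=frozenset({"Readers", "Editors", "Managers"}),
        role_rules={"Guest": "Readers", "Member": "Editors", "Administrator": "Managers"},
        group_rules={"data-curation": "Managers"},
    )
    wiki.add_manual("carol@UQ", "Editors")  # manual exception for a Guest (constructed)
    return wiki


def role_table(sp, vo_roles, vo_groups):
    """Snapshot of effective SP-Roles per known member."""
    members = set(vo_roles) | {m for _, m in ((r, m) for r, ms in sp.manual.items() for m in ms)}
    return {m: sorted(sp.effective_roles(m, vo_roles, vo_groups)) for m in sorted(members)}


if __name__ == "__main__":
    wiki = build_wiki()
    for member, roles in role_table(wiki, VO_ROLES, VO_GROUPS).items():
        print(f"{member:16} {roles}")
    # Carol leaves the VO: her automatic Readers role vanishes with her VO-Role,
    # but the manual Editors grant stays until deprovision() is called.
    after_leaving = {m: r for m, r in VO_ROLES.items() if m != "carol@UQ"}
    print("carol after leaving:", wiki.effective_roles("carol@UQ", after_leaving, VO_GROUPS))
    print("manual grants to review:", wiki.manual_grants())
```

Running the block prints the role table and then shows that Carol keeps Editors on the Wiki after her VO-Role is gone, which is why manual VO-SP-Role grants should be reviewed or removed as part of offboarding rather than relying on the VO-Role alone.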
Slide 15
VOs Across Federations
• A use/business case for connecting federations?
• VO-WAYF can act as WAYF for IdPs
• VO-bridge possibly scalable to connect federations
Slide 16
Final Summary
VO:
• Leverages primary IdP for authN & identity
• VO-AA manages VO-specific (group, authZ) attributes
• VO-WAYF manages trusted IdPs
• Any Shibbolized Web App can be plugged in
• JSR168 Portlets can be plugged into GridSphere
• Shibbolized MyProxy server creates proxy certificates for access to the Grid
• A development challenge, not research
• Requires collaboration within the sector (!reinvent)
• Solutions should be open source (funding body's role)
Slide 17
Virtual Organisations: Accommodating Research Groups in a Shibboleth Federation
Peter Schendzielorz
Macquarie University's E-Learning Centre of Excellence (MELCOE)