541bab690342868678fb3e70eb887c52.ppt
- Number of slides: 29
Building from Bedrock: Tailoring Technology to Collaboration
Topics
• Updates on the bedrock
  • Internet identity
  • InCommon today
  • InCommon the next twelve months
• Collaboration Management Platforms
• Virtual Organizations and their IdM and access control needs
• Building from Bedrock
  • The activities
  • The early lessons
  • Next steps
kjk@internet2.edu
In the last few years…
• Internet identity has become pervasive, in two flavors
  • A rapidly growing, but still maturing, federated identity infrastructure, particularly in the R&E sector globally
  • A set of theoretically interoperable social identity providers serving large masses of social and low-risk applications
• Federated uses vary by country and sector
  • In some countries, 100% of citizens, using it for government, research, educational and other uses
  • In the US, R&E and extensive federal/state government use
  • Verticals (medical, real estate, etc.) building federated corporate identities
SAML federations worldwide - scope
Where We're Headed
• The trust infrastructure
  • An international peering of SAML R&E federations, with common attributes and LoA, with some careful integration of other identity approaches (e.g. Social2SAML)
  • Privacy-preserving real-time inter-realm authentication and attribute exchange across all applications
• The collaboration/VO IdM overlay
  • Services that provide integrated VO identity and access management to both domain and collaboration apps
  • Leverages trust infrastructure, enterprise and VO attributes, etc.
It is a work in progress
• Still immature
  • Not all institutions are in a federation
  • Not all institutions populate all base-level attributes
  • User-managed attribute release beginning
• Gaps still being worked
  • Non-web apps just getting standardized by the IETF (GSS-API enhancements, enabling federated SSH)
  • Interfederation
  • Social2SAML
InCommon today
• 200+ universities, 350+ total participants, growth still rapid
• Traditional uses continue to grow:
  • Outsourced testing services, outsourced travel, access to software, access to licensed content, etc.
• New uses bloom:
  • Access to wikis, shared services, cloud services, calendaring, command-line apps, etc.
• Certificate services:
  • You'll come for the cheap SSL, you'll stay for the personal certs – signing, encryption, wireless
InCommon – the next year
• Growth and managing growth
• Silver – higher levels of assurance
• uApprove – end-user attribute management
• Personal certificates
  • Powerful old technology
  • Authentication, signed email, signed documents, encryption, etc.
• Solidifying campus participation
Collaboration Management Platforms
• An integrated "collaboration identity management system"
  • Provides basic group and role management for a group of federated users
  • Plugs into federated infrastructure to permit automatic data management
• A growing set of applications that derive their authentication and authorization needs from such external systems
  • Collaboration apps – wikis, lists, calendaring, netmeeting
  • Domain apps – instruments, databases, computers, storage
From the Collaboration Perspective
• Scalable actions expected (or at least hoped for) in a CMP:
  • Create and delete/archive users, accounts, keys
  • Group management on an individual and CMP-wide scale
  • Permit or deny access to wiki pages, calendars, computing resources, version control systems, domain apps, etc.
  • Domesticated applications to meet the needs of the VO
  • Usage reporting
  • Metering and throttling
10 – 3/15/2018, © 2011 Internet2
CMP from the technical perspective
• A combination of enterprise tools refactored for VOs
  • Shib, Grouper, directories, etc.
• A person registry with automated life-cycle maintenance
  • Includes provisioning and deprovisioning
• A place to create and maintain local attributes
  • Using groups and roles
• A place to combine local and institutional attributes for access to applications
• A place to push/pull attributes to domesticated applications
  • Collaboration apps – wikis, lists, net meetings, calendars, etc.
  • Domain apps – SSH, clusters, grids, iRODS, etc.
• Attributes delivered via SAML, LDAP, X.509, etc.
Deployment options for a CMP
• Proprietary approaches – Google Apps, MS Live
• Embedded in a portal or gateway
• As a stand-alone platform, assembled from components, with application servers around it
• In a cloud, with apps in the cloud
• As a national service
  • SURFnet – http://www.surfnet.nl/en/Thema/coin/Pages/Default.aspx
http://www.internet2.edu/comanage/
• A set of replaceable modules: user console, person registry, Shibboleth IdP and SP, Grouper, provisioning and deprovisioning, etc.
• A set of domesticated apps
• A kit, not a VM or a service
• Funded by an NSF SDCI grant and Internet2
• API developed for the platform now in use at LIGO
Domesticated Applications
• Wikis, chats, lists, Jabber, etc.
• Drupal, Moodle, Sakai, etc.
• Audioconferencing and netmeeting
• Ad hoc and group event calendaring
• SharePoint, WebEx, Adobe Connect, etc.
• File sharing, drop boxes, etc.
VOs
• Multi-institutional, usually multi-national collaborations
• Frequently centered on unique instruments (e.g. CERN, Sloan), data repositories (e.g. medical records, economic data), etc.
• Examples:
  • Hard sciences – LIGO, NEON, OOI, iPlant, GENI
  • Social sciences and humanities – Bamboo, CLARIN
• Use standard collaboration tools and domain tools, often in an integrated fashion
  • SSH to manage an instrument that populates a DB that a web browser accesses
General VO Characteristics
• Cluster around distinctive resources – instruments, databases, computational resources, historical records, etc.
• A VO is distinct from a general collaboration by formal roles, ownership of resources, real budgets, scholarly deliverables, accountability and audit requirements, etc.
• International by nature
• Less privilege crust than enterprises
• Some VOs are deep in science and less wide in outreach
• Some are as much wide as deep
VO Requirements for Identity Management
• Permit or deny access to wiki pages, calendars, computing resources, version control systems, file sharing and drop boxes, etc.
• Add or remove people from groups
• Create new subgroups, identify overlapping memberships, etc.
• Add people to mailing lists, wikis, etc.
• Ad hoc calendaring
• Create and delete/archive users, accounts, keys
• Identify group membership on a given date
• Usage reporting
More on the collaboration space
• How VO and enterprise IdM differ
  • VOs often have greater federation needs
  • VOs are generally built around unique data sets, instruments
  • VOs are often multi-institutional, multi-national
  • Enterprise IdM (usually) has a stronger LoA
  • Enterprise IdM (usually) has a stronger infrastructure
The "Bedrock" Grant
• Building from Bedrock: Infrastructure Improvements for Collaboration and Science – an NSF OCI grant (Fall 2010)
• Focus on further developing and integrating tools to allow collaborations to operate efficiently in the IdM space
  • COmanage
  • Grouper
  • Shibboleth
• Beginning the art of tailoring technology to collaboration
http://www.internet2.edu/bedrock/
The art of tailoring
• Fitting identity and access management systems to collaborations
  • Serve both the collaboration and domain apps
  • Leverage and plumb into emergent federated identity infrastructure
• Collaborations are like snowflakes – no two are alike. A big variety in the needs and styles of collaborations
• Work with the collaboration to analyze their needs – for most, "gee, we never thought about things this way…"
Engaged VOs
• LIGO – www.ligo.org – high-profile international gravitational physics
• iPlant – www.iplantcollaborative.org – comprehensive cyberinfrastructure for plant biology
• Bamboo – http://projectbamboo.org/ – comprehensive cyberinfrastructure for arts and humanities
• GENI – www.geni.net – NSF next-generation Internet research
• Earth Science Women's Network – http://www.sage.wisc.edu/eswn/ – international peer-mentoring for women in earth sciences
VO Requirements distilled: Identity and Access Control
• Leverage federated identity
• Use groups for primary access control – understandable to most
• Integrate with campus processes (identity management, course memberships, citizenship and other attributes)
• Emphasis on some unusual functions
  • Historical views of group memberships
  • Usage reporting for funders' consumption
Integration of identity and access control
• Identity and access control (groups) need to integrate across three science environments
  • Command-line-managed instruments generate data feeds that populate databases
  • Using web browsers, scientists access the database, mark events, set data feeds, etc.
  • Other communities come in through science gateways and portals
• Federated identity and domestication of applications are needed
• Automated provisioning and deprovisioning a big win
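The group-based access control the preceding slides ask for (a CMP that combines local and institutional attributes, that can say who was in a group on a given date, and that deprovisions departed collaborators) is illustrated below with an added Python example. This is illustrative code written for this page, not COmanage or Grouper: the VO registry is an append-only membership log replayed to any date, and the access decision joins the federated attributes eduPersonPrincipalName and eduPersonAffiliation (real eduPerson attribute names) with VO group membership. The policy table, application names, group names and principals are constructed for the example.

```python
"""Point-in-time VO group membership plus a federated access decision.

Added example for this page; hypothetical code, not COmanage or Grouper.
Every group, app and principal name below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class MembershipEvent:
    """One add or remove of a principal in a VO group, effective on a date."""
    principal: str   # eduPersonPrincipalName asserted by the home IdP
    group: str
    action: str      # "add" or "remove"
    effective: date


@dataclass
class VORegistry:
    """Append-only membership log; the state on any date is derived by replay,
    which is what makes 'who was a member on date X' answerable later."""
    events: list = field(default_factory=list)

    def add(self, principal, group, on):
        self.events.append(MembershipEvent(principal, group, "add", on))

    def remove(self, principal, group, on):
        self.events.append(MembershipEvent(principal, group, "remove", on))

    def deprovision(self, principal, on):
        """Close every open membership of a departed collaborator."""
        for group in self.groups_of(principal, on):
            self.remove(principal, group, on)

    def members(self, group, on):
        """Members of `group` as of `on` (inclusive), replaying the log in
        date order; the stable sort keeps same-day events in insertion order."""
        current = set()
        for ev in sorted(self.events, key=lambda e: e.effective):
            if ev.group != group or ev.effective > on:
                continue
            if ev.action == "add":
                current.add(ev.principal)
            else:
                current.discard(ev.principal)
        return current

    def groups_of(self, principal, on):
        """Groups the principal belonged to on `on`."""
        candidates = {ev.group for ev in self.events if ev.principal == principal}
        return {g for g in candidates if principal in self.members(g, on)}


# Constructed policy: app -> (required VO group, acceptable home affiliations).
POLICY = {
    "vo-wiki": ("vo-members", {"member", "faculty", "staff", "student"}),
    "instrument-ssh": ("instrument-ops", {"faculty", "staff"}),
}


def authorize(registry, app, saml_attrs, on):
    """Deny unless the IdP asserted a stable identifier, an acceptable
    affiliation, AND the VO registry lists the principal in the app's group."""
    group, affiliations = POLICY[app]
    eppn = saml_attrs.get("eduPersonPrincipalName")
    if not eppn:
        return False
    if not set(saml_attrs.get("eduPersonAffiliation", ())) & affiliations:
        return False
    return eppn in registry.members(group, on)


def demo():
    """Constructed scenario: one collaborator gains and then loses access."""
    reg = VORegistry()
    reg.add("alice@uni-a.example", "vo-members", date(2011, 1, 10))
    reg.add("alice@uni-a.example", "instrument-ops", date(2011, 2, 1))
    reg.add("bob@uni-b.example", "vo-members", date(2011, 3, 1))
    reg.deprovision("alice@uni-a.example", date(2011, 6, 30))
    alice = {"eduPersonPrincipalName": "alice@uni-a.example",
             "eduPersonAffiliation": ["faculty", "member"]}
    bob = {"eduPersonPrincipalName": "bob@uni-b.example",
           "eduPersonAffiliation": ["student", "member"]}
    return {
        "alice_ssh_march": authorize(reg, "instrument-ssh", alice, date(2011, 3, 15)),
        "alice_ssh_july": authorize(reg, "instrument-ssh", alice, date(2011, 7, 1)),
        "bob_ssh": authorize(reg, "instrument-ssh", bob, date(2011, 3, 15)),
        "bob_wiki": authorize(reg, "vo-wiki", bob, date(2011, 3, 15)),
        "members_feb": sorted(reg.members("vo-members", date(2011, 2, 15))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points follow the slides' requirements: the log is never rewritten, so a funder's "who had access in February" question is answered by replay rather than by a snapshot that happens to survive; and the decision needs both the institutional attribute and the VO group, so a collaborator whose home IdP downgrades their affiliation loses access even before the VO deprovisions them.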
VO Requirements: Applications
• Collaborative
  • Federated, access-controlled wikis
  • File shares and drop boxes
  • Lists, chats, ad hoc calendaring
  • Netmeetings, audioconferences, etc.
• Domain
  • VO databases
  • TeraGrid, Open Science Grid
  • Command-line apps
Single Profile
• As VOs get more data-centric in nature, profiles are the automated way to match users with new data sources, and a simple access control mechanism
• The controlled vocabulary/ontology aspects of profiles need active management tools as well as storing the profiles and managing releases
• Some of the new NSF data nets are using multiple profiles; single profile is the next single sign-on…
• VIVO is an important building block for answers here – http://www.vivoweb.org/
Tailoring dimensions - 1
• Breadth of outreach
• Depth of science
• Size of the collaboration and capabilities of IT staff
• Locus of collaborators
  • Global scheduling, availability of identities, etc.
Tailoring dimensions - 2
• Dataness of collaboration
• Management style of collaboration
• Nature of collaborators
  • Balance of tools, communicating styles, etc.
• Autonomy of collaborations
  • When to include vs. federate
Next Steps
• Enhanced collaboration management – prerequisites, thresholds, cross-application quotas, etc.
• Continued domestication of applications, including non-web apps
• Improved user interfaces – OpenSocial, etc.
• Integration with other international collaboration platforms
• Directly plumbing into infrastructure
  • Class lists dynamically into VO permissions
  • Higher-assurance authentication of secure applications
• VAMP (VO Camp)