
Interoperability and Integration of VO-Management Technologies in D-Grid


An Authentication and Authorization Infrastructure (AAI) is required to enable users to access the pooled resources of a Grid transparently. In Virtual Organizations (VOs), scientists spread across different countries and institutes work together in projects and working groups. These VOs are key elements for the efficient usage of Grid infrastructures. In common Grid infrastructures, security issues (e.g. data security) play a major role and have to be considered on all layers of VO creation and management. Both tasks are already handled in the D-Grid Infrastructure (DGI) projects (FG 1.10 VO Management and FG 3.4 Building an AA Infrastructure for the D-Grid).

A requirements analysis carried out in the first months of the two projects mentioned above indicated that different Communities have different requirements with respect to VO and AA management. The Communities follow several distinct approaches:

  • Communities that have been collaborating in Grid projects with international partners for years prefer a central VO-Management approach as provided by VOMS. The High Energy Physics Community, for example, prefers this approach.
  • Communities in which the majority of users do not yet collaborate via Grids prefer the Shibboleth approach, which utilizes the institutional identity management systems. This approach facilitates the fast provisioning of Grid environments for these users. The Climate Research Community, for example, prefers this approach.
  • UNICORE-based Communities currently only make use of the UNICORE-internal authorization mechanisms, which do not support VOs.

DGI will create a common, sustainable Grid platform for e-science in Germany and support the Communities according to their requirements. The establishment and use of different VO-Management systems contradicts the goal of a common and universal Grid infrastructure. With the current resources of the DGI work packages FG 1.10 and FG 3.4 it is not possible to develop interoperable services for VOMS and Shibboleth.

The project “Interoperability and Integration of VO-Management Technologies in D-Grid” will develop services that enable the integration of VOMS and Shibboleth-based VO-Management systems in D-Grid. This project will be carried out in close cooperation between the DGI and the Community projects.


Project Description

The different D-Grid Communities utilize both different Grid middleware and different authentication and authorization techniques (or interfaces, i.e. an AAI). D-Grid features three middleware systems supported by DGI: gLite, Globus Toolkit 4 (GT4) and UNICORE 5. The authentication mechanisms in D-Grid are based on Shibboleth and X.509. VOMS is used for authorization (in the case of X.509 authentication) and supports the usage of Shibboleth attributes. The UNICORE version currently utilized in D-Grid does not support Virtual Organizations.
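To make concrete how authorization information from the two sources named above (VOMS attributes issued for X.509 credentials, and Shibboleth attributes released by a user's home organization) can be normalized into one role model for a uniform access decision, here is an added Python example. It is not code from this project, from VOMS or from Shibboleth. The FQAN syntax follows the public VOMS convention `/vo/group/Role=r/Capability=c`; the `urn:x-example:vo:` entitlement scheme, the `ResourcePolicy` format, the parent-group rule and the two sample users are assumptions constructed for the example.

```python
"""Normalize VOMS FQANs and Shibboleth eduPersonEntitlement values into a
common VO role model and evaluate a simple per-resource policy.

Constructed example: the entitlement URN scheme, the policy format and the
sample users are assumptions, not D-Grid or VOMS conventions."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Public VOMS FQAN syntax: /vo[/group[/subgroup...]][/Role=r][/Capability=c]
FQAN_RE = re.compile(
    r"^/(?P<vo>[^/=]+)"                   # VO name
    r"(?P<groups>(?:/[^/=]+)*)"           # optional group / subgroup path
    r"(?:/Role=(?P<role>[^/=]*))?"        # optional role
    r"(?:/Capability=(?P<cap>[^/=]*))?$"  # optional capability (ignored here)
)

# Assumed URN scheme used by the (hypothetical) federation for VO entitlements.
ENTITLEMENT_PREFIX = "urn:x-example:vo:"


@dataclass(frozen=True)
class VoRole:
    vo: str
    group: str            # "/" denotes the VO root group
    role: Optional[str]   # None: plain membership without a role


def parse_fqan(fqan: str) -> VoRole:
    """Parse a VOMS FQAN; malformed input is rejected, not silently accepted."""
    m = FQAN_RE.match(fqan)
    if not m:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    role = m.group("role")
    if role in (None, "", "NULL"):   # VOMS writes Role=NULL for "no role"
        role = None
    return VoRole(m.group("vo"), m.group("groups") or "/", role)


def parse_entitlement(value: str) -> Optional[VoRole]:
    """Map urn:x-example:vo:<vo>[:group:<g>][:role:<r>] to a VoRole.
    Entitlements outside this scheme are ignored (None)."""
    if not value.startswith(ENTITLEMENT_PREFIX):
        return None
    parts = value[len(ENTITLEMENT_PREFIX):].split(":")
    vo, rest = parts[0], parts[1:]
    group, role = "/", None
    while len(rest) >= 2:
        key, val = rest[0], rest[1]
        if key == "group":
            group = "/" + val
        elif key == "role":
            role = val
        else:
            return None
        rest = rest[2:]
    if rest or not vo:
        return None
    return VoRole(vo, group, role)


def roles_from_credentials(fqans: Iterable[str] = (),
                           entitlements: Iterable[str] = ()) -> Set[VoRole]:
    """Merge both attribute sources into one set of VO roles."""
    roles = {parse_fqan(f) for f in fqans}
    for e in entitlements:
        r = parse_entitlement(e)
        if r is not None:
            roles.add(r)
    return roles


@dataclass(frozen=True)
class ResourcePolicy:
    vo: str
    group: str = "/"
    role: Optional[str] = None   # None: membership of the group suffices


def is_authorized(policy: ResourcePolicy, roles: Set[VoRole]) -> bool:
    """Grant access if some role satisfies the policy. Assumption used here:
    membership of a subgroup implies membership of its parent groups, but a
    role is only valid in the exact group it was granted for."""
    parent_prefix = policy.group.rstrip("/") + "/"
    for r in roles:
        if r.vo != policy.vo:
            continue
        if r.group == policy.group:
            if policy.role is None or r.role == policy.role:
                return True
        elif policy.role is None and r.group.startswith(parent_prefix):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample users: one with a VOMS proxy, one with Shibboleth attributes.
    hep_user = roles_from_credentials(fqans=[
        "/dgrid/Role=NULL/Capability=NULL",
        "/dgrid/analysis/Role=admin/Capability=NULL"])
    climate_user = roles_from_credentials(entitlements=[
        "urn:x-example:vo:dgrid:group:analysis",
        "urn:mace:dir:entitlement:common-lib-terms"])
    admin_only = ResourcePolicy(vo="dgrid", group="/analysis", role="admin")
    any_member = ResourcePolicy(vo="dgrid")
    for name, roles in (("hep_user", hep_user), ("climate_user", climate_user)):
        print(name, "admin_only:", is_authorized(admin_only, roles),
              "any_member:", is_authorized(any_member, roles))
```

The point of the two parsers is that the resource-side decision never has to know which middleware or AAI produced the attributes: both paths end in the same `VoRole` set, so one policy serves gLite, GT4 and UNICORE users alike.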

Multiple German national projects are currently examining the usage of Shibboleth-based infrastructures to provide uniform and comprehensive authentication and authorization of users. Shibboleth uses a distributed and decentralized approach that tightly couples a user to his home organization. The general advantages of Shibboleth compared to other approaches include:

  • Shibboleth is highly scalable and provides simplified management through its distributed approach,
  • It preserves privacy by storing and administering all user data solely at the user's home organization, while giving the user full control over which data is forwarded for authorization,
  • High reliability of the stored information, provided it comes from a well-defined and well-managed identity management system of the home organization,
  • Direct integration of large user databases into Shibboleth-based services without major integration effort.

For these reasons a Shibboleth-based AAI is also appropriate for use in D-Grid. A sustainable integration requires comprehensive VO-Management that uses well-defined processes for both the centralized and the decentralized administration of users and their rights.


Project Goals

The overarching goals of the integration of Shibboleth into the D-Grid infrastructure and the enhancement of the corresponding VO-Management are:

  • The implementation of a comprehensive VO-Management, including the integration into Globus Toolkit 4, gLite and UNICORE, enables a uniform management of users and their rights. It will be used for authentication and authorization in the Communities, independent of the utilized Grid middleware.
  • The authentication of users in Shibboleth Grid environments is performed directly with the users' home organizations and is therefore tightly coupled to these organizations' practices for joining and leaving. The home organizations will be able to define the technical approaches for the users' authentication. Using such alternative approaches relieves the load on the common PKI-based approaches.
  • Communities with existing user databases can give a larger number of users access to Grid services by using Shibboleth. The previously required mass rollout of user certificates is no longer necessary.
  • The administrative overhead of renewing or revoking user certificates disappears. Moreover, the user no longer needs to renew his certificate on a regular basis.

Furthermore, the integration of Shibboleth in D-Grid benefits from similar projects in other application areas, for example the emerging DFN-AAI or on a European level the work of JRA5 in GÉANT2.


Goals of the individual Work Packages

AP1 Evaluation of International Shibboleth-based VO-Management projects:

  1. to evaluate the results or intermediate results of these projects conceptually and through practical tests,
  2. to summarize advantages and disadvantages of centralized and decentralized VO architectures,
  3. to participate in and contribute to the international discussion on VO-Management,
  4. to provide the basis for the selection of suitable technologies and products for D-Grid. This is required to avoid redundant developments and incompatible infrastructures.

AP2 Requirements on VO-Management from a Community Grid View:

  1. to identify quantitative requirements (size, amount, duration) of Community VOs, especially from the Earth Sciences (C3-Grid, Geogrid), the humanities (Text-Grid), the engineering Community (InGrid) and the medical Community (MediGrid),
  2. to identify qualitative requirements on VOs, e.g. complexity, modelling of roles and rights, and embedding in international Shibboleth federations and existing VO-Management structures,
  3. to describe, as use cases, the acceptable and necessary modes of use for users and administrators in this area, and to capture the resulting requirements.
    1. This especially implies requirements for dynamic and federated user provisioning, which is designed for comprehensive Communities and is thus independent of the infrastructure.
    2. Requirements towards the VO-Management architecture (VOs as managed objects) and its subparts.

AP3 Conception of Authorization on Grid Resources:

  1. Definition of rights based on roles and capabilities of the VO-Management and the requirements stated in AP2.
  2. Conception of resource specific authorization modules for the mapping of defined rights to functionalities.
  3. Definition of an information and communication model designed for federated authorizations.
  4. Definition of a set of atomic VO-Management services and adequate aggregation and composition services.

AP4 Integration and Development, Test:

  1. to verify and merge suitable technologies for D-Grid based on the evaluation of AP1,
  2. to provide user and administration interfaces for the realization of the VO-Management, as well as components for authorization,
  3. to provide a user interface for the selection of attributes and VO properties,
  4. realization of the VO administration architecture,
  5. authorization management and decision on resources,
  6. integration and test in Grid middleware.
    1. UNICORE - VOMS
    2. UNICORE - Shibboleth
    3. Liberty - Shibboleth
    4. UNICORE - Liberty

AP5 Preparation of the Transition to a D-Grid Service:

  1. to present and document the complete solution for the D-Grid,
  2. to provide a platform for the enhancement and evaluation by real users,
  3. to identify and to document missing, inefficient, ineffective, or not scalable functionalities,
  4. to provide the required deployment services for D-Grid.


Contributing project partners:

  • Alfred Wegener Institute (AWI)
  • DAASI International GmbH
  • Fraunhofer Institute SCAI
  • Leibniz Rechenzentrum (LRZ)
  • Regionales Rechenzentrum für Niedersachsen (RRZN) and Forschungszentrum L3S


Associated partners:

  • DFN-Verein
  • Forschungszentrum Jülich
  • SUN Microsystems GmbH
  • Universität Göttingen