DyVOSEStatus Report

Dr Richard SinnottTechnical Director National e-Science Centre

||| Deputy Director Technical Bioinformatics

Research Centre University of Glasgow

ros@dcs.gla.ac.uk NeSC Review

11th October 2004

Overview

The teamReview goals of DyVOSE project

Brief summary of technical approach

Outline achievements thus farPlans for the future

Project Participants

Dynamic Virtual Organisations in e-Science Education (DyVOSE) team

Principal Investigators Dr Richard Sinnott (NeSC Glasgow) Prof David Chadwick (Salford)

Developers Dr John Watt (NeSC Glasgow) Dr Sassa Otenko (Salford) Mr Tuan Anh Nguyen (Salford)

Other Key People Involved Dr David Berry (NeSC Edinburgh) Dr Sandy Shaw (EDINA)

Dynamic Virtual Organisations for e-Science Education (DyVOSE) project

Two year project started 1st May 2004 funded by JISCExploring advanced authorisation infrastructures for security in context of education

University of Salford provide authorisation software (PERMIS) and security expertise

Applied in Grid Computing module part of advanced MSc at the University of Glasgow

– Will provide insight into rolling out authorisation infrastructures/Grid to the masses

– Exploration of current state of the art in authorisation infrastructures

– Second phase of work will involve NeSC Edinburgh/EDINA– Extensions to the existing PERMIS infrastructure to provide

dynamic delegation of authority and recognition of authority

DyVOSE Overview

Phase 1Looking at applying existing PERMIS technology to establish static Privilege Management Infrastructure at GU

DyVOSE Workplan

ScotGrid

Authorisation decisions

Authorisation checks

PERMIS based authorisation

Education

VO policies

GU Condor pool

Other (known!) Grid resources

Phase 1 DeliverablesD1.1 Design of Educational Case StudiesD1.2 Installation of Software Infrastructure for Static Delegation Based PMID1.3 Detailed Design for Dynamic Delegation and Recognition of Authority

Development of course material Including 20 lectures, 10 tutorials, 3 problem sets, 1 (large ~30hr)

programming assignment To be taught by

– Richard Sinnott – Colin Perkins – John Watt – one lecture by Seamus Ross (National Digital Curation Centre)

DyVOSE Phase 1

Module OutlineWeek 1 Lecture 1 Introduction to Grid Computing

Lecture 2 Scalability and Heterogeneity Aspects of Grid

Week 2 Tutorial 1 Discussion of Seminal Grid Papers

Lecture 3 Open Standards and Architectures

Lecture 4 Implementations of the Grid Architecture

Week 3 Lecture 5 Resource Discovery/Information Services

Lecture 6 Web and Grid Services

Tutorial 2 GT3 Lab work

Week 4 Lecture 7 Grid Security Concepts

Lecture 8 Virtual Organizations

Lecture 9 Security in Practice

Week 5 Tutorial 3 Lab work investigating Grid Security implementations

Lecture 10 Job Scheduling and Management - Theory

Lecture 11 Job Scheduling and Management - Practice

Week 6 Tutorial 4 Discussion of Job Scheduling Papers

Lecture 12 Workflow Management

Tutorial 5 Q&A on Programming Assignment

Taught today

Module Outline …ctdWeek 7 Lecture 13 Data Access, Integration and Management

Lecture 14 Data Provenance and Curation*

Tutorial 6 Discussion of Data Management/Provenance

Week 8 Lecture 15 Data Transfer

Lecture 16 Peer-to-Peer Communication

Tutorial 7 Discussion of Networking Papers

Week 9 Lecture 17 Tools for Collaboration

Tutorial 8 Discussion on the Future of Grid Computing

Lecture 18 The Future of Grid Computing

Week 10 Lecture 19 Sample Applications

Lecture 20 Review of Major Concepts

Tutorial 9 Q & A

* Given by Seamus Ross (DCC at Glasgow)

Current PERMIS based PMI approach

PERMIS allows toDefine roles for who can do what on what

Policy = { Role x Target x Action }– Can user X invoke service Y and access or change data Z?

» Policies created with PERMIS PolicyEditor (output is XML file)

PERMIS based Authorisation

PERMIS based Authorisation ...ctd

PERMIS Privilege Allocator then used to associate roles with specific users

Signed policies are stored as attribute certificates in LDAP server

Exploiting the GGF AuthZ specification Generic way to authorise access to Grid services using SAML

callouts– Based on GT3.3 – PERMIS

» Grid service (WSDD) has policy information associated with it» DN of clients, target and actions checked when attempts made

to invoke services BRIDGES and DyVOSE only projects exploiting this API right now

(Von Welch at AHM 2004)

Phase 2 D2.1 Report on Practical Experiences and Best Practices in Static

Delegation Based PMI D2.2 Software implementing Dynamic Delegation and Authority

Recognition in PERMIS

Phase 3 D3.1 User Manuals and Administrator Guides on Using and Setting

up and Managing Dynamic Delegation Infrastructures D3.2 Report on Practical Experiences in Using Dynamic Delegation

Infrastructures as Part of e-Science Education D 3.3 NMI release of PERMIS that supports dynamic Delegation and

Recognition of Authority

DyVOSE Phase 2 and 3

DyVOSE Phase 2/3

ScotGrid

PERMIS based Authorisation

checks/decisions

Glasgow Education

VO policies

Condor pool

Edinburgh Education VO policies

Shibboleth

Blue Dwarf

Glasgow Edinburgh

Dynamically established VO resources/users

Delegated VO policies

Majority of lecture materials completedFirst lecture had over 50 students

Clear demand for Grid education/teaching materials!!!

Assignment/case study defined exploring authorisation infrastructure (and GT3.3/Condor)

Infrastructure established in NeSC Glasgow training laboratory

Initial design of dynamic PMI complete

Input to wider UK security requirements document(Being drafted by Howard Chivers)

Work Progress

Wrestling with GT3.3 and PERMIS integrationSome delays due to version issues with GT3.3

Basic authorisation complete but more complex authorisation aspects being investigated

Complexity of assignment issues?

Continued feedback on PERMIS tools Policy editor refinements

– Numerous discussions/meetings with Salford team on sorting out PERMIS-GT3.3 issues

Building on experiences of MSc of Anthony Stell (NeSC ETF Grid engineer) comparing different authorisation infrastructures

Work Progress …ctd

Achievements

Web site establishedhttp://www.nesc.ac.uk/hub/projects/dyvose

Poster at JISC meeting in Brighton

Poster at AHM 2004 in Nottingham

Course materials nearing completionProvided to EGEE training team

Future plans

Attendance at JISC Shibboleth training course

Feed experiences into wider Grid community (ETF AAA work)

Continued input to wider security requirements/scenario documents (and to STF?)

Applying experiences in other projects (VOTES)

Course materials to be presented at e-Science Education workshop at NeSC 1-2 November

Conduit for information from JISC Core Middleware projects and wider UK e-Science activities

Questions?