Diamond Moonshot Pilot Participation
Presentation to Networkshop43
Bill Pulford, Scientific I.T. Coordinator, Diamond Light Source
Exeter, April 1st 2015
Acknowledgements: Stefan Paetow (Janet/UK), DLS System Administrators
Examples of science
• Structure of the Histamine H1 receptor
• Understand rejection in hip implants
• Improving nutritional quality in wheat
• Bio-mimetics
• Tunable polymers
• Casting aluminium
Some Diamond Statistics
Data points from February 2015

No. users with fedids   Exp. Sessions 2014   Unique Users 2014   User sessions 2014
~8500                   > 2000               ~ 2800              > 7700
Evolution of data volumes - current volume = 3.012Pb, number of files = 782,921,258
Diamond Single Sign On Requirements
The principal base requirements of any system chosen should include:
• Our users should see no degradation of the services that we already provide; i.e. they can both authenticate via web interfaces and actually log in to beamlines to collect or analyse data.
• Scientists can work together in teams with each member choosing their own SSO method.
• Involve minimal coding or infrastructure changes on the part of the facility.
• Provide adequate security from external interference.
• Enable transparent access to remote computing and other resources and eliminate unnecessary data transfers.
• Facilitate integration of external proposal submission schemes into the local User Office administration software.
Web login using the added IdP:
• Umbrella provides users with a unique, persistent identity that allows them to log in to the web sites at any of the participating facilities and have access to the services offered.
Interactive session creation with added IdP and Moonshot (now JISC Assent):
• The service is now provided live by Janet UK in association with a number of international educational networks and with EU projects such as GEANT. This allows the use of your Umbrella ID actually to log in to beamline computers; i.e. I could use [email protected] to log in to a beamline at DLS and perhaps another simultaneously at a collaborating facility and acquire and/or analyse data.
Diamond SSO - Web and Interactive Session
Future Authentication
1) Fedid - Diamond, CLF and ISIS. The users do not like the usernames and passwords.
2) Umbrella - Part of PaNdata, involving most large facilities in Europe.
3) eduroam - Uses the RADIUS server, not Moonshot, but with limited security. The Chargeable User Identifier (CUI) must be returned to identify the requesting user.
Diamond’s Moonshot progress history
Completed:
• Connected Moonshot point of contact with eduroam authentication (June 2013)
• Added Umbrella as additional authentication source to PoC (late Aug 2013)
• Published Jasig CAS ABFAB authenticator on Maven Central (Nov 2013)
• Built Shibboleth ECP client together with DARIAH-DE (Dec 2013/Jan 2014)
• Launched pilot beamline with Moonshot + Umbrella using above (March 2014)
• Joined trust router network (September 2014)
To do:
Adapt the UAS to allow users to add/remove/modify account mappings (between home organisation and fedid).
1. Possibly allow users to pre-authorise themselves with their home account, so that when a fedid is assigned it is automatically applied to all the user mappings that have been added.
2. Allow User Office admins to delete/de-authorise mappings directly.
3. Enable search on mappings (e.g. to allow administrators to find a user rapidly).
Update the Diamond CAS ABFAB authentication client to bring it into compliance with the Moonshot specifications.
1. Needs to be able to do channel bindings and ensure internal security, such as destroying the username/password combination as soon as possible.
2. Expose all the attributes that are sent in a SAML assertion to the client, if necessary.
3. Correct the ownership of the ABFAB client and Shibboleth ECP clients with DARIAH-DE to DLS.
Exploiting SSO
[Diagram: three beamline panels (Diamond Beamline, ESRF Beamline, Soleil Beamline), each showing a User PC or User System, Linux instrument control, a wireless access point or 1000BaseT-or-faster link, local processing cluster, disk array, Data Store and Central CPU cluster; labelled "Authenticate Once Only".]
A user can perform the entire experimental process from proposal submission through data acquisition, data analysis to publication using one set of credentials. The diagram shows data acquisition at one facility while consulting data at another and using CPU resources of a third.
[Map labels: Soleil France, PSI Switzerland, Diamond UK]
Futures
[Diagram: Site / Facility 1, Site / Facility 2, Cloud, Academic Dept., Industrial Dept., Site / Publisher, ORCID/OpenAIRE, Interact, Data Repository, High Power Cluster.]
The Umbrella Project Authentication
The minimum user information possible is stored centrally to avoid Data Protection issues. The authentication is done by the user logging into the Umbrella central site – currently umbrellaid.org – to generate a Shibboleth token. Authorization is delegated to the facility site.
Minimum information necessary
Moonshot work at Diamond
• RADIUS uses username@realm for authentication
• PaNdata Umbrella IDs become ‘[email protected]’
• DLS FedIds become ‘[email protected]’
• Optionally, allow access as ‘FedId’ as usual (no realm)
• SSH access with either Moonshot ID card UI or file-based user credentials
• Web access through CAS with username@realm format + password
• Eventual console access same as CAS
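As an added example (not Diamond's UAS code), this models the username@realm routing above together with the account-mapping to-do items from the progress slide (user pre-authorisation, fedid assignment, admin de-authorisation); the realm names and the fedid value are constructed placeholders, and an unknown realm is refused rather than forwarded.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Identity source per realm. Realm names are constructed placeholders.
REALM_SOURCES = {"umbrella.example": "umbrella",   # PaNdata Umbrella IDs
                 "diamond.example": "fedid"}       # DLS FedIds via Moonshot

def parse_nai(login: str):
    """Split 'user@realm' as RFC 7542 does: the realm follows the LAST '@'.
    A bare name (no '@') is the optional plain-FedId login without a realm."""
    user, sep, realm = login.rpartition("@")
    if not sep:
        return login, None
    if not user or not realm:
        raise ValueError("malformed login name: %r" % login)
    return user, realm.lower()

@dataclass
class Mapping:
    home_id: str                  # e.g. 'alice@umbrella.example'
    fedid: Optional[str] = None   # assigned later by the User Office
    authorised: bool = True

@dataclass
class AccountMappings:
    entries: Dict[str, Mapping] = field(default_factory=dict)

    def pre_authorise(self, home_id: str) -> None:
        # To-do item 1: the user registers the home account before a fedid exists.
        self.entries[home_id.lower()] = Mapping(home_id.lower())

    def assign_fedid(self, fedid: str, home_ids: Iterable[str]) -> None:
        # When the fedid is issued, every pre-authorised mapping receives it.
        for hid in home_ids:
            self.entries.setdefault(hid.lower(), Mapping(hid.lower())).fedid = fedid

    def de_authorise(self, home_id: str) -> None:
        # To-do item 2: an admin revokes a mapping; the record stays for audit.
        self.entries[home_id.lower()].authorised = False

    def resolve(self, login: str) -> Optional[str]:
        """Local fedid this login runs as, or None when the login must be refused."""
        user, realm = parse_nai(login)
        if realm is None:                 # 'FedId as usual' path, no mapping needed
            return user
        if realm not in REALM_SOURCES:    # unknown realm: never forward or guess
            return None
        m = self.entries.get(("%s@%s" % (user, realm)).lower())
        return m.fedid if m and m.authorised and m.fedid else None
```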
What is ABFAB?
• Federated Identity for AuthN/AuthZ for any application/service
• Designed to take the best of breed of existing technologies, giving:
  – Security
  – Flexibility / wide scope
  – Ease of integration
  – Scaling
Fundamentals of ABFAB
• ABFAB builds on AAA technologies
  – EAP (RFC 3748): strong & extensible mutual authentication
  – RADIUS (RFC 2865) / RadSec (RFC 6614): federation between domains
• To this, ABFAB adds
  – SAML (OASIS standard), for rich authorisation semantics
  – Integration using operating system security APIs
    • SSPI: Windows
    • GSS-API (RFC 2078): Other operating systems
    • SASL (RFC 4422): Windows and other operating systems