Date post: 25-Aug-2018

Diamond Moonshot Pilot Participation

Presentation to Networkshop43
Bill Pulford, Scientific I.T. Coordinator, Diamond Light Source
Exeter, April 1st 2015

Acknowledgements: Stefan Paetow (Janet/UK), DLS System Administrators

The Diamond Light Source Outside

Inside

Diamond Beamlines

Examples of science

Structure of the Histamine H1 receptor

Understand rejection in hip implants

Improving nutritional quality in wheat

Bio-mimetics

Tunable polymers

Casting aluminium

Some Diamond Statistics

Data points from February 2015

No. users with fedids: ~8500
Exp. sessions 2014: > 2000
Unique users 2014: ~2800
User sessions 2014: > 7700

Evolution of data volumes: current volume = 3.012 PB, number of files = 782,921,258

Common users between facilities (2012)

Umbrella

Diamond Single Sign On Requirements

The principal base requirements of any system chosen should include:

•  Our users should see no degradation of the services that we already provide; i.e. both authenticate via web interfaces and actually log in to beamlines to collect or analyse data.
•  Scientists can work together in teams with each member choosing their own SSO method.
•  Involve minimal coding or infrastructure changes on the part of the facility.
•  Provide adequate security from external interference.
•  Enable transparent access to remote computing and other resources and eliminate unnecessary data transfers.
•  Facilitate integration of external proposal submission schemes into the local User Office administration software.

Web login using the added IdP:
•  Umbrella provides users with a unique, persistent identity that allows them to log in to the web sites at any of the participating facilities and have access to the services offered.

Interactive session creation with added IdP and Moonshot (now JISC Assent):
•  Service now provided live by Janet UK in association with a number of international educational networks and with EU projects such as GEANT. This allows the use of your Umbrella ID actually to log in to beamline computers, i.e. I could use [email protected] to log in to a beamline at DLS and perhaps another simultaneously at a collaborating facility and acquire and/or analyse data.

Diamond SSO - Web and Interactive Session

Future Authentication

1) Fedid - Diamond, CLF and ISIS. The users do not like the usernames and passwords.
2) Umbrella - Part of PaNdata, involving most large facilities in Europe.
3) eduroam - Uses the RADIUS server, not Moonshot, but with limited security. A Chargeable User Identifier (CUI) must be returned to identify the requesting user.

Diamond’s Moonshot progress history

Completed:
•  Connected Moonshot point of contact with eduroam authentication (June 2013)
•  Added Umbrella as additional authentication source to PoC (late Aug 2013)
•  Published Jasig CAS ABFAB authenticator on Maven Central (Nov 2013)
•  Built Shibboleth ECP client together with DARIAH-DE (Dec 2013/Jan 2014)
•  Launched pilot beamline with Moonshot + Umbrella using above (March 2014)
•  Joined trust router network (September 2014)

To do:

Adapt the UAS to allow users to add/remove/modify account mappings (between home organisation and fedid).
1.  Allow users possibly to pre-authorise themselves with their home account so that when a fedid is assigned, it is automatically assigned to all user mappings that have been added.
2.  Allow User Office admins to delete/de-authorise mappings directly.
3.  Enable search on mappings (e.g. to allow administrators to find a user rapidly).

Update the Diamond CAS ABFAB Authentication client to bring it into compliance with the Moonshot specifications.
1.  Needs to be able to do channel bindings and assure internal security, such as destroying the username/password combination as soon as possible.
2.  Exposure of all the attributes that are sent by a SAML assertion to the client if necessary.
3.  Correct the ownership of the ABFAB client and Shibboleth ECP clients (built with DARIAH-DE) to DLS.

Exploiting SSO

[Diagram: three beamlines (Diamond Beamline, ESRF Beamline, Soleil Beamline), each showing a User, a User System with Linux Instrument Control and a Linux User PC, a 1000BaseT or faster link, a Wireless Access Point, Local Processing (Cluster), a Disk array and Computers, all connected to shared Data Store and Central CPU cluster resources. Caption: "Authenticate Once Only".]

A user can perform the entire experimental process from proposal submission through data acquisition, data analysis to publication using one set of credentials. The diagram shows data acquisition at one facility while consulting data at another and using CPU resources of a third.

[Diagram labels: Soleil France, PSI Switzerland, Diamond UK]

Integrating External Proposal Submission

Possible project hierarchy

Futures

[Diagram: Sites (Facility 1, Facility 2, Cloud), Academic Dept., Industrial Dept., Publisher ORCID/OpenAIRE, Interact Data Repository, High Power Cluster]

Thank you all

The Umbrella Project Authentication

The minimum user information possible is stored centrally to avoid Data Protection issues. The Authentication is done by the user logging into the Umbrella central site (currently umbrellaid.org) to generate a Shibboleth token. Authorization is delegated to the facility site.

[Diagram: Umbrella, minimum information necessary]

Moonshot work at Diamond

•  RADIUS uses username@realm for authentication
•  PaNdata Umbrella IDs become ‘[email protected]’
•  DLS FedIds become ‘[email protected]’
•  Optionally, allow access as ‘FedId’ as usual (no realm)
•  SSH access with either Moonshot ID card UI or file-based user credentials
•  Web access through CAS with username@realm format + password
•  Eventual console access same as CAS
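The two slides that describe the identity scheme (RADIUS username@realm, with Umbrella IDs and DLS FedIds carrying different realms, and a bare FedId still allowed) and the UAS "to do" list (users pre-authorise home-organisation accounts, admins delete and search mappings) fit together as one small piece of logic: split the authenticated identity at its last "@", decide by realm whether the user part already is a fedid or must be looked up in the home-organisation-to-fedid mapping table, and refuse anything that is unmapped or from an unknown realm. The following Python is an added illustration of that logic and is not Diamond's UAS or CAS code; the slides redact the actual realm strings, so "umbrella.example" and "dls.example" are assumed placeholders, as are the sample identities and fedid values.

```python
"""Realm-based identity routing and home-organisation-to-fedid account
mapping, modelled on the username@realm scheme and the UAS "to do" list
on the slides. Added illustration, not Diamond's own UAS or CAS code.

The slides redact the real realm strings; 'umbrella.example' and
'dls.example' are assumed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

UMBRELLA_REALM = "umbrella.example"   # placeholder for the Umbrella realm
DLS_REALM = "dls.example"             # placeholder for the DLS realm
LOCAL_REALMS = {DLS_REALM}            # user part is already a fedid
FEDERATED_REALMS = {UMBRELLA_REALM}   # external identities that need a mapping


def parse_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split a RADIUS-style 'user@realm' into (user, realm).

    A bare username yields realm None (the "FedId as usual" case). The last
    '@' separates user and realm, so the user part may itself contain '@'.
    Realms are case-insensitive and normalised to lower case; the user part
    is left as given. Malformed identities raise ValueError.
    """
    if "@" not in identity:
        if not identity:
            raise ValueError("empty identity")
        return identity, None
    user, _, realm = identity.rpartition("@")
    if not user or not realm:
        raise ValueError(f"malformed identity: {identity!r}")
    return user, realm.lower()


@dataclass
class MappingStore:
    """Account mappings between home-organisation identities and fedids.

    Mirrors the three UAS items on the slides: users pre-authorise home
    accounts before a fedid exists, admins can delete mappings, and
    mappings are searchable.
    """
    mappings: Dict[str, str] = field(default_factory=dict)       # home id -> fedid
    pending: Dict[str, Set[str]] = field(default_factory=dict)   # user ref -> home ids

    def pre_authorise(self, user_ref: str, home_id: str) -> None:
        """Record a home account under a user reference (assumed here to be a
        User Office record key) before any fedid has been issued."""
        user, realm = parse_nai(home_id)
        if realm not in FEDERATED_REALMS:
            raise ValueError(f"realm {realm!r} is not a recognised home organisation")
        self.pending.setdefault(user_ref, set()).add(f"{user}@{realm}")

    def assign_fedid(self, user_ref: str, fedid: str) -> List[str]:
        """Once a fedid is assigned, complete every pending mapping for that
        user at once (UAS item 1). Returns the home ids that were mapped."""
        home_ids = sorted(self.pending.pop(user_ref, set()))
        for home_id in home_ids:
            self.mappings[home_id] = fedid
        return home_ids

    def remove(self, home_id: str) -> bool:
        """Admin deletion / de-authorisation of one mapping (UAS item 2)."""
        return self.mappings.pop(home_id, None) is not None

    def search(self, needle: str) -> List[Tuple[str, str]]:
        """Find mappings whose home id or fedid contains needle (UAS item 3)."""
        needle = needle.lower()
        return sorted((h, f) for h, f in self.mappings.items()
                      if needle in h.lower() or needle in f.lower())


def resolve_fedid(identity: str, store: MappingStore) -> Optional[str]:
    """Map an already-authenticated identity to the local fedid it may act as.

    Returns None when the identity must be refused: malformed, a realm that
    is neither local nor a recognised federation partner, or a federated
    identity with no mapping on file. Authentication itself (EAP/RADIUS)
    is assumed to have succeeded upstream; this is only the mapping step.
    """
    try:
        user, realm = parse_nai(identity)
    except ValueError:
        return None
    if realm is None or realm in LOCAL_REALMS:
        return user                      # a DLS fedid, with or without realm
    if realm in FEDERATED_REALMS:
        return store.mappings.get(f"{user}@{realm}")   # None if unmapped
    return None                          # unknown realm: never map


if __name__ == "__main__":
    store = MappingStore()
    store.pre_authorise("user-record-42", "alice@umbrella.example")
    print(resolve_fedid("alice@umbrella.example", store))   # None: no fedid yet
    store.assign_fedid("user-record-42", "abc12345")
    print(resolve_fedid("alice@umbrella.example", store))   # abc12345
```

The design point is that the mapping table, not the realm, is what grants a local account: a federated identity that authenticates correctly but has never been pre-authorised and assigned a fedid resolves to nothing, and removing the mapping is enough to de-authorise it without touching the home organisation.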

What is ABFAB?

•  Federated Identity for AuthN/AuthZ for any application/service
•  Designed to take the best of breed of existing technologies, giving:
   –  Security
   –  Flexibility / wide scope
   –  Ease of integration
   –  Scaling

Fundamentals of ABFAB

•  ABFAB builds on AAA technologies
   –  EAP (RFC 3748): strong & extensible mutual authentication
   –  RADIUS (RFC 2865) / RadSec (RFC 6614): federation between domains
•  To this, ABFAB adds
   –  SAML (OASIS standard), for rich authorisation semantics
   –  Integration using operating system security APIs
      •  SSPI: Windows
      •  GSS-API (RFC 2078): other operating systems
      •  SASL (RFC 4422): Windows and other operating systems

