ASPiS Security

ASPiS Security. Jens Jensen <j.jensen @ rl ac uk> Science and Technology Facilities Council AHM, 8-11 Sep 2008 Edinburgh. ASPiS collaborators. Mark Hedges, CeRch KCL Adil Hasan, Liverpool Andrea Weise, STFC/Reading Eric .., → CeRch KCL Jens Jensen, STFC JISC-funded project.


Presentation Transcript


  1. ASPiS Security
     Jens Jensen <j.jensen @ rl ac uk>
     Science and Technology Facilities Council
     AHM, 8-11 Sep 2008, Edinburgh

  2. ASPiS collaborators
     - Mark Hedges, CeRch KCL
     - Adil Hasan, Liverpool
     - Andrea Weise, STFC/Reading
     - Eric .. → CeRch KCL
     - Jens Jensen, STFC
     JISC-funded project

  3. Project Overview “New data grid technology with new authentication technology”

  4. Project Overview
     - What is ASPiS?
       - Access to iRODS via Shibboleth
       - Collaboration between CeRch (KCL) and STFC
     - What is Shibboleth?
       - UK Access Management Federation
     - What is iRODS?
       - "data grid" for provenance, digital libraries
       - Successor to SRB
       - Open source

  5. ASPiS goals
     - Access to iRODS via Shibboleth
     - iRODS offers rule-based data management via microservices
     - Positioned as data grid solution for preservation, curation, digital libraries
     - Primary use cases:
       - Arts and Humanities data storage
       - Diamond Light Source
       - NGS data storage services

  6. ASPiS goals
     - Use Shibboleth attributes for access control
       - Can use attributes for authorisation (AuZ) decisions: eduPersonEntitlement (ePEntitlement)
       - Or extended attributes, e.g. from SARoNGS
     - Prototype secure data management
       - Can be expanded later into trusted services
       - Open for adding security capabilities
       - Interface with provenance management

  7. User Security
     - Enable access for security non-experts
       - X.509 considered "complicated"
       - Broaden user base via Shibboleth IdPs
     - Users' VOs supported
       - Simple attribute-based
       - Simple gridmap-style user mapping
       - Using VOMS? Via SARoNGS?

  8. Shibboleth and NGS
     - Other projects to enable access to NGS
       - SARoNGS: production deployment of ShibGrid and SHEBANGS
       - Certificates generated dynamically: users don't know they have them!
     - ~75% of NGS user base with IdP
     - ~95% by members of Federation (not all members have IdPs)
     - (Rough numbers, could have changed)

  9. Architecture
     [Diagram: Usual Shib stuff (IdP, SP) → iRODS rule → μservices (ACL, Provenance, Metadata Management); storage: Disk Store, Tape Store at RAL]

  10. Implementing Security
     - Make attributes available to rule engine, microservices, provenance
     - Microservices reporting back to rule engine to alter workflow
     - Other issues
       - Using AC and SAML (SARoNGS)
       - Libraries: iRODS in C, preservation systems in Java (Pasoa, RDF/OWL)
       - Availability, maturity, support, interoperation

  11. Security Considerations
     - Use of Shib 1.3 vs Shib 2.0: must work with existing Federation
     - Use of institutional attributes: how useful are they?
     - Avoid bilateral negotiations
     - Not sharing attributes between SPs: single SP, federated iRODS?
     - Non-Federation (or no IdP) users: considered local config or LDAP-managed

  12. Security Considerations
     - User to local mapping: LCMAPS or VPMan? Or something simpler?
     - Delegation of authentication
     - iRODS users/groups/domains/zones?
     - Use, or combined use, with GSI
       - For users with certificates already, existing NGS accounts
       - Consistency and portal access
       - Supported in iRODS 1.1
       - Needs account management

  13. Preservation Issues
     - Persistency of ePTID (eduPersonTargetedID)
       - Federation rules permit recycling if not used for 2 years
       - ASPiS: do not permit login if account idle for 2 years
       - Except if IdP guarantees uniqueness forever?
       - Who is the ePTID?
     - Non-persistency of IdP logs
     - Verification of user-supplied attributes?
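The following is an added illustration, not ASPiS project code, of two points from the slides together: the gridmap-style mapping of Shibboleth attributes to a local iRODS account and entitlement-derived groups (slides 6, 7 and 12), and the ePTID rule from slide 13 (refuse a login if the mapped account has been idle for 2 years, unless the IdP guarantees its identifiers are never reused). The attribute names are the Shibboleth SP defaults (`persistent-id`, `entitlement`, `Shib-Identity-Provider`); the gridmap file, the entitlement-to-group table, the trusted-IdP set and the login history are constructed for the example.

```python
"""Gridmap-style mapping of Shibboleth SP attributes to an iRODS account,
with the slide-13 rule: deny if the account has been idle for 2 years unless
the IdP never reuses ePTIDs.  Added example, not ASPiS code; file format,
group table and trusted-IdP set are assumptions made for the illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Federation rules permit recycling an ePTID that has not been used for 2 years.
IDLE_LIMIT = timedelta(days=2 * 365)

# Constructed gridmap: one "<ePTID> <iRODS user>" pair per line, '#' comments.
GRIDMAP_TEXT = """\
# ePTID (opaque value as exported by the SP)               iRODS user
https://idp.example.ac.uk/idp/shibboleth!sp!abc123          alice
https://idp.example.ac.uk/idp/shibboleth!sp!def456          bob
https://idp.forever.example.org/idp/shibboleth!sp!ghi789    carol
"""

# Constructed: IdPs (by entityID) that never reuse an ePTID, so the idle rule
# is waived for them.
PERMANENT_ID_IDPS = {"https://idp.forever.example.org/idp/shibboleth"}

# Constructed: eduPersonEntitlement value -> iRODS group used for ACLs.
ENTITLEMENT_GROUPS = {
    "urn:mace:ac.uk:aspis:curator": "curators",
    "urn:mace:ac.uk:aspis:reader": "readers",
}

# Constructed login history and clock for the demonstration.
EXAMPLE_NOW = datetime(2008, 9, 8)
EXAMPLE_LAST_LOGIN = {
    "alice": datetime(2005, 6, 1),   # idle > 2 years, ordinary IdP
    "bob": datetime(2008, 1, 1),     # active
    "carol": datetime(2004, 1, 1),   # idle > 2 years, but IdP guarantees uniqueness
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    user: Optional[str] = None
    groups: List[str] = field(default_factory=list)


def parse_gridmap(text: str) -> Dict[str, str]:
    """Parse the gridmap text; reject malformed lines and duplicate ePTIDs."""
    mapping: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"gridmap line {lineno}: expected '<ePTID> <user>'")
        eptid, user = parts
        # Restrict local names so a gridmap entry cannot smuggle shell or iRODS
        # metacharacters into later account-management commands.
        if not re.fullmatch(r"[a-z][a-z0-9_-]{0,31}", user):
            raise ValueError(f"gridmap line {lineno}: bad user name {user!r}")
        if eptid in mapping:
            raise ValueError(f"gridmap line {lineno}: duplicate ePTID")
        mapping[eptid] = user
    return mapping


def map_user(attrs: Dict[str, str], gridmap: Dict[str, str],
             last_login: Dict[str, datetime], now: datetime) -> Decision:
    """Map SP-exported attributes (';'-joined when multi-valued, the SP default)
    to an iRODS user and group list, applying the 2-year idle rule."""
    eptid = attrs.get("persistent-id", "")
    idp = attrs.get("Shib-Identity-Provider", "")
    if not eptid or not idp:
        return Decision(False, "SP supplied no persistent-id or IdP entityID")

    user = gridmap.get(eptid)
    if user is None:
        return Decision(False, "ePTID not in gridmap")

    last = last_login.get(user)
    if last is not None and now - last > IDLE_LIMIT and idp not in PERMANENT_ID_IDPS:
        # The ePTID may have been recycled to a different person since then.
        return Decision(False, f"account {user!r} idle for more than 2 years")

    entitlements = [e for e in attrs.get("entitlement", "").split(";") if e]
    groups = sorted({ENTITLEMENT_GROUPS[e] for e in entitlements
                     if e in ENTITLEMENT_GROUPS})
    return Decision(True, "ok", user, groups)


if __name__ == "__main__":
    gm = parse_gridmap(GRIDMAP_TEXT)
    for eptid in gm:
        # In the constructed data the IdP entityID is the first '!' component.
        attrs = {"persistent-id": eptid,
                 "Shib-Identity-Provider": eptid.split("!", 1)[0],
                 "entitlement": "urn:mace:ac.uk:aspis:reader"}
        print(map_user(attrs, gm, EXAMPLE_LAST_LOGIN, EXAMPLE_NOW))
```

The idle check is deliberately keyed on the local account's last login rather than on anything the IdP asserts, because the slide's concern is precisely that the Federation may have handed the same ePTID to a new person while the IdP's own logs are not kept long enough to tell.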

  14. Other Issues
     - QoS: priority mappings for some users?
     - iRODS needs rebuild (or at least relink) when a μservice changes

  15. Current Status
     - iRODS deployed at Reading, RAL
     - Shibboleth IdP at RAL
     - DLS did not join the Federation at this time
     - Not quite ready for testing yet

  16. Conclusion
     - Datastore for libraries, preservation
     - Interfacing to provenance management
     - Replacing SRB
     - Single sign-on access via Shib
     - Usable
     - Secure
