globus online
Globus Nexus
Steve Tuecke, Computation Institute, University of Chicago and Argonne National Laboratory
www.globusonline.org
Computation Institute (CI)
• Promulgate via new educational methods
• Apply to challenging problems
• Accelerate by building the research cloud
Apply computation: Examples
• CIM-EARTH: create better models for climate & energy policy
• ASC FLASH: understand supernovae to measure the universe
• ARTFL, Conte Center: map human knowledge in the humanities and science
• Transform digital media into art
• CMTS (Center for Multiscale Theory and Simulation): explain cellular structure
• DTI for TBI (diffusion tensor imaging): extract meaning from scientific images
The Research Cloud
Accelerate discovery via the research cloud
• Millions of researchers worldwide need advanced IT to tackle important and urgent problems
• Accelerate discovery and innovation worldwide by providing research IT as a service
Why SaaS?
• Deliver advanced functionality that:
  – Requires no user software installation or operation
    • Minimal IT proficiency required
  – Can be cheaply and incrementally adopted
    • Usage-based subscription pricing; no big up-front costs
  – Consolidates troubleshooting and support
    • An expert group can proactively detect and correct problems
  – Utilizes an efficient software delivery lifecycle
    • Updates developed, tested and deployed quickly
• Dominates commercial & consumer markets
  – What about the research market?
[Figure: service stack of Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS)]
Globus Transfer: For when you want to…
• Transfer and synchronize files
  – Easy “fire-and-forget” transfers
  – Automatic fault recovery
  – High performance
  – Across multiple security domains
• Minimize IT costs
  – Software as a Service (SaaS)
    • No client software installation
    • New features automatically available
  – Consolidated support & troubleshooting
  – Simple endpoint installation with Globus Connect and GridFTP
• >5,000 registered users, 6PB / 500M files transferred
Globus Storage: For when you want to …
• Place your data where you want
• Access it from anywhere via different protocols
• Update it, version it, and take snapshots
• Share versions with who you want
• Synchronize among locations
[Figure: a Globus Storage volume hosted at a commercial storage service provider, a national research center, or a campus computing center, accessed via Globus Transfer, HTTP/REST, or desktop sync]
Globus Collaborate: For when you want to…
Join with a few or many people to:
• Share documents
• Track tasks
• Communicate
• Share data
• Work together
With:
• Common groups
• Delegated management
PaaS for Research
• No one SaaS provider can deliver it all
• Must create an ecosystem that:
  – Allows any SaaS provider to easily participate
  – Dramatically reduces the cost of creating and operating services within the ecosystem
  – Provides a seamless user experience across services
  – Is agnostic to / works across any cloud IaaS provider
  – Integrates with (existing) research infrastructure
• Ecosystem requires Platform as a Service
  – Target the unique needs of the research community
[Figure: service stack of Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS)]
Globus Integrate: For when you want to…
• Integrate with the Globus research cloud ecosystem
• Write programs that leverage:
  – user identities, profiles, groups (Globus Nexus)
  – data, compute and collaboration
  … via REST APIs and command line programs
[Figure: component diagram showing Globus Integrate, Globus Transfer, Globus Storage, Globus Collaborate, Globus Compute, Globus Nexus, Globus Connect, Globus Connect Multi User and Globus Toolkit]
Globus Nexus: For when you want to…
• Manage groups
• Manage identities
• Manage profiles
Globus Nexus: Manage Identities
• Nexus is a federated identity relying party
  – Multiple federated identities linked to a Globus account
  – Supports: InCommon/CILogon, OpenID, MyProxy, OAuth for MyProxy
• Nexus is a (federated) identity provider
  – Native or federated identity provider to Globus and 3rd party services
  – User authenticates to Globus account with username/password or via a 3rd party federated identity provider
  – Uses OAuth 2 profile (future: SAML, OpenID?)
• Auth provider for Globus REST APIs
Globus Nexus use of OAuth 2
• User authentication
  – Web browser:
    • Globus account name and password
    • Federated identity providers linked to Globus account
  – Native application:
    • RSA (using SSL key)
    • X.509 client auth
    • Username/password (Globus account, SAML ECP?)
• Client authentication using RSA (SSL key)
  – Globus account name is a valid client id
• Bearer access token for resource access
Delegated X.509 credential management
• Various (Globus) services require delegated X.509 client credentials to access resources
• Nexus federated authentication supports X.509 credential retrieval from OAuth for MyProxy
  – Authenticate with OAuth
  – Use the access token to get X.509 credentials
  – E.g., CILogon, GCMU, XSEDE
• Nexus REST API allows authorized services (OAuth clients) to get the credential
Integration of new and old
[Figure: authentication, authorization and data-transfer flow between Globus Online (hosted service), a campus cluster running Globus Connect Multi-User, and Campus 2. The Globus Connect Multi-User site has a GridFTP server, an OAuth server, a MyProxy Online CA, PAM in front of the local authentication system (LDAP, RADIUS, Kerberos etc.), and local storage. Campus 2 has a GridFTP server with CILogon (OAuth) fronting an InCommon IdP over SAML. Labelled steps: Step 1 access endpoints; Step 2 transfer request; Step 3 redirect; Steps 4-9 username/password and certificate exchanges (Certificate 1 via the campus OAuth server and MyProxy Online CA, Certificate 2 via CILogon), with certificates reaching the GridFTP servers; Steps 10-11 access files on local storage.]
OAuth client vs resource
• Globus Transfer is
  – OAuth client to Globus Nexus
  – OAuth resource provider to 3rd party client
• Goal: Allow full participation by 3rd parties
  – Use Globus Online services as OAuth client
  – Use Globus Nexus OAuth as resource server
• How to implement resource servers as a relying party to the Nexus OAuth service?
  – OAuth is silent on resource server and OAuth server interaction
  – Make it easy for SaaS developers to use Nexus OAuth
Delegated, scoped OAuth access
• Ecosystem of communicating services
  – Any service can be a client to any other service's resource
  – Communication may be chained: user -> s1 -> s2 -> s3
• Use OAuth scope to limit the resources accessible by an access token
  – Must maintain a scope dependency tree
• Delegation: client1 delegating to client2
  – Bearer access token can be passed from client1 to client2 for full delegation (client2 then holds everything the token grants, and the resource server cannot tell client2 from client1)
  – Or, allow client1's access token to be used to retrieve a new authorization code with narrow scope that is passed to client2, which client2 uses to get its own access token
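The two delegation options above, worked through as an added example that is not Globus Nexus code: a scope dependency tree, a bearer token passed to the next service unchanged, and a narrow-scope authorization code exchanged down the chain user -> s1 -> s2 -> s3. The scope names, the in-memory token store and the AuthServer, delegate_code and redeem_code API are assumptions made for illustration.

```python
# Scope dependency tree and narrow-scope delegation along a chain of services.
# Added illustration only: scope names, token store and the AuthServer API are
# assumptions, not the Globus Nexus API.
import secrets
import time

# Constructed scope dependency tree: holding a parent scope implies its children.
SCOPE_TREE = {
    "transfer": ["transfer:read", "transfer:write"],
    "transfer:write": ["transfer:submit"],
    "nexus": ["nexus:groups", "nexus:profile"],
    "nexus:groups": ["nexus:groups:read"],
}

def expand_scopes(scopes):
    """Return every scope implied by `scopes` under SCOPE_TREE, transitively."""
    implied, stack = set(), list(scopes)
    while stack:
        s = stack.pop()
        if s not in implied:
            implied.add(s)
            stack.extend(SCOPE_TREE.get(s, ()))
    return implied

def covers(held, requested):
    """True iff every requested scope is implied by the scopes held."""
    return set(requested) <= expand_scopes(held)

def _grant(sub, client, scopes, ttl):
    return {"sub": sub, "client": client, "scopes": frozenset(scopes), "exp": time.time() + ttl}

class AuthServer:
    """Minimal authorization server: opaque bearer tokens, introspection, delegation codes."""

    def __init__(self):
        self._tokens = {}  # bearer token -> grant (opaque to resource servers)
        self._codes = {}   # one-time authorization code -> grant

    def issue_token(self, sub, client, scopes, ttl=3600):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = _grant(sub, client, scopes, ttl)
        return token

    def introspect(self, token):
        """Resource-server question: who and what is behind this token?"""
        t = self._tokens.get(token)
        return None if t is None or t["exp"] < time.time() else t

    def delegate_code(self, token, to_client, scopes):
        """Second option: the holder of `token` obtains a short-lived code for
        `to_client` carrying only `scopes`; scope may shrink, never grow."""
        t = self.introspect(token)
        if t is None:
            raise PermissionError("invalid or expired token")
        if not covers(t["scopes"], scopes):
            raise PermissionError("requested scope exceeds the delegator's scope")
        code = secrets.token_urlsafe(16)
        self._codes[code] = _grant(t["sub"], to_client, scopes, 60)
        return code

    def redeem_code(self, code, client):
        """Exchange a code for a token bound to `client`; any attempt burns the code."""
        c = self._codes.pop(code, None)
        if c is None or c["exp"] < time.time() or c["client"] != client:
            raise PermissionError("code invalid, expired, or issued to another client")
        return self.issue_token(c["sub"], client, c["scopes"])

def allowed(auth, token, needed_scope):
    """Resource-server check: does this bearer token cover `needed_scope`?"""
    t = auth.introspect(token)
    return t is not None and covers(t["scopes"], [needed_scope])

def denied(fn, *args):
    try:
        fn(*args)
    except PermissionError:
        return True
    return False

def demo():
    """Walk the chain user -> s1 -> s2 -> s3 and report what each hop can do."""
    auth, r = AuthServer(), {}
    # The user authorizes s1 for all of "transfer" plus read-only group access.
    t1 = auth.issue_token("alice", "s1", ["transfer", "nexus:groups:read"])
    # First option: s1 passes its bearer token to s2 unchanged, so s2 can do
    # everything s1 could and the resource server cannot tell s2 from s1.
    r["passthrough_can_submit"] = allowed(auth, t1, "transfer:submit")
    # Second option: s1 obtains a code for s2 limited to transfer:read.
    t2 = auth.redeem_code(auth.delegate_code(t1, "s2", ["transfer:read"]), "s2")
    r["narrow_can_read"] = allowed(auth, t2, "transfer:read")
    r["narrow_can_submit"] = allowed(auth, t2, "transfer:submit")
    # s1 cannot mint a code for a scope its own token does not cover.
    r["escalation_blocked"] = denied(auth.delegate_code, t1, "s2", ["nexus:profile"])
    # s2 may pass read-only access on to s3, but cannot widen it back out.
    t3 = auth.redeem_code(auth.delegate_code(t2, "s3", ["transfer:read"]), "s3")
    r["chained_can_read"] = allowed(auth, t3, "transfer:read")
    r["widening_blocked"] = denied(auth.delegate_code, t2, "s3", ["transfer"])
    # A code issued for s2 is useless to s3, and the attempt burns it.
    code = auth.delegate_code(t1, "s2", ["transfer:read"])
    r["wrong_client_blocked"] = denied(auth.redeem_code, code, "s3")
    return r
```

Calling demo() shows the trade-off the slide describes: the passed-through bearer token lets s2 submit transfers because it carries s1's full scope, whereas the code exchange gives s2 a token bound to its own client id that covers only transfer:read, and the same covers() check refuses any attempt to widen scope further down the chain, which is the invariant a scope dependency tree has to maintain.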
Globus Nexus: Manage Groups
• User-centric group management
  – Create group
  – Set policies (e.g., visibility, admins)
  – Control admission workflows
• Approach:
  – Keep identity issuance light-weight
  – Move vetting from identity creation to group admission
  – Allow each group to control its own admission policy
• REST APIs
  – Manage, query, etc.
  – Import/export (into a specified identity namespace)
Globus Nexus: Manage User Profiles
• Attribute/value information associated with a Globus account
• Group admission can require an extensible set of attributes, which are drawn from and stored in the user profile
• REST APIs
• Future: Integrate with SAML attribute release and social network profiles
Domestication
• Goal: Common tools should be able to leverage federated identities, groups, profiles
  – Wikis, issue tracking, science gateways, etc.
• Community effort to domesticate applications and services?
• What APIs?
  – Identity: OAuth 2, SAML?, X.509 certs?
  – Groups: LDAP? REST?
  – Profile: OpenID Connect?
For More Information
• Visit https://www.globusonline.org/signup to:
  – Get a free account and start moving files
• Visit www.globusonline.org for:
  – Tutorials, FAQs, Pro Tips, Troubleshooting
  – Papers, Case Studies
• Contact [email protected] for:
  – Help getting started & using the service
• Follow us at @globusonline on Twitter and Globus Online on Facebook