
EGI Technical Forum 2010, September 14, 2010, Amsterdam H.J. Weyer

TOC

Photon Facilities and Authentication

- The environment
- General boundary conditions
- IT requests and characteristics
- Umbrella concept
- Authentication and authorization
- Coaching
- Roadmap
- Status and Outlook


The environment

- Photon facilities
  o Synchrotrons and Free Electron Lasers (FELs)
  o Produce light of highest brightness
  o Typical range from infra-red to X-rays
  o Size hundreds of meters
- Wide range of research areas
  o In EU about 30’000 visiting scientists/year
  o Small teams, visit for few hours (structural biology) to few weeks (superconductivity, nano investigations)
- About 15 synchrotrons in EU
  o ESRF Grenoble
  o National facilities (DESY, PSI, …)
- Neutron facilities
  o Complementary
  o Similar user community
- FELs, 10^3 to 10^6 times brighter
  o SLAC/Stanford, DESY/Hamburg, PSI/Villigen
  o Membrane proteins; microscopic movies of chemical reactions


EuroFEL is one of 44 pan-European research infrastructures listed in the ESFRI roadmap

The European FEL Landscape


General boundary conditions

- In EU in the order of several 10’000 user visits / year
  o Large overbooking (≥3:1)
  o Large administrative load
- On-site visits
  o Short duration
  o In part spontaneous (keep that bonus)
- Decentralized structure (compare to CERN)
  o Various research fields
  o Various facilities
- National facilities
  o Report to national governments
- ‘Part-time’ users
  o E.g. structural biology: 10% of time
- Research teams
  o Patchwork
  o In general low IT background
- Users at facilities produce excellent results
  o 2009 Nobel prizes in chemistry


More boundary conditions

- Totally impossible to develop any new tool in one step
- Totally impossible to migrate to any new system in one step
  → parallel realization
  → Develop a prototype by EuroFEL, implement at other facilities later
- Base on Federated Single-Sign-On System by Shibboleth (SAML), widely used in the academic world; expertise at SWITCH
- Introduce photon/neutron community as new domain
- Only one identity provider + one new federation
  - universities + facilities
- EU-unique user identification


Role of Facility Partners

- are national institutes
- are eager to preserve their autonomy
- are competing for the best users
- see user data and proposals as “theirs”
- have strong reservations against central data storage in general
- and will never agree to central proposal storage!


Required Solution Characteristics

- Confidentiality
  o High competition, especially structural biology
  o Time-window structured access to experiments and data
- User friendliness
  o Part-time users, small teams, no guru
- Flexible, diverse solutions
  o Responding to diverse requests
- Facility friendliness
  o Limited resources
  o Prevent any ‘bypass’ solutions
- Keep local as much as possible
- Distributed actions
  o Users: manage their personal entries
  o Facilities: manage their authorizations


IT Projects

- Authentication (EU-unique identification)
- Proposal handling (thousands of proposals / year)
- Coaching (support of novice users)
- Remote experiment login (young scientists; Fedex-style experiments)
  o But more than authentication (e.g. firewall, experiment standardization, component protocols …)
- Remote data access (terabytes of data)
  o But more than authentication (e.g. data format, catalogues …)

[Diagram labels: EuroFEL Umbrella prototype; Next generation]


The Central / Local Issue

- Central: Unique EU-wide identification
- Central: Common access portal
- Central: Update of user info in one place
- Facility-local: proposal storage
- Facility-local: local authorization issues
- Facility-local: storage of experimental data


The Umbrella Concept

[Fig. 1. Diagram labels: User; UOffice1, UOffice2, UOffice3]


The Umbrella components I, EAA: Authentication

- Single sign on
- Unique user identification on EU scale
- Dual EAA and local-WUO operation
- Local WUOs stay fully autonomous
- No cross-facility information exchange
- User controls his/her personal info
- Authorization info = local
- No specific local software
- Flexible (two-level: soft, hard)
- Prevent ‘special’ databases

[Diagram labels: Uname, Passw, Email, Birthday, Phone, Smail, …; Registrations, Facility Roles, …; Fac A, B, C; Local; Central]

AAA ≡ Authentication + Authorization + Accounting
EAA ≡ European AAA
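The split described on these slides (central authentication with an EU-unique ID, facility-local authorization, no cross-facility exchange, time-window access), sketched as an added example that is not code from the presentation or the Umbrella project. The identifier format, the resource names, the `Facility` class and the HMAC standing in for a SAML assertion signature are all assumptions.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed demo key. An HMAC stands in for the SAML assertion signature;
# a real IdP signs asymmetrically, so facilities can verify but not forge.
IDP_KEY = b"constructed-demo-key"

def issue_assertion(eu_uid):
    """Central side: assert only the EU-unique ID, no roles, no facility data."""
    tag = hmac.new(IDP_KEY, eu_uid.encode(), hashlib.sha256).hexdigest()
    return eu_uid, tag

class Facility:
    """Hypothetical local user office: owns its grant table, shares it with no one."""

    def __init__(self, name):
        self.name = name
        self._grants = {}  # eu_uid -> list of (resource, start, end)

    def grant(self, eu_uid, resource, start, end):
        self._grants.setdefault(eu_uid, []).append((resource, start, end))

    def authorize(self, assertion, resource, now):
        eu_uid, tag = assertion
        expected = hmac.new(IDP_KEY, eu_uid.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # authentication failed: not issued by the central IdP
        # Authorization is purely local and bounded by the time window.
        return any(r == resource and start <= now < end
                   for r, start, end in self._grants.get(eu_uid, []))

def demo():
    # Constructed sample data: one user, two facilities, one beamtime window.
    fac_a, fac_b = Facility("A"), Facility("B")
    fac_a.grant("eu-0001", "beamline-1/data",
                datetime(2010, 9, 14, 8), datetime(2010, 9, 16, 8))
    ok = issue_assertion("eu-0001")
    forged = ("eu-0001", "0" * 64)
    t_in, t_out = datetime(2010, 9, 15, 12), datetime(2010, 9, 20, 12)
    return {
        "A_in_window": fac_a.authorize(ok, "beamline-1/data", t_in),
        "A_after_window": fac_a.authorize(ok, "beamline-1/data", t_out),
        "B_no_local_grant": fac_b.authorize(ok, "beamline-1/data", t_in),
        "A_forged": fac_a.authorize(forged, "beamline-1/data", t_in),
    }

if __name__ == "__main__":
    print(demo())
```

A valid central login alone grants nothing: facility B denies the same user because it holds no local grant, and facility A denies once the window has closed.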


The Umbrella components II, EUU: Proposal handling

- EUU: export, modify it and submit
- Local (facility-specific) and general (scientific) part
- Flexibility and confidentiality
- Export-type mechanism: up-to-date format
- Work on formal agreement
- Local WUOs stay fully autonomous
- No specific local software

UUU ≡ Unified User Umbrella
EUU ≡ EuroFEL UUU = prototype

[Diagram labels: Proposer info, Time request, …, Beamline, Sample; Goal, Method, Results, Prev. Work, …; General; Local]


The Umbrella components III: Coaching

- Support of novice users via FAQ (static) and Coaching (dynamic)
- Coaches give only advice, responsibility is always fully with the user
- On entry a question category tree is offered to the user
- Experienced coaches needed
  o Must be protected against excessive load
  o They are, however, free to identify themselves
  o Limited number of iterations
- Coaches are honored on a peer basis, like proposal referees
- Interesting questions can be added to the FAQ, if the questioner agrees


[Diagram. Panels: Separate; Single Sign On; Common User Access Control. Labels: User; UOffice1, UOffice2, UOffice3; Authentication, Authorization, Accounting (A / AA / AAA)]


WP2 Face to Face Meeting, August 26/27 2010, PSI H.J. Weyer

[Diagram, Central Part / Local Part. Labels: User; EUU; Coaching; Ref. Database; Proposals; EuroFEL branded; EAA; Shibboleth IdP; User db; Affiliation db; Facility neutral; WUO1, WUO2, WUO3; A (on the connections)]


Authentication and Authorization

[Diagram: EuroFEL Authentication and Authorization (EAA). Boxes: Interface to Central DB; Central EAA Tool; Interface to Affiliation DB; Interface to WUO DB; Parallel WUO and EAA Operation; Adaption of WUO part; User Update service; Basic Communication Protocol; Local WUO Update service]

WUO ≡ Web-Based User Office, existing local user office
EAA ≡ EuroFEL Authentication


Unified User Umbrella and Coaching

[Diagram: EuroFEL Unified User Umbrella (EUU) and EuroFEL Coaching. Boxes: Communication protocol; Interface to DUO WUO‘s; Interface to SMIS WUO‘s; Interface to Affiliation DB (repeated); Interface to EAA; Dialog with user; Transfer proposal to WUO; Export proposal from WUO]

WUO ≡ Web-Based User Office, existing local user office
DUO ≡ WUO as developed at PSI
SMIS ≡ WUO as developed at ESRF
EAA ≡ EuroFEL Authentication


Proposed EUU/EAA Roadmap

[Gantt chart. Time axis: 1.06.10, 1.10.10, 1.10.10, 1.01.11, 1.04.11, 1.04.12, 1.04.13. Rows: EAA (European Authentication and Authorization); EUU (European User Umbrella). Labels: Planning / Design; Prototype ready; Implementation; EuroFEL / WP2; 0.5 FTE, 0.1 FTE, 0.5 FTE]


Status and Outlook (September 2010)

- Architecture document + road map for prototype ready
- Start development of 1st-generation Umbrella prototype
  o Shibboleth deadline March 31, 2011
- Discussion 2nd-generation Umbrella (remote functionalities)
- ‘Actors’:
  o PaN-Data
  o EuroFEL
  o ESFRI-Cluster
  o HDRI Helmholtz
- Tools:
  o GRID?
  o Specific development?
- Type:
  o Facility-friendly + user-friendly
  o Two-level? Slim, simple; Strong, full-beauty IT