identity management for the ligo project...ligo identity management project found we had two...
TRANSCRIPT
Identity Management for the LIGO Project
Scott Koranda for LIGO
LIGO and University of Wisconsin-Milwaukee
September 6, 2012LIGO-XXXXXXXX-v1
1 / 43
LIGO Science Mission
LIGO, the Laser Interferometer Gravitational-waveObservatory, seeks to detect gravitational waves – ripplesin the fabric of spacetime. First predicted by Einstein inhis theory of general relativity, gravitational waves areproduced by exotic events involving black holes, neutronstars and objects perhaps not yet discovered.
2 / 43
LIGO Hanford, WA
3 / 43
LIGO Livingston, LA
4 / 43
LIGO Laboratory
LIGO Laboratory =
LIGO Caltech + LIGO MIT +
LIGO Hanford Observatory +
LIGO Livingston Observatory
5 / 43
LIGO India!
Anticipated to be operational 2020
6 / 43
Network Without LIGO India
7 / 43
Network WITH LIGO India
8 / 43
LIGO Scientific Collaboration
The LIGO Scientific Collaboration (LSC) is aself-governing collaboration seeking to detectgravitational waves, use them to explore the fundamentalphysics of gravity, and develop gravitational waveobservations as a tool of astronomical discovery. TheLIGO Scientific Collaboration was founded in 1997 andcurrently has just over 1000 members from 70institutions worldwide.
9 / 43
10 / 43
Broader GW Community
GW community is larger than LIGO...
11 / 43
Virgo interferometer, Cascina, Italy
12 / 43
KAGRA, Japan
13 / 43
LSC Today
Today...
I ∼ 1000 current and active members
I Single authoritative roster (registry)
I Single LIGO identity for each member
I SSO for LIGO web, grid, shell resources
I Federated access to LIGO resources
14 / 43
How we got here
It wasn’t always this way...
15 / 43
The mess we made on the GridLIGO Data Grid (LDG)
I 20000+ coresI 10 sitesI Many flavors of data and metadata servicesI > 300 users
16 / 43
The mess we made on the Grid
I LDG emerged in 2001
I Sought single sign-on and promise of Grid utopia
I Most Grid tools require PKI and GSI
17 / 43
The mess we made on the Grid
I User must request, retrieve, manage X.509 certI Not all web browsers do PKI wellI Grid tools require PEM but web browsers write PKCS12I “17, but steps 6) have 9) have 12 or 13 subitems each”I Turns out Ph.D. physicists on average cannot do thisI Command line tools don’t help much
18 / 43
The mess we made on the Grid
I No registry of who is/is not member of LIGOI Each cert request must be vetted
I Requires “secure communication” with each group PII Getting attention of PIs can be difficultI SMIME email difficult for most PIsI Loop not closed when people leave group
19 / 43
The mess we made on the Grid
After X.509 cert issued user must be authorizedI Cumbersome
I Each user added by hand to ACL file(s) at each siteI Only grid-specific solutions available for managing ACLs
I Not uncommon for new member to wait weeksfor credentials and access to LDG resources
20 / 43
The mess we made on the Grid
Managing access to LDG was one of the first
hints we needed better identity
management...
...we didn’t take the hint...
21 / 43
The mess we made on the WebI Early use case: eLogs at the sites
I Web based electronic notebooksI Email “the” admin for access (hopefully he knows you)I Unique accounts, but...I All accounts use the same passwordI Loop not closed when people leave collaboration
22 / 43
The mess we made on the Web
I Multiple sites deploying web toolsI GNATS, Bugzilla, Redmine, Trac, Gitorious?I Moin, Twiki/Foswiki, Docuwiki, MediaWiki,...I Each requiring new login/password for user
23 / 43
The mess we made on the Web
Users frustrated
First response is “well known login/password”
I shared login and password collaboration wide
I used for protecting “low risk” information
I who monitors what is low risk?
I found login/password in the wild
24 / 43
The mess we made on the web
As the number of web tools and services grew weknew we had a problem...
...but we were in production, busy doing science,and didn’t take the hint...
25 / 43
The mess we made on the command line
Version control repositories
I CVS, SVN, git
I Distributed across multiple sites
I Each requiring yet another login/password
I People leave collaboration but still have accessSame issues for other command line tools
26 / 43
The mess we made on the command line
Managing access for hundreds of people to multiplecode repositories was a nightmare...we knew we hada problem...
..but we were in production, busy doing science, andcouldn’t take the hint...
27 / 43
We had a mess
I No single event precipitated new approachI It really came down to two things:
1. Sustained whining from frustrated users2. Chatting with Ken Klingenstein over drinks
28 / 43
LIGO Identity Management Project
Knit together existing technologies and tools
Goals:
I Single identity for each LIGO person
I Single source of membership info
I Single credential for each LIGO person
I SSO across web, grid, command-line
29 / 43
LIGO Identity Management Project
Found we had two building blocks:1. The nascent “LIGO Roster” project
I PHP + Apache + MySQL
2. Kerberos principal for each LIGO memberI unused at the timeI [email protected] users call it their “at LIGO.ORG login”I also known as their “albert.einstein” loginI roster drives creation of principal for each memberI roster pushes principal and details into LDAP
30 / 43
Single authoritative source of membership
Decided to leverage Grouper from I2
I Flexible enough to reflect community structure
I Ready-to-use web front-end
I SOAP and RESTful WS APIs
I Privilege, Role, Attribute support
I Reflect into LDAP
31 / 43
32 / 43
LIGO Roster (Registry)
I Students, post-docs, can apply for membershipI Managers approve & add/remove members
I Access control derived from Grouper privileges
I Members manage password for LIGO identity(Kerberos principal)
33 / 43
34 / 43
Single identity and authoritative membership is key
LIGO Roster, Grouper, and Kerberos a powerfulcombination
I Kerb principal enables single identity
I Roster enables management of those identities
I Grouper enables management of memberships
With this foundation we could tackle web, grid, andcommand line spaces...
35 / 43
Single sign-on for LIGO web space
Deploy I2 Shibboleth System
I Single sign-on across LIGO web tools/pagesI LIGO Identity Provider (IdP)
I Authenticate via REMOTE USER and mod auth kerbI Attributes pulled from LDAP master serverI Focus mainly on IsMemberOf (via Grouper)
I Consume federated identitiesI LIGO joined InCommon for many U.S. institutionsI Will purusue European federations (UK, DFN-AAI)I Pilot with GakuNin and U. of Tokyo IdPI No Indian identity federation?
36 / 43
LIGO and InCommon: External Collaborators
37 / 43
Managing Collaboration with COmanage
38 / 43
CILogon integrates LIGO Data Grid
39 / 43
CILogon integrates LIGO Data Grid
40 / 43
Integrating the command line
CVS, SVN, git tunnel through HTTPS or SSH
I curl works well with SAML2(Shib)/ECP
I Most Linux OpenSSH sshd GSS-API + Kerberos
I Grid-enabled OpenSSH also deployed
I NCSA “mechglue” enables Kerb + GSI
I PAM also work with Kerberos
This pattern same for other command line tools
41 / 43
Putting it all together
Within 15 minutes of joining LIGO Albert Einsteinusing his [email protected] credentialcan...
1. Access LIGO wikis to find HOWTOs
2. Download and install client tools
3. Login to cluster
4. Checkout code from git repository
5. Email analysis discussion list for help
6. Build code, submit analysis jobsFrom 0 to science with one @LIGO.ORG credential
42 / 43
There is no distinction between web and grid
I Scientists just want to use tools
I Don’t care if “web” or “grid”I Typical use case:
I Submit large workflow to gridI Jobs run for week analyzing dataI Workflow generates 1000’s of summary imagesI Need to POST summary into analysis wiki
I Seamless cred management across grid, web, cloudI Delegation is important
I Workflow management systems need to cache and refreshcredentials during lifetime of workflow
I LIGO working closely with UW Condor team
I Need Higher Ed and Grid communities to build together
43 / 43