Tool support for security-oriented virtual research collaborations

Collaboration is at the heart of e-Science and e-Research more generally. Successful collaborations must address both the needs of the end user researchers and the providers that make resources available. Usability and security are two fundamental requirements that are demanded by many collaborations and both concerns must be considered from both the researcher and resource provider perspective. In this paper we outline tools and methods developed at the National e-Science Centre (NeSC) that provide users with seamless, secure access to distributed resources through security-oriented research environments, whilst also allowing resource providers to define and enforce their own local access and usage policies through intuitive user interfaces. We describe these tools and illustrate their application in the ESRC-funded Data Management through e-Social Science (DAMES) and the JISC-funded SeeGEO projects

A solution for secure use of Kibana and Elasticsearch in multi-user environment

Monitoring is indispensable to check status, activities, or resource usage of IT services. A combination of Kibana and Elasticsearch is used for monitoring in many places such as KEK, CC-IN2P3, CERN, and also non-HEP communities. Kibana provides a web interface for rich visualization, and Elasticsearch is a scalable distributed search engine. However, these tools do not support authentication and authorization features by default. In the case of single Kibana and Elasticsearch services shared among many users, any user who can access Kibana can retrieve other's information from Elasticsearch. In multi-user environment, in order to protect own data from others or share part of data among a group, fine-grained access control is necessary. The CERN cloud service group had provided cloud utilization dashboard to each user by Elasticsearch and Kibana. They had deployed a homemade Elasticsearch plugin to restrict data access based on a user authenticated by the CERN Single Sign On system. It enabled each user to have a separated Kibana dashboard for cloud usage, and the user could not access to other's one. Based on the solution, we propose an alternative one which enables user/group based Elasticsearch access control and Kibana objects separation. It is more flexible and can be applied to not only the cloud service but also the other various situations. We confirmed our solution works fine in CC-IN2P3. Moreover, a pre-production platform for CC-IN2P3 has been under construction. We will describe our solution for the secure use of Kibana and Elasticsearch including integration of Kerberos authentication, development of a Kibana plugin which allows Kibana objects to be separated based on user/group, and contribution to Search Guard which is an Elasticsearch plugin enabling user/group based access control. We will also describe the effect on performance from using Search Guard.Comment: International Symposium on Grids and Clouds 2017 (ISGC 2017

Flexible And Secure Access To Computing Clusters

The investigation presented in this paper was prompted by the need to provide a manageablesolution for secure access to computing clusters with a federated authentication framework.This requirement is especially important for scientists who need direct access to computingnodes in order to run their applications (e.g. chemical or medical simulations) with proprietary,open-source or custom-developed software packages. Our existing software, whichenables non-Web clients to use Shibboleth-secured services, has been extended to providedirect SSH access to cluster nodes using the Linux Pluggable Authentication Modules mechanism.This allows Shibboleth users to run the required software on clusters. Validationand performance comparison with existing SSH authentication mechanisms confirm that thepresented tools satisfy the stated requirements

Federated identity architecture of the european eID system

Federated identity management is a method that facilitates management of identity processes and policies among the collaborating entities without a centralized control. Nowadays, there are many federated identity solutions, however, most of them covers different aspects of the identification problem, solving in some cases specific problems. Thus, none of these initiatives has consolidated as a unique solution and surely it will remain like that in a near future. To assist users choosing a possible solution, we analyze different federated identify approaches, showing main features, and making a comparative study among them. The former problem is even worst when multiple organizations or countries already have legacy eID systems, as it is the case of Europe. In this paper, we also present the European eID solution, a purely federated identity system that aims to serve almost 500 million people and that could be extended in midterm also to eID companies. The system is now being deployed at the EU level and we present the basic architecture and evaluate its performance and scalability, showing that the solution is feasible from the point of view of performance while keeping security constrains in mind. The results show a good performance of the solution in local, organizational, and remote environments

Interoperable e-Infrastructure Services in Arabia

e-Infrastructures became critical platforms that integrate computational resources, facilities and repositories globally. The coordination and harmonization of advanced e-Infrastructure project developed with partners from Europe, Latin America, Arabia, Africa, China, and India contributed to developing interoperable platforms based on identity federation and science gateway technologies. This paper presents these technologies to support key services in the development of Arabia networking and services platform for research and education. The platform provides scientists, teachers, and students with seamless access to a variety of advanced resources, services, and applications available at regional e-Infrastructures in Europe and elsewhere. Users simply enter the credentials provided by their home institutions to get authenticated and do not need digital certificate-based mechanisms. Twenty applications from five scientific domains were deployed and integrated. Results showed that on average about 35,000 monthly jobs are running for a total of about 17,500 CPU wall-clock hours. Therefore, seamlessly integrated e-Infrastructures for regional e-Science activities are important resources that support scientists, students, and faculty with computational services and linkage to global research communities

Concept, design and initial implementation of the de.NBI Cloud Portal

Wiens M. Concept, design and initial implementation of the de.NBI Cloud Portal. Bielefeld: Universität Bielefeld; 2018.The amount of data produced in life sciences is continuously rising and is impossible to analyze on local computers. For that reason the German network for bioinformatics de.NBI is establishing a cloud computing environment called de.NBI Cloud with the prospect to be integrated into the European life sciences network Elixir. For that process and for the interconnection of compute centers a novel cloud platform “de.NBI Cloud Portal” was developed. It utilizes Elixir’s authentication and authorization infrastructure and connects five OpenStack-driven compute centers together in an abstract manner. This thesis deals with requirements, design and initial implementation of the de.NBI Cloud Portal

How far does it go? Understanding Efficacy of Off-Campus Remote Access Services: Use Case of Knimbus and MyLOFT

E-resources are the backbone of the learner community in this information superfluous era. Digital technology has made remote access to the E-resources more easy, speedy, and comfortable. The advent of technology has made the libraries add new resources to their existing collection. For the academic community, remote access to the e-resources has become a very important part of their education and research, especially in this pandemic period. Library users are keen on searching and retrieving information stored/viewed from a distance or stored in remote locations. Remote login access to online library e-resources is the best practice that helps the users to access their desired information wherever they stay without wasting time which fills the gap between a library and its users being always remained connected. It allows the best easy access to the use of the e-resources of the library through its interface from anywhere. In this study, an attempt has been made to understand the perception of users based on their reviews of the remote access platforms mobile apps, Knimbus and MyLOFT. Sentiment analysis is conducted using Appbot software to derive insights from 73 user reviews of the Knimbus app and 253 reviews of the MyLOFT app from 10th July 2008 to 11th December 2021. The study has identified that the overall sentiment score of Knimbus and MyLOFT is 64% and 62% respectively. The data analytics shows that Knimbus is having a better satisfaction ratio than the MyLOFT and it is better serving the purpose of providing the e-resources and contributing to the teaching and learning process