A Concept for Attribute-Based Authorization on D-Grid Resources

In Germany's D-Grid project numerous Grid communities are working together to provide a common overarching Grid infrastructure. The major aims of D-Grid are the integration of existing Grid deployments and their interoperability. The challenge lies in the heterogeneity of the current implementations: three Grid middleware stacks and different Virtual Organization management approaches have to be embraced to achieve the intended goals. In this article we focus oil the implementation of an attribute-based authorization infrastructure that not only leverages the well-known VO attributes but also campus attributes managed by a Shibboleth federation

MOSAiC goes O2A - Arctic Expedition Data Flow from Observations to Archives

During the largest polar expedition in history starting in September 2019, the German research icebreaker Polarstern spends a whole year drifting with the ice through the Arctic Ocean. The MOSAiC expedition takes the closest look ever at the Arctic even throughout the polar winter to gain fundamental insights and most unique on-site data for a better understanding of global climate change. Hundreds of researchers from 20 countries are involved. Scientists will use the in situ gathered data instantaneously in near-real time modus as well as long afterwards all around the globe taking climate research to a completely new level. Hence, proper data management, sampling strategies beforehand, and monitoring actual data flow as well as processing, analysis and sharing of data during and long after the MOSAiC expedition are the most essential tools for scientific gain and progress. To prepare for that challenge we adapted and integrated the research data management framework O2A “Data flow from Observations to Archives” to the needs of the MOSAiC expedition on board Polarstern as well as on land for data storage and access at the Alfred Wegener Institute Computing and Data Center in Bremerhaven, Germany. Our O2A-framework assembles a modular research infrastructure comprising a collection of tools and services. These components allow researchers to register all necessary sensor metadata beforehand linked to automatized data ingestion and to ensure and monitor data flow as well as to process, analyze, and publish data to turn the most valuable and uniquely gained arctic data into scientific outcomes. The framework further allows for the integration of data obtained with discrete sampling devices into the data flow. These requirements have led us to adapt the generic and cost-effective framework O2A to enable, control, and access the flow of sensor observations to archives in a cloud-like infrastructure on board Polarstern and later on to land based repositories for international availability. Major roadblocks of the MOSAiC-O2A data flow framework are (i) the increasing number and complexity of research platforms, devices, and sensors, (ii) the heterogeneous interdisciplinary driven requirements towards, e. g., satellite data, sensor monitoring, in situ sample collection, quality assessment and control, processing, analysis and visualization, and (iii) the demand for near real time analyses on board as well as on land with limited satellite bandwidth. The key modules of O2A's digital research infrastructure established by AWI are implementing the FAIR principles: SENSORWeb, to register sensor applications and sampling devices and capture controlled meta data before and alongside any measurements in the field Data ingest, allowing researchers to feed data into storage systems and processing pipelines in a prepared and documented way, at best in controlled near real-time data streams Dashboards allowing researchers to find and access data and share and collaborate among partners Workspace enabling researchers to access and use data with research software utilizing a cloud-based virtualized infrastructure that allows researchers to analyze massive amounts of data on the spot Archiving and publishing data via repositories and Digital Object Identifiers (DOI

Design of Shibboleth-based Authorization in C3-Grid

The D-Grid community project C3-Grid is in the process of building a Grid testbed with Shibboleth-based authentication und authorization. This testbed utilizes GridSphere, Globus Toolkit and metadata mechanisms specific to C3-Grid. Shibboleth will be integrated by way of GridShib's solution proposal for Teragrid Science Gateways. It shall be shown that portal-generated proxy certificates with embedded SAML statements, asserted by distributed Identity Providers, may be used for resource authorization in a production grid. Building blocks and the roadmap for this approach are presented

Shibboleth - Infrastruktur für das Grid

Mit Shibboleth-basierten Systemen zeichnet sich ein föderales Verfahren zur Bildung von AAIs in Grid-Infrastrukturen ab. In aktuellen Grid Middlewares sind diese Ansätze noch nicht vollständig etabliert, verschiedene laufende Entwicklungen und das hohe Interesse der Communities belegen jedoch, dass mittelfristig mit Shibboleth eine alternative AAI verfügbar sein wird.Der Vortrag grenzt Shibboleth zu herkömmlichen AAI-Ansätzen ab und stellt die Komponenten einer Shibboleth-basierten AAI, sowie den Stand der Entwicklung, dar

Trust Issues in Shibboleth-Enabled Federated Grid Authentication and Authorization Infrastructures Supporting Multiple Grid Middleware

In Germany's D-Grid project numerous Grid communities are working together to develop a common overarching Grid. One major aim of D-Grid is thus to integrate the existing Grid deployments and make them interoperable. The major challenge in this endeavor lies in the heterogeneity of the current implementations: Three Grid middleware and different VO management approaches have to be orchestrated to achieve the intended interoperability. This paper presents some of the findings of the IVOM project regarding VO management technologies. Furthermore, options are discussed for making Shibboleth federations and VO management systems interoperable so that attributes from both sources can be used for authentication and authorization in Grids. Finally two approaches, one using a so called "trust proxy" and one without trust proxying, are presented and support by current Grid middleware is discussed