...

A priority for WLCG was not to reinvent the wheel, following the FIM4R recommendation to re-use shared components. Two solutions have been identified as possibilities and are currently under development: EGI-Check-in and INDIGO IAM. Both solutions have multiple reasons for enhancing their services, and as such the decision was made to continue with the two options in parallel. The EGI-Check-in pilot is being driven by AARC, with RCAuth integration covered as a collaboration between the developers behind EGI-Check-in and INDIGO IAM.

The goal is to provide a self-contained AAI pilot solution that enables token based authentication and authorisation for WLCG. The two pilot services will be developed in parallel, assessed and a recommendation made to the community. Such a solution will be of wider benefit to user communities also looking to move away from x509 based authentication and authorisation, and developments in INDIGO IAM and EGI-Check-in will be relevant for a larger audience.

...

  • Support the development of shared AAI components to meet the requirements of WLCG
  • Contribute AARC best practices to definition of the JWT Profile for token content

Description

How the pilot works: it is effectively a full implementation of an advanced AAI in line with the AARC BPA. Scope: it should cover all aspects of a robust AAI, including membership management and token provisioning.

Why do we need a pilot? WLCG would like to reuse software and contribute to limiting the number of disparate deployments out there, but no tools currently fulfil all of our requirements. There was sufficient interest from EGI-Check-in and INDIGO IAM to enhance their software. The work on EGI-Check-in is officially supported by AARC.

...

The components are as follows:

Component    | Description | Why did we choose it? | Link
RCAuth       | Token Translation. Used to generate x509 certificates for access to legacy services | EU wide, sustainable infrastructure component | https://rcauth.eu
VOMS         | Attribute Authority & Membership Management. Legacy authorisation database for WLCG, must be integrated for backwards compatibility | Pre-existing. Backwards compatibility | https://italiangrid.github.io/voms/
CERN HR DB   | Attribute Authority. CERN's source of identity vetting information | Pre-existing. Backwards compatibility | N/A
INDIGO-IAM   | One option for the proxy and membership management component | Implements multiple components, easier maintenance. Product used by other communities. | https://www.indigo-datacloud.eu/identity-and-access-management
EGI-Check-in | The second option for the proxy and membership management component | Implements multiple components, easier maintenance. Product used by other communities. | https://www.egi.eu/services/check-in/


Architecture

The architecture includes every component of the AARC BPA. 

...

AARC BPA version:



Use Cases

Videos for the AARC supported pilot for EGI-Check-in are available at link

User links x509 certificate with federated credentials

Steps (one screenshot per step was attached to the original table; the images are not reproduced here):

  • User registers with the system using a federated account
  • Admin approves registration
  • User associates x509 user certificate with their account
  • User is granted roles/groups
  • User adds roles/groups to proxy certificate

User submits a physics job

...

Steps (one screenshot per step was attached to the original table; the images are not reproduced here):

  • User follows the registration flow above
  • User requests a token from the command line
  • Token is provisioned transparently (Device Code Flow)
  • User submits a physics job in the normal way
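The "token is provisioned transparently (Device Code Flow)" step above is the OAuth 2.0 Device Authorization Grant (RFC 8628): the command-line tool has no browser, so it shows the user a short code, the user enters it in a browser session authenticated with their federated identity, and the tool polls the token endpoint until the grant is approved. The following is an added example, not code from this page, INDIGO IAM or EGI Check-in: a self-contained simulation with both sides in one file and no network. The verification URI https://iam.example.org/device, the client id wlcg-cli, the subject alice@example.org and the token format are constructed for illustration.

```python
"""OAuth 2.0 Device Authorization Grant (RFC 8628) simulated end to end. Added
example; not code from the pilot page, INDIGO IAM or EGI Check-in. The
verification URI, client id, subject and token format are all constructed."""
import secrets
import time
from types import SimpleNamespace


class AuthorizationServer:
    """Toy IAM exposing the two RFC 8628 endpoints plus the user approval step."""

    def __init__(self, clock=time.monotonic, lifetime=600, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.grants = {}       # device_code  -> grant (not yet redeemed)
        self.user_codes = {}   # user_code    -> grant (not yet approved)
        self.issued = {}       # access_token -> (subject, scope)

    def device_authorization(self, client_id, scope):
        """Section 3.2: give the device a device_code and a short user_code."""
        g = SimpleNamespace(device_code=secrets.token_urlsafe(32),
                            user_code=secrets.token_hex(4).upper(),
                            client_id=client_id, scope=scope, approved=False,
                            subject="", last_poll=float("-inf"),
                            expires_at=self.clock() + self.lifetime)
        self.grants[g.device_code] = g
        self.user_codes[g.user_code] = g
        return {"device_code": g.device_code, "user_code": g.user_code,
                "verification_uri": "https://iam.example.org/device",  # assumed
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code, subject):
        """Section 3.3: the user, logged in through the browser with federated
        credentials, enters the user_code, binding the grant to their identity."""
        g = self.user_codes.pop(user_code)
        g.approved, g.subject = True, subject

    def token(self, client_id, device_code):
        """Sections 3.4/3.5: the device polls until approved, expired or denied."""
        g = self.grants.get(device_code)
        if g is None or g.client_id != client_id:
            return {"error": "invalid_grant"}   # unknown code or another client
        now = self.clock()
        if now >= g.expires_at:
            del self.grants[device_code]
            return {"error": "expired_token"}
        too_fast = now - g.last_poll < self.interval
        g.last_poll = now
        if too_fast:
            return {"error": "slow_down"}       # client must increase its interval
        if not g.approved:
            return {"error": "authorization_pending"}
        del self.grants[device_code]            # device codes are single use
        tok = "tok-" + secrets.token_urlsafe(16)
        self.issued[tok] = (g.subject, g.scope)
        return {"access_token": tok, "token_type": "Bearer",
                "scope": g.scope, "expires_in": 3600}


class CommandLineClient:
    """The CLI side: no browser available, so prompt the user and poll."""

    def __init__(self, server, client_id, sleep=time.sleep):
        self.server, self.client_id, self.sleep = server, client_id, sleep
        self.polls = 0

    def obtain_token(self, scope, show_to_user):
        resp = self.server.device_authorization(self.client_id, scope)
        show_to_user(resp["verification_uri"], resp["user_code"])
        interval = resp["interval"]
        while True:
            self.sleep(interval)
            self.polls += 1
            r = self.server.token(self.client_id, resp["device_code"])
            if "access_token" in r:
                return r
            if r["error"] == "slow_down":
                interval += 5                   # back-off required by section 3.5
            elif r["error"] != "authorization_pending":
                raise RuntimeError("device flow failed: " + r["error"])


def run_demo(approve_after=12):
    """User approves 12 s in: polls at +5 s and +10 s are pending, +15 s succeeds."""
    state = {"t": 1000.0, "code": None}
    server = AuthorizationServer(clock=lambda: state["t"])

    def sleep(seconds):                 # fake sleep: advance the clock, and let the
        state["t"] += seconds           # user approve once approve_after has passed
        if state["code"] and state["t"] >= 1000.0 + approve_after:
            server.approve(state["code"], "alice@example.org")
            state["code"] = None

    def show(uri, code):                # the CLI prints this; the user opens a browser
        print("Visit", uri, "and enter code", code)
        state["code"] = code

    client = CommandLineClient(server, "wlcg-cli", sleep=sleep)
    tok = client.obtain_token("openid profile", show)
    return {"polls": client.polls, "token": tok, "issued": server.issued}
```

Calling run_demo() walks through the three server answers a command-line client has to handle: authorization_pending while the user has not yet entered the code in the browser, slow_down when the client polls faster than the advertised interval, and expired_token once the grant lifetime has passed; a device code is redeemed once only. The subject recorded against the issued token is the federated identity that approved the grant, which is what lets the job-submission step run without any x509 interaction by the user.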

Demo EGI Check-in videos

The various functionalities provided by EGI Check-in are available through mini videos demonstrating the following functionalities/flows:

  • Trying to add a non-WLCG experiment member into the system
  • Adding a WLCG experiment member into the system (create the user, obtain an RCAuth certificate, register into VOMS)
  • Group management
  • HRDB periodic syncing
  • Invite multiple people via email from an administrator's account
  • SSH key authentication for RCAuth proxy retrieval
  • Token exchange and device code


Visit the following link to view.


Further information

AARC's specific role in this pilot is to coordinate the efforts, ensure that AARC recommendations are considered and to support the enhancement of EGI-Check-in. 

Was the BPA useful to achieve these results? WLCG is looking at two existing AAI solutions that are already broadly in line with the BPA.

Sustainability? The aim of this pilot is to provide a recommendation for WLCG to deploy a BPA compliant AAI. This will be physically hosted at CERN. The pilot is directly useful in providing prototypes, proof of concept, and demonstrations. 
