VO Architecture

8/6/2019 VO Architecture

1/20

Lukas Hmmerle

[email protected]

Bern, 13. January 2011

Architecture
mailto:[email protected]:[email protected]


2/20

2011 SWITCH

Main Ideas And Goals

SWITCH provides the architecture to implement VOsArchitecture should be based on AAI

Easy to add new services to a VO

No additional protocol should be required

VOs are only usable if there are services

SWITCH initially operates a three basic services

Solves the chicken and egg problem

2


3/20

2011 SWITCH

Architectural Problems to Solve

Membership: Users are from different Home OrganisationsAuthentication already is solved by AAI

Authorization: Only members of a VO should be able to

access their servicesHow to determine whether somebody is a member of a VO?

This is the main problem to solve!

Services: Should be able to use VO informationAdapting existing services may require further efforts

3


4/20

VO authorization is easy for groups of people who share

common attribute values

2011 SWITCH

Easy Virtual Organization Scenario

4

AuthType Shibboleth

ShibRequireSession On

ShibRequireAll

require homeOrg idpX.ch idpY.ch idpZ.ch

require affiliation student

require studyBranch medicine

Medicine students

Other users

IdP X IdP Z

IdP Y

VO


5/20

2011 SWITCH

General Authorization Scenario

5

In general VO members dont share a common attribute!

IdP X IdP Z

IdP Y

VO1 VO2 VO3

Thats a challenge and thats the problem to solve


6/20

Idea: Members of a VO are given a common attribute.

This (VO) attribute represents membership in a VO.

2011 SWITCH 6

Approach for VO Authorization

VO Attribute:

isMemberOf=VO1

isMemberOf=VO1;VO2;VO3

isMemberOf=VO2

isMemberOf=VO1;VO3

AuthType Shibboleth

ShibRequireSession On

require isMemberOfVO2

VO1

VO2

VO3


7/20

2011 SWITCH 7

How to Add a Common Attribute?

VO Service Provider must aggregate attributes!

1. Users Home Organisation

Attributes are set by users

Home Organisation

2. VO Platform(s)

Attributes are set by

VO administrator

Home Organisation

User

IdP

Attributes

Attributes

SP receives aggregated set of attributes

1.

3.

2.

VO Platform

VO

IdP

VO Service

SP Application


8/20

2011 SWITCH 8

The Involved Components

Home Organisation

UserIdP

Home Organisation:

Authenticates user and asserts basicidentity information

Virtual Organization Services:

Used by VO members in order to performtheir work. Could be wikis, calendars, etc.

Virtual Organization Platform:Set of software to manage VOs and their

members. Interacts with Virtual

Organization Services.

SP ApplicationSP Application

VO Service

SP Application

VO Platform

VO1

IdPAA

SP

VO2 VON

...

PlatformLogic DB

VO GUI


9/20

2011 SWITCH

VO Platform: The Missing Piece

Is the key component forVO administration

Basically manages the

membership information in DB

No custom-tailored solution

has existed yet

9

VO Platform

VO1

IdP

AA

SP

VO2 VON

...

Platform

LogicDB

VO GUI


10/20

2011 SWITCH

VO Services

SWITCH provides four basic services Wiki: Domesticated Dokuwiki (one instance per VO)

Mailinglist: Domesticated Sympa

Document management system: Modified LetoDMS

Attribute Viewer: For debugging

Goal was to choose very simple web applications.

No interface harmonization has been done yet.

10


11/20

Lukas Hmmerle

[email protected]


Demo


12/20

2011 SWITCH

https://test.collaboration.switch.ch

12
https://test.collaboration.switch.ch/https://test.collaboration.switch.ch/


13/20


14/20

2011 SWITCH

About the Pilot

Goals Verify that approach is working and accepted by users

Find out how it feels to work in a VO

Get user feedback to extend and improve the software

Current Status

24 Virtual Organizations (many of them by SWITCH)

4 available services (1 non-public VO Service at HEFR)

31 users from 14 different organizations

14


15/20

2011 SWITCH

Current Experiences and Issues

GeneralConcept and technology of our approach are complex

It took quite some time for all involved people to understand it

OrganizationalHandling of homeless users is not that easy

A VO admin cannot know if an invited user has an AAI account or not

UsabilityConsistency of VO Services

All services look different, which might be confusing for users

15


16/20

2011 SWITCH

More Information

Pilot home page

http://www.switch.ch/vo

Public Project web pagehttps://forge.switch.ch/redmine/projects/vo-pilot/

Contact

[email protected]

16
mailto:[email protected]://forge.switch.ch/redmine/projects/vo-pilot/wikimailto:[email protected]:[email protected]://forge.switch.ch/redmine/projects/vo-pilot/wikihttps://forge.switch.ch/redmine/projects/vo-pilot/wikihttp://www.switch.ch/vohttp://www.switch.ch/vo


17/20

Lukas Hmmerle

[email protected]


Discussion


18/20

2011 SWITCH

Questions on SWITCHs VO Approach

Do you think this approach for implementing VirtualOrganizations could be useful for you or your users?

Do you see problems with this approach?

Which features are you missing?

Do you know of use-cases or specific groups or projects

that would benefit from this approach?

18


19/20

2011 SWITCH

Your Contribution

Your short presentation/speak about:AAA Project ideas in the VO area

Finding project partners

19


20/20

2011 SWITCH

General AAA Questions

Do you have new project ideas?

Do you need partners or testers for your project idea?

How can the sustainability of AAA projects be ensured?

20

Documents

VO Architecture