Presented here is a list of the objectives from ESP-GRID and, for completeness, from the BRIDGES project. (We have decided not to extend this to the DyVOSE and VOTES projects as most of the benefits of the ESP-GRID project should be reflected in the evaluation of the BRIDGES project.) We also consider the JISC Core Middleware Programme aims.
The organisation of this page
Firstly we present the aims and objectives for the ESP-GRID project (ESP-GRID project aims and objectives).
This is followed by an evaluation of the project against those aims and objectives (Evaluation of Overall Aim (ESP-GRID) and Evaluation of Objectives (ESP-GRID))
Secondly, we present the Goals for the BRIDGES project
And an evaluation (where appropriate) of the ESP-GRID project activities against those objectives
Finally we examine the JISC Core Middleware Programme Aims and Objectives
And look at how the ESP-GRID project fits in with these (JISC) Aims and Objectives
ESP-GRID project aims and objectives
Overall aim
The overall aim of the project was to "achieve a deeper understanding of the potential role that Shibboleth can play in grid authentication, authorization and security".
Objectives
To formulate a picture of current and future requirements of grid security.
To postulate the relevance of Shibboleth to grids and its possible relationships with PKI.
Evaluation of Overall Aim (ESP-GRID)
"To achieve a deeper understanding of the potential role that Shibboleth can play in grid authentication, authorization and security".
This aim was fulfilled as it became obvious that there will be many applications that can be delivered by the grid and where the simplified security (access management) made possible by Shibboleth is appropriate - and possibly necessary - and relatively easy to deliver. With the Customer-SP model (1) of grid provision, Shibboleth is clearly of value but there will still be a need for the direct authentication/assertion provided by client digital certificates.
Regarding authentication, the ESP-GRID project has achieved a deeper understanding with regard to grid computing, and many of the findings of the project concern authentication in particular.
Regarding authorisation, the project reached a deeper understanding but highlighted relatively few solutions via Shibboleth. Simplistically, if grid resources are able to make use of roles, status and local group membership, as the Information Environment applications - and the DyVOSE grid application - are able, then Shibboleth can provide solutions. However, the authorisation requirements of many grid resources are likely to be more complex than this and we will have to wait for both later versions of Shibboleth, and for the grid community itself, to provide mechanisms of Virtual Organisation (VO) membership (etc.) assertion to take sophisticated solutions forward. Both Shibboleth and the more mainstream grid are relatively immature in this area, although much work is now being undertaken, on many fronts, to remedy this.
With regard to security, any mechanism that improves the management of - and the user experience of - access management will improve overall security. In addition, a more standards-based approach will similarly improve security.
Evaluation of Objectives (ESP-GRID)
To formulate a picture of current and future requirements of grid security
This objective proved far more difficult to achieve for the following reasons:
- Despite an apparent wealth of documentation (see RequirementsBibliography) on grid requirements for access management, an overall picture was difficult to obtain and requirements were often project-specific or overly general.
- There was a great gulf between the sophisticated designs for solutions (e.g. for VO support) and that which was actually favoured or employed by grid communities. Therefore, it took much time to make judgements between abstract designs and real-world implementations.
Finally, we took what was apparently the most comprehensive document in this field (from Shawn Mullen et al.) and examined it for relevance to the need for access management without the total reliance on current mechanisms (i.e. client digital certificates). This was a useful process but one which may suffer from the lack of active engagement of the grid community with the original document. During the lifetime of the ESP-GRID project, the January 2004 (draft) document has not been revised to our knowledge and the original authors may not have a great interest in so doing.
To postulate the relevance of Shibboleth to grids and its possible relationships with PKI.
When the ESP-GRID project began - in summer 2004 - there was no widespread acceptance that Shibboleth had any relevance to grid computing. Indeed, there was active opposition in some quarters. During the intervening period, however, attitudes have changed (and it is our opinion that the position may have moved too far in some instances!). We have certainly postulated the relevance of Shibboleth to grids, especially where the existence of the Customer-SP model (2) seems likely. We have written less specifically about the "possible relationships with PKI" as we believe that the majority of future grid users will interact with the grid via the Customer-SP model (and the BRIDGES portal is an excellent example of this). Within this model the portal uses a host digital certificate in the same way as if it were an end-user. Therefore very little has changed regarding PKI with the existing grid.
Other projects have now emerged that are looking at combining the use of Shibboleth with the obtaining and invoking of client digital certificates by, or on behalf of, the end user. With regard to security this could be problematic (the combining of the two security paradigms of user-to-machine and machine-to-machine trust), but it is too early to judge whether the approaches of these new projects will avoid or exacerbate these problems. The ESP-GRID project decided - at a relatively early stage - that as long as only 'Power Users' needed to handle digital certificates directly, Shibboleth (and therefore the local institutional single sign-on mechanisms) could be used in their stead for the vast majority of users.
If/where Shibboleth is relevant, to examine possible interfaces between existing information environments and grid computing environments using Shibboleth, and PKI where appropriate.
The text for the previous section is equally relevant here. Where grid applications or services decide to employ Shibboleth for (at least) authentication, the "interface" is Shibboleth. Arguably, the interface in the Customer-SP model is the trust between the 'grid' and the portal, and the use of the host certificate by the portal.
(If and) Where Shibboleth has been shown to be able to play a beneficial role in grid access management, a prototype grid should be modelled and developed.
This was achieved fully. See NeSC_Shibbolized_Resources.
Building on the above, routes for migration and/or integration should be proposed in order to achieve interoperability with regard to access controls between existing PKI-based grids and information environments.
This objective was predicated upon the idea of a Shibboleth-mediated grid and a PKI-mediated grid. With the use of a Customer-SP model of grid applications, such a schism need not exist. Therefore recommendations of migration/integration are not altogether relevant. However, our recommendation of the Customer-SP model and the development of the demonstrators at NeSC_Shibbolized_Resources may - arguably - imply a "route for integration".
Goals for the BRIDGES project
Original Project Overview
Biomedical Research Informatics Delivered by Grid Enabled Services (BRIDGES) is developing and exploring database integration over six geographically distributed research sites within the framework of the large Wellcome Trust biomedical research project Cardiovascular Functional Genomics. Three classes of integration are being developed to support a sophisticated bioinformatics infrastructure supporting: data sources (both public and project generated), bioinformatics analysis and visualisation tools, and research activities combining shared and private data. The inclusion of patient records and animal experiment data means that privacy and access control are particular concerns. Both OGSA-DAI and IBM Information Integrator technology are being employed and a report will identify how each performed in this context.
Project goals
The project was to deliver the following results:
An effective environment for biomedical bioinformatics supporting the work of the Wellcome Trust Cardiovascular Functional Genomics project. This will include federated access to data, analysis and visualisation across at least the UK centres with appropriate authorisation and privacy.
An improved understanding of the requirements for the support of academic biomedical research virtual organisations. This will be published as a final project report and exemplified with publicly available re-usable data access and integration components.
An evaluation of the utility of various existing and emerging federation tools (e.g. replication tools such as GIGGLE, query tools such as DiscoveryLink and platforms such as OGSA-DAI) in this class of application. A particular issue is whether Grid-based technology can assist with the management of the bioinformatics infrastructure and processes.
A demonstration of the use of specialised platforms for resource-critical steps in bioinformatics analyses, such as the construction of multi-genome indexes to support the translation of functional genomics research between model species and humans.
Evaluation of BRIDGES project goals (with respect to ESP-GRID)
An effective environment/federated access to data...
An effective environment for biomedical bioinformatics supporting the work of the Wellcome Trust Cardiovascular Functional Genomics project. This will include federated access to data, analysis and visualisation across at least the UK centres with appropriate authorisation and privacy.
The key words here, regarding ESP-GRID, are "effective environment", "appropriate authorisation" and "privacy".
The access management mechanisms and usability (from an end-user's point of view) that Shibboleth provides will enable an "effective environment" for use of such databases and applications by bioinformatics researchers. Using existing (digital certificate mediated) security is clearly a great barrier to the existence of this "effective environment".
Shibboleth enables "appropriate authorisation" far more than the use of digital certificates alone. The use of lists of distinguished names in grid mapfiles is difficult to scale and even more difficult to manage for currency of data. The use of Shibboleth in this context is highly desirable.
Shibboleth also enables "privacy" for the researcher in that the solution may be implemented so that the database cannot easily detect the identity of the (authorised) user accessing and querying the data. This is very difficult when using client digital certificates alone.
Improved understanding of requirements...
An improved understanding of the requirements for the support of academic biomedical research virtual organisations. This will be published as a final project report and exemplified with publicly available re-usable data access and integration components.
Many of the implications of this objective lie outside the scope of the ESP-GRID project. However, it became obvious that to support the biomedical research community, the access management (security) demands on the end-users must be presented to them very simply. The use of client digital certificates was too onerous and Shibboleth (and therefore the local institutional single sign-on mechanisms) provides a solution.
The utility of federation tools...
An evaluation of the utility of various existing and emerging federation tools (e.g. replication tools such as GIGGLE, query tools such as DiscoveryLink and platforms such as OGSA-DAI) in this class of application. A particular issue is whether Grid-based technology can assist with the management of the bioinformatics infrastructure and processes.
This objective lies outside the scope of the ESP-GRID project.
A demonstration of the use of specialised platforms...
A demonstration of the use of specialised platforms for resource-critical steps in bioinformatics analyses, such as the construction of multi-genome indexes to support the translation of functional genomics research between model species and humans.
This objective lies outside the scope of the ESP-GRID project.
JISC Core Middleware Aims and Objectives
Note: Overall Aims and Objectives
These aims and objectives were taken from the overall Core Middleware Aims and Objectives: Where do we want to be? page (URL possibly subject to change). These objectives covered both Core Middleware Programmes (both Technical Development and Infrastructure). Therefore the ESP-GRID project has more relevance to some objectives than to others.
Aims and Objectives
AIM ONE: To create a better understanding of core middleware potential and application within HE and FE.
AIM TWO: To build a working Federated Access Management infrastructure.
AIM THREE: To ensure that project developments are embedded with the UK HE and FE community.
AIM FOUR: To support take-up and use of Federated Access Management within UK HE and FE community.
AIM FIVE: To ensure join-up across JISC Development, in relation to middleware.
- Objective: Organise appropriate cross-development events at all joint programme meetings throughout lifetime of the programme.
Evaluation of JISC CM Programme goals (with respect to ESP-GRID)
AIM ONE: To create a better understanding of core middleware potential and application within HE and FE.
Apart from the (possibly inescapable) fact that e-Research and grids will be used far more heavily in Higher than in Further Education, we believe that the ESP-GRID project has furthered the understanding of core middleware potential, especially in linking between practices in the Information_Environment and in grids. The project has been heavily concerned with potential, in deliberately considering future use of grids, and giving rise to our notion of the Customer-Service Provider Model of grid use. We therefore believe that the project has delivered relatively more strongly regarding this aim than regarding many of the other aims listed below.
AIM TWO: To build a working Federated Access Management infrastructure
At the beginning of our projects, the ESP-GRID project was working alongside the SPIE project and one of the first achievements was to set up a test Shibboleth Identity Provider (IdP). This was also achieved at the University of Glasgow under the ESP-GRID project. This, effectively, helped to test this component of the Shibboleth infrastructure and to achieve the JISC objective (within this aim) to:
Install and test origin infrastructure at 5 UK HE institutions by December 2005.
To establish this infrastructure without many test installations would have been very difficult indeed and the collective experience of the projects in this area must have assisted the 'early adopter' projects in meeting this objective.
AIM THREE: To ensure that project developments are embedded with the UK HE and FE community
One of the successes of the ESP-GRID project has been our advocacy role within our institution (University of Oxford) and within the community in informing those who should know that 'Shibboleth is on the way'. A great benefit of the project to Oxford in particular is that there have been people here who could explain the fundamentals of Shibboleth to local staff responsible for registration, authentication and authorisation practices. The development outputs of Shibboleth access to BRIDGES should be of use to the bioinformaticians at Glasgow, and hopefully, eventually beyond.
AIM FOUR: To support take-up and use of Federated Access Management within UK HE and FE community
As with aim three, we feel that the future of Federated Access Management within Oxford is a little nearer because of our (and the SPIE project's) activities. Those planning developments in identity management, the handling of metadata, etc. have asked for our input on many occasions. With the complexity of, and ownership and access to, data due to the loosely federated nature of Oxford, it was likely that Shibboleth would appear here in production far later than in other institutions. The presence here of the development projects SPIE and ESP-GRID has helped promote the take-up of Shibboleth and Federated Access Management at Oxford.
AIM FIVE: To ensure join-up across JISC Development, in relation to middleware
An informal outcome to our work on ESP-GRID has been to talk to people running different (existing) applications. This has had the benefit of us passing on 'awareness' to other development projects, such as those in the VLE area. Many developers, over the last two years, have shown an interest in Shibboleth and we have been well placed to assist with the growth in understanding.
We hope that we have played an active part in the JISC objective within this aim to:
Organise appropriate cross-development events at all joint programme meetings throughout lifetime of the programme
The ESP-GRID project team has been active in such events and the project has also gained insights upon attendance.
(1) See the RequirementsDoc page and our All Hands Paper (2006) (AllHandsPapers2006).
(2) Ditto previous footnote.