[wiki:EvaluationPages Back to the main Evaluation pages]
We present here a list of the objectives from ESP-GRID as well as the [http://www.brc.dcs.gla.ac.uk/projects/bridges/ BRIDGES] project for completeness. (We have decided not to extend this to the DyVOSE and VOTES projects as most of the benefits of the ESP-GRID project should be reflected in the evaluation of the BRIDGES project).
The organisation of this page
- Firstly, we present the aims and objectives for the ESP-GRID project ([#espAimsObjs ESP-GRID project aims and objectives]).
- This is followed by an evaluation of the project against those aims and objectives ([#espEvalAim Evaluation of Overall Aim (ESP-GRID)] and [#espEvalObjs Evaluation of Objectives (ESP-GRID)]).
- Clickable links from the former (statement of aim/objectives) also take you to the latter (the evaluation).
- Secondly, we present the [#goalsBridges Goals for the BRIDGES project] and an evaluation (where appropriate) of the [#EvalBridges ESP-GRID project activities against those objectives].
- Again, clickable links from the former (statement of goals) also take you to the latter (the evaluation).
ESP-GRID project aims and objectives
Overall aim
The overall aim of the project was to "achieve a deeper understanding of the potential role that Shibboleth can play in grid authentication, authorization and security".
Objectives
- [#obj1 To formulate a picture of current and future requirements of grid security.]
- [#obj2 To postulate the relevance of Shibboleth to grids and its possible relationships with PKI.]
- [#obj3 If/where Shibboleth is relevant, to examine possible interfaces between existing information environments and grid computing environments using Shibboleth, and PKI where appropriate.]
- [#obj4 (If and) Where Shibboleth has been shown to be able to play a beneficial role in grid access management, a prototype grid should be modelled and developed.]
- [#obj5 Building on the above, routes for migration and/or integration should be proposed in order to achieve interoperability with regard to access controls between existing PKI-based grids and information environments.]
Evaluation of Overall Aim (ESP-GRID)
"To achieve a deeper understanding of the potential role that Shibboleth can play in grid authentication, authorization and security".
This aim was fulfilled: it became obvious that many applications can be delivered by the grid for which the simplified security (access management) made possible by Shibboleth is appropriate, possibly necessary, and relatively easy to deliver. With the Customer-SP model of grid provision (see the RequirementsDoc page and our [:AllHandsPapers2006: All Hands Paper (2006)]), Shibboleth is clearly of value, but there will still be a need for the direct authentication/assertion provided by client digital certificates.
Regarding authentication, the ESP-GRID project has achieved a deeper understanding with regard to grid computing, and much of the findings of the project concern authentication in particular.
Regarding authorisation, the project reached a deeper understanding but highlighted relatively few solutions via Shibboleth. Simplistically, if grid resources are able to make use of roles, status and local group membership, as the [:Information_Environment:Information Environment] applications - and the DyVOSE grid application - are able, then Shibboleth can provide solutions. However, the authorisation requirements of many grid resources are likely to be more complex than this, and we will have to wait for both later versions of Shibboleth and the grid community itself to provide mechanisms for asserting Virtual Organisation (VO) membership (etc.) before sophisticated solutions can be taken forward. Both Shibboleth and the more mainstream grid are relatively immature in this area, although much work is now being undertaken, on many fronts, to remedy this.
With regard to security, any mechanism that improves the management of - and the user experience of - access management will improve overall security. In addition, a more standards-based approach will similarly improve security.
Evaluation of Objectives (ESP-GRID)
To formulate a picture of current and future requirements of grid security
This objective proved far more difficult to achieve for the following reasons:
- Despite an apparent wealth of documentation (see RequirementsBibliography) on grid requirements for access management, an overall picture was difficult to obtain, and requirements were often project-specific or overly general.
- There was a great gulf between the sophisticated designs for solutions (e.g. for VO support) and what was actually favoured or employed by grid communities. Therefore, it took much time to make judgements between abstract designs and real-world implementations.
Finally, we took what was apparently the most comprehensive document in this field (from [https://forge.gridforum.org/projects/saaa-rg/document/Draft_5_of_Requirements_Doc/en/1 Shawn Mullen et al.]) and examined it for relevance to the need for access management without the total reliance on current mechanisms (i.e. client digital certificates). This was a useful process but one which may suffer from the lack of active engagement of the grid community with the original document. During the lifetime of the ESP-GRID project, the January 2004 (draft) document has not been revised to our knowledge and the original authors may not have a great interest in so doing.
To postulate the relevance of Shibboleth to grids and its possible relationships with PKI.
When the ESP-GRID project began - in summer 2004 - there was no widespread acceptance that Shibboleth had any relevance to grid computing. Indeed, there was active opposition in some quarters. During the intervening period, however, attitudes have changed (and it is our opinion that the position may have moved too far in some instances!). We have certainly postulated the relevance of Shibboleth to grids, especially where the existence of the Customer-SP model (see the RequirementsDoc page and our All Hands Paper (2006)) seems likely. We have written less specifically about the "possible relationships with PKI" as we believe that the majority of future grid users will interact with the grid via the Customer-SP model (and the [http://www.brc.dcs.gla.ac.uk/projects/bridges/ BRIDGES] portal is an excellent example of this). Within this model the portal uses a host digital certificate in the same way as if it were an end-user. Therefore very little has changed regarding PKI with the existing grid.
Other projects have now emerged that are looking at combining the use of Shibboleth with the obtaining and invoking of client digital certificates by, or on behalf of, the end user. With regard to security this could be problematic (the combining of the two security paradigms of user-to-machine and machine-to-machine trust), but it is too early to judge whether the approaches of these new projects will avoid or exacerbate these problems. The ESP-GRID project decided - at a relatively early stage - that as long as only 'Power Users' needed to handle digital certificates directly, Shibboleth (and therefore the local institutional single sign-on mechanisms) could be used in their stead for the vast majority of users.
If/where Shibboleth is relevant, to examine possible interfaces between existing information environments and grid computing environments using Shibboleth, and PKI where appropriate.
The text for the [#obj2 previous section] is equally relevant here. Where grid applications or services decide to employ Shibboleth for (at least) authentication, the "interface" is Shibboleth. Arguably, the interface in the Customer-SP model is the trust between the 'grid' and the portal, and the use of the host certificate by the portal.
(If and) Where Shibboleth has been shown to be able to play a beneficial role in grid access management, a prototype grid should be modelled and developed.
This was achieved fully. See ["NeSC Shibbolized Resources"].
Building on the above, routes for migration and/or integration should be proposed in order to achieve interoperability with regard to access controls between existing PKI-based grids and information environments.
This objective was predicated upon the idea of a Shibboleth-mediated grid and a PKI-mediated grid. With the use of a Customer-SP model of grid applications, such a schism need not exist. Therefore recommendations of migration/integration are not altogether relevant. However, our recommendation of the Customer-SP model and the development of the demonstrators at ["NeSC Shibbolized Resources"] may - arguably - imply a "route for integration".
Goals for the BRIDGES project
Original Project Overview
Biomedical Research Informatics Delivered by Grid Enabled Services (BRIDGES) is developing and exploring database integration over six geographically distributed research sites within the framework of the large Wellcome Trust biomedical research project [http://www.brc.dcs.gla.ac.uk/projects/cfg/ Cardiovascular Functional Genomics]. Three classes of integration are being developed to support a sophisticated bioinformatics infrastructure supporting: data sources (both public and project generated), bioinformatics analysis and visualisation tools, and research activities combining shared and private data. The inclusion of patient records and animal experiment data means that privacy and access control are particular concerns. Both [http://www.ogsadai.org.uk/ OGSA-DAI] and IBM [http://www-306.ibm.com/software/data/integration/ Information Integrator] technology are being employed and a report will identify how each performed in this context.
Project goals
The project was to deliver the following results:
- [#objB1 An effective environment] for biomedical bioinformatics supporting the work of the Wellcome Trust Cardiovascular Functional Genomics project. This will include federated access to data, analysis and visualisation across at least the UK centres with appropriate authorisation and privacy.
- [#objB2 An improved understanding of the requirements] for the support of academic biomedical research virtual organisations. This will be published as a final project report and exemplified with publicly available re-usable data access and integration components.
- [#objB3 An evaluation of the utility of various existing and emerging federation tools] (e.g. replication tools such as GIGGLE, query tools such as DiscoveryLink and platforms such as OGSA-DAI) in this class of application. A particular issue is whether Grid-based technology can assist with the management of the bioinformatics infrastructure and processes.
- [#objB4 A demonstration of the use of specialised platforms] for resource-critical steps in bioinformatics analyses, such as the construction of multi-genome indexes to support the translation of functional genomics research between model species and humans.
Evaluation of BRIDGES project goals (with respect to ESP-GRID)
An effective environment/federated access to data...
An effective environment for biomedical bioinformatics supporting the work of the Wellcome Trust Cardiovascular Functional Genomics project. This will include federated access to data, analysis and visualisation across at least the UK centres with appropriate authorisation and privacy.
The key words here, regarding ESP-GRID, are "effective environment", "appropriate authorisation" and "privacy".
The access management mechanisms and usability (from an end-user's point of view) that Shibboleth provides will enable an "effective environment" for the use of such databases and applications by bioinformatics researchers. Using existing (digital-certificate-mediated) security is clearly a great barrier to the existence of this "effective environment".
Shibboleth enables "appropriate authorisation" far more than the use of digital certificates alone. The use of lists of distinguished names in grid mapfiles is difficult to scale and even more difficult to keep current. The use of Shibboleth in this context is highly desirable.
Shibboleth also enables "privacy" for the researcher in that the solution may be implemented so that the database cannot easily detect the identity of the (authorised) user accessing and querying the data. This is very difficult when using client digital certificates alone.
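The two paragraphs above contrast a grid-mapfile (a hand-maintained list of certificate distinguished names) with an attribute-based Shibboleth decision on the points of currency and privacy. The following Python is an added illustration written for this page; it is not ESP-GRID or BRIDGES project code. The grid-mapfile lines, the institutional directory, the entitlement URN, the service-provider entityID and the salt are all constructed; the eduPerson attribute names are the real ones used in Shibboleth federations, but the pseudonym derivation is a simplified stand-in for how an IdP produces eduPersonTargetedID, not a real IdP algorithm.

```python
"""Constructed contrast between two access-management models for a grid data resource:
a Globus-style grid-mapfile keyed on certificate DNs, and an attribute-based decision
on a Shibboleth (eduPerson) assertion. Example code for this page, not project code."""
from __future__ import annotations

import copy
import hashlib
import shlex
from dataclasses import dataclass

# Constructed grid-mapfile in the Globus format: quoted subject DN, then local account.
# Every line names a real person and is edited by hand when people join or leave.
GRID_MAPFILE = '''\
"/C=UK/O=eScience/OU=Glasgow/L=Compserv/CN=alice example" cfgdata
"/C=UK/O=eScience/OU=Oxford/L=OUCS/CN=bob example" cfgdata
'''
ALICE_DN = "/C=UK/O=eScience/OU=Glasgow/L=Compserv/CN=alice example"

# Constructed policy values (not from the page).
PROJECT_ENTITLEMENT = "urn:example:cfg:researcher"       # eduPersonEntitlement value
PARTNER_SCOPES = frozenset({"gla.ac.uk", "ox.ac.uk"})    # institutions allowed in
DATA_SP = "https://bridges-data.example/shibboleth"      # SP entityID
IDP_SECRET = "constructed-idp-secret"                     # salt for the pseudonym

# Constructed home-institution directory, read by the IdP at each login.
GLASGOW_DIRECTORY = {
    "alice": {"affiliations": ["member@gla.ac.uk", "staff@gla.ac.uk"],
              "entitlements": [PROJECT_ENTITLEMENT]},
}


def parse_grid_mapfile(text: str) -> dict[str, str]:
    """{DN: local account}; blank and '#' lines are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the quotes around the DN
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        mapping[parts[0]] = parts[1]
    return mapping


def mapfile_authorize(mapping: dict[str, str], certificate_dn: str) -> str | None:
    """DN-list model: the resource sees the user's full identity and the grant
    stands until somebody deletes the line."""
    return mapping.get(certificate_dn)


@dataclass(frozen=True)
class AttributeAssertion:
    targeted_id: str                    # eduPersonTargetedID: opaque, per-SP
    scoped_affiliation: frozenset[str]  # eduPersonScopedAffiliation, e.g. member@gla.ac.uk
    entitlements: frozenset[str]        # eduPersonEntitlement URNs


def simulate_idp_login(directory: dict, username: str, sp_entity_id: str) -> AttributeAssertion | None:
    """Stand-in IdP: asserts the directory's current attributes and a per-SP pseudonym
    (simplified model of how eduPersonTargetedID behaves; not a real IdP algorithm)."""
    record = directory.get(username)
    if record is None:
        return None
    digest = hashlib.sha256(f"{IDP_SECRET}|{username}|{sp_entity_id}".encode()).hexdigest()
    return AttributeAssertion(digest[:32], frozenset(record["affiliations"]),
                              frozenset(record["entitlements"]))


def attribute_authorize(assertion: AttributeAssertion | None) -> str | None:
    """Attribute model: grant to current members of a partner institution who hold the
    project entitlement; returns the pseudonym, never a name or DN."""
    if assertion is None or PROJECT_ENTITLEMENT not in assertion.entitlements:
        return None
    for affiliation in assertion.scoped_affiliation:
        value, _, scope = affiliation.partition("@")
        if value == "member" and scope in PARTNER_SCOPES:
            return assertion.targeted_id
    return None


def demonstrate_currency() -> dict:
    """Alice is authorised under both models, then leaves Glasgow: her institution
    downgrades her directory record, but nobody edits the grid-mapfile."""
    mapping = parse_grid_mapfile(GRID_MAPFILE)
    directory = copy.deepcopy(GLASGOW_DIRECTORY)
    before = {"mapfile": mapfile_authorize(mapping, ALICE_DN),
              "shibboleth": attribute_authorize(simulate_idp_login(directory, "alice", DATA_SP))}
    directory["alice"]["affiliations"] = ["alum@gla.ac.uk"]  # departure recorded at home only
    after = {"mapfile": mapfile_authorize(mapping, ALICE_DN),  # stale grant persists
             "shibboleth": attribute_authorize(simulate_idp_login(directory, "alice", DATA_SP))}
    return {"before": before, "after": after}
```

Running `demonstrate_currency()` shows the two points made above in one place: after the departure the grid-mapfile still maps Alice's DN to `cfgdata`, because currency depends on someone editing the resource-side list, while the attribute decision fails at her next login because the home institution's directory no longer asserts `member@gla.ac.uk`. The value the attribute model hands to the resource is an opaque pseudonym that differs between service providers, so the database sees neither a name nor a DN, which is the privacy property described above.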
Improved understanding of requirements...
An improved understanding of the requirements for the support of academic biomedical research virtual organisations. This will be published as a final project report and exemplified with publicly available re-usable data access and integration components.
Many of the implications of this objective lie outside the scope of the ESP-GRID project. However, it became obvious that to support the biomedical research community, the access management (security) demands on end-users must be presented to them very simply. The use of client digital certificates was too onerous, and Shibboleth (and therefore the local institutional single sign-on mechanisms) provides a solution.
The utility of federation tools...
An evaluation of the utility of various existing and emerging federation tools (e.g. replication tools such as GIGGLE, query tools such as DiscoveryLink and platforms such as OGSA-DAI) in this class of application. A particular issue is whether Grid-based technology can assist with the management of the bioinformatics infrastructure and processes.
This objective lies outside the scope of the ESP-GRID project.
A demonstration of the use of specialised platforms...
A demonstration of the use of specialised platforms for resource-critical steps in bioinformatics analyses, such as the construction of multi-genome indexes to support the translation of functional genomics research between model species and humans.
This objective lies outside the scope of the ESP-GRID project.