The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

EGI AAI integration with ELIXIR AAI

From EGIWiki
Revision as of 12:31, 4 May 2016 by Nliam (talk | contribs)

EGI AAI: Integration with the ELIXIR AAI

How to use it?

The EGI AAI and ELIXIR AAI systems have been integrated to enable:

  • Write access to the GOCDB service registry for ELIXIR service operators. As a result of the integration, 'ELIXIR service operators' can now register and update service entries in GOCDB using their ELIXIR account for login.
  • UNDER FINALISATION: Write access to the Applications Database, particularly to the ELIXIR section of this database, which is a catalogue of Virtual Appliances (VMs with or without contextualisation scripts) that are approved for the ELIXIR community. As a result of the integration, 'ELIXIR infrastructure managers' can add virtual appliances to the 'ELIXIR set' using their ELIXIR account for login. (Note that the Applications Database can be browsed without login, and new appliances can be registered in the catalogue by any registered user, not just ELIXIR account holders.)

You can try the integrated system in the following way:

  1. Apply for an ELIXIR account at https://www.elixir-europe.org/intranet (Conditions and restrictions apply. Please check the page for further details)
  2. Join the ELIXIR Virtual Organisation (to connect your account with AppDB, GOCDB and cloud resources): https://perun.cesnet.cz/edugain/registrar/?vo=vo.elixir-europe.org. (This URL will change in the near future.)
  3. Apply for an 'ELIXIR service operator' or 'ELIXIR infrastructure manager' role in email to Steven Newhouse <steven.newhouse@ebi.ac.uk>.
  4. If you have a 'service operator' role, then go to http://gocdb.egi.eu and after login add/edit your services.
  5. UNDER FINALISATION: If you have an 'infrastructure manager' role, then go to http://appdb.egi.eu and after login add/remove VM images in the ELIXIR list: https://appdb.egi.eu/store/vo/vo.elixir-europe.org/imagelist

Architecture

ELIXIR AAI Requirements and Design

https://docs.google.com/document/d/1CMY1np3GyvPD8LcKvXljXcRO04V2zu3n_Jcg19jgNOw/edit?usp=sharing

Current status

ELIXIR groups enabled in EGI

  • Community:Compute:Grid site managers - manager Steven Newhouse <steven.newhouse@ebi.ac.uk>.

Only users from groups listed above will get the entitlement.

GOCDB access

Access to the GOCDB requires a substantial (or higher) LoA. Currently, all ELIXIR users who are members of the Grid site managers ELIXIR VO group are assigned the substantial LoA by the EGI AAI and are thus able to access the GOCDB. ELIXIR group membership information is conveyed to the EGI AAI through the `eduPersonEntitlement` SAML attribute. More specifically, when a member of the Grid site managers group signs into the GOCDB using their ELIXIR login, the EGI proxy receives an `eduPersonEntitlement` attribute containing the value "elixir:Community:Compute:Grid site managers". This is mapped to an `eduPersonAssurance` attribute with the value `"https://aai.egi.eu/LoA#Substantial"`, which is then transferred to the GOCDB to denote access with a substantial LoA.

                         Attribute                Value(s)
Input from ELIXIR AAI    `eduPersonEntitlement`   `"elixir:Community:Compute:Grid site managers"`
Output from EGI AAI      `eduPersonAssurance`     `"https://aai.egi.eu/LoA#Substantial"`
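The mapping described above, written out as an added example so the rule can be checked against sample attribute statements. This is not the EGI proxy's own code (the page does not show which proxy software performs the mapping or its configuration format); it models the rule in plain Python with a constructed mapping table that contains only the group listed on this page, and uses constructed sample users. The point to notice is that the match is on the whole entitlement value and that a user without the listed group gets no `eduPersonAssurance` attribute at all, so GOCDB's substantial-LoA requirement denies them.

```python
# Added illustration of the eduPersonEntitlement -> eduPersonAssurance mapping
# described on this page. Not EGI's proxy code; the real proxy and its
# configuration format are not shown here, so the rule is modelled directly.
from typing import Dict, Iterable, List

# Entitlement values that yield an assurance value, as stated on the page.
# Only groups listed here produce an assurance attribute (deny by default).
ENTITLEMENT_TO_ASSURANCE: Dict[str, str] = {
    "elixir:Community:Compute:Grid site managers": "https://aai.egi.eu/LoA#Substantial",
}


def map_assurance(entitlements: Iterable[str]) -> List[str]:
    """Derive eduPersonAssurance values from incoming eduPersonEntitlement values.

    Matching is exact and case-sensitive on the whole value. A value that merely
    starts with or contains the group string is not accepted, so an unrelated or
    look-alike group name cannot be mistaken for the authorised one.
    """
    result: List[str] = []
    for value in entitlements:
        assurance = ENTITLEMENT_TO_ASSURANCE.get(value)
        if assurance is not None and assurance not in result:
            result.append(assurance)
    return result


def build_outgoing_attributes(incoming: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Build the attribute set the proxy forwards to GOCDB.

    `incoming` mirrors a SAML attribute statement: attribute name -> list of
    values. When no listed group is present, no eduPersonAssurance attribute is
    emitted at all; the page names no lower LoA value, so none is invented, and
    GOCDB (which requires substantial or higher) refuses access.
    """
    assurance = map_assurance(incoming.get("eduPersonEntitlement", []))
    outgoing = dict(incoming)  # pass the remaining attributes through unchanged
    if assurance:
        outgoing["eduPersonAssurance"] = assurance
    return outgoing


# Constructed sample attribute statements (not real users).
SAMPLE_SITE_MANAGER: Dict[str, List[str]] = {
    "eduPersonEntitlement": ["elixir:Community:Compute:Grid site managers"],
    "mail": ["operator@example.org"],
}
SAMPLE_PLAIN_MEMBER: Dict[str, List[str]] = {
    "eduPersonEntitlement": ["elixir:Community:Some other group"],
    "mail": ["member@example.org"],
}

if __name__ == "__main__":
    for label, attrs in (("site manager", SAMPLE_SITE_MANAGER),
                         ("plain member", SAMPLE_PLAIN_MEMBER)):
        out = build_outgoing_attributes(attrs)
        print(label, "->", out.get("eduPersonAssurance",
                                   "no eduPersonAssurance (GOCDB denies access)"))
```

Running the block prints the assurance value for the constructed site manager and the denial message for the constructed plain member. Adding a second ELIXIR group to the table is the only change needed when a new group is enabled, which keeps the authorisation decision in one reviewable place.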

AppDB access

Integration with the EGI AAI has been finalized.

We are in the process of merging the authorization-related attributes (VO roles and membership) acquired from the EGI AAI with the internal authorization mechanism of the AppDB system. We are currently in the testing phase, which is expected to be finalized by the end of the week (if all goes well, of course). Once testing is done, it is a matter of hours to push the changes into the AppDB production instance.

Plans