A. Generic

1. Which Research Infrastructure (RI) are you representing?

PUHURI is a resource allocation system for compute services. It also provides reporting and access management to compute services. 

LUMI is the main user of PUHURI services. PUHURI is exploring expansion for other use cases such as for quantum and for national HPC systems (Karolina?).

2. Which field of science are you serving? (Frascati manual of Fields of Research and Development (FORD)) (can we compile a list!?)

This depends entirely on which field of science the services using PUHURI are supporting. From that perspective Puhuri is agnostic and can serve any field of science.

3. Please provide description about the research infrastructure (e.g. which kind of infrastructure and related services are delivered and by whom, is there a formalised collaboration etc.)

Puhuri acts as a broker for resource allocation for allocation bodies. They can be EuroHPC, national allocation committees and local resource allocators.

The architecture and services provided are described at https://puhuri.io/architecture. Puhuri provides resource allocation and authentication infrastructure for service providers. Puhuri uses MyAccessID for user identification, which is a GEANT-provided service. The diagram below summarises the architecture of Puhuri, consisting of two layers: the identity layer and the Infrastructure Service Domain (ISD) layer, which is where Puhuri lives.

[Figure: Puhuri architecture diagram]

Puhuri is currently running as a project funded by NeIC and is developed and operated as a collaboration of Sigma 2 (.no), DeIC (.dk), NAIC (.se), Etais (.es), CSC (.fi), Uni of Iceland (.is), and observers SUNET (.se). There is an ongoing process to hand over the Puhuri system to a permanent host.


5. Please provide description of the user audience - type of users (research, citizen scientists, industry users), number of users, distribution over the globe and organisations

Users are any eligible users accessing services, such as HPCs, connected to PUHURI.

With LUMI being the main user at the moment, most of the users are researchers coming through the national allocators in the LUMI consortium https://www.lumi-supercomputer.eu/lumi-consortium/ . EuroHPC is also an allocator in the system. Industry users and citizen scientists are also in scope. Currently, users are coming mostly from the LUMI consortium countries, but the user base is global. Currently there are more than 7000 users who have accessed LUMI.


6. Is the RI member of European Open Science Cloud (EOSC)?

Puhuri is not, but the RIs connected to PUHURI most likely are.

7. Is the RI participating in Citizen Science Programmes or other initiatives or programmes?

Puhuri is not, but the RIs connected to PUHURI could be. 

B. AAI solution


1. Describe the currently running solution for authentication and authorisation infrastructure (AAI). (Which specific authentication methods are being used to cater for different user audiences (e.g. institutional accounts (eduGAIN), ORCID, social media, others - please specify))

Puhuri uses MyAccessID as its identity layer. It uses eduGAIN IdPs and other specific community IdPs that are connected to MyAccessID. It also uses eIDs (eIDAS 1.0) and recommends eduid.se as a last resort IdP.

No social media or ORCID IdPs are used, as users need to be identified at REFEDS LoA medium or high for access to HPC resources.

On top of that, Puhuri offers a resource allocation service that implements specific access control rights for connected HPC services, resulting from the resource allocation process.


2. Is your AAI solution compliant to AARC BPA (blueprint architecture)?

Yes, as MyAccessID is used as the identity layer. 

3. Which AARC guidelines are you implementing? (add the table... )

Yes, based on AARC guidelines implemented by MyAccessID. (Marina Adomeit TO CHECK!)

(introduction material needed to present BPA and the guidelines)

4. What are your comments about the BPA implementation? (challenges in implementation, challenges in clarity, technical difficulties etc.)

NA - question should be asked to MyAccessID


C. Policy for access management 

1. Does the Research Infrastructure have an access policy? (the access policy governs who can access the infrastructure, under what conditions)

Puhuri does not have an access policy itself. Each allocation body and corresponding HPC system using Puhuri has its own access policy. In addition, MyAccessID has an access policy as well.

From the user's perspective, they will see two Terms of Use: one from MyAccessID and a second from the HPC system they are accessing.


2. Is there a formalised procedure to manage access rights to services (e.g. cooperation agreement, call for application and evaluation, ad-hoc individual order/access, member of an organisation, etc.)?

Puhuri does not, but the HPC services connected to Puhuri implement their own procedures to manage access rights. The procedure for managing access rights for HPC is typically through calls for application and evaluation, which are done based on the national procedures. Whichever procedures the allocation bodies use, Puhuri will collect the information regarding the allocations and the corresponding access rights.

Puhuri is at the moment also building a review and allocation portal that will be offered to service owners and allocation bodies to perform the call for applications and review process.

3. What are the requirements for identification of the users (e.g. required information, LoA, authentication method)? 

4. How do you implement the policy for access management (e.g. how is the individual who can access the research data/measurement data/your research instrument identified and authorised)?

Users that are part of approved projects will be assigned memberships in appropriate groups or specific role attributes.


D. Security

1. Is there a GDPR Data Controller designated for the AAI?

Yes, GEANT for MyAccessID

2. Has the AAI designated a security contact to handle security incidents?

Yes, defined for MyAccessID. Puhuri is also working on establishing a CSIRT function.

3. Does the AAI adhere to SIRTFI or other recognised security frameworks?

Yes, MyAccessID does. Puhuri has defined an incident response procedure that adheres to SIRTFI.

E. Workflow

1. Can you describe the research workflows?

This will depend on the service connected to PUHURI.

In the case of LUMI, the first part is onboarding the user. Assuming that the project was accepted, the user is invited by their PI to join the project. Typically, the user accesses the national allocation portal through the provided link and authenticates through MyAccessID. The user will be given appropriate access rights. To access HPC resources, at this moment, the user needs to upload the public key to MyAccessID. Puhuri will sync all the access-related data with LUMI HPC systems. Eventually, the user can access HPC through SSH.

F. Requirements


1. Can you describe further requirements, gaps and challenges?

  • Enable access for users without sufficient LoA through an identity vetting solution or wallet
  • Federated ssh access (this is already in development in LUMI and MyAccessID)
  • Enabling access for industry users
  • Enabling last resort IdP
  • MFA (no clear use cases at the moment, but we would expect that in the future)