A. Generic

1. Which Research Infrastructure (RI) are you representing?

PUHURI is a resource allocation system for compute services. It also provides reporting and access management to compute services. 

LUMI is the main user of PUHURI services. PUHURI is exploring expansion to other use cases, such as quantum computing and national HPC systems (Karolina?).

2. Which field of science are you serving? (Frascati Manual, Fields of Research and Development (FORD)) (can we compile a list?)

This depends entirely on which fields of science the services using PUHURI are supporting. From that perspective Puhuri is agnostic and can serve any field of science, covering all sciences.

3. Please provide a description of the research infrastructure (e.g. which kind of infrastructure and related services are delivered and by whom, is there a formalised collaboration, etc.)

...

The architecture and services provided are described at https://puhuri.io/architecture. Puhuri provides resource allocation and authentication infrastructure for service providers. Puhuri uses MyAccessID, a GÉANT-provided service, for user identification. The diagram below summarises the architecture of Puhuri, which consists of two layers: the identity layer and the Infrastructure Service Domain (ISD) layer, which is where Puhuri lives.
[Architecture diagram: identity layer and Infrastructure Service Domain (ISD) layer]

Puhuri is currently running as a project funded by NeIC and is developed and operated as a collaboration of Sigma 2 (.no), DeIC (.dk), NAIC (.se), Etais (.es), CSC (.fi), Uni of Iceland (.is), and observer SUNET (.se). There is an ongoing process to hand over the Puhuri system to a permanent host.

...

Users are any eligible users accessing the services, such as HPC systems, connected to PUHURI.

With LUMI being the main user at the moment, most of the users are researchers coming through the national allocators in the LUMI consortium (https://www.lumi-supercomputer.eu/lumi-consortium/). EuroHPC is also an allocator in the system. Industry users and citizen scientists are also in scope. Currently, users come mostly from the LUMI consortium countries, but the user base is global. Currently there are more than 7000 users who have accessed LUMI.

Using MyAccessID.


6. Is the RI member of European Open Science Cloud (EOSC)?

...

Puhuri is not, but the RIs connected to PUHURI could be. 

B. AAI solution

(probably 2 sets of questions based on the BPA knowledge level - BPA beginner/rookie vs BPA savvy/advanced user)


1. Describe the currently running solution for authentication and authorisation infrastructure (AAI). (Which specific authentication methods are being used to cater for different user audiences (e.g. institutional accounts (eduGAIN), ORCID, social media, others - please specify))

Puhuri uses MyAccessID as its identity layer. It uses eduGAIN IdPs and other specific community IdPs that are connected to MyAccessID. It also uses eIDs (eIDAS 1.0) and recommends eduid.se as a last-resort IdP. ORCID is making things complicated.

No social media IDs or ORCID IdPs are used, as users typically need to be identified at REFEDS LoA medium or high for access to HPC resources.

...

NA - this question should be asked of MyAccessID.


C. Policy for access management

1. Does the Research Infrastructure have an access policy? (The access policy governs who can access the infrastructure and under what conditions.)

...

Puhuri is at the moment also building a review and allocation portal that will be offered to service owners and allocation bodies to run the call for applications and the review process.

3. What are the requirements for identification of the users (e.g. required information, LoA, authentication method)?

First of all, users need to be eligible to apply for the resources, and then they will be granted access if the proposed project they participate in was accepted. In practice, this is what is needed:

4. How do you implement the policy for access management (e.g. how is the individual who can access the research data/measurement data/your research instrument identified and authorised)?

For users that are part of the approved projects, they will be assigned memberships in appropriate groups or specific role attributes.

...

  • Please select any of the following options that apply (try first without asking the list)
    • (a) Based on the user's membership in group(s). If YES, do these groups need to be managed within your RI or within external RIs? 
    • (b) Based on user attributes required to access specific resources a user is allowed to access or perform certain actions. If YES, do these capabilities need to be managed within your RI or within external RIs? - ask Nicolas for the example ? e.g ESI?
    • (c) Based on affiliation of the user with their home institute
    • (d) Based on identity assurance (e.g. level of identity proofing, freshness of affiliation information),
    • (e) Based on the authentication method (e.g. Multi-Factor Authentication - MFA),
    • (f) Other
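To make the options above concrete, here is an added illustration (not Puhuri's or MyAccessID's code) of an access decision that combines several of them: identity assurance at REFEDS LoA medium or higher (as section B states HPC access requires), membership in an approved project group (as the answer above describes), and optionally multi-factor authentication. The REFEDS assurance and MFA URIs are the published ones; the claim layout, group names and users are constructed for the example.

```python
from dataclasses import dataclass, field

# REFEDS Assurance Framework identity-proofing (IAP) values; these URIs are the
# published REFEDS ones. Everything else here (claim layout, group names,
# users) is a constructed illustration, not how Puhuri or MyAccessID work.
IAP_LOW = "https://refeds.org/assurance/IAP/low"
IAP_MEDIUM = "https://refeds.org/assurance/IAP/medium"
IAP_HIGH = "https://refeds.org/assurance/IAP/high"
IAP_RANK = {IAP_LOW: 1, IAP_MEDIUM: 2, IAP_HIGH: 3}

# REFEDS MFA profile value as carried in the authentication context.
REFEDS_MFA = "https://refeds.org/profile/mfa"


@dataclass
class Identity:
    """Claims as a relying party sees them after login (constructed layout)."""
    subject: str                   # globally unique persistent identifier
    assurance: list                # eduPersonAssurance values from the IdP
    groups: set                    # project group memberships from the allocator
    authn_context: list = field(default_factory=list)  # e.g. REFEDS MFA


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def highest_iap(assurance):
    """Rank of the strongest IAP value present; 0 if none is asserted."""
    ranks = [IAP_RANK[a] for a in assurance if a in IAP_RANK]
    return max(ranks) if ranks else 0


def authorise(identity, service_groups, min_iap=IAP_MEDIUM, require_mfa=False):
    """Grant only when every condition holds, and collect every failing
    condition so an operator can see why a user was refused."""
    reasons = []
    if highest_iap(identity.assurance) < IAP_RANK[min_iap]:
        reasons.append("identity assurance below " + min_iap.rsplit("/", 1)[1])
    if not (identity.groups & service_groups):
        reasons.append("not a member of any approved project group")
    if require_mfa and REFEDS_MFA not in identity.authn_context:
        reasons.append("multi-factor authentication not performed")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample data: an HPC service that accepts two project groups.
HPC_GROUPS = {"proj-aurora", "proj-boreal"}

RESEARCHER = Identity("user-1@idp.example", [IAP_MEDIUM], {"proj-aurora"})
SOCIAL_LOGIN = Identity("user-2@social.example", [IAP_LOW], {"proj-aurora"})
NO_PROJECT = Identity("user-3@idp.example", [IAP_HIGH], {"proj-other"})
STRONG_USER = Identity("user-4@idp.example", [IAP_HIGH], {"proj-boreal"}, [REFEDS_MFA])


if __name__ == "__main__":
    for who in (RESEARCHER, SOCIAL_LOGIN, NO_PROJECT, STRONG_USER):
        d = authorise(who, HPC_GROUPS)
        print(who.subject, "allowed" if d.allowed else "denied: " + "; ".join(d.reasons))
```

The decision is deny-by-default: a social login with only IAP low is refused even though it belongs to an approved group, and a high-assurance identity outside every approved group is refused as well. Returning all failing reasons rather than the first one is what makes the refusal auditable for the allocator.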

 


D. Security

1. Is there a GDPR Data Controller designated for the AAI?

Yes, GÉANT for MyAccessID.

2. Has the AAI designated a security contact to handle security incidents?

Yes, defined for MyAccessID. Puhuri is also working on establishing a CSIRT function.

3. Does the AAI adhere to SIRTFI or other recognised security frameworks?

Yes, MyAccessID does. Puhuri has defined an incident response procedure that adheres to SIRTFI.


4. What are the requirements for identification of the users (e.g. required information, LoA, authentication method)?

  • Please select any of the following options that apply:
    • (a) Globally unique persistent identifier,
    • (b) Name (First / Last name),
    • (c) Email,
    • (d) Affiliation with the home institute,
    • (e) Identity assurance (e.g. level of identity proofing, freshness of affiliation information),
    • (f) Authentication method (e.g. Multi-Factor Authentication - MFA),
    • (g) Other

...

Workflow

1. Can you describe the research workflows? 

(consider 2 aspects: producer side and consumer side)

(guidance only - currently a bit technical)

  • Would it help to provide options for the service types? E.g. Please select the most appropriate service types for services in your RI:
    a. Browser Accessible Service: A service that provides a web interface that can be accessed by users using their browsers (e.g. A research data visualisation tool accessible through a web browser).

    b. API Consumed by or on behalf of Users: A service that provides an API that can be consumed programmatically by the end users or by other services using user-delegated credentials. (e.g. A data analysis API allowing researchers to programmatically retrieve and analyse datasets).

    c. API Consumed by Services: A service that provides an API meant to be consumed by other services. These services do not act on behalf of the user but have their own access rights to the API (e.g. A workflow management system might offer an API for other services to submit data jobs, monitor progress, and retrieve results.).

    d. Client consuming Service APIs using delegated user identities: A client that uses access tokens authorised/delegated by end users and which can use these access tokens to access “APIs Consumed by or on behalf of Users” (e.g. A research collaboration platform might offer an API for data analysis tools. Researchers can authorise these tools to access their research data stored on the platform using delegated access tokens).

    e. Client consuming other Service APIs using its own client identity: A client that uses its own identity and access token to access “APIs Consumed by Services” (e.g. A tool accessing a storage service API using its own client credentials to transfer data).

    f. Public Access: A service that does not require users to be authenticated and authorised before they can access its resources (e.g. A public dataset repository where anyone can access datasets without needing to log in). - two sides to this question: on ingress of data into a data source, and on egress, which may be un-authenticated. Does your infra need to distinguish between these two cases?

Based on the workflow we could ask sub-questions such as:

  • Are the research data and databases of the Research Infrastructure accessible?
    • Yes, they are continuously accessible both inside and outside the institution
    • Yes, they are continuously accessible from within the institution
    • Accessible to others on a case-by-case basis
    • Not accessible to others
  • During the access of the Research Infrastructure which method is used (more than one option can be marked):
    • Providing measurement/database access based on research collaboration
    • Provision of measurement/database access based on a contract
    • Measurements/database access with customer/requester access
    • Taking measurements/database access by providing online/remote access
    • Measurements/database access with data processing and evaluation
    • Other: (describe)
  • We could consider the following questions to understand if their AAI acts as a Community AAI, Infrastructure Proxy or both (alternatively these questions could be moved to Section B - AAI solution):
    • Do users of your Research Infrastructure access services provided by other Infrastructures using your AAI? If yes, can you describe? (Please also mention your future plans in this area)
    • Do users of other infrastructures access services provided by your Research Infrastructure using your AAI? If yes, can you describe? (Please also mention your future plans in this area.)

E. Requirements

(collect generic answers via the E.1 question, then discuss in detail with the E.2 questions as guidelines)

This will depend on the service connected to PUHURI.

In the case of LUMI, the first step is onboarding the user. Assuming that the project was accepted, the user is invited by the project's PI to join the project. Typically, the user accesses the national allocation portal through the provided link and authenticates through MyAccessID. The user is then given the appropriate access rights. To access HPC resources, at this moment the user needs to upload their SSH public key to MyAccessID. Puhuri syncs all the access-related data with the LUMI HPC systems. Eventually, the user can access the HPC system through SSH.
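The sync step in that workflow is where (de)provisioning actually happens. The following added example (not Puhuri's code; project names, users and key strings are constructed) models it as desired-state reconciliation: the set of keys that should exist on the HPC side is derived from active-project membership plus uploaded keys, and each pass computes the additions and removals needed to get there, so a user who leaves a project or whose project is closed loses SSH access on the next pass.

```python
import copy

# Constructed allocator-side state: projects with members, and the SSH public
# keys each user has uploaded to the identity layer. Key strings are fake.
PROJECTS = {
    "proj-aurora": {"active": True, "members": {"alice", "bob"}},
    "proj-boreal": {"active": True, "members": {"bob", "carol"}},
    "proj-old": {"active": False, "members": {"dave"}},
}
KEYS = {
    "alice": ["ssh-ed25519 AAAAC3_FAKE_alice"],
    "bob": ["ssh-ed25519 AAAAC3_FAKE_bob1", "ssh-ed25519 AAAAC3_FAKE_bob2"],
    "carol": ["ssh-ed25519 AAAAC3_FAKE_carol"],
    "dave": ["ssh-ed25519 AAAAC3_FAKE_dave"],
}


def desired_state(projects, keys):
    """Users who belong to at least one active project and have uploaded a
    key. Everyone else must end up with no keys on the HPC side."""
    state = {}
    for proj in projects.values():
        if not proj["active"]:
            continue
        for user in proj["members"]:
            if keys.get(user):
                state[user] = sorted(set(keys[user]))
    return state


def plan_changes(current, desired):
    """Diff the HPC-side state against the desired state. Returns the keys to
    add and the keys to remove as sorted (user, key) pairs; the removal list
    doubles as the de-provisioning audit record."""
    adds = [(u, k) for u, ks in desired.items() for k in ks if k not in current.get(u, [])]
    removes = [(u, k) for u, ks in current.items() for k in ks if k not in desired.get(u, [])]
    return sorted(adds), sorted(removes)


def apply_changes(current, adds, removes):
    """Return the new HPC-side state after applying a plan (stand-in for
    writing authorized_keys or calling a provisioning API)."""
    state = {u: set(ks) for u, ks in current.items()}
    for u, k in adds:
        state.setdefault(u, set()).add(k)
    for u, k in removes:
        state.get(u, set()).discard(k)
    return {u: sorted(ks) for u, ks in state.items() if ks}


def sync(current, projects, keys):
    """One idempotent reconciliation pass: running it twice changes nothing."""
    adds, removes = plan_changes(current, desired_state(projects, keys))
    return apply_changes(current, adds, removes), adds, removes


def scenario():
    """Initial sync; then bob leaves proj-aurora but stays in proj-boreal (no
    change); then proj-boreal is closed, so bob and carol lose all access."""
    projects = copy.deepcopy(PROJECTS)
    hpc, adds0, _ = sync({}, projects, KEYS)
    projects["proj-aurora"]["members"].discard("bob")
    hpc, _, removes1 = sync(hpc, projects, KEYS)
    projects["proj-boreal"]["active"] = False
    hpc, _, removes2 = sync(hpc, projects, KEYS)
    return hpc, adds0, removes1, removes2


if __name__ == "__main__":
    final, adds0, removes1, removes2 = scenario()
    print("initial additions:", adds0)
    print("after bob leaves one project:", removes1)
    print("after proj-boreal closed:", removes2)
    print("final HPC-side state:", final)
```

Reconciling against a computed desired state, rather than replaying membership events, is the property that matters for the "(de)provisioning rules" requirement listed later on this page: a missed or reordered event cannot leave a stale key behind, because the next pass removes anything the allocator no longer justifies.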

F. Requirements


1. Can you describe further requirements, gaps and challenges?

  • Enable access for users without sufficient LoA through an identity vetting solution or wallet?
  • Federated SSH access (this is already in development in LUMI and MyAccessID)
  • Enabling access for industry users
  • Enabling a last-resort IdP
  • MFA (no clear use cases at the moment, but we would expect that in the future)

As we collect the answers, we will try to identify common requirements. We can use the EOSC AAI requirements as a basis for this.

  • Stronger Authentication Methods → Is the requirement to have stronger authentication methods in general, or is it specifically for accessing sensitive data? Stronger authentication methods could be employed to support the requirement for access to sensitive data.
  • Develop a policy requiring the community participants to provide a centralised point for managing data release decisions
  • Support for EU Digital Identity Wallets (EUDI Wallet)  —  needs explanation/short presentation what purpose it can be used for.
  • Better user experience for authentication process
  • Scalable solution limiting the number of consent requests in compliance with the GDPR
  • Develop a sustainable solution for managing (de)provisioning rules in the locally deployed solutions of participating entities and transferring them through EOSC AAI to the end-service integration point. (Manage locally and transfer them through the whole flow)
  • Dynamically establishing trust in a distributed environment
  • Provide solutions for an identity beyond the research and education community in support of public sector and private sector services.
  • Scalable authorization model in EOSC AAI - also requires explanation
  • Identity Vetting

What about Policy related questions, e.g.:

  • Is there a GDPR Data Controller designated for the AAI?

GDPR - MyAccessID at GEANT

  • Has the AAI designated a security contact to handle security incidents?
  • Does the AAI adhere to SIRTFI or other recognised security frameworks?