Generic User Management for Science Gateways via Virtual Organizations
- Tobias SCHLEMMER
- Richard GRUNZKE
- Sandra GESING
In general, science gateways provide features to access domain-specific applications on distributed computing infrastructures (DCIs). Independent of the technology used to authenticate a user to the science gateway, membership in a virtual organization (VO) mostly defines which DCIs are available to the user. The MoSGrid project (Molecular Simulation Grid) has developed a workflow-enabled science gateway based on Liferay and WS-PGRADE. It helps users with the complex tasks of configuring and running molecular simulations on DCIs. In order to improve the user experience, the login process is being optimized. Currently, a Centralised Authentication Service (CAS) automatically authenticates users based on the X.509 certificate stored in their web browser. To significantly improve usability, work is underway to authorize users based on their membership in a VO. Thus, users are automatically offered suitable features and DCIs.
Description of the work
The MoSGrid science gateway provides features to intuitively utilize UNICORE DCIs via gUSE services (grid User Support Environment) for domain-specific applications. Many middlewares, and in particular UNICORE, use X.509 certificates for authentication. The certificates are often available in the end users' web browsers. Therefore, the security mechanisms in CAS have been extended to improve the automatic login into Liferay via certificates stored in web browsers. This simplifies authentication for the users. Additionally, the certificates are used not only for authentication to the science gateway, but also for the creation of short-lived credentials to gain access to suitable DCIs. Each DCI checks whether a credential is valid against its own user management. In German grid infrastructures, user accounts are typically maintained via a central database, which includes information about all valid grid certificates and associated VOs. Portal frameworks like the award-winning Liferay do not support the automatic use of VO membership information. Currently, users have to apply for the MoSGrid user role by email to gain access to all provided features and all DCIs supporting the MoSGrid VO. Administrators of the science gateway check whether an applying user is a member of the VO and, if applicable, assign suitable roles to the associated user account. To improve this situation, another extension to CAS is currently being developed. CAS will check the user-provided certificate information and pass it on to Liferay, which checks it against VO membership information previously fetched from the central database. On the one hand, the list of members of a VO is smaller than the list of all valid certificates, so each VO can be used efficiently as a user authorization list. On the other hand, this information will be used by the Liferay user management to improve the user experience by showing and hiding features depending on VO membership.
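The VO-based authorization check described above, as an added sketch that is not MoSGrid's code: it normalizes a certificate subject DN (OpenSSL one-line or RFC 4514 form) and matches it against cached VO member lists, denying by default. The data layout, the role name and all function names are assumptions, and single-valued RDNs are assumed.

```python
import re

# Constructed sample standing in for the VO membership lists the portal fetches
# from the central database (the data layout is an assumption).
VO_MEMBERS = {
    "mosgrid": ["/C=DE/O=GridGermany/OU=Example University/CN=Alice Example"],
    "othervo": ["/C=DE/O=GridGermany/OU=Example Institute/CN=Bob Example"],
}
VO_ROLES = {"mosgrid": "MoSGrid User"}  # hypothetical VO-to-portal-role mapping


def canonical_dn(dn):
    """Parse a subject DN into (TYPE, value) pairs, most significant RDN first."""
    dn = dn.strip()
    if dn.startswith("/"):
        # OpenSSL one-line form; split only on "/" that starts a new "TYPE=",
        # so values such as "CN=host/node.example.org" stay intact.
        parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn[1:])
    else:
        # RFC 4514 form lists the most specific RDN first: split on unescaped
        # commas and reverse.
        parts = [p.strip() for p in re.split(r"(?<!\\),", dn)][::-1]
    rdns = []
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        # Attribute types are case-insensitive; values are compared exactly.
        rdns.append((key.strip().upper(), value.strip().replace("\\,", ",")))
    return tuple(rdns)


def build_index(vo_members):
    """Map each canonical member DN to the set of VOs that list it."""
    index = {}
    for vo, dns in vo_members.items():
        for dn in dns:
            index.setdefault(canonical_dn(dn), set()).add(vo)
    return index


def roles_for_certificate(subject_dn, index, vo_roles=VO_ROLES):
    """Return portal roles for a certificate subject; deny by default."""
    try:
        vos = index.get(canonical_dn(subject_dn), set())
    except ValueError:
        return set()  # malformed DN: no roles
    return {vo_roles[vo] for vo in vos if vo in vo_roles}
```

Comparing whole parsed DNs rather than substrings means a subject that merely contains a member's DN, for example with an extra trailing component, receives no role.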
Wider impact of this work
Authentication and authorization via X.509 certificates and VO memberships are standardized for supporting communities with suitable DCIs, not only in Germany but also at the international level. The extension of Liferay with CAS to enable logging in via a certificate imported into the browser and to make use of VO membership information is generally applicable. The source code will be published under an open source license and can thus be re-used for other Liferay science gateways. So far, users are guided by documentation in taking the necessary steps towards their first simulations, and authorization involves the science gateway administrator checking each user individually. In the near future, the automatic usage of VO membership information will allow for more compact documentation, much easier user authorization handling, and automatic access to suitable DCIs.