EGI Checkin
(from EOSC-Synergy perspective)

Marcus Hardt

November 2020

EOSC-Synergy

EOSC-Synergy Overview:

“EOSC-5b” Project
10 Thematic Services
- O3AS, WORSICA, gCORE, LAGO, MSWSS, OPENEBENCH, SAPS, SCIPION, SDSWAS, UMSA
- + Covid19 + “Catch-All”
Repository Services (dataverse, dspace)
Infrastructure: Mix of traditional and modern
- EGI Federated Cloud
- UPV Infrastructure Manager enables virtual infrastructures:
  - Kubernetes
  - Galaxy
  - Ophidia
  - …
- High Performance Computing (HPC)
- Grid Computing (HTC)

Check-In – What and Why

We use EGI Check-In for accessing our infrastructure
- Mostly OpenID Connect
  - Web portals
  - API access with Bearer-Tokens
- But also:
  - X.509
  - local (ssh) accounts
EGI Check-In for authorisation
- eduperson_entitlement, aarc-g002 schema
- One Virtual Organisation (VO) per thematic service
  - 4/12 done
- Groups and Roles for authorisation inside VO
  - vm-operator may manager virtual machines in EGI FedCloud

Integration with EGI Check-in

Integration of Infrastructure

EGI Federated Cloud (OpenStack):
- ✓ (Near-Trivial)
UPV Infrastructure Manager:
- ✓ (Easy)
Kubernetes
- ✓ !#&@$ (Doable)
- via kube-authoriser component and ID-Tokens

Integration of Grid

Grid
- Requires X.509 certificates with VOMS extensions
  - VOMS extensions can carry a subset of EGI Check-in entitlements
- Integration with check-in via this toolchain:
- WaTTS + wattson + oidc-agent
✓ (Just Finished 😄)
short demo

Integration of HPC

HPC
- Typically requires login via ssh (requires local account)
- Plan: “make-it-feel-like-normal”
  - Authorisation via entitlements (VO-Group-Role Memberships)
  - Use OpenId Connect (OIDC) as a basis
  - Unmodified client and server
  - Dynamic local-account generation
    - pool accounts and more
    - very similar backends to lcas and lcmaps
  - Remove the need for usernames
- Good news
  - It can (very likely) be done
  - We have an architecture
  - We have a proof of concept: pam module + ssh wrapper
    - See
      - #186 | pam_ssh | 3 Nov 16:10 | https://indico.egi.eu/event/5000/sessions/4505/#20201103
- Bad news
  - We’re not there (yet)

Feedback

Organisational Points

VO Creation process
- Is a complex process
- Procedure 14 does help
- Experience helps…
Service integration
- Goes via development instance (and the ticket system)
- No client self-management in the prod instance
- Feels overly bureaucratic (probably a tribute do SAML)

VO Management

Performance was improved a bit
- But still everything is horribly slow
CO Manage is a [~~censored~~] tool
- Misguiding navigation
- Dead ends:
  - I can click on links, they load forever, then I’m shown “permission denied”, then I have to go back and wait for the first page to load forever again
- CO Manage is very powerful
  - Yet: only the (great EGI) documentation got me doing what I wanted
  - I really like this documentation. But I wish it wasn’t necessary

Technical Points

Slow attribute update cycle
- It may take several (5-10) minutes until new attributes are released
Deprecated claims exist for too long
- We still have edu_person_* claims
  - This is misleading people and support creation of new implementations that use wrong standards
Good development support
- profound expertise always available for help
I cannot create groups inside my own VO
- go via the ticket system, loose days instead of a minute

Wishlist

I’m missing the Refeds Assurance Framework in eduperson_assurance

    "eduperson_assurance": [
        "https://refeds.org/assurance/IAP/medium",
        "https://refeds.org/assurance/IAP/local-enterprise",
        "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
        "https://refeds.org/assurance/ATP/ePA-1m",
        "https://refeds.org/assurance/ATP/ePA-1d",
        "https://refeds.org/assurance/ID/unique",
        "https://refeds.org/assurance/profile/cappuccino",
        "https://refeds.org/assurance/IAP/low"
    ]

Summary

Pros:

Large amount of infrastructures support EGI-Checkin
OIDC is quite well supported
- Public clients, Dynamic registration
Extensive documentation
- In particular:
  - https://wiki.egi.eu/wiki/AAI_guide_for_VO_managers
  - https://wiki.egi.eu/wiki/AAI_guide_for_SPs
Excellent level of expertise available!

Cons (quite personal view):

Schema updates should come quicker
Performance should be improved
- Use case: tutorial with 40 people need to be added at event start
Self-Managed Groups
- As an admin of a VO I want to create arbitrary groups and add users and roles to it
Wishlist:
- Remove the egi-internal (non-AARC-G002) entitlements
- Support eduperson_assurance
- Don’t send me claims that I didn’t ask for:
  - asked for eduperson_affiliation
  - obtained eduperson_affiliation and edu_person_affiliation

Bottomline:

Many Thanks for

developing,

running,

maintaining,

extending,

and supporting EGI check-in **

And give me new features faster ;-)

👍

EGI Checkin (from EOSC-Synergy perspective)

EOSC-Synergy

EOSC-Synergy Overview:

Check-In – What and Why

Integration with EGI Check-in

Integration of Infrastructure

Integration of Grid

Integration of HPC

Feedback

Organisational Points

VO Management

Technical Points

Wishlist

Summary

Pros:

Cons (quite personal view):

Bottomline:

Many Thanks for developing, running, maintaining, extending, and supporting EGI check-in ** And give me new features faster ;-)

EGI Checkin
(from EOSC-Synergy perspective)

Many Thanks for

developing,

running,

maintaining,

extending,

and supporting EGI check-in **

And give me new features faster ;-)