Participants

| Name | Organisation | Infrastructure / Project / Community Represented | Member Status | Here |
|---|---|---|---|---|
| Christos Kanellopoulos | GEANT | GEANT, AARC, EOSC EU Node | Chair | Y |
| Rudolf Dimper | EOSC-A | EOSC-A | Member | Y |
| Wolfgang Pempe | DFN | DFN-AAI, NFDI | Member | Y |
| Lukas Vojacek | IT4I | HPC, EOSC - ENTRUST | Member | Y |
| Jonas Söderberg | Uppsala University | SciLifeLab NBIS | Member | Y |
| David Groep | Nikhef & Maastricht University | AARC | Member | Y |
| Peter Balcirak | CESNET | AARC, LSAAI, e-INFRA CZ | Member | |
| Marina Adomeit | SUNET | SUNET, AARC, GEANT, PUHURI | Member | |
| Tomasz Kuczyński | PSNC | PSNC, PIONIER.Id, GEANT | Member | Y |
| Berk Balci | CERN | WLCG | Member | |
| Francesco Giacomini | INFN | AARC-TREE, WLCG | Member | |
| Marcus Hardt | KIT | AARC / HIFIS / NFDI | Member | |
| Logan Ayliffe | SURF | SURF Research Access Management | Member | Y |
| Jean-François Perrin | ESRF | ESRF, PaN Community | Member | |
| Ivan Kanakarakis | SUNET | | Member | Y |
| Eisaku Sakane | NII | HPCI / GakuNin | Observer | |
| Tom Dack | STFC | SKA, IRIS | Member | Apologies |
| Davide Vaghetti | GARR | GARR, GEANT (eduGAIN) | Member | Y |
| János Mohácsi | KIFÜ | KIFÜ, AARC TREE, GÉANT | Member | Y |
| Nicolas Liampotis | GRNET | AARC | Member | Y |
| Klaas Wierenga | GEANT | GEANT | Member | Y |
| Licia Florio | NORDUnet | NORDUnet, EOSC, AARC TREE | Member | Y |
| Mischa Sallé | Nikhef | AARC | Member | Y |
| Hussein Sherief | AASCTC | AAScTCloud on work (observer) | Observer | |
| Laurence Desnos | EOSC-A | | Observer | Y |
| Michal Stava | GEANT | GEANT | Member | Y |
| Valeria Ardizzone | EGI | EGI | Member | |
| Johannes Reetz | MPCDF | MPG | Observer | Y |
| Francesco Giacomini | INFN | AARC TREE, WLCG | Member | Y |
| Maarten Kremers | SURF | AARC TREE, GEANT, SURF | Member | Y |
| Ian Collier | UKRI-STFC | AARC-TREE, SKA, IRIS | Member | Y |
| Tibor Kalman | GWDG | AARC TREE, DARIAH | Observer | Y |
| Sander Apweiler | FZJ | AARC, HIFIS, NFDI, EUDAT | Member | Y |

Agenda

Agenda Overview

Recording Notice

Notice: This video call will be recorded solely to assist in preparing notes. The recording will be used internally for this purpose only and will not be shared with anyone outside of this context.

Approval of minutes from the previous WG meeting

Actions

  • Christos to publish the minutes from the call on 2024-10-11 on the wiki
  • Marina and János to present the status of the stakeholder interviews at a future meeting.

EOSC EU Node AAI Update II

Projects, Credits and Accounting (from the AAI Perspective)

  • Personal and Group Projects on the EOSC EU Node
  • Authorisation for EOSC EU Node Services

Project-Based Structure for Authorization and Accounting

  • The EOSC EU Node uses a project-based structure for authorisation and accounting: every user is assigned a personal project upon joining.
  • Faculty members can create group projects and invite collaborators; projects are the basis for accounting and resource allocation.
  • Each project is identified by a unique identifier (UUID) and can be given a user-defined name. The UUID of a personal project is prefixed with 'pp' and that of a group project with 'gp'.
  • Personal projects cannot have subgroups, while group projects may. All projects carry metadata; on the AAI side every project has the following metadata:
    • Unique ID (UUID)
    • Display Name
    • Start date
    • End date
    • User membership
    • Owner role
    • Member role

Credit-Based System for Resource Allocation

  • The EOSC EU Node implements a credit-based system: staff/employees receive 100 credits by default, which gives access to application services such as Jupyter notebooks and file management.
  • Faculty members are allocated 500 credits, which gives access to infrastructure services such as virtual machines and containers; group projects can receive 1000 credits.
  • Credits are refreshed monthly. Users can request additional credits or special projects through a ticketing system; the aim is to make initial usage easy while still accommodating advanced requests.

Authorization Implementation

  • Authorisation in the EOSC EU Node combines three inputs: user information, project membership, and credit allocation.
  • The portal manages project creation and credit assignment. Projects are provisioned into the AAI via the SCIM API; credits are managed by a separate credit management system outside the AAI.
  • The EOSC EU Node AAI uses AARC-G069 entitlements to signal project membership. The entitlements are conveyed during user authentication and during service-to-service access; protected services obtain them through token introspection.
  • Some services require that information about projects is pre-provisioned.

Integration of Commercial Services

  • Integrating commercial services posed challenges due to limitations in supporting custom attributes or claims, leading to the introduction of a simplified 'EU node project claim' containing only the project identifier.
  • The system extensively employs service-to-service access using client credential flow for backend operations, addressing these integration issues.
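The following is an added example, not EOSC EU Node code, illustrating how a protected service could evaluate the token-introspection response described under "Authorization Implementation" and, for the commercial-service case above, fall back to a simplified project claim that carries only the project identifier. The namespace (`urn:geant:eosc.eu`), the group authority, the claim name `eu_node_project`, the `eduperson_entitlement` claim name and all identifiers in the sample response are assumptions or constructed values; only the AARC-G069 entitlement layout and the 'pp'/'gp' prefixes come from the guideline and the minutes.

```python
"""Added example (not EOSC EU Node code): derive project membership from a
token-introspection result carrying AARC-G069 entitlements, with a fallback
to a simplified project claim holding only the project identifier."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Assumed values: the real EOSC EU Node namespace, authority and claim names are not on the page.
NAMESPACE = "urn:geant:eosc.eu"      # assumption
AUTHORITY = "aai.example.eosc.eu"    # assumption
PROJECT_CLAIM = "eu_node_project"    # assumption: simplified claim for commercial services
ENTITLEMENT_CLAIM = "eduperson_entitlement"  # assumption

# AARC-G069 layout: <namespace>:group:<group>[:<subgroup>...][:role=<role>]#<group-authority>
G069_RE = re.compile(r"^(?P<ns>urn:[^#]+?):group:(?P<path>[^#]+)#(?P<auth>[^#]+)$")


@dataclass(frozen=True)
class Membership:
    project: str
    subgroups: Tuple[str, ...]
    role: Optional[str]        # None when the role is not asserted


def project_kind(project_id: str) -> str:
    """Classify a project by the prefix convention from the minutes ('pp' / 'gp')."""
    if project_id.startswith("pp"):
        return "personal"
    if project_id.startswith("gp"):
        return "group"
    return "unknown"


def parse_entitlement(value: str) -> Optional[Membership]:
    """Parse one entitlement; reject anything not issued under our namespace/authority."""
    m = G069_RE.match(value)
    if m is None or m.group("ns") != NAMESPACE or m.group("auth") != AUTHORITY:
        return None
    parts = m.group("path").split(":")
    role = None
    if parts and parts[-1].startswith("role="):
        role = parts.pop()[len("role="):]
    if not parts or not parts[0]:
        return None
    project, subgroups = parts[0], tuple(parts[1:])
    if project_kind(project) == "unknown":
        return None                       # not a pp/gp project identifier
    if project_kind(project) == "personal" and subgroups:
        return None                       # personal projects cannot have subgroups
    return Membership(project, subgroups, role)


def memberships(introspection: dict) -> List[Membership]:
    """Memberships asserted by an RFC 7662-style introspection response."""
    if not introspection.get("active"):
        return []                         # inactive token: no authorisation at all
    found = [m for m in (parse_entitlement(e) for e in introspection.get(ENTITLEMENT_CLAIM, []))
             if m is not None]
    if not found and PROJECT_CLAIM in introspection:
        # Simplified claim: identifier only, so no role information is available.
        pid = introspection[PROJECT_CLAIM]
        if project_kind(pid) != "unknown":
            found.append(Membership(pid, (), None))
    return found


def is_authorised(introspection: dict, project_id: str, required_role: Optional[str] = None) -> bool:
    """True if the token asserts membership of project_id (with required_role, if given)."""
    return any(m.project == project_id and (required_role is None or m.role == required_role)
               for m in memberships(introspection))


# Constructed sample introspection response (not real EOSC EU Node data).
SAMPLE_INTROSPECTION = {
    "active": True,
    "sub": "user-123",
    ENTITLEMENT_CLAIM: [
        "urn:geant:eosc.eu:group:gp-7f3c2a1e:role=owner#aai.example.eosc.eu",
        "urn:geant:eosc.eu:group:gp-7f3c2a1e:analysis:role=member#aai.example.eosc.eu",
        "urn:geant:eosc.eu:group:pp-0a9b8c7d:role=owner#aai.example.eosc.eu",
        "urn:geant:eosc.eu:group:pp-0a9b8c7d:sub:role=owner#aai.example.eosc.eu",  # invalid: subgroup on pp
        "urn:geant:other.org:group:gp-7f3c2a1e:role=owner#idp.other.org",         # foreign authority
    ],
}
SAMPLE_SIMPLIFIED = {"active": True, PROJECT_CLAIM: "gp-7f3c2a1e"}   # commercial-service shape
SAMPLE_INACTIVE = {"active": False, PROJECT_CLAIM: "gp-7f3c2a1e"}

if __name__ == "__main__":
    for m in memberships(SAMPLE_INTROSPECTION):
        print(m)
    print(is_authorised(SAMPLE_INTROSPECTION, "gp-7f3c2a1e", "owner"))
```

The entitlement issued under a different namespace or group authority is ignored even though it names the same project identifier, which is the check a relying service needs so that a foreign issuer cannot assert EOSC EU Node project membership. The simplified claim is accepted only when no G069 entitlements are present and yields a membership with no role, so role-dependent decisions fail closed for tokens that carry only the identifier.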

User Interaction with the System

  • The authorization and accounting system remains largely invisible to end-users, who interact with a portal interface to allocate their credits to various services.
  • The system is designed to be elastic, accounting for usage after the fact rather than imposing hard limits, notifying users if they exceed their allocated resources without immediate blocking.
  • Ongoing efforts aim to improve clarity around the access policy and expand FAQs to address user questions about credit management and project persistence.

Affiliation-Based Access Policy

  • The EOSC EU Node's affiliation-based access policy determines a user's level from institutional roles (e.g., faculty vs. staff).
  • There is a need for better documentation or clearer guidelines on interpreting and validating affiliations to ensure consistent application of this policy.

Future Discussion and Improvement Areas

  • Identified areas for future discussion include cross-node access and interoperability, refining the affiliation-based access policy, improving user documentation and interfaces for credit management, and addressing potential workarounds such as creating new projects to bypass credit limits.
  • Additional topics include how to encode accounting information in authentication assertions, and balancing technical requirements with user experience and ease of use.
  • The group plans to review the documents in detail and provide feedback for future meetings, moving from information sharing to collaborative improvement of the EOSC EU Node AAI architecture.

Cross Node Access - EOSC AAI Federation

  • Did not have time for this topic

AOB

The presentations given during the EOSC Symposium are now online here: https://eosc.eu/eosc-symposium-2024-outcomes-and-resources/