LifeWatch Pilot Description
LifeWatch ERIC is a key Research (e-)Infrastructure for EU-Latin America and the Caribbean Cooperation on Research Infrastructures. It provides access to data (from different domains), analytical tools and computational facilities to support environmental research.
The purpose of this pilot is to demonstrate how a LifeWatch user can access a specific service, using the LifeWatch proxy based on AARC BPA. The solution deployed must be able to manage the different types of roles defined: Infrastructure Managers, Developers, Researchers and Citizen Scientists.
In order to support these different user types, the system needs to support both role and group management.
The LifeWatch AAI will be used for the following things:
- To give access to restricted LifeWatch services. The services may be restricted because of processing power or storage demands.
- To protect user data and scripts that are stored on the infrastructure (e.g. Unix home folders)
- To give access to data not yet in the public domain (data in databases, project moratorium period)
- To distinguish between users uploading data to the system (RvLab, eLab, data explorer)
- To give access to OpenStack configuration interface and computing resources at infrastructure layer
- To manage roles/groups and authorize them to access specific services
At least two components have been identified to be part of the AAI infrastructure: a proxy (one or more components, depending on the solution selected, to manage groups, roles and authorization) and a Token Translation System to allow access to non-web services.
The proxy component needs to satisfy the following requirements:
- Federation of 1-N institutions
- Support for Citizen Scientists via social IDs
- OpenID Connect for LifeWatch services (priority); SAML for LifeWatch services (optional)
- Roles Management. Role mapping (e.g. Google users to Citizen Scientist)
- Group Management
- Identity linking (optional).
- Distributed, clustered deployment with high availability (state shared via a database)
INDIGO IAM has been tested for supporting this, but there are some limitations in IdP federation.
The intended AARC AAI setup consists of:
- Proxy based on Keycloak or a different solution satisfying the requirements
- WaTTS: configured to link to HPC resources
The current pilot setup consists of:
- Keycloak instance: federates IFCA SSO and Google (for citizen scientists). Ongoing: eduGAIN, VLIZ...
- WaTTS: deployed but not yet configured/tested
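As an added illustration of the role-mapping requirement above (Google users mapped to Citizen Scientist) on the Keycloak-based pilot proxy, the following partial realm export is example configuration written for this description, not configuration taken from the LifeWatch deployment; the realm name, role name, mapper name and the placeholder client credentials are assumptions.

```json
{
  "realm": "lifewatch-pilot",
  "roles": {
    "realm": [
      { "name": "citizen-scientist", "description": "Assumed role name: lowest-privilege LifeWatch role" },
      { "name": "researcher", "description": "Assumed role name: granted via institutional IdP, not via social login" }
    ]
  },
  "identityProviders": [
    {
      "alias": "google",
      "providerId": "google",
      "enabled": true,
      "trustEmail": false,
      "storeToken": false,
      "config": {
        "clientId": "<GOOGLE_CLIENT_ID_PLACEHOLDER>",
        "clientSecret": "<GOOGLE_CLIENT_SECRET_PLACEHOLDER>"
      }
    }
  ],
  "identityProviderMappers": [
    {
      "name": "google-to-citizen-scientist",
      "identityProviderAlias": "google",
      "identityProviderMapper": "oidc-hardcoded-role-idp-mapper",
      "config": {
        "role": "citizen-scientist"
      }
    }
  ]
}
```

The hardcoded-role mapper attaches only the Citizen Scientist role to identities brokered from Google, so a social login never yields Researcher or Infrastructure Manager privileges; those are assigned to accounts arriving through the institutional federation. Keeping `trustEmail` false means an e-mail address asserted by the social IdP is not, on its own, enough to link the login to an existing institutional account, which matters once identity linking is enabled.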