Start date: 1 March 2008
End date: 31 December 2009
Funding programme: e-Infrastructure programme
JISC theme(s): e-Research, Access management
Committees: JISC Support of Research committee
Overview
Research is increasingly both driven by data and a generator of data on a large scale, and this data is often managed using data grid middleware such as Storage Resource Broker (http://www.sdsc.edu/srb) or its successor iRODS (http://irods.sdsc.edu), which has significantly enhanced functionality. In such dynamic grid environments, access management is of key importance. Identity-based authorisation does not scale well and does not easily support role-based access. Moreover, the complexities of using certificates discourage uptake of grids among some researchers. If a broader community is to engage with grids, access management must be addressed to their satisfaction.
Aims and objectives
The project will address two complementary aspects of access management for virtualised resources in iRODS data grids:
- access control that allows fine-grained access rights to be defined for roles, not just user identities.
- capture and recording of provenance metadata that tracks access to resources.
These issues will be addressed by integrating Shibboleth with iRODS, enabling authentication of a user to be devolved onto the user’s home institution, and authorisation to be based on Shibboleth attributes. The enhanced software will be incorporated into a prototype data grid and made available for evaluation by users, and in particular by the NGS.
Project methodology
The project will have three broad phases:
- Requirements definition, in liaison with stakeholders in various disciplines, to ensure that the implementation is grounded in authentic user needs.
- A modular approach to development, so that the enhancements can be incorporated with minimal change to the core software, and are decoupled from the iRODS architecture, to enable different implementations of authorisation or provenance services to be used by different iRODS systems.
- An iterative approach to evaluation in collaboration with potential users, and in particular with the NGS. This implies that the development and evaluation phases will overlap to a significant degree.
Anticipated outputs and outcomes
The main outputs will be:
- Use cases and requirements.
- Software modules for iRODS that support capture of Shibboleth attributes, use of Shibboleth attributes for determining access to iRODS data resources, and capture of provenance metadata.
- A prototype Shibboleth-enabled iRODS data grid, based at STFC and KCL, available as a test bed for NGS and other users.
- Case study.
ASPiS will demonstrate the utility of iRODS for managing research data, will simplify access management for iRODS data grids, and will enable data grids to be more easily integrated within the UK Access Management Federation.
Technology / Standards used
| Name of standard or specification | Version | Notes |
|---|---|---|
| SAML | 1.1 | Security Assertion Markup Language |
| RDF Specifications | Latest | W3C Recommendations |
| OWL | 1 | W3C Recommendation |
Technologies: iRODS, Shibboleth
Lead Institution
Project partners