Update ds_eoscpilot.tex

contributions/ds_eoscpilot/ds_eoscpilot.tex

@@ -119,7 +119,11 @@ under the umbrella of the EOSCpilot project, during the first year of the projec
 Although originally designed for the Compact Muon Solenoid (CMS)  Experiment at 
 LHC, DODAS has been quickly adopted by the Alpha Magnetic Spectrometer (AMS) 
 astroparticle physics experiment mounted on the ISS as a solution to exploit 
-opportunistic computing, nowadays an extremely important topic for research domains where computing needs constantly increase. Given its flexibility and efficiency, DODAS was selected as one of the Thematic Services that will provide multi-disciplinary solutions in the EOSC-hub project. An integration and management system of the European Open Science Cloud starting in January 2018.
+opportunistic computing, nowadays an extremely important topic for research 
+domains where computing needs constantly increase. Given its flexibility and 
+efficiency, DODAS was selected as one of the Thematic Services that will provide 
+multi-disciplinary solutions in the EOSC-hub project. An integration and management 
+system of the European Open Science Cloud starting in January 2018.
 During the integration pilot the usage of any cloud (both public and private) 
 to seamlessly integrate existing Grid computing model of CMS  was demonstrated.
 Overall, integration has been successful and much experience has been gained 
@@ -151,6 +155,70 @@ of IaaS ranking.
 
 \subsection{Interoperability pilots: AAI}
 
+The EOSCpilot and AARC (add reference) projects  started a collaboration activity
+in the field of authorization and authentication, policies and recommendations 
+regarding their design, that took shape, in the scope of the WP6 activities, 
+under the form of an AAI interoperability demonstrator setup as part of the 
+AARC pilots Task 1: {\bf Pilots with research communities based on use cases 
+provided  - the WLCG use case}, regarding the {\it “Implementation of IdP/SP Proxy, 
+mainly to provide Token Translation Services to allow end users to login without 
+the need of manually managing X.509 certificates”}. A team of people was formed, 
+under the WLCG coordination, to deal with the various activities – the {\bfWLCG 
+ Authorization WorkingGroup  (WG)}, motivated by:
+\begin{itemize}
+ \item Evolving Identity Landscape
+ \begin{itemize}
+  \item User-owned x509 certificates -> Federated Identities
+  \item Federated Identities linkage with existing VOMS authorizations not supported
+  \item Maintaining assurance and identity vetting for federated users not supported
+ \end{itemize}
+ \item Central User Blocking
+ \begin{itemize}
+  \item Retirement of glexec removes blocking capability (& traceability)
+  \item VO-level blocking not a realistic sanction
+ \end{itemize}
+ \item Data Protection
+ \begin{itemize}
+  \item Tightening of data protection (GDPR) requires fine-grained user level 
+access control
+ \end{itemize}
+\end{itemize}
+
+federated identities and the adoption of new authorization standards by industry 
+is a strong signal for WLCG to adapt its authorization infrastructure, of which 
+we can see the schema in (Figure~\ref{fig:2}) 
+
+\begin{figure}
+  \centering
+  \includegraphics[width=\textwidth]{aai_anrepo2018.png}
+  \caption{WLCG AAI system}
+  \label{fig:2}
+\end{figure}
+
+After an initial requirements gathering , and analysis of how existing solutions
+functionalities match the requirements , two main activities started:
+\begin{enumerate} 
+\item Design and testing of a WLCG Membership Management and Token Translation 
+service, facilitated by pilot projects with the support of AARC (AAI Pilot Projects) 
+\item Definition of a token based authorization schema for downstream WLCG 
+services and token issuers (JWT) 
+\end{enumerate}
+
+The activities done during 2018 regarded the: 
+\begin{itemize}
+ \item IAM instance deployed @ INFN-CNAF since January 2018 to showcase
+  main features and integration capabilities
+ \begin{itemize}
+  \item https://wlcg-authz-wg.cloud.cnaf.infn.it/login
+ \end{itemize} 
+ \item This deployment is being migrated to CERN infrastructure for further 
+ validation & feedback on
+\begin{itemize}
+  \item RCAuth.eu and CERN HR database integration
+  \item Registration & administration management functionality
+\end{itemize}
+
+
 TOCHANGE
 The software development lifecycle (SDL) process (Figure~\ref{fig:1}) in INDIGO has been supported by a continuous 
 software improvement process that regarded the software quality assurance, software maintenance,