is often used for this purpose. This can be a computationally expensive
task. The BRIDGES project developed services that support this directly.
12.5.3 BRIDGES Project
The BRIDGES project was successfully completed at the end of 2005. Its
remit was to provide a grid infrastructure to support research into genetic
causes of hypertension, one of the main causes of cardiovascular mortality.
Before BRIDGES, many of the activities that the scientists undertook in
performing their research were done in a time-consuming and largely
nonautomated manner. This was typified through “internet hopping”
between numerous life science data sources. To address this, BRIDGES
developed a security-focused data and compute grid infrastructure. The
data grid that was developed within BRIDGES is described in [35,36].
The BRIDGES compute grid used PERMIS to make and enforce distinctions
between different privileged and nonprivileged users. In particular, the
policies defined and enforced with PERMIS were as follows:
- If the users were unknown, the job would only be submitted to the local “free” Condor pool at NeSC Glasgow.
- If we recognized the users but they did not have a local account on HPC resources at Glasgow, the job would only be submitted to the Condor pool and the NGS.
- If we recognized the users and they had an account at Glasgow HPC resources, then the job would be sent to the Condor pool, the NGS, and ScotGrid.
These decisions on user identity used the DN of the individuals returned
by Shibboleth from their IdP, although it is equally possible to use some
other eduPerson attributes instead. We note that this raises issues in the
application of Shibboleth itself in the grid domain. Shibboleth has been
developed to support user anonymization and privacy when accessing
and using resources across a federation. However, with the grid model,
knowing which user is accessing a resource, especially in the biomedical
domain, is crucial. We also note that while Shibboleth supports user anonymization
and privacy, this is not mandatory: free text strings containing information such
as the DN of the user can be returned from an IdP to an SP. The policies on what
information and attributes an SP can ask
for and what information an IdP is prepared to release will form part of
the overall federation contract. There is no obligation on an IdP to release
potentially sensitive information about a given user. However, if an SP
requests certain attributes to be returned, for example, which the IdP
refuses to release, then the SP is completely free to refuse to grant access
to their own resource. SP autonomy is thus assured.
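As an added illustration (not code from BRIDGES or PERMIS), the following Python models the three-tier routing policy above as a policy decision point with enforcement at submission time, and shows the SP exercising its autonomy by refusing access when the IdP withholds the DN it requires. The DNs, registries and target names are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample registries (not from the page): DNs the SP recognizes,
# and the subset of those that hold a local HPC account at Glasgow.
KNOWN_USERS = {
    "/C=UK/O=eScience/OU=Glasgow/CN=alice example",
    "/C=UK/O=eScience/OU=Glasgow/CN=bob example",
}
LOCAL_HPC_ACCOUNTS = {"/C=UK/O=eScience/OU=Glasgow/CN=alice example"}

# Hypothetical target identifiers for the three submission destinations.
CONDOR, NGS, SCOTGRID = "condor-pool", "ngs", "scotgrid"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    targets: frozenset = field(default_factory=frozenset)
    reason: str = ""


def decide_submission(released_attrs: dict) -> Decision:
    """Map the attributes an IdP released to the SP onto job-submission targets.

    The SP requires the user's DN. If the IdP withholds it, the SP refuses
    access (default deny) rather than guessing at the user's identity.
    """
    dn = released_attrs.get("dn")
    if not dn:
        return Decision(False, frozenset(), "IdP released no DN; SP refuses access")
    if dn not in KNOWN_USERS:
        # Unknown users: only the local "free" Condor pool.
        return Decision(True, frozenset({CONDOR}), "unknown user")
    if dn not in LOCAL_HPC_ACCOUNTS:
        # Known, but no local HPC account: Condor pool and the NGS.
        return Decision(True, frozenset({CONDOR, NGS}), "known user, no local HPC account")
    # Known with a local HPC account: Condor pool, NGS and ScotGrid.
    return Decision(True, frozenset({CONDOR, NGS, SCOTGRID}), "known user with local HPC account")


def route_job(released_attrs: dict, requested_target: str) -> bool:
    """Enforce the decision at submission time: a request for a target outside
    the allowed set is rejected, so decision and enforcement stay aligned."""
    decision = decide_submission(released_attrs)
    return decision.allowed and requested_target in decision.targets
```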