
Project description, estimated resources requirement

Paolo Tedesco, Emmanuel Ormancey, IT-CDA Supported by Tim Smith, IT-CDA Group Leader

Executive Summary

Our ever more complex environment requires new authentication and authorization systems to manage users, resources and their access control. Simple use cases already show that the current set of tools requires an upgrade: a federated environment where physicists access CERN resources using their home institute credentials; a CERN environment where retirees access CHIS and pension information using their preferred external authentication systems; and a secure environment where possession of a CERN account does not grant all privileges.

The total effort to complete the following projects is estimated at 4 FTE-years of work, which can be split into three distinct parts.

Project Description

The new Authorization Service project aims at providing granular access to CERN resources for any kind of stakeholder and at managing the lifecycle of the granted authorizations. To achieve this, three main components are required:

  • The Authorization Service itself, which provides authorization tools and a verification system.
  • The Single Sign-On which provides the authorization information to applications through standard interfaces.
  • The Computing Resources Management, which handles the resource assignments and lifecycle following the granted authorizations.

Top priority is the Authorization Service itself, followed by the Single Sign-On upgrade to facilitate adoption and large-scale deployment. Finally, the Computing Resources Management system will also require an upgrade to use the new authorization service in resource allocation (mailboxes, network access, etc.).

See the Annex for details of the three components and their interaction with applications and resources.

Authorization Service

The goal of the new Authorization Service is to allow application owners to define authorization schemes in a federated environment, in contrast to the current authorization schemes, which require everyone to hold a CERN computing account.

Users will be able to authenticate with any account (CERN, federated or social) associated with their identity in order to access the applications.

With this scheme it will be possible, for example, to allow retirees and ex-employees to access tax declaration documents, or to allow club members to access club resources, without the need to create a CERN account for them.

Moreover, with such an authorization scheme, ownership of a CERN account will no longer automatically grant access to most CERN resources, as it does now. Resource estimates:

  • Development: 6 months
  • Migration: 6 months

Single Sign-on

The identity-based model used by the new Authorization Service will require special support from the Single Sign-On authentication service.

Because of the significant modifications to the current service architecture that are required, and because of the recent major price increase in Microsoft product licenses, it is necessary to investigate a single sign-on solution based on a product other than the current one. Resource estimates:

  • Investigating alternative solutions: 4 months
  • Development: 8 months
  • Migration: 6 months

Computing Resources Management

The Computing Resources Management service will provide more flexible resource policies and lifecycles, building on top of the new authentication and authorization services.

This will make it possible, for example, to assign CERN mailboxes or phone numbers only to members of CERN personnel, or to allow federated accounts to own OpenStack projects.

A restructuring of the service will also decrease the costs for Microsoft licenses. Resource estimates:

  • Development: 1 year
  • Migration: 6 months

Annex: System overview