Identity Access and Management with Globus
1. Identity Access and Management with Globus
Rachana Ananthakrishnan
rachana@globus.org
2. Globus Auth: Foundational IAM service
• Protects REST API communications between and among apps and services
• Federated login for diverse app ecosystem
• Based on OAuth2 and OpenID Connect
– Least-privilege security model: scopes and consents
– Access via OAuth2 and OIDC libraries of your choice
– Programming language and framework agnostic
3. Globus Auth: Identity broker for research apps
Brokers authentication and authorization among…
• End-users
• Identity providers: enterprise, external (e.g. Google)
• Services: resource servers with REST APIs
• Apps: web, mobile, desktop, command line clients
• Services acting as clients to other services
4. Use Case: Log in with Globus
• Similar to “Log in with Google” or “Log in with Facebook”
• Using existing identities
• Providing access to community services
5. Use Case: App calling service on user’s behalf
• Authorization Code Grant
6. Use Case: Native Apps calling services
• Examples: high performance, high throughput computing workflows; the Globus command line client application
• Native App Code Grant
7. Use Case: Apps that need offline access
• Examples: recurring transfers with sync option (e.g. copy /ingest daily at 3:30am); high performance, high throughput computing workflows
• Refresh tokens
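The two grants behind slides 6 and 7, worked through end to end as an added example (this is not Globus Auth or globus-sdk code, and the client IDs, redirect URI, token lifetimes and the scope-only token format are assumptions). A native app cannot hold a client secret, so the Native App Code Grant binds the authorization code to a PKCE code_verifier that only the requesting app instance knows; a refresh token lets an app that runs unattended obtain new access tokens later. The toy server below rejects a captured code presented without the verifier, treats codes as single use, and rotates refresh tokens so a replayed one fails:

```python
"""Toy OAuth2 authorization server showing the Native App Code Grant (code +
PKCE) and refresh-token renewal. Added illustration, not Globus Auth or
globus-sdk code; lifetimes, IDs and token format are assumptions."""
import base64
import hashlib
import secrets
import time

ACCESS_TOKEN_TTL = 3600   # seconds; assumed, not a Globus value


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: random code_verifier and its S256 code_challenge. A native
    app cannot keep a client secret, so the verifier is what ties the code to
    the app instance that asked for it."""
    verifier = b64url(secrets.token_bytes(32))      # 43 chars, within 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class ToyAuthServer:
    def __init__(self, now=time.time):
        self.now = now
        self._codes, self._access, self._refresh = {}, {}, {}

    def authorize(self, client_id, scopes, code_challenge, redirect_uri):
        """/authorize after consent: one-time code bound to client, scopes,
        redirect URI and the PKCE challenge (10-minute lifetime, assumed)."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "scopes": frozenset(scopes),
                             "challenge": code_challenge, "redirect_uri": redirect_uri,
                             "expires": self.now() + 600}
        return code

    def token_from_code(self, client_id, code, code_verifier, redirect_uri):
        """/token grant_type=authorization_code. The code is consumed on the
        first attempt, success or not; the verifier must hash to the stored
        challenge, so a captured code is useless without it."""
        grant = self._codes.pop(code, None)
        if grant is None or grant["expires"] < self.now():
            raise PermissionError("invalid_grant: unknown or expired code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: client or redirect_uri mismatch")
        presented = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(presented, grant["challenge"]):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return self._issue(client_id, grant["scopes"])

    def token_from_refresh(self, client_id, refresh_token):
        """/token grant_type=refresh_token for offline access (a transfer that
        runs at 3:30am has no user present to log in). The refresh token is
        rotated, so a leaked copy stops working once the owner has used it."""
        rec = self._refresh.pop(refresh_token, None)
        if rec is None or rec["client_id"] != client_id:
            raise PermissionError("invalid_grant: unknown refresh token")
        return self._issue(client_id, rec["scopes"])

    def _issue(self, client_id, scopes):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = {"client_id": client_id, "scopes": scopes,
                                "expires": self.now() + ACCESS_TOKEN_TTL}
        self._refresh[refresh] = {"client_id": client_id, "scopes": scopes}
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": ACCESS_TOKEN_TTL, "scope": " ".join(sorted(scopes))}


def demo():
    """Run the flow once and report the checks a practitioner cares about."""
    srv = ToyAuthServer()
    client_id, redirect = "native-app-client-id", "http://localhost:8080/callback"
    scopes = ["urn:globus:auth:scope:transfer.api.globus.org:all"]
    verifier, challenge = make_pkce_pair()
    code = srv.authorize(client_id, scopes, challenge, redirect)
    try:                                  # attacker holds the code, not the verifier
        srv.token_from_code(client_id, code, "not-the-verifier", redirect)
        stolen_code_accepted = True
    except PermissionError:
        stolen_code_accepted = False
    code = srv.authorize(client_id, scopes, challenge, redirect)   # codes are single use
    tokens = srv.token_from_code(client_id, code, verifier, redirect)
    renewed = srv.token_from_refresh(client_id, tokens["refresh_token"])
    try:                                  # replay the refresh token already rotated out
        srv.token_from_refresh(client_id, tokens["refresh_token"])
        refresh_replay_accepted = True
    except PermissionError:
        refresh_replay_accepted = False
    return {"stolen_code_accepted": stolen_code_accepted,
            "refresh_replay_accepted": refresh_replay_accepted,
            "renewed_scope": renewed["scope"]}


if __name__ == "__main__":
    print(demo())
```

In the real flow the client side of this is what the Python SDK's NativeAppAuthClient does for you: oauth2_start_flow(requested_scopes=..., refresh_tokens=True), oauth2_get_authorize_url() and oauth2_exchange_code_for_tokens(code), with the PKCE pair generated and checked by the SDK and Globus Auth. Treat the refresh token like a long-lived credential: store it with the same care as a key file, and scope it to the one service the unattended job actually calls.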
8. Use Case: Apps invoking service as itself
• Client Credentials Grant
10. Use case: Invoking dependent services
• Example call chain: FAIR Research Data Portal → Concierge Service (manage data bags) → Identifier service (mint persistent identifiers), Transfer (transfer data), Groups (manage groups)
• Restricted delegation down the call chain
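The "restricted delegation down the call chain" point is easy to state and easy to get wrong, so here is an added toy model of it (not Globus Auth or globus-sdk code). Each scope is registered with the resource server it belongs to and the list of scopes that a holder of it may obtain dependent tokens for. The portal's token is only accepted by the Concierge; the Concierge exchanges it for one downstream token per dependent service, still acting for the same user; and a downstream service such as Transfer can neither use that token elsewhere nor delegate further, because its scope has no registered dependents. The transfer and groups scope strings are real Globus ones; the concierge and identifiers scopes, resource-server names and client IDs are made up:

```python
"""Toy model of dependent tokens and restricted delegation. Added
illustration, not Globus Auth or globus-sdk code. The transfer and groups
scopes are real Globus scope strings; everything else is made up."""
import secrets

# Scope registry: which resource server each scope belongs to, and which
# scopes a holder of it may obtain dependent tokens for. The Concierge scope
# depends on Transfer, Identifiers and Groups; those depend on nothing.
SCOPE_REGISTRY = {
    "https://auth.globus.org/scopes/concierge.example.org/manage_bags": {
        "resource_server": "concierge.example.org",
        "dependent_scopes": [
            "urn:globus:auth:scope:transfer.api.globus.org:all",
            "https://auth.globus.org/scopes/identifiers.example.org/mint",
            "urn:globus:auth:scope:groups.api.globus.org:all",
        ]},
    "urn:globus:auth:scope:transfer.api.globus.org:all": {
        "resource_server": "transfer.api.globus.org", "dependent_scopes": []},
    "https://auth.globus.org/scopes/identifiers.example.org/mint": {
        "resource_server": "identifiers.example.org", "dependent_scopes": []},
    "urn:globus:auth:scope:groups.api.globus.org:all": {
        "resource_server": "groups.api.globus.org", "dependent_scopes": []},
}


class ToyAuth:
    def __init__(self, registry=SCOPE_REGISTRY):
        self.registry = registry
        self._tokens = {}   # token -> {"sub", "client_id", "aud", "scopes"}

    def _issue(self, sub, client_id, scopes):
        aud = {self.registry[s]["resource_server"] for s in scopes}
        assert len(aud) == 1, "one token per resource server"
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = {"sub": sub, "client_id": client_id,
                             "aud": aud.pop(), "scopes": frozenset(scopes)}
        return tok

    def user_token(self, sub, client_id, scopes):
        """What the portal holds after the authorization code grant."""
        return self._issue(sub, client_id, scopes)

    def dependent_token_grant(self, resource_server, access_token):
        """Called by a resource server with a token it was handed. Returns one
        token per downstream resource server, limited to the scopes registered
        as dependents of the presented token's scopes."""
        rec = self._tokens.get(access_token)
        if rec is None or rec["aud"] != resource_server:
            raise PermissionError("token was not issued for this resource server")
        by_server = {}
        for scope in rec["scopes"]:
            for dep in self.registry[scope]["dependent_scopes"]:
                by_server.setdefault(self.registry[dep]["resource_server"], set()).add(dep)
        # Downstream tokens are issued to the calling service as client, still
        # acting for the original user (sub), with only the dependent scopes.
        return {srv: self._issue(rec["sub"], resource_server, sorted(s))
                for srv, s in by_server.items()}

    def check(self, resource_server, access_token, required_scope):
        """Resource-server side: audience and scope must both match."""
        rec = self._tokens.get(access_token)
        return (rec is not None and rec["aud"] == resource_server
                and required_scope in rec["scopes"])


def demo():
    auth = ToyAuth()
    user = "user-uuid-0001"
    concierge_scope = "https://auth.globus.org/scopes/concierge.example.org/manage_bags"
    transfer_scope = "urn:globus:auth:scope:transfer.api.globus.org:all"
    groups_scope = "urn:globus:auth:scope:groups.api.globus.org:all"
    portal_tok = auth.user_token(user, "fair-portal-client", [concierge_scope])
    out = {}
    # The portal's token works at the Concierge but is refused by Transfer.
    out["portal_at_concierge"] = auth.check("concierge.example.org", portal_tok, concierge_scope)
    out["portal_at_transfer"] = auth.check("transfer.api.globus.org", portal_tok, transfer_scope)
    # The Concierge exchanges it for downstream tokens and calls Transfer.
    deps = auth.dependent_token_grant("concierge.example.org", portal_tok)
    out["downstream_servers"] = sorted(deps)
    transfer_tok = deps["transfer.api.globus.org"]
    out["concierge_at_transfer"] = auth.check("transfer.api.globus.org", transfer_tok, transfer_scope)
    # Transfer cannot take the chain further or reuse its token at Groups.
    out["transfer_can_delegate"] = bool(auth.dependent_token_grant("transfer.api.globus.org", transfer_tok))
    out["transfer_token_at_groups"] = auth.check("groups.api.globus.org", transfer_tok, groups_scope)
    # Nor can Transfer redeem the portal's token: the audience check fails.
    try:
        auth.dependent_token_grant("transfer.api.globus.org", portal_tok)
        out["transfer_redeems_portal_token"] = True
    except PermissionError:
        out["transfer_redeems_portal_token"] = False
    return out


if __name__ == "__main__":
    print(demo())
```

In Globus Auth this is the dependent token grant, which a confidential client such as the Concierge invokes with the access token it received (in the Python SDK, ConfidentialAppAuthClient.oauth2_get_dependent_tokens). The practical check when reviewing a service: every downstream call should use the dependent token for that service, never the token the user handed in, and the set of registered dependent scopes should be the minimum the service actually calls.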
11. High Assurance support in Globus Auth
• Determine which identities in a user’s identity set have been used to authenticate, and when
• Session context = app instance, device
• Information returned via token introspection
• Services make access control decisions
• On a failed operation, the app generates a specific redirect URL so the user re-authenticates with the required identity
• docs.globus.org/api/auth/sessions
12. Services using high assurance features
• Globus transfer and groups
• Additional authentication assurance
– Enforce user authentication with a specific identity within the session, within a specific timeframe
• Application instance isolation
– Authentication context is per app, per session
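Slides 11 and 12 describe the mechanism from the service's side: introspect the token, look at which identities authenticated in this app's session and when, decide, and on denial hand the app a redirect that names the identity to re-verify. The added example below models that (it is not Globus Auth or globus-sdk code). The introspection shape follows the sessions documentation at docs.globus.org/api/auth/sessions but is simplified; the session_required_identities and session_message query parameters are the ones that documentation describes, prompt=login is standard OpenID Connect, and all identity IDs, client IDs, URLs and timestamps are made up. Note the application-instance isolation case: the same user's recent campus login in the CLI does not satisfy the portal, because sessions are per app:

```python
"""Toy model of session info in token introspection and a high-assurance
access check. Added illustration, not Globus Auth or globus-sdk code; shape
modelled on docs.globus.org/api/auth/sessions, all values made up."""
from urllib.parse import urlencode

AUTHORIZE_URL = "https://auth.globus.org/v2/oauth2/authorize"


class ToyAuthSessions:
    """A session is per app instance: identities authenticated in one app's
    session do not count for another app, even for the same user."""
    def __init__(self):
        self._sessions = {}   # session_id -> {"client_id", "authentications"}
        self._tokens = {}     # token -> {"sub", "identity_set", "session_id"}

    def new_session(self, client_id):
        sid = f"session-{len(self._sessions) + 1}"
        self._sessions[sid] = {"client_id": client_id, "authentications": {}}
        return sid

    def authenticate(self, session_id, identity_id, idp, auth_time):
        """Record that identity_id logged in through idp at auth_time (epoch s)."""
        self._sessions[session_id]["authentications"][identity_id] = {
            "idp": idp, "auth_time": auth_time}

    def issue_token(self, session_id, sub, identity_set):
        tok = f"token-{len(self._tokens) + 1}"
        self._tokens[tok] = {"sub": sub, "identity_set": list(identity_set),
                             "session_id": session_id}
        return tok

    def introspect(self, token):
        """Simplified introspection response including session_info."""
        rec = self._tokens.get(token)
        if rec is None:
            return {"active": False}
        sess = self._sessions[rec["session_id"]]
        return {"active": True, "sub": rec["sub"], "client_id": sess["client_id"],
                "identity_set": rec["identity_set"],
                "session_info": {"session_id": rec["session_id"],
                                 "authentications": dict(sess["authentications"])}}


def check_high_assurance(intro, required_identity, max_age, now,
                         client_id, redirect_uri, scope):
    """Resource-server policy: the identity that owns the protected data must
    have authenticated in THIS session within max_age seconds. On failure the
    app is told where to send the user so exactly that identity is re-verified."""
    if not intro.get("active"):
        return {"allow": False, "reason": "inactive_token", "redirect": None}
    if required_identity not in intro["identity_set"]:
        return {"allow": False, "reason": "identity_not_linked", "redirect": None}
    rec = intro["session_info"]["authentications"].get(required_identity)
    if rec is not None and now - rec["auth_time"] <= max_age:
        return {"allow": True, "reason": "ok", "redirect": None}
    reason = "not_authenticated_in_session" if rec is None else "authentication_too_old"
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
              "response_type": "code", "prompt": "login",
              "session_required_identities": required_identity,
              "session_message": "Please re-authenticate to access restricted data"}
    return {"allow": False, "reason": reason,
            "redirect": f"{AUTHORIZE_URL}?{urlencode(params)}"}


def demo():
    now = 1_700_000_000                       # fixed clock for reproducibility
    auth = ToyAuthSessions()
    campus, google = "id-alice-campus", "id-alice-google"
    ids = [campus, google]
    # Portal session: Google login 5 minutes ago, campus login 3 hours ago.
    s1 = auth.new_session("portal-client")
    auth.authenticate(s1, google, "google", now - 300)
    auth.authenticate(s1, campus, "campus-idp", now - 3 * 3600)
    t_portal = auth.issue_token(s1, campus, ids)
    # CLI session for the same user: campus login just now, but another app.
    s2 = auth.new_session("cli-client")
    auth.authenticate(s2, campus, "campus-idp", now)
    t_cli = auth.issue_token(s2, campus, ids)
    kw = dict(max_age=3600, now=now, client_id="portal-client",
              redirect_uri="https://portal.example.org/callback", scope="openid")
    portal = auth.introspect(t_portal)
    return {
        "google_recent": check_high_assurance(portal, google, **kw),
        "campus_stale": check_high_assurance(portal, campus, **kw),
        # Portal asks about campus; only the CLI session has it recently.
        "campus_in_portal_after_cli_login": check_high_assurance(portal, campus, **kw),
        "cli_token_campus": check_high_assurance(auth.introspect(t_cli), campus, **kw),
        "not_linked": check_high_assurance(portal, "id-bob", **kw),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision["allow"], decision["reason"])
```

With the Python SDK the introspection call is ConfidentialAppAuthClient.oauth2_token_introspect(token, include="session_info"); the policy logic and the redirect stay the service's responsibility. The two things to verify in a review are that the check keys on the session of the token actually presented (not on any session the user has anywhere) and that the redirect names the specific identity, so a user cannot satisfy a campus-only policy by re-authenticating with a weaker linked identity.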
18. More information
• Documentation
– docs.globus.org
• Globus Auth documentation
– docs.globus.org/api/auth/
• Python SDK
– globus-sdk-python.readthedocs.io/en/stable/
• Support
– support@globus.org
• Subscribe to blog posts and news/announcements
– www.globus.org/contact-us
Editor's Notes
Jetstream, FaceBase (Globus Groups service), GPCR (DERIVA-based projects at USC use login and call Groups), WholeTale (Groups and Transfer)
Recurring replication; Parsl using refresh tokens
RDA manages user permissions when data is ready for user download. Invokes Globus transfer/sharing as the portal to set permissions. WholeTale does the same (Whole Tale uses its client to create and manage shared endpoints for transferring data in to the system. We use this so that we create a shared endpoint for each user who deposits data.)
NIH Data Commons Object Resolution Service (as part of the Commons, the DataCite Object Registration Service was registered with its own scope to allow programmatic access by other Commons services, and we have a Jupyter notebook that does the auth flow for creating new identifiers: https://ors.datacite.org/; this is somewhat like our Identifiers service).
For the Data Commons, we implemented and secured the Workflow Execution Service (WES) API using Globus Auth and ran several demos with our clients and others accessing it. This was a way to provide a common API across several workflow engines (e.g., Galaxy). https://fair-research.org/deliverables/cross-stack-4m.html
Access Control
• Identities provided and managed by the institution
• Globus acts as identity broker only; it does not access or store any institutional user credentials
• Institution controls all access policies (at multiple levels)
– who can access what data and with what permissions
– who can share what data and with what permissions
– all access policies can be changed or revoked at any time