Executive Summary: A researcher or educator (hereafter referred to as “the user”) wants to be able to authenticate once using his/her community identity and subsequently have authenticated access to all of the available OpenStack resources in the community. (These services might include things such as a central object library (e.g. images, data, etc.), objects stored by that user on other service providers' resources, or cloud computing features such as elastic scheduling of instances.)
This use case is highly speculative. At the time this is being written, there is only one XSEDE resource that provides access to the OpenStack APIs to its users, so there is no other system with which "single sign-on" could work. Further, even when additional resources become available, it is unlikely that users will be given allocations that span multiple resources.
No effort or changes are proposed at this time.
Component | User facing? | Component’s role in the capability |
---|---|---|
Globus Auth | yes | Globus Auth is XSEDE's Web Single Sign-On (Web SSO) service. Beyond supporting user authentication for Web browser-based "Web apps," Globus Auth also provides OAuth2-based authentication for use by REST APIs. OpenStack APIs can use OAuth2 access tokens for authentication. Thus, Globus Auth can be used to protect access to OpenStack APIs, including user authentication. |
Service Provider IaaS (Cloud) Services | yes | The OpenStack API-accessible cloud resources provided by XSEDE Service Providers (SPs) are the core of this use case's implementation. It is these resources that will be used once authentication is accomplished via Single Sign-On. The authentication service must provide access tokens that allow authentication to the OpenStack APIs for each resource. |