ACCESS Resource Provider Communication - July 13, 2022
July 13, 2022
SUBJECT: Important information for ACCESS Resource Providers
Please forward to resource provider (RP) staff that need to know this information. Please note that in ACCESS, we will use the term “resource provider” (RP) instead of “service provider.”
ACCESS Identity and Access Management
ACCESS is taking over the XSEDE Kerberos and XSEDE DUO services to ensure continuity for authentication. XSEDE usernames and passwords will carry over to ACCESS IDs and passwords in ACCESS. Web services currently configured to authenticate people via idp.xsede.org will need to point to idp.access-ci.org instead. For authentication via CILogon with XSEDE credentials, people will select ACCESS as their identity provider instead of XSEDE.
XSEDE services to be retired on August 31, 2022, include the SSOHub (login.xsede.org). This means that users of RP systems who currently login to RP login hosts via the XSEDE SSOHub will need to do so directly to RP login hosts via other ssh methods instead. ACCESS will work with RPs to implement alternate ssh login methods.
ACTION FOR EXISTING RESOURCE PROVIDERS UTILIZING THE XSEDE SSO HUB:
By August 1, 2022: Please email links to your RP site documentation for ssh access to help@xsede.org with the subject “How to SSH directly to ACCESS <resource_name>” so that ACCESS can help direct customers accordingly.
Another XSEDE service that will be retired on August 31, 2022, is the OAuth-for-MyProxy (oa4mp.xsede.org) service. Some RPs and science gateways use this service in websites (gateways, etc.) and legacy GridFTP endpoints to enable authentication with XSEDE username and password. For similar authentication with ACCESS IDs, RPs and science gateways will need to update and/or reconfigure their services to authenticate via idp.access-ci.org instead. For Globus data access using ACCESS identities, RPs may use Globus Connect Server version 5.4. (Earlier versions will not work with ACCESS identities.) ACCESS is working to have idp.access-ci.org up and documentation available for testing by August 1, 2022.
Integrating Allocated Resources with ACCESS
ACCESS is introducing a new approach for integrating resources with ACCESS, called Integration Roadmaps. Over the life of the ACCESS program, Integration Roadmaps for various kinds of cyberinfrastructure will provide a more flexible and transparent way to describe how both traditional and innovative cyberinfrastructure can integrate operationally in ACCESS and into other research infrastructures. In a nutshell, each integration roadmap details the tasks that RP operators need to perform to make a specific class of cyberinfrastructure reach a specified operational status.
This approach will first be used in July and August of 2022 with the rollout of version 1.0 of the roadmap for “ACCESS-allocated production compute/storage/cloud” resources. This roadmap describes how existing XSEDE-allocated resources can become operational in ACCESS by September 1, 2022. This roadmap should also be used by new RPs who become an ACCESS-allocated resource after September 1, 2022. As new integration opportunities develop, updated versions of this roadmap—and roadmaps for other kinds of cyberinfrastructure resources—will be made available.
Globus data transfer endpoints
Configuring a Globus endpoint to enable ACCESS authentication will require Globus Connect Server version 5.4 (GCS 5.4). ACCESS will not be providing the OAuth-for-MyProxy interface that enabled older GridFTP and Globus Connect Server version 4 Globus endpoints to authenticate using XSEDE identities. (See “ACCESS Identity and Access Management” for more information about OAuth-for-MyProxy.)
XSEDE has provided configuration guidance and supporting materials for GCS 5.4 since 2021. Three RPs (Delaware, Purdue, and Texas A&M) are using GCS 5.4 for their XSEDE Globus endpoints. Configuring GCS 5.4 for ACCESS will be essentially the same as configuring it for XSEDE, and support for ACCESS can be added to an existing GCS 5.4 endpoint without disrupting XSEDE access. Beyond support for ACCESS’s new IAM services, GCS 5.4 also adds support for several new features, including browser upload/download, a much-improved administrative interface, and modular data access policy configuration.
ACCESS’s new IAM services, Globus endpoint documentation, and supporting materials will be available by August 1, 2022 for testing. RPs who wish to begin planning and testing new GCS 5.4 endpoints before then may do so using XSEDE’s existing GCS 5.4 guidance and supporting materials. (See link above.)
Finally, ACCESS will continue the Globus subscription through August 2023 under the XSEDE model, where all ACCESS-allocated resource providers will be able to deploy managed Globus endpoints under an ACCESS-provided Globus subscription. The ACCESS CONECT team will be working to evaluate the best path forward in this space for the ACCESS program, however stand-alone Globus endpoints are expected to continue to be recommended even after the ACCESS-provided Globus subscription expires.
For any other questions or feedback, please email help@xsede.org with a subject line “ACCESS Feedback.”