RDO-121 Compliance Check
Introduction
Pre-release access to Data Preview or Data Release files (including intermediate files that are used to create DP and DR files) is restricted to sites that have fulfilled the requirements of RDO-121.
On this page, we capture evidence and information to support the UK Data Facility claim of compliance.
Staff who will have access to the pre-release files need to complete the Rubin Staff Access Form.
Signatory on behalf of LSST:UK: Professor Bob Mann (U. of Edinburgh, Project Leader for LSST:UK Science Centre)
Storage configuration
The storage on which Data Release and Data Preview files will be hosted is as described below:
| Site | Storage Endpoint (identifier and technology) | Access Methods |
|---|---|---|
| Lancaster (DRP) | CephFS mounted on XRootD gateways | https/root, posix on limited hosts. |
| RAL (DRP) | Ceph Object store accessed through XRootD gateways | https/root/davs |
| Edinburgh (IDAC) | CephFS mounted on XRootD gateways | Via UK deployment of RSP (i.e., Gafaelfawr) or, via Rucio, on an external ip/domain for data ingestion. |
Authentication/ Authorisation
The services that make up the UK contribution to Data Release Processing are restricted to specific, approved individuals by the Rubin Data Management team, via membership of the LSST VO. Specifically, a member of the UK DRP team requests an X.509 personal certificate from the UK e-Science Certification Authority and then applies for membership of the LSST VO. Further, to access DRP datasets, they need to be included in the `lsst/usdf` subgroup by an authorised Rubin Data Management team member.
The UK IDAC plans, in the medium term (that is, by the end of 2025), to implement an authentication/ authorisation solution that is compliant with DMTN-253.
Effectively, the UK IDAC would host a local user database (built with LDAP) and run an authentication proxy (using either Keycloak or SAFE (tbc)) to consult with the Rubin Identity Provider (exposed via the Rubin instance of the Gafaelfawr service) regarding each user's data rights credentials.
In the short term (until the above solution is implemented and approved), access to the UK IDAC is restricted to a small number of Rubin Data Rights holders, who use their GitHub credentials to authenticate to UK IDAC services and then have authorisation to access datasets that we host (typically, via the UK instance of the Rubin Science Platform using the Rubin Gafaelfawr, or generating a short-lived token in the UK RSP which they can use to run RSP API queries). Users who apply for access to the UK IDAC are manually confirmed to have Rubin Data Rights or to be a member of the Rubin Observatory Slack, and are then added to a dedicated team within the LSP-UK GitHub organisation (https://github.com/orgs/LSP-UK/teams/dev). This list is reviewed periodically (as part of the six-monthly refresh of UK Data Rights Holders) to identify and remove any users for whom data rights have lapsed.
Designated LSST:UK Staff
Designated staff in LSST:UK with access to data hosted at sites, as described below:
| Name (Institution) | Email (as registered with Rubin) | Completed Rubin Staff Access Form | Read and agreed to RDO-121 |
|---|---|---|---|
| Matt Doidge (Lancaster) | m.doidge@lancaster.ac.uk | YES | YES |
| Tim Noble (RAL) | timothy.noble@stfc.ac.uk | YES | YES |
| Peter Love (Lancaster) | | YES | YES |
| Dave McKay (Edinburgh) | d.mckay@epcc.ed.ac.uk | YES | YES |
| James Mullaney (Sheffield) | j.mullaney@sheffield.ac.uk | YES | YES |
| Manu Antony (Edinburgh) | mantony@roe.ac.uk | YES | YES |
The local system-administration staff at each site do, in theory, have access to the storage via their root credentials. However, such access is only for use when dealing with a significant incident, e.g., a cybersecurity attack or in response to a request from a legal authority.
If you require this document in an alternative format, please contact the LSST:UK Project Managers lusc_pm@mlist.is.ed.ac.uk or phone +44 131 651 3577