Case 1: TERRA-REF
The ARPA-E TERRA-REF project currently uses the ROGER system to host what will eventually be ~2PB of data. Additional software components for TERRA-REF include Clowder, Labs Workbench, BETYdb (all deployed via OpenStack) as well as integration with external services such as the CyVerse Data Commons and Discovery Environment. Data transfer is available via Globus via the Terraref endpoint on ncsa#roger. Currently, NCSA LDAP is used for authentication into the ROGER system. Some users may have local logins on VMs. Clowder, Workbench, and BETYdb all have independent user databases. Workbench launches Docker containers on behalf of users that mount the TERRA-REF dataset via NFS and user scratch space on ROGER. ROGER users belong to the group "prj_cg_arpae".
We can imagine this or similar projects using single sign-on across Clowder, Workbench, ROGER, Globus, and BETYdb – as well as possibly with CyVerse. Using a single identity and shared authorization model, we could control whether the use has access to run jobs on ROGER, transfer data via Globus, launch applications via Workbench, and access subsets of data in Workbench, Clowder, BETYdb.
Case 2: SciServer + Whole Tale
The SciServer system (JHU) uses OpenStack Keystone for authentication. Whole Tale uses Globus Auth.