
Capability-Based Authorization for HEP

Authors:
Jeff Gaynor
Zach Miller
Derek Weitzel
Todd Tannenbaum
Brian Bockelman
Jim Basney
Source:
EPJ Web of Conferences, Vol 214, p 04014 (2019)
Publication Year:
2019
Publisher:
EDP Sciences, 2019.

Abstract

Outside the HEP computing ecosystem, it is vanishingly rare to encounter user X509 certificate authentication (and proxy certificates are even more rare). The web never widely adopted the user certificate model, but increasingly sees the need for federated identity services and distributed authorization. For example, Dropbox, Google and Box instead use bearer tokens issued via the OAuth2 protocol to authorize actions on their services. Thus, the HEP ecosystem has the opportunity to reuse recent work in industry that now covers our needs. We present a token-based ecosystem for authorization tailored for use by CMS. We base the tokens on the SciTokens profile for the standardized JSON Web Token (JWT) format. The token embeds a signed description of what capabilities the VO grants the bearer; the site-level service can verify the VO’s signature without contacting a central service. In this paper, we describe the modifications done to enable token-based authorization in various software packages used by CMS, including XRootD, CVMFS, and HTCondor. We describe the token-issuing workflows that would be used to get tokens to running jobs in order to authorize data access and file stageout, and explain the advantages for hosted web services. Finally, we outline what the transition would look like for an experiment like CMS.

Details

Language:
English
Volume:
214
Database:
OpenAIRE
Journal:
EPJ Web of Conferences
Accession number:
edsair.doi.dedup.....e23cd5c7c4df7aa98fe05a71de7836e6