Abstract

Outside the HEP computing ecosystem, it is vanishingly rare to encounter user X509 certificate authentication (and proxy certificates are even more rare). The web never widely adopted the user certificate model, but increasingly sees the need for federated identity services and distributed authorization. For example, Dropbox, Google and Box instead use bearer tokens issued via the OAuth2 protocol to authorize actions on their services. Thus, the HEP ecosystem has the opportunity to reuse recent work in industry that now covers our needs. We present a token-based ecosystem for authorization tailored for use by CMS. We base the tokens on the SciTokens profile for the standardized JSON Web Token (JWT) format. The token embeds a signed description of what capabilities the VO grants the bearer; the site-level service can verify the VO’s signature without contacting a central service. In this paper, we describe the modifications done to enable token-based authorization in various software packages used by CMS, including XRootD, CVMFS, and HTCondor. We describe the token-issuing workflows that would be used to get tokens to running jobs in order to authorize data access and file stageout, and explain the advantages for hosted web services. Finally, we outline what the transition would look like for an experiment like CMS.

Highlights

  • At the core of today’s grid security infrastructure is the concept of identity and impersonation through grid certificates

  • Accessing remote storage is a requirement for most HEP experiments

  • Accessing remote storage from a worker node is common in HEP workflows


Summary

Introduction

At the core of today’s grid security infrastructure is the concept of identity and impersonation through grid certificates. Accessing remote storage is a requirement for most HEP experiments, and accessing it from a worker node is common in HEP workflows. The majority of access to remote storage is secured with an impersonation grid certificate: if that certificate is compromised, the attacker gains every authorization available to the user. A capability-based authorization is instead a restricted token that grants only a limited set of authorizations; for example, the token can be restricted to allow only reading of certain paths from certain hosts. Rather than giving an attacker all of the user’s authorizations, a compromised capability token exposes only that very limited set. Box, Dropbox and many others use capability tokens to control access to storage and other resources.
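As an added example (not code from the paper or from the SciTokens project), this is the check a site-level service performs on a SciTokens-style capability token: verify the signature, issuer, audience and expiry, then match the requested action and path against the `scope` claim. The signing key, issuer URL, audience and paths are constructed demo values, and HS256 stands in for the asymmetric signature a VO would actually use (with RS256/ES256 the site holds only the VO's public key and verifies without contacting a central service, as the abstract describes).

```python
import base64, hmac, hashlib, json, posixpath, time

# Constructed demo key shared by issuer and verifier (assumption). A real
# SciToken is signed with the VO's private key (RS256/ES256) and verified
# with the public key the issuer publishes, so the site holds no secret;
# HS256 is used here only to keep the example standard-library-only.
DEMO_KEY = b"demo-vo-signing-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict) -> str:
    """VO side: sign the capability description into a compact JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, issuer: str, audience: str, now=None) -> dict:
    """Site side: return the claims only if signature, iss, aud and exp hold."""
    header, payload, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this host")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def path_allowed(granted: str, requested: str) -> bool:
    """Component-wise prefix match: /store/user/alice must not cover /store/user/alicebob."""
    g = "/" + granted.strip("/")
    r = "/" + posixpath.normpath("/" + requested).strip("/")  # collapse ../ first
    return g == "/" or r == g or r.startswith(g + "/")

def authorized(claims: dict, action: str, path: str) -> bool:
    """SciTokens scope claim: space-separated "<action>:<path>" capabilities."""
    for cap in claims.get("scope", "").split():
        act, _, prefix = cap.partition(":")
        if act == action and prefix and path_allowed(prefix, path):
            return True
    return False
```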

Background
Implementation
SciTokens Library
XRootD
HTCondor
Evaluation
Transition of CMS