DCache, towards Federated Identities & Anonymized Delegation

A Ashish,D Litvintsev,T Mkrtchyan,O S Adeyemi,Ap Millar,J Starek,M Sahakyan,G Behrmann,A Rossi,P Fuhrmann

doi:10.1088/1742-6596/898/10/102009

A Ashish, D Litvintsev + Show 8 more

Open Access

https://doi.org/10.1088/1742-6596/898/10/102009

Copy DOI

Abstract

For over a decade, dCache has relied on the authentication and authorization infrastructure (AAI) offered by VOMS, Kerberos, Xrootd etc. Although the established infrastructure has worked well and provided sufficient security, the implementation of procedures and the underlying software is often seen as a burden, especially by smaller communities trying to adopt existing HEP software stacks [1]. Moreover, scientists are increasingly dependent on service portals for data access [2]. In this paper, we describe how federated identity management systems can facilitate the transition from traditional AAI infrastructure to novel solutions like OpenID Connect. We investigate the advantages offered by OpenID Connect in regards to ‘delegation of authentication’ and ‘credential delegation for offline access’. Additionally, we demonstrate how macaroons can provide a more fine-granular authorization mechanism that supports anonymized delegation.

Full Text