Abstract

The WLCG is modernizing its security infrastructure, replacing X.509 client authentication with the newer industry standard of JSON Web Tokens (JWTs) obtained through the OpenID Connect (OIDC) protocol. A wide variety of software implements these standards, but most of it targets web-browser-based applications and does not adapt well to the command-line software used heavily in High Throughput Computing (HTC). OIDC command-line client software did exist, but it did not meet our requirements for security and convenience. This paper discusses a command-line solution we have built on the popular existing secrets management software from Hashicorp called vault. We made a package called htvault-config to easily configure a vault service and another called htgettoken to act as the vault client. In addition, we have integrated the tools into the HTCondor workload management system, although they also work well independently of HTCondor. All of the software is open source, under active development, and ready for use.

Highlights

  • When the Worldwide LHC Computing Grid (WLCG) was built, X.509 client authentication was chosen as the basic method of distributing authorization around the world, in particular X.509 proxy certificates

  • JSON Web Tokens (JWTs) have the scalability needed by High Throughput Computing (HTC) in that, like X.509 proxy certificates, they can be fully verified by the end clients

  • We found that we could use an existing, popular general purpose and open source secrets management software package called vault [9] from Hashicorp to store the refresh tokens of all the users from multiple Virtual Organizations (VOs)
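The second highlight is the property that makes JWTs scale like proxy certificates: once the end client holds the issuer's public key it can verify a token entirely on its own, with no callback to the issuer or to vault. The following Go program is an added example, not code from the paper or from htgettoken/htvault-config. It plays both roles in one process: a stand-in issuer signs a token with ES256, and a client-side verifier checks the signature and then the claims a WLCG-style client must check before trusting the token (trusted issuer, intended audience, expiry, presence of the profile version claim). The claim names follow the WLCG Common JWT Profile; the issuer URL, subject, audience, scopes, lifetimes and signing key are all constructed for the example, and the audience is simplified to a single string. The verifier pins the algorithm rather than trusting the token's own header, which is the check most often missing in home-grown JWT code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of a WLCG-style token that the client inspects.
// Claim names follow the WLCG Common JWT Profile; values are constructed here.
type Claims struct {
	Iss     string `json:"iss"`
	Sub     string `json:"sub"`
	Aud     string `json:"aud"` // simplified: the profile also allows an array
	Exp     int64  `json:"exp"`
	Iat     int64  `json:"iat"`
	Scope   string `json:"scope"`
	WLCGVer string `json:"wlcg.ver"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signES256 is the stand-in issuer: it produces header.payload.signature with a
// P-256 ECDSA signature encoded as r||s, each left-padded to 32 bytes (RFC 7518).
func signES256(key *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	pl, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(pl)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// verifyES256 is what the end client does offline: verify the signature with the
// issuer's public key, then check issuer, audience, expiry and profile version.
func verifyES256(pub *ecdsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	// Pin the algorithm: the token must not get to choose (blocks alg=none and key confusion).
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("audience %q is not this service", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	if c.WLCGVer == "" {
		return nil, errors.New("missing wlcg.ver")
	}
	return &c, nil
}

// Demo issues one valid token, one tampered copy and one expired token, and
// returns the verifier's verdict on each. All values are constructed.
func Demo() (good *Claims, tamperedErr, expiredErr error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	iss, aud := "https://token-issuer.example.org/", "https://storage.example.org"
	c := Claims{Iss: iss, Sub: "alice", Aud: aud, Iat: now.Unix(),
		Exp: now.Add(20 * time.Minute).Unix(), Scope: "storage.read:/ compute.read", WLCGVer: "1.0"}
	tok, _ := signES256(key, c)
	good, _ = verifyES256(&key.PublicKey, tok, iss, aud, now)

	// Tampered: payload changed, original signature kept.
	parts := strings.Split(tok, ".")
	bad := c
	bad.Sub = "mallory"
	pl, _ := json.Marshal(bad)
	_, tamperedErr = verifyES256(&key.PublicKey, parts[0]+"."+b64(pl)+"."+parts[2], iss, aud, now)

	// Expired: correctly signed, but exp is in the past.
	old := c
	old.Exp = now.Add(-time.Minute).Unix()
	oldTok, _ := signES256(key, old)
	_, expiredErr = verifyES256(&key.PublicKey, oldTok, iss, aud, now)
	return good, tamperedErr, expiredErr
}

func main() {
	good, tamperedErr, expiredErr := Demo()
	fmt.Printf("valid token: sub=%s scope=%q\n", good.Sub, good.Scope)
	fmt.Println("tampered token:", tamperedErr)
	fmt.Println("expired token:", expiredErr)
}
```

In a real deployment the public key comes from the issuer's JWKS document (looked up by the token's `kid`) and is cached, so the per-token verification shown here remains a purely local operation on the worker node, which is the scalability argument the highlight makes.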


Summary

Introduction

When the Worldwide LHC Computing Grid (WLCG) was built, X.509 client authentication was chosen as the basic method of distributing authorization around the world, in particular X.509 proxy certificates. Our current system for obtaining and storing X.509 proxy certificates [6] is completely hidden from most users: it authenticates with Kerberos and stores relatively long-lived credentials in a separate secured server called MyProxy [7]. Those longer-lived credentials are used by the HTCondor [8] workload management system to send updated short-lived credentials along with computing jobs. With oidc-agent, in addition to the web browser interaction that OIDC always requires to obtain a refresh token, each user has to keep the encrypted refresh token secure and enter a passphrase whenever a background process needs to be restarted. Our solution has security very similar to that of our existing system, and its convenience is also very similar, except that users are required to authenticate with their web browsers once

Architecture and design
HTCondor integration
Support for automated processes
Conclusions