Abstract
The WLCG Authorisation Working Group was formed in July 2017 with the objective to understand and meet the needs of a future-looking Authentication and Authorisation Infrastructure (AAI) for WLCG experiments. Much has changed since the early 2000s when X.509 certificates presented the most suitable choice for authorisation within the grid; progress in token based authorisation and identity federation has provided an interesting alternative with notable advantages in usability and compatibility with external (commercial) partners. The need for interoperability in this new model is paramount as infrastructures and research communities become increasingly interdependent. Over the past two years, the working group has made significant steps towards identifying a system to meet the technical needs highlighted by the community during staged requirements gathering activities. Enhancement work has been possible thanks to externally funded projects, allowing existing AAI solutions to be adapted to our needs. A cornerstone of the infrastructure is the reliance on a common token schema in line with evolving standards and best practices, allowing for maximum compatibility and easy cooperation with peer infrastructures and services. We present the work of the group and an analysis of the anticipated changes in authorisation model by moving from X.509 to token based authorisation. A concrete example of token integration in Rucio is presented.
Highlights
This paper describes ongoing work by the WLCG Authorisation Working Group [1] to transition the Worldwide LHC Computing Grid’s authorisation model from X.509
The tokens are defined as JSON Web Tokens (JWT) [4], to be provisioned over OpenID Connect (OIDC) [5] and OAuth2 [6] workflows
The Globus Toolkit [7], chosen by WLCG, supported X.509 and provided a functional solution for distributed authentication and authorisation, when coupled with policies controlled by the Interoperable Global Trust Federation (IGTF) [8]
Summary
This paper describes ongoing work by the WLCG Authorisation Working Group [1] to transition the Worldwide LHC Computing Grid’s authorisation model from X.509 Certificates [2] and certificate proxies [3] to tokens. The Globus Toolkit [7], chosen by WLCG, supported X.509 and provided a functional solution for distributed authentication and authorisation, when coupled with policies controlled by the Interoperable Global Trust Federation (IGTF) [8]. Alternative authentication and authorisation technologies have emerged and X.509 is no longer considered the most suitable option. Users are well accustomed to web-based authorisation workflows that use OAuth or OIDC to delegate access rights, meaning that adoption of such technologies would present a more userfriendly experience.
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
