Scitokens: Demonstrating Capability-Based Access to Remote Scientific Data using HTCondor

Alexander Withers, Duncan Brown, James Alan Basney, Brian Bockelman, Jason Patton, Todd Tannenbaum, Zach Miller, Derek Weitzel, Jeff Gaynor, You Alex Gao

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

Abstract

The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problems, re-run their computations, and wait longer for their results. SciTokens introduces a capabilities-based authorization infrastructure for distributed scientific computing, to help scientists manage their security credentials more reliably and securely. SciTokens uses IETF-standard OAuth JSON Web Tokens for capability-based secure access to remote scientific data. These access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the interoperability and security of scientific workflows, SciTokens 1) enables use of distributed computing for scientific domains that require greater data protection and 2) enables use of more widely distributed computing resources by reducing the risk of credential abuse on remote systems. In this extended abstract, we present the results over the past year of our open source implementation of the SciTokens model and its deployment in the Open Science Grid, including new OAuth support added in the HTCondor 8.8 release series.

Original language: English (US)
Title of host publication: Proceedings of the Practice and Experience in Advanced Research Computing
Subtitle of host publication: Rise of the Machines (Learning), PEARC 2019
Publisher: Association for Computing Machinery
ISBN (Electronic): 9781450372275
DOIs: https://doi.org/10.1145/3332186.3333258
State: Published - Jul 28 2019
Event: 2019 Conference on Practice and Experience in Advanced Research Computing: Rise of the Machines (Learning), PEARC 2019 - Chicago, United States
Duration: Jul 28 2019 to Aug 1 2019

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 2019 Conference on Practice and Experience in Advanced Research Computing: Rise of the Machines (Learning), PEARC 2019
Country: United States
City: Chicago
Period: 7/28/19 to 8/1/19

Fingerprint

Distributed computer systems
Natural sciences computing
Data privacy
Security of data
Interoperability
Web services
Authentication

Keywords

  • Capabilities
  • Distributed computing
  • OAuth

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Networks and Communications
  • Computer Vision and Pattern Recognition
  • Software

Cite this

Withers, A., Brown, D., Basney, J. A., Bockelman, B., Patton, J., Tannenbaum, T., ... Gao, Y. A. (2019). Scitokens: Demonstrating Capability-Based Access to Remote Scientific Data using HTCondor. In Proceedings of the Practice and Experience in Advanced Research Computing: Rise of the Machines (Learning), PEARC 2019 [3333258] (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3332186.3333258
