DOI: 10.1145/3311790.3396635
Research article

Custos: Security Middleware for Science Gateways

Published: 26 July 2020

Abstract

Science gateways represent potential targets for cybersecurity threats to users, scientific research, and scientific resources. In this paper, we introduce Custos, a software framework that provides common security operations for science gateways, including user identity and access management, gateway tenant profile management, resource secrets management, and groups and sharing management. The goals of the Custos project are to provide these services to a wide range of science gateway frameworks, providing the community with an open source, transparent, and reviewed code base for common security operations; and to operate trustworthy security services for the science gateway community using this software base. To accomplish these goals, we implement Custos using a scalable microservice architecture that can provide highly available, fault tolerant operations. Custos exposes these services through a language-independent Application Programming Interface that encapsulates science gateway usage scenarios.

Published In

PEARC '20: Practice and Experience in Advanced Research Computing 2020: Catch the Wave
July 2020
556 pages
ISBN: 9781450366892
DOI: 10.1145/3311790

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Science gateways
  2. apache airavata
  3. custos
  4. cybersecurity
  5. microservices
  6. service mesh

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

PEARC '20

Acceptance Rates

Overall Acceptance Rate 133 of 202 submissions, 66%

Article Metrics

  • Downloads (Last 12 months): 16
  • Downloads (Last 6 weeks): 0
Reflects downloads up to 17 Oct 2024

Cited By

  • (2023) Research Opportunities in Microservices Quality Assessment: A Systematic Literature Review. Journal of Advances in Information Technology 14:5 (991-1002). DOI: 10.12720/jait.14.5.991-1002. Online publication date: 2023
  • (2023) Airavata Data Catalog: A Multi-tenant Metadata Service for Efficient Data Discovery and Access Control. Practice and Experience in Advanced Research Computing 2023: Computing for the Common Good (181-185). DOI: 10.1145/3569951.3597572. Online publication date: 23-Jul-2023
  • (2022) Cybersecurity and Research are not a Dichotomy. Practice and Experience in Advanced Research Computing 2022: Revolutionary: Computing, Connections, You (1-4). DOI: 10.1145/3491418.3535180. Online publication date: 8-Jul-2022
  • (2022) Custos Secrets: a Service for Managing User-Provided Resource Credential Secrets for Science Gateways. Practice and Experience in Advanced Research Computing 2022: Revolutionary: Computing, Connections, You (1-4). DOI: 10.1145/3491418.3535177. Online publication date: 8-Jul-2022
  • (2021) Jetstream2: Accelerating cloud computing via Jetstream. Practice and Experience in Advanced Research Computing 2021: Evolution Across All Dimensions (1-8). DOI: 10.1145/3437359.3465565. Online publication date: 17-Jul-2021
  • (2021) User-Centric Design and Evolvable Architecture for Science Gateways: A Case Study. 2021 IEEE/ACM 21st International Symposium on Cluster, Cloud and Internet Computing (CCGrid) (267-276). DOI: 10.1109/CCGrid51090.2021.00036. Online publication date: May-2021
  • (2020) Integrating Science Gateways with Secure Cloud Computing Resources: An Examination of Two Deployment Patterns and Their Requirements. 2020 IEEE/ACM International Workshop on HPC User Support Tools (HUST) and Workshop on Programming and Performance Visualization Tools (ProTools) (19-26). DOI: 10.1109/HUSTProtools51951.2020.00010. Online publication date: Nov-2020
