Extended abstract. DOI: 10.1145/3332186.3333258

SciTokens: Demonstrating Capability-Based Access to Remote Scientific Data using HTCondor

Published: 28 July 2019

Abstract

The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problems, re-run their computations, and wait longer for their results. SciTokens introduces a capabilities-based authorization infrastructure for distributed scientific computing, to help scientists manage their security credentials more reliably and securely. SciTokens uses IETF-standard OAuth JSON Web Tokens for capability-based secure access to remote scientific data. These access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the interoperability and security of scientific workflows, SciTokens 1) enables use of distributed computing for scientific domains that require greater data protection and 2) enables use of more widely distributed computing resources by reducing the risk of credential abuse on remote systems.
In this extended abstract, we present the results over the past year of our open source implementation of the SciTokens model and its deployment in the Open Science Grid, including new OAuth support added in the HTCondor 8.8 release series.
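
The difference between a capability token and an impersonation credential shows up at the resource server, which grants only what the token's claims name. The sketch below is an added example, not code from the paper or from the SciTokens or HTCondor projects. It assumes the JWT signature has already been verified against the issuer's public key, and that scopes use the `operation:/path` form (which this abstract does not spell out); the issuer URL, paths and timestamps are constructed.

```python
import posixpath
import time

# Constructed sample: claims of a token whose signature was already verified.
SAMPLE_CLAIMS = {
    "iss": "https://issuer.example.org",          # hypothetical issuer
    "exp": 1_700_000_600,
    "scope": "read:/ligo/frames write:/ligo/results",
}
TRUSTED_ISSUERS = {"https://issuer.example.org"}
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _norm(path):
    # Collapse "." / ".." and repeated slashes so "/a/../b" cannot
    # slip past a prefix comparison.
    return posixpath.normpath("/" + path.lstrip("/"))


def authorize(claims, operation, path, trusted_issuers, now=None):
    """Return True only if the verified claims grant `operation` on `path`."""
    now = time.time() if now is None else now
    if claims.get("iss") not in trusted_issuers:
        return False
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False  # expired, or no expiry at all: deny
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf:
        return False  # not yet valid
    target = _norm(path)
    for scope in str(claims.get("scope", "")).split():
        op, _, prefix = scope.partition(":")
        if op != operation:
            continue
        prefix = _norm(prefix or "/")  # assumption: no path means "/"
        # Match on whole path components, so "/ligo/frames" does not
        # also authorize "/ligo/frames-private".
        if prefix == "/" or target == prefix or target.startswith(prefix + "/"):
            return True
    return False  # default deny: nothing in the token names this access
```

A stolen copy of this token can read one directory and write another until `exp`; it cannot act as the user anywhere else.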



    Published In

    PEARC '19: Practice and Experience in Advanced Research Computing 2019: Rise of the Machines (learning)
    July 2019
    775 pages
    ISBN: 9781450372275
    DOI: 10.1145/3332186
    General Chair: Tom Furlani
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. OAuth
    2. capabilities
    3. distributed computing

    Qualifiers

    • Extended-abstract
    • Research
    • Refereed limited

    Conference

    PEARC '19

    Acceptance Rates

    Overall Acceptance Rate 133 of 202 submissions, 66%
