TY - GEN
T1 - SciTokens
T2 - 2018 Practice and Experience in Advanced Research Computing Conference: Seamless Creativity, PEARC 2018
AU - Withers, Alex
AU - Brown, Duncan
AU - Bockelman, Brian
AU - Gaynor, Jeff
AU - Weitzel, Derek
AU - Basney, Jim
AU - Tannenbaum, Todd
AU - Miller, Zach
N1 - Publisher Copyright:
© 2018 Copyright held by the owner/author(s). Publication rights licensed to the Association for Computing Machinery.
PY - 2018/7/22
Y1 - 2018/7/22
N2 - The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problems, re-run their computations, and wait longer for their results. In this paper, we introduce SciTokens, open source software to help scientists manage their security credentials more reliably and securely. We describe the SciTokens system architecture, design, and implementation addressing use cases from the Laser Interferometer Gravitational-Wave Observatory (LIGO) Scientific Collaboration and the Large Synoptic Survey Telescope (LSST) projects. We also present our integration with widely-used software that supports distributed scientific computing, including HTCondor, CVMFS, and XrootD. SciTokens uses IETF-standard OAuth tokens for capability-based secure access to remote scientific data. The access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the interoperability and security of scientific workflows, SciTokens 1) enables use of distributed computing for scientific domains that require greater data protection and 2) enables use of more widely distributed computing resources by reducing the risk of credential abuse on remote systems.
AB - The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problems, re-run their computations, and wait longer for their results. In this paper, we introduce SciTokens, open source software to help scientists manage their security credentials more reliably and securely. We describe the SciTokens system architecture, design, and implementation addressing use cases from the Laser Interferometer Gravitational-Wave Observatory (LIGO) Scientific Collaboration and the Large Synoptic Survey Telescope (LSST) projects. We also present our integration with widely-used software that supports distributed scientific computing, including HTCondor, CVMFS, and XrootD. SciTokens uses IETF-standard OAuth tokens for capability-based secure access to remote scientific data. The access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the interoperability and security of scientific workflows, SciTokens 1) enables use of distributed computing for scientific domains that require greater data protection and 2) enables use of more widely distributed computing resources by reducing the risk of credential abuse on remote systems.
KW - Capabilities
KW - Distributed computing
KW - OAuth
UR - http://www.scopus.com/inward/record.url?scp=85051435969&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85051435969&partnerID=8YFLogxK
U2 - 10.1145/3219104.3219135
DO - 10.1145/3219104.3219135
M3 - Conference contribution
AN - SCOPUS:85051435969
SN - 9781450364461
T3 - ACM International Conference Proceeding Series
BT - Practice and Experience in Advanced Research Computing 2018
PB - Association for Computing Machinery
Y2 - 22 July 2017 through 26 July 2017
ER -