Fermilab Computing Division

CS Document 460-v1

Building Global HEP Systems on Kerberos

Document #: CS-doc-460-v1
Document type: Conference
Submitted by: JoAnn Larson
Updated by: Matt Crawford
Document Created: 05 Aug 2004, 11:36
Contents Revised: 23 Sep 2004, 16:17
Metadata Revised: 20 Jan 2005, 10:32
Viewable by: Public document
Modifiable by: Same as Viewable by

Other Versions: CS-doc-460-v0 (05 Aug 2004, 11:36)
Abstract:
As an underpinning of AFS and Windows 2000, and as a formally proven security protocol in its own right, Kerberos is ubiquitous among HEP sites. Fermilab and users from other sites have taken advantage of this and built a diversity of distributed applications over Kerberos v5. We present several projects in which this security infrastructure has been leveraged to meet the requirements of far-flung collaborations. These range from straightforward "Kerberization" of applications such as database and batch services, to quick tricks like simulating a user-authenticated web service with AFS and the "file:" schema, to more complex systems. Examples of the latter include experiment control room operations and the Central Analysis Farm (CAF).

We present several use cases and their security models, and examine how they attempt to address some of the outstanding problems of secure distributed computing: delegation of the least necessary privilege; establishment of trust between a user and a remote processing facility; credentials for long-queued or long-running processes, and automated processes running without any user's instigation; security of remotely-stored credentials; and ability to scale to the numbers of sites, machines and users expected in the collaborations of the coming decade.

Topics: None
Notes and Changes: Fermilab Publication number CONF-04-491-CD
Associated with Events: CHEP2004, held from 27 Sep 2004 to 01 Oct 2004 in Interlaken, Switzerland