Fermilab Computing Division

CS Document 5772-v1

CHEP 2016 - Grid Access with Federated Identities

Document #:
CS-doc-5772-v1
Document type:
Presentation
Submitted by:
Dave Dykstra
Updated by:
Dave Dykstra
Document Created:
05 Jul 2016, 15:13
Contents Revised:
26 Jan 2017, 08:47
Metadata Revised:
26 Jan 2017, 08:47
Viewable by:
  • Public document
Other Versions:
CS-doc-5772-v0
05 Jul 2016, 15:13
Abstract:
It is well known that submitting jobs to the grid and transferring the resulting data are not trivial tasks, especially when users are required to manage their own X.509 certificates. Asking users to manage their own certificates means that they need to keep the certificates secure, remember to renew them periodically, frequently create proxy certificates, and make them available to long-running grid jobs. We have made those tasks easier by creating and managing certificates for users. In order to do this we have written a new general purpose open source tool called `cigetcert` that takes advantage of the existing InCommon federated identity infrastructure and the InCommon X.509 certificate creation service, CILogon. The tool uses the SAML Enhanced Client or Proxy (ECP) profile protocol, which was designed for non-web-browser environments, so it fits well with traditional command line-based grid access. The tool authenticates with the local institution's Identity Provider (IdP) using either Kerberos or the institutional username/password, retrieves a user certificate from the CILogon Basic CA, stores a relatively short-lived proxy certificate on the local disk, and stores a longer-lived proxy certificate in a MyProxy server. The local disk proxy certificate is then available to submit jobs, and the grid job submission system reads the proxy certificate out of the MyProxy server and uses that to authorize data transfers for long-lived grid jobs. This paper describes the motivation, design, implementation, and deployment of this system that provides grid access with federated identities.
Associated with Events:
CHEP 2016 held from 10 Oct 2016 to 14 Oct 2016 in San Francisco