CS Document 5772-v1
CHEP 2016 - Grid Access with Federated Identities
- Public document
- It is well known that submitting jobs to the grid and transferring the resulting data are not trivial tasks, especially when users are required to manage their own X.509 certificates. Asking users to manage their own certificates means that they need to keep the certificates secure, remember to renew them periodically, frequently create proxy certificates, and make them available to long-running grid jobs. We have made those tasks easier by creating and managing certificates for users. In order to do this we have written a new general purpose open source tool called `cigetcert´ that takes advantage of the existing InCommon federated identity infrastructure and the InCommon X.509 certificate creation service, CILogon. The tool uses the SAML Enhanced Client or Proxy (ECP) profile protocol which was designed for non-web browser environments, so it fits well with traditional command line-based grid access. The tool authenticates with the local institution's Identity Provider (IdP) using either Kerberos or the institutional username/password, retrieves a user certificate from CILogon Basic CA, stores a relatively short-lived proxy certificate on the local disk, and stores a longer-lived proxy certificate in a MyProxy server. The local disk proxy certificate is then available to submit jobs, and the grid job submission system reads the proxy certificate out of the MyProxy server and uses that to authorize data transfers for long-lived grid jobs. This paper describes the motivation, design, implementation, and deployment of this system that provides grid access with federated identities.
- Associated with Events:
- CHEP 2016 held from 10 Oct 2016 to 14 Oct 2016 in San Francisco