SciTokens: Capability-Based Secure Access to Remote Scientific Data

The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problems, re-run their computations, and wait longer for their results. In this paper, we introduce SciTokens, open source software to help scientists manage their security credentials more reliably and securely. We describe the SciTokens system architecture, design, and implementation addressing use cases from the Laser Interferometer Gravitational-Wave Observatory (LIGO) Scientific Collaboration and the Large Synoptic Survey Telescope (LSST) projects. We also present our integration with widely-used software that supports distributed scientific computing, including HTCondor, CVMFS, and XrootD. SciTokens uses IETF-standard OAuth tokens for capability-based secure access to remote scientific data. The access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the interoperability and security of scientific workflows, SciTokens 1) enables use of distributed computing for scientific domains that require greater data protection and 2) enables use of more widely distributed computing resources by reducing the risk of credential abuse on remote systems.
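As an added illustration (not code from the paper or the SciTokens project), a minimal capability-token check in Python: the token's `scope` claim names the operation and path prefix a workflow needs, and the storage side grants a request only if it falls inside one of those scopes and the token is unexpired. The HS256 shared key, the `read:/path` scope syntax and all paths are constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-signing-key"  # constructed; a real issuer would use an asymmetric key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(scopes, lifetime_s, now=None):
    """Mint a compact JWT (HS256) whose 'scope' claim lists only the
    capabilities the workflow needs, e.g. 'read:/ligo/frames'."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"scope": " ".join(scopes), "iat": now, "exp": now + lifetime_s}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, now=None):
    """Return the claims if the signature checks and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_dec(sig)):
            return None
        claims = json.loads(_b64url_dec(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= now:  # expired tokens fail closed
        return None
    return claims

def authorize(token, op, path, now=None):
    """Resource-server decision: is (op, path) covered by some scope in the token?
    A scope 'read:/a/b' covers exactly '/a/b' and anything under '/a/b/'."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    for scope in claims.get("scope", "").split():
        s_op, _, s_path = scope.partition(":")
        prefix = s_path.rstrip("/") + "/"
        if s_op == op and (path == s_path or path.startswith(prefix)):
            return True
    return False
```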
