Speaker
Mr Michael Schuh (DESY)
Description
A drawback of authentication-based access control to storage or computing resources is the need for a consistent identity namespace across all such resources; e.g., a program runs under a user ID and can read/write files belonging to that user or group. For a distributed instance of storage and computing, this means that the correct identities have to be mapped and authenticated at every component, where errors might pose significant security risks.
By moving to authorization-based access control and confining authentication to a few central components, one can overcome the constraints of site-wide identity handling, which also allows for easier scaling out to external resources.
For our local workflow chains we propose the concept of anonymous jobs, where an anonymous job is a self-sufficient description of the job's file input and output as well as the processing function or application, combined with the necessary identity-free access tokens for both storage and compute resources.
For automatised workflow chains, an event initiates a processing chain in which access tokens in the form of Macaroons are requested from the dCache storage system. As the access tokens are tailored to only the necessary paths for input & output and limited in time as well as network ranges, the risk of file losses can be significantly reduced compared to the full file namespace available to a user. Similarly, compute resources on the HTCondor batch system could be abstracted as tokens, so that one can combine the access tokens in a self-sufficient job that can be processed decoupled from the initial user.
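The token restriction described above, as an added example that is not part of the abstract or of dCache's code: a minimal HMAC-chained macaroon restricted by path, expiry and network-range caveats, with the storage-side check. The caveat syntax, root key, paths, addresses and function names are constructed for illustration and are not dCache's wire format.

```python
import hashlib, hmac, ipaddress, posixpath
from datetime import datetime, timezone

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str) -> dict:
    """Storage side: issue an unrestricted token bound to the root key."""
    return {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier)}

def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: append a caveat. The old signature keys the new HMAC,
    so a caveat can be added without the root key but never removed."""
    return {"id": token["id"], "caveats": token["caveats"] + [caveat],
            "sig": _mac(token["sig"], caveat)}

def _holds(caveat: str, path: str, client_ip: str, now: datetime) -> bool:
    kind, _, value = caveat.partition(":")
    if kind == "path":
        prefix = value.rstrip("/")
        path = posixpath.normpath(path)  # collapse ../ before comparing
        return path == prefix or path.startswith(prefix + "/")
    if kind == "before":
        return now < datetime.fromisoformat(value)
    if kind == "ip":
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(value)
    return False  # unknown caveat type: fail closed

def verify(root_key: bytes, token: dict, path: str, client_ip: str,
           now: datetime) -> bool:
    """Storage side: recompute the HMAC chain, then check every caveat."""
    sig = _mac(root_key, token["id"])
    for caveat in token["caveats"]:
        sig = _mac(sig, caveat)
    if not hmac.compare_digest(sig, token["sig"]):
        return False
    return all(_holds(c, path, client_ip, now) for c in token["caveats"])

# Constructed sample values (not from the abstract).
ROOT_KEY = b"constructed-demo-root-key"
NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2030, 1, 2, tzinfo=timezone.utc)

def job_output_token() -> dict:
    token = mint(ROOT_KEY, "job-0001-output")
    for caveat in ("path:/data/run42/output",
                   "before:2030-01-01T00:00:00+00:00",
                   "ip:192.0.2.0/24"):
        token = attenuate(token, caveat)
    return token
```

A job carrying this token can write only below the one output path, from the one network range, until expiry; dropping a caveat from the list invalidates the signature.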
Primary author
Dr Thomas Hartmann (DESY)
Co-authors
Dr Christian Voss (DESY Hamburg)
Christoph Beyer (DESY)
Marina Sahakyan (DESY)
Mr Michael Schuh (DESY)
Dr Patrick Fuhrmann (DESY/dCache.org)