Token-based technologies are attracting attention as a means of realizing authentication and authorization in distributed high-performance computing infrastructure for research. The purpose of this paper is to describe the design and implementation of the next authentication and authorization system in the High Performance Computing Infrastructure (HPCI) in Japan.
Following the end of GSI (Grid Security Infrastructure) maintenance by the Globus Alliance, authentication and authorization technology to replace GSI is being considered worldwide for large-scale high performance computing environments. In Japan as well, HPCI currently uses GSI to realize single sign-on (SSO) among high performance computers and large-scale distributed file systems; we have therefore studied authentication technologies for the next authentication infrastructure that does not use GSI. As a result, OAuth has been selected as the main authentication technology.
In order to use OAuth tokens for SSO among supercomputers and large-scale distributed file systems, it is necessary to delegate tokens skillfully. We must consider that these resources are accessed not just through a Web user interface but also through a command-line user interface (CUI), because end-users of HPCI typically log in to the front-end of a supercomputer with SSH and mount a distributed file system. We discuss token flows for typical CUI-based use cases in HPCI, which we consider beneficial for other large-scale HPC infrastructures.
In this paper, we describe the details of the token-based authentication and authorization system in HPCI, such as access token details, token issuance and user information management, token processing in SSH and the distributed file system, authorization management for services, and the end-user environment.