31 March 2019 to 5 April 2019
Academia Sinica
Asia/Taipei timezone

Authentication and Authorization for RESTful WEB API in Scientific Computing Environment

5 Apr 2019, 10:50
30m
Media Conference Room (Academia Sinica)

Oral Presentation: Virtual Research Environment (including middleware, tools, services, workflow, etc.) (VRE)

Speaker

Dr Rongqiang Cao (Computer Network Information Center, Chinese Academy of Sciences)

Description

Through grid computing and cloud computing technologies, SCE (Scientific Computing Environment, previously also known as ScGrid) integrates massive computing, storage and application resources. As a general-purpose computing platform in CAS (Chinese Academy of Sciences) since 2006, SCE is designed as a pyramidal structure. At present, the top layer is a centralized massive computing environment named ERA, a heterogeneous cluster that provides a 2.3 petaflops (CPU: 700 teraflops, GPU and MIC: 1.6 petaflops) computing and software support platform. The middle layer is distributed across China, where 9 branch centres have been chosen and connected. In addition, SCE has 18 sub-branch centres and 11 GPU centres in the bottom layer.

All resources in SCE are packaged as easy-to-use open APIs in RESTful web services. These APIs are used to develop client software for multi-disciplinary and cross-scenario use. Around the authentication and authorization issues among users, open APIs and clients, simplified authentication and authorization services are proposed and implemented in this paper. Three problems are to be solved: (1) how can an SCE account securely log in to a client developed by a third party without disclosing sensitive credential information such as a password? (2) How can an SCE user authorize a client to access computing resources and private data within a limited scope, while blocking illegal actions beyond the approved scope? (3) How can an administrator manage the privileges of open APIs and assign different permissions to any client dynamically?

Regarding the background and issues above, the services proposed in this paper provide single sign-on across multiple WEB communities for SCE accounts, support users in authorizing terminal software that accesses massive resources and personal private data in proxy mode, and also help administrators determine which open APIs a client may access.

Several micro-services were implemented or deployed to provide easy-to-use and simple authentication and authorization for the RESTful WEB API in SCE. The single sign-on (SSO) micro-service provides a simple login service for clients and web gateways via an SCE account. The open API authorization micro-service provides a simple authorization workflow for users, performs delegated actions within the permission scope, and forbids illegal and malicious attacks on computing resources and private data. A large-file transfer micro-service was also implemented to transport large data in isolated service instances protected by the proposed authentication and authorization services. In addition, two-phase authentication was proposed to enhance security and improve usability. The first authentication phase provides the single sign-on or simple username-and-password login service for users logging in to clients and web gateways developed by third parties. The second authentication phase provides authentication and permission validation for clients and web gateways performing delegated actions within the user's authorization scope.

Atop the proposed services, all the people involved (users, developers and administrators) no longer need to worry about or solve complex problems in authentication and authorization. What they need to pay attention to are the specific business logic and application scenarios of their areas of interest.
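The abstract describes the flow but not the mechanism, so the following is an added illustration of the two-phase scheme, written for this page and not SCE's own code: in phase 1 the user authenticates only against the SSO service and approves a scope for a client, which receives an opaque grant and never sees the password; in phase 2 the API gateway checks both the admin-assigned per-client API permissions and the user-approved scope before performing a delegated action, and logs every decision for later analysis. All user names, client identifiers, API names and scope names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


class SSOService:
    """Phase 1 (constructed): verifies passwords and issues opaque, client-bound grants."""

    def __init__(self):
        self._users = {}   # user -> (salt, pbkdf2 digest); plaintext never stored
        self._grants = {}  # grant_id -> (user, client_id, scopes, expiry)

    def register_user(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, digest)

    def _verify_password(self, user, password):
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def login_and_authorize(self, user, password, client_id, scopes, ttl=3600):
        """User logs in at the SSO service and approves a scope for one client.
        The client gets only the opaque grant id; the password stays here."""
        if not self._verify_password(user, password):
            raise PermissionError("bad credentials")
        grant_id = secrets.token_urlsafe(32)
        self._grants[grant_id] = (user, client_id, frozenset(scopes), time.time() + ttl)
        return grant_id

    def introspect(self, grant_id, client_id):
        """Gateway-side lookup: returns (user, scopes) only if the grant is valid,
        unexpired and bound to the presenting client."""
        rec = self._grants.get(grant_id)
        if rec is None:
            return None
        user, bound_client, scopes, expiry = rec
        if bound_client != client_id or time.time() > expiry:
            return None
        return user, scopes


@dataclass
class ApiGateway:
    """Phase 2 (constructed): validates client permissions and user scope per call."""
    sso: SSOService
    client_api_permissions: dict = field(default_factory=dict)  # admin-managed: client -> APIs
    api_required_scope: dict = field(default_factory=dict)      # API -> scope it needs
    audit_log: list = field(default_factory=list)               # input for later log analysis

    def call(self, client_id, grant_id, api_name):
        """Returns 'ok' or a denial reason; every decision is recorded."""
        decision = self._authorize(client_id, grant_id, api_name)
        self.audit_log.append((client_id, api_name, decision))
        return decision

    def _authorize(self, client_id, grant_id, api_name):
        # administrator's per-client API assignment is checked first
        if api_name not in self.client_api_permissions.get(client_id, set()):
            return "denied: client not permitted to call this API"
        ident = self.sso.introspect(grant_id, client_id)
        if ident is None:
            return "denied: invalid, expired or foreign grant"
        user, scopes = ident
        needed = self.api_required_scope.get(api_name)
        if needed not in scopes:
            return f"denied: user {user} did not approve scope {needed}"
        return "ok"


def demo():
    """Runs the flow end to end and returns the gateway decisions in order."""
    sso = SSOService()
    sso.register_user("alice", "correct horse battery staple")  # constructed credentials
    gw = ApiGateway(
        sso,
        client_api_permissions={"chem-portal": {"job.submit", "job.status"},
                                "other-client": {"job.status"}},
        api_required_scope={"job.submit": "jobs:write", "job.status": "jobs:read",
                            "data.read": "data:read"},
    )
    # alice approves only read access for the portal; the portal never sees her password
    grant = sso.login_and_authorize("alice", "correct horse battery staple",
                                    "chem-portal", ["jobs:read"])
    return [
        gw.call("chem-portal", grant, "job.status"),   # in scope and permitted -> ok
        gw.call("chem-portal", grant, "job.submit"),   # API allowed, scope not approved
        gw.call("chem-portal", grant, "data.read"),    # API not assigned to this client
        gw.call("other-client", grant, "job.status"),  # grant presented by a different client
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The ordering of checks matters: the gateway rejects on the administrator's client-to-API table before it ever consults the grant, so a client can never learn whether a grant is valid for an API it was not assigned; binding each grant to the client it was issued to is what stops one client from replaying another client's delegation.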

Summary

This paper designed and implemented simple authentication and authorization services for the RESTful WEB API in SCE. The proposed services have been applied to the general computing portal and the operation and management portal of the national high-performance computing environment, as well as to WEB communities for computational chemistry, bioinformatics, etc. These examples show that the proposed services have achieved positive effects and good results. In future, we will continue to improve the authorization service to support more types and sources of accounts, and extend the log analysis tools to discover illegal events in a timely manner, or even online in real time. This work was partially supported by the National Natural Science Foundation of China under grant No. 61702476.

Primary author

Dr Rongqiang Cao (Computer Network Information Center, Chinese Academy of Sciences)

Co-authors

Ms Rong He (Computer Network Information Center, Chinese Academy of Sciences)

Ms Shasha Lu (Computer Network Information Center, Chinese Academy of Sciences)

Dr Xiaoning Wang (Computer Network Information Center, Chinese Academy of Sciences)

Prof. Xuebin Chi (Computer Network Information Center, Chinese Academy of Sciences)

Prof. Yangang Wang (Computer Network Information Center, Chinese Academy of Sciences)