Adoption of a token-based authentication model for the CMS Submission Infrastructure

A. P. Yzquierdo, M. Mascheroni, Edita Kizinevič, F. Khan, Hyunwoo Kim, M. A. Flechas, Nikos Tsipinakis, Saqib Haleem, Frank Wurthwein
Journal: EPJ Web of Conferences (journal article). Published: 2024-05-23. DOI: 10.1051/epjconf/202429504003 (https://doi.org/10.1051/epjconf/202429504003)
Citation count: 1

Abstract

The CMS Submission Infrastructure (SI) is the main computing resource provisioning system for CMS workloads. A number of HTCondor pools are employed to manage this infrastructure, which aggregates geographically distributed resources from the WLCG and other providers. Historically, the model of authentication among the diverse components of this infrastructure has relied on the Grid Security Infrastructure (GSI), based on identities and X509 certificates. In contrast, commonly used modern authentication standards are based on capabilities and tokens. The WLCG has identified this trend and aims at a transparent replacement of GSI for all its workload management, data transfer and storage access operations, to be completed during the current LHC Run 3. As part of this effort, and within the context of CMS computing, the Submission Infrastructure group is in the process of phasing out the GSI part of its authentication layers, in favor of IDTokens and Scitokens. The use of tokens is already well integrated into the HTCondor Software Suite, which has allowed us to fully migrate the authentication between internal components of SI. Additionally, recent versions of the HTCondor-CE support tokens as well, enabling CMS resource requests to Grid sites employing this CE technology to be granted by means of token exchange. After a rollout campaign to sites, successfully completed by the third quarter of 2022, the totality of HTCondor CEs in use by CMS are already receiving Scitoken-based pilot jobs. On the ARC CE side, a parallel campaign was launched to foster the adoption of the REST interface at CMS sites (required to enable token-based job submission via HTCondor-G), which is nearing completion as well. In this contribution, the newly adopted authentication model will be described. We will then report on the migration status and final steps towards complete GSI phase out in the CMS SI.