OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Building global HEP systems on Kerberos

Abstract

As an underpinning of AFS and Windows 2000, and as a formally proven security protocol [1] in its own right, Kerberos is ubiquitous among HEP sites. Fermilab and users from other sites have taken advantage of this and built a diversity of distributed applications over Kerberos v5. We present several projects in which this security infrastructure has been leveraged to meet the requirements of geographically dispersed collaborations. These range from straightforward "Kerberization" of applications such as database and batch services, to quick tricks like simulating a user-authenticated web service with AFS and the "file:" URL scheme, to more complex systems. Examples of the latter include experiment control room operations and the Central Analysis Farm (CAF). We present several use cases and their security models, and examine how they attempt to address some of the outstanding problems of secure distributed computing: delegation of the least necessary privilege; establishment of trust between a user and a remote processing facility; credentials for long-queued or long-running processes, and for automated processes running without any user's presence; security of remotely stored credentials; and the ability to scale to the numbers of sites, machines and users expected in the collaborations of the coming decade.
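One of the problems the abstract lists, credentials for long-queued or long-running processes, comes down to a check a practitioner makes before submitting a job: does the ticket's remaining lifetime, or failing that its renewable lifetime, cover the expected queue wait plus run time, and if neither does, the job needs credentials of its own. The Python below is an added example written for this page, not code from the paper or from Fermilab. It assumes the MIT Kerberos `klist` text layout, and the ticket cache listing, principal, realm and clock it works on are constructed for the example.

```python
"""Pre-submission credential check for a long-queued or long-running job.

Added illustration, not code from the paper: it decides whether a user's
current Kerberos TGT will outlive a job ("ticket"), can be kept alive by
periodic renewal, kinit -R style ("renew"), or whether the job must be given
its own credentials, e.g. a keytab, because even the renewable lifetime is
too short ("keytab"). Assumes the MIT Kerberos `klist` text layout; the
cache listing, principal, realm and timestamps below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed klist output (hypothetical principal and realm).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
01/15/2024 09:00:00  01/16/2024 11:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 01/22/2024 09:00:00
01/15/2024 09:00:05  01/16/2024 11:00:00  afs/example.org@EXAMPLE.ORG
"""
# Constructed "current time" used by demo(); a real check would use datetime.now().
NOW = datetime(2024, 1, 15, 10, 0, 0)

_TS = "%m/%d/%Y %H:%M:%S"
_STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
_TICKET = re.compile(rf"^({_STAMP})\s+({_STAMP})\s+(\S+)$")
_RENEW = re.compile(rf"^\s+renew until ({_STAMP})$")


@dataclass
class Ticket:
    service: str
    starts: datetime
    expires: datetime
    renew_until: Optional[datetime] = None  # absent for non-renewable tickets


def parse_klist(text: str) -> List[Ticket]:
    """Parse klist output; a 'renew until' line attaches to the preceding ticket."""
    tickets: List[Ticket] = []
    for line in text.splitlines():
        m = _TICKET.match(line)
        if m:
            tickets.append(Ticket(m.group(3),
                                  datetime.strptime(m.group(1), _TS),
                                  datetime.strptime(m.group(2), _TS)))
            continue
        m = _RENEW.match(line)
        if m and tickets:
            tickets[-1].renew_until = datetime.strptime(m.group(1), _TS)
    return tickets


def tgt_for(tickets: List[Ticket], realm: str) -> Optional[Ticket]:
    """The ticket-granting ticket for `realm`, or None if the cache has none."""
    for t in tickets:
        if t.service == f"krbtgt/{realm}@{realm}":
            return t
    return None


def renew_interval(tgt: Ticket) -> timedelta:
    """How often an unattended renewer must run: well inside one ticket
    lifetime, because a TGT can only be renewed while it is still valid."""
    return (tgt.expires - tgt.starts) / 2


def job_credential_plan(tickets: List[Ticket], realm: str, now: datetime,
                        queue_wait: timedelta, run_time: timedelta) -> str:
    """'ticket': the TGT outlives the job as is;
       'renew' : it must be renewed periodically, but the renewable limit suffices;
       'keytab': no usable TGT, or renewable lifetime too short."""
    tgt = tgt_for(tickets, realm)
    if tgt is None or now >= tgt.expires:
        return "keytab"
    need_until = now + queue_wait + run_time
    if need_until <= tgt.expires:
        return "ticket"
    if tgt.renew_until is not None and need_until <= tgt.renew_until:
        return "renew"
    return "keytab"


def demo(queue_hours: float, run_hours: float, realm: str = "EXAMPLE.ORG") -> str:
    """Run the check against the constructed cache listing and clock above."""
    return job_credential_plan(parse_klist(SAMPLE_KLIST), realm, NOW,
                               timedelta(hours=queue_hours), timedelta(hours=run_hours))


if __name__ == "__main__":
    for q, r in ((2, 12), (24, 48), (120, 120)):
        print(f"queue {q}h + run {r}h -> {demo(q, r)}")
```

Against a live cache, replace `SAMPLE_KLIST` with the captured output of `klist` and `NOW` with `datetime.now()`. A "renew" verdict only holds if something (a cron job running `kinit -R`, or a keytab-driven renewer such as k5start) actually renews inside every ticket lifetime, which is what `renew_interval` sizes; a "keytab" verdict means the job should not borrow the user's credentials at all but run under its own principal.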

Authors:
Crawford, Matt (Fermilab)
Publication Date:
2004
Research Org.:
Fermi National Accelerator Lab. (FNAL), Batavia, IL (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
15016946
Report Number(s):
FERMILAB-CONF-04-491-CD
TRN: US200621%%413
DOE Contract Number:  
AC02-76CH03000
Resource Type:
Conference
Resource Relation:
Conference: Prepared for Computing in High-Energy Physics (CHEP '04), Interlaken, Switzerland, 27 Sep - 1 Oct 2004
Country of Publication:
United States
Language:
English
Subject:
99 GENERAL AND MISCELLANEOUS//MATHEMATICS, COMPUTING, AND INFORMATION SCIENCE; CONTROL ROOMS; FARMS; FERMILAB; PHYSICS; PROCESSING; SECURITY; COMPUTERS; Computing

Citation Formats

Crawford, Matt. Building global HEP systems on Kerberos. United States: N. p., 2004. Web.
Crawford, Matt. Building global HEP systems on Kerberos. United States.
Crawford, Matt. 2004. "Building global HEP systems on Kerberos". United States. https://www.osti.gov/servlets/purl/15016946.
@inproceedings{osti_15016946,
  title = {Building global HEP systems on Kerberos},
  author = {Crawford, Matt},
  institution = {Fermi National Accelerator Lab. (FNAL), Batavia, IL (United States)},
  booktitle = {Computing in High-Energy Physics (CHEP '04), Interlaken, Switzerland, 27 Sep - 1 Oct 2004},
  abstractNote = {As an underpinning of AFS and Windows 2000, and as a formally proven security protocol [1] in its own right, Kerberos is ubiquitous among HEP sites. Fermilab and users from other sites have taken advantage of this and built a diversity of distributed applications over Kerberos v5. We present several projects in which this security infrastructure has been leveraged to meet the requirements of geographically dispersed collaborations. These range from straightforward ``Kerberization'' of applications such as database and batch services, to quick tricks like simulating a user-authenticated web service with AFS and the ``file:'' URL scheme, to more complex systems. Examples of the latter include experiment control room operations and the Central Analysis Farm (CAF). We present several use cases and their security models, and examine how they attempt to address some of the outstanding problems of secure distributed computing: delegation of the least necessary privilege; establishment of trust between a user and a remote processing facility; credentials for long-queued or long-running processes, and for automated processes running without any user's presence; security of remotely stored credentials; and the ability to scale to the numbers of sites, machines and users expected in the collaborations of the coming decade.},
  note = {Report FERMILAB-CONF-04-491-CD},
  url = {https://www.osti.gov/biblio/15016946},
  place = {United States},
  year = {2004},
  month = {dec}
}
