Building global HEP systems on Kerberos
Abstract
As an underpinning of AFS and Windows 2000, and as a formally proven security protocol [1] in its own right, Kerberos is ubiquitous among HEP sites. Fermilab and users from other sites have taken advantage of this and built a diversity of distributed applications over Kerberos v5. We present several projects in which this security infrastructure has been leveraged to meet the requirements of geographically dispersed collaborations. These range from straightforward "Kerberization" of applications such as database and batch services, to quick tricks like simulating a user-authenticated web service with AFS and the "file": schema, to more complex systems. Examples of the latter include experiment control room operations and the Central Analysis Farm (CAF). We present several use cases and their security models, and examine how they attempt to address some of the outstanding problems of secure distributed computing: delegation of the least necessary privilege; establishment of trust between a user and a remote processing facility; credentials for long-queued or long-running processes, and automated processes running without any user's presence; security of remotely-stored credentials; and ability to scale to the numbers of sites, machines and users expected in the collaborations of the coming decade.
- Authors:
- Publication Date:
- Research Org.:
- Fermi National Accelerator Lab. (FNAL), Batavia, IL (United States)
- Sponsoring Org.:
- USDOE
- OSTI Identifier:
- 15016946
- Report Number(s):
- FERMILAB-CONF-04-491-CD
TRN: US200621%%413
- DOE Contract Number:
- AC02-76CH03000
- Resource Type:
- Conference
- Resource Relation:
- Conference: Prepared for Computing in High-Energy Physics (CHEP '04), Interlaken, Switzerland, 27 Sep - 1 Oct 2004
- Country of Publication:
- United States
- Language:
- English
- Subject:
- 99 GENERAL AND MISCELLANEOUS//MATHEMATICS, COMPUTING, AND INFORMATION SCIENCE; CONTROL ROOMS; FARMS; FERMILAB; PHYSICS; PROCESSING; SECURITY; COMPUTERS; Computing
Citation Formats
Crawford, Matt, and /Fermilab. Building global HEP systems on Kerberos. United States: N. p., 2004. Web.
Crawford, Matt, & /Fermilab. Building global HEP systems on Kerberos. United States.
Crawford, Matt, and /Fermilab. 2004. "Building global HEP systems on Kerberos". United States. https://www.osti.gov/servlets/purl/15016946.
@article{osti_15016946,
title = {Building global HEP systems on Kerberos},
author = {Crawford, Matt and /Fermilab},
abstractNote = {As an underpinning of AFS and Windows 2000, and as a formally proven security protocol [1] in its own right, Kerberos is ubiquitous among HEP sites. Fermilab and users from other sites have taken advantage of this and built a diversity of distributed applications over Kerberos v5. We present several projects in which this security infrastructure has been leveraged to meet the requirements of geographically dispersed collaborations. These range from straightforward ``Kerberization'' of applications such as database and batch services, to quick tricks like simulating a user-authenticated web service with AFS and the ``file'': schema, to more complex systems. Examples of the latter include experiment control room operations and the Central Analysis Farm (CAF). We present several use cases and their security models, and examine how they attempt to address some of the outstanding problems of secure distributed computing: delegation of the least necessary privilege; establishment of trust between a user and a remote processing facility; credentials for long-queued or long-running processes, and automated processes running without any user's presence; security of remotely-stored credentials; and ability to scale to the numbers of sites, machines and users expected in the collaborations of the coming decade.},
doi = {},
url = {https://www.osti.gov/biblio/15016946},
journal = {},
number = {},
volume = {},
place = {United States},
year = {2004},
month = {12}
}