
Title: Building global HEP systems on Kerberos

Conference · OSTI ID: 15016946

As an underpinning of AFS and Windows 2000, and as a formally proven security protocol [1] in its own right, Kerberos is ubiquitous among HEP sites. Fermilab and users from other sites have taken advantage of this and built a diversity of distributed applications over Kerberos v5. We present several projects in which this security infrastructure has been leveraged to meet the requirements of geographically dispersed collaborations. These range from straightforward "Kerberization" of applications such as database and batch services, to quick tricks like simulating a user-authenticated web service with AFS and the "file": schema, to more complex systems. Examples of the latter include experiment control room operations and the Central Analysis Farm (CAF). We present several use cases and their security models, and examine how they attempt to address some of the outstanding problems of secure distributed computing: delegation of the least necessary privilege; establishment of trust between a user and a remote processing facility; credentials for long-queued or long-running processes, and automated processes running without any user's presence; security of remotely-stored credentials; and ability to scale to the numbers of sites, machines and users expected in the collaborations of the coming decade.

Research Organization: Fermi National Accelerator Lab. (FNAL), Batavia, IL (United States)
Sponsoring Organization: USDOE
DOE Contract Number: AC02-76CH03000
Report Number(s): FERMILAB-CONF-04-491-CD; TRN: US200621%%413
Resource Relation: Conference: Prepared for Computing in High-Energy Physics (CHEP '04), Interlaken, Switzerland, 27 Sep - 1 Oct 2004
Country of Publication: United States
Language: English
