WLCG Common JWT Profiles

Altunay, Mine; Bockelman, Brian; Ceccanti, Andrea; Cornwall, L.; Crawford, M.; Crooks, D. R. M.; Dack, Thomas; Dykstra, David; Groep, David; Igoumenos, Ioannis; Jouvin, Michel; Keeble, Oliver; Kelsey, David; Lassnig, M.; Liampotis, Nicolas; Litmaath, M.; McNab, A.; Millar, Paul; Sallé, Mischa; Short, Hannah; Teheran, Jeny; Wartel, Romain

doi:10.5281/zenodo.3460258

Cited by 4 publications

(6 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These activities have been led by the WLCG DOMA TPC working group which organizes several types of test-beds. A key activity in the coming months will be to evaluate fully token-based data transfers, with authorization following the rules defined by the WLCG JWT profile [5] and leveraging the integration with the WLCG IAM token issuer [2].…”

Section: Discussionmentioning

confidence: 99%

“…The WLCG DOMA TPC working group has instead settled on using bearer tokens to authenticate transfers. A number of bearer token based schemes have been proposed, including SciTokens [24] and the WLCG Common JWT profile [5]; these will eventually allow a transfer to be performed completely without the use of a X.509 client credential. As a transition mechanism, we have defined a way for clients to request a token from the storage endpoint, provided the request is made over a HTTPS connection that is GSI-authenticated.…”

Section: Building the Http-tpc Communitymentioning

confidence: 99%

See 1 more Smart Citation

Third-party transfers in WLCG using HTTP

Bockelman,

Ceccanti,

Furano

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

Since its earliest days, the Worldwide LHC Computational Grid (WLCG) has relied on GridFTP to transfer data between sites. The announcement that Globus is dropping support of its open source Globus Toolkit (GT), which forms the basis for several FTP client and servers, has created an opportunity to reevaluate the use of FTP. HTTP-TPC, an extension to HTTP compatible with WebDAV, has arisen as a strong contender for an alternative approach. In this paper, we describe the HTTP-TPC protocol itself, along with the current status of its support in different implementations, and the interoperability testing done within the WLCG DOMA working group's TPC activity. This protocol also provides the first real use-case for token-based authorisation for this community. We will demonstrate the benefits of such authorisation by showing how it allows HTTP-TPC to support new technologies (such as OAuth, OpenID Connect, Macaroons and SciTokens) without changing the protocol. We will also discuss the next steps for HTTP-TPC and the plans to use the protocol for WLCG transfers.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Building the Http-tpc Communitymentioning

confidence: 99%

Third-party transfers in WLCG using HTTP

Bockelman,

Ceccanti,

Furano

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…The WLCG Common JWT Profiles document was published on September 25th, 2019 [22]. This document describes how WLCG users may use the available geographically distributed resources without X.509 credentials.…”

Section: Schemamentioning

confidence: 99%

“…Inspired by Auth token exchange draft X Table 1. Token Claims used in the WLCG Schema, including their origin in either RFC7519 [4], OIDC core [5], the Research and Education Federations (REFEDS) [25] or the WLCG Schema itself [22]. "X" indicates their use in ID and Access tokens.…”

Section: Claimmentioning

confidence: 99%

See 1 more Smart Citation

WLCG Authorisation from X.509 to Tokens

Bockelman,

Ceccanti,

Collier

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

The WLCG Authorisation Working Group was formed in July 2017 with the objective to understand and meet the needs of a future-looking Authentication and Authorisation Infrastructure (AAI) for WLCG experiments. Much has changed since the early 2000s when X.509 certificates presented the most suitable choice for authorisation within the grid; progress in token based authorisation and identity federation has provided an interesting alternative with notable advantages in usability and compatibility with external (commercial) partners. The need for interoperability in this new model is paramount as infrastructures and research communities become increasingly interdependent. Over the past two years, the working group has made significant steps towards identifying a system to meet the technical needs highlighted by the community during staged requirements gathering activities. Enhancement work has been possible thanks to externally funded projects, allowing existing AAI solutions to be adapted to our needs. A cornerstone of the infrastructure is the reliance on a common token schema in line with evolving standards and best practices, allowing for maximum compatibility and easy cooperation with peer infrastructures and services. We present the work of the group and an analysis of the anticipated changes in authorisation model by moving from X.509 to token based authorisation. A concrete example of token integration in Rucio is presented.

show abstract

Operating an HPC/HTC Cluster with Fully Containerized Jobs Using HTCondor, Singularity, CephFS and CVMFS

Freyermuth

Wienemann

Bechtle

et al. 2021

Comput Softw Big Sci

View full text Add to dashboard Cite

High performance and high throughput computing (HPC/HTC) is challenged by ever increasing demands on the software stacks and more and more diverging requirements by different research communities. This led to a reassessment of the operational concept of HPC/HTC clusters at the Physikalisches Institut at the University of Bonn. As a result, the present HPC/HTC cluster (named BAF2) introduced various conceptual changes compared to conventional clusters. All jobs are now run in containers and a container-aware resource management system is used which allowed us to switch to a model without login/head nodes. Furthermore, a modern, feature-rich storage system with powerful interfaces has been deployed. We describe the design considerations, the implemented functionality and the operational experience gained with this new-generation setup which turned out to be very successful and well-accepted by its users.

show abstract

WLCG Common JWT Profiles

Cited by 4 publications

References 0 publications

Third-party transfers in WLCG using HTTP

Third-party transfers in WLCG using HTTP

WLCG Authorisation from X.509 to Tokens

Operating an HPC/HTC Cluster with Fully Containerized Jobs Using HTCondor, Singularity, CephFS and CVMFS

Contact Info

Product

Resources

About