Pilot Description
The main objective of this section is to provide a brief, high-level description of the related pilot. The idea is to provide basic information so that the reader can easily understand it.
Pilot goals
Some questions to answer:
WLCG has been operating a distributed computing infrastructure for the past 15 years. User authentication and group management is based on x509 certificates, with authorisation conveyed in VOMS proxy certificates. This is no longer considered good practice, both for user experience and for infrastructure sustainability, since the community at large is moving to OAuth 2.0 token-based authentication and authorisation models.
This pilot activity aims to identify and enhance an existing AAI service to suit the requirements of the High Energy Physics community. The requirements focus on aspects currently not included in AAIs, a sample of which is included here:
- A user-friendly workflow to provision authorisation tokens in the user's local environment for command line activities. The majority of physicists' time is spent submitting "jobs" (analysis code) from a terminal, and it is essential that only limited browser interaction is required for authentication/authorisation.
- Integration with existing infrastructure for a smooth transition. Token translation to and from certificates will be essential for backwards compatibility. The existing database of identity vetting must also be leveraged.
- Development of a shared JWT profile for the wider physics community
A priority for WLCG was not to reinvent the wheel, following the FIM4R recommendation to re-use shared components. Two solutions have been identified as possibilities and are currently under development: EGI-Check-in and INDIGO IAM. Both solutions have multiple reasons for enhancing their services, and as such the decision was made to continue with the two options in parallel.
The goal is to provide a self-contained AAI pilot solution that enables token-based authentication and authorisation for WLCG. The two pilot services will be developed in parallel and assessed, and a recommendation will be made to the community. Such a solution will be of wider benefit to user communities also looking to move away from x509-based authentication and authorisation, and developments in INDIGO IAM and EGI-Check-in will be relevant for a larger audience.
More information can be found here: https://hackmd.web.cern.ch/s/rkyic3vtm
Pilot goals
The pilot goals are to:
- Support the development of shared AAI components to meet the requirements of WLCG
- Contribute AARC best practices to definition of the JWT Profile for token content
What are the goals of this pilot?
Why is it in AARC project?
How will this pilot improve the AARC community?
Why should I use this pilot instead of other solutions?
Description
The main objective of this section is to report detailed information about the pilot.
...
How this pilot works
Reasons to prefer this pilot over other existing tools
Detailed Scope
others
Components
This section will contain a list of the components used for this pilot.
It is not required to add a detailed description for each component, but three things are important:
- Add a link to the component web page
- Add a short description to explain its function (not more than one row)
- Explain why these components have been chosen
An example:
...
The components are as follows:
Component | Description | Why? | Link |
---|---|---|---|
RCAuth | Token Translation. Used to generate x509 certificates for access to legacy services | EU wide | https://rcauth.eu |
VOMS | Attribute Authority & Membership Management. Legacy authorisation database for WLCG, must be integrated for backwards compatibility | Pre-existing. Backwards compatibility | https://italiangrid.github.io/voms/ |
CERN HR DB | Attribute Authority. CERN's source of identity vetting information | Pre-existing. Backwards compatibility | N/A |
INDIGO-IAM | One option for the proxy and membership management component | Implements multiple components, easier maintenance. Product used by other communities. | https://www.indigo-datacloud.eu/identity-and-access-management |
EGI-Check-in | The second option for the proxy and membership management component | Implements multiple components, easier maintenance. Product used by other communities. | https://www.egi.eu/services/check-in/ |
Architecture
This section will provide two important parts:
...