CERN’s Identity and Access Management: A journey to Open Source

Corman, Asier Aguado; Rodríguez, Daniel Fernández; Georgiou, Maria V.; Rische, Julien; Schuszter, Ioan Cristian; Short, Hannah; Tedesco, Paolo

doi:10.1051/epjconf/202024503012

Cited by 5 publications

(1 citation statement)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…CERN is migrating its Authentication and Authorisation Infrastructure to Keycloak [1], which allows us to fully support OAuth 2.0 (Open Authorisation 2.0, hereafter OAuth for short, as previous versions are obsolete [2] and OAuth 2.1 is in draft stage) as well as SAML (Security Assertion Markup Language). OAuth has become increasingly popular over the past 5 years, and the vast majority of our authenticated applications now rely on OAuth.…”

Section: Introductionmentioning

confidence: 99%

Solutions for non-web OAuth 2.0 authorisation at CERN

Aguado Corman,

Henschel,

Short

et al. 2024

EPJ Web of Conf.

Self Cite

View full text Add to dashboard Cite

The need for Single Sign-On solutions in command line interfaces is not new to CERN. Different technologies have been introduced and internal solutions have been implemented to allow users to authenticate to remote servers or applications from their console interfaces. In the case of web services, the most common approach was to use cookie-based authentication, for which an internal tool was developed and made available for all the CERN user community. As the authorisation infrastructure evolved and started to fully support the OAuth 2.0 standard, as well as two-factor authentication (2FA), using the internal tool started to show its limitations. In this work, we present the past and present (OAuth-compliant) solutions, and compare them by looking at the advantages and disadvantages we have found. We also present a case study of a service, OpenShift, that implements this new authentication solution for their users.

show abstract

Section: Introductionmentioning

confidence: 99%

Solutions for non-web OAuth 2.0 authorisation at CERN

Aguado Corman,

Henschel,

Short

et al. 2024

EPJ Web of Conf.

Self Cite

View full text Add to dashboard Cite

show abstract

Evaluating CephFS Performance vs. Cost on High-Density Commodity Disk Servers

Peters

Ster

2021

Comput Softw Big Sci

View full text Add to dashboard Cite

CephFS is a network filesystem built upon the Reliable Autonomic Distributed Object Store (RADOS). At CERN we have demonstrated its reliability and elasticity while operating several 100-to-1000TB clusters which provide NFS-like storage to infrastructure applications and services. At the same time, our lab developed EOS to offer high performance 100PB-scale storage for the LHC at extremely low costs while also supporting the complete set of security and functional APIs required by the particle-physics user community. This work seeks to evaluate the performance of CephFS on this cost-optimized hardware when it is combined with EOS to support the missing functionalities. To this end, we have setup a proof-of-concept Ceph Octopus cluster on high-density JBOD servers (840 TB each) with 100Gig-E networking. The system uses EOS to provide an overlayed namespace and protocol gateways for HTTP(S) and XROOTD, and uses CephFS as an erasure-coded object storage backend. The solution also enables operators to aggregate several CephFS instances and adds features, such as third-party-copy, SciTokens, and high-level user and quota management. Using simple benchmarks we measure the cost/performance tradeoffs of different erasure-coding layouts, as well as the network overheads of these coding schemes. We demonstrate some relevant limitations of the CephFS metadata server and offer improved tunings which can be generally applicable. To conclude, we reflect on the advantages and drawbacks related to this architecture, such as RADOS-level free space requirements and double-network penalties, and offer ideas for improvements in the future.

show abstract

The new (and improved!) CERN Single-Sign-On

et al. 2021

Self Cite

View full text Add to dashboard Cite

The new CERN Single-Sign-On (SSO), built around an open source stack, has been in production for over a year and many CERN users are already familiar with its approach to authentication, either as a developer or as an end user. What is visible upon logging in, however, is only the tip of the iceberg. Behind the scenes there has been a significant amount of work taking place to migrate accounts management and to decouple Kerberos [1] authentication from legacy Microsoft components. Along the way the team has been engaging with the community through multiple fora, to make sure that a solution is provided that not only replaces functionality but also improves the user experience for all CERN members. This paper will summarise key evolutions and clarify what is to come in the future.

show abstract

CERN’s Identity and Access Management: A journey to Open Source

Cited by 5 publications

References 3 publications

Solutions for non-web OAuth 2.0 authorisation at CERN

Solutions for non-web OAuth 2.0 authorisation at CERN

Evaluating CephFS Performance vs. Cost on High-Density Commodity Disk Servers

The new (and improved!) CERN Single-Sign-On

Contact Info

Product

Resources

About