dCache, towards Federated Identities &amp; Anonymized Delegation

Ashish, Anupam; Millar, AP; Mkrtchyan, T.; Fuhrmann, Patrick; Behrmann, Gerd; Sahakyan, Marina; Adeyemi, Olufemi; Starek, Jürgen; Litvintsev, D.; Rossi, Albert

doi:10.1088/1742-6596/898/10/102009

Cited by 4 publications

(3 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If permitted, the returned token will permit the bearer to perform the specified activity ($ACTIVITY) for any resource inside the normalized $PATH. The defined authorizations (based upon the work done in dCache for its initial Macaroon support [6]) are:…”

Section: Evolving Approachmentioning

confidence: 99%

Third-party transfers in WLCG using HTTP

Bockelman

Ceccanti²,

Furano

et al. 2020

EPJ Web Conf.

View full text Add to dashboard Cite

Since its earliest days, the Worldwide LHC Computational Grid (WLCG) has relied on GridFTP to transfer data between sites. The announcement that Globus is dropping support of its open source Globus Toolkit (GT), which forms the basis for several FTP client and servers, has created an opportunity to reevaluate the use of FTP. HTTP-TPC, an extension to HTTP compatible with WebDAV, has arisen as a strong contender for an alternative approach. In this paper, we describe the HTTP-TPC protocol itself, along with the current status of its support in different implementations, and the interoperability testing done within the WLCG DOMA working group’s TPC activity. This protocol also provides the first real use-case for token-based authorisation for this community. We will demonstrate the benefits of such authorisation by showing how it allows HTTP-TPC to support new technologies (such as OAuth, OpenID Connect, Macaroons and SciTokens) without changing the protocol. We will also discuss the next steps for HTTP-TPC and the plans to use the protocol for WLCG transfers.

show abstract

Section: Evolving Approachmentioning

confidence: 99%

Third-party transfers in WLCG using HTTP

Bockelman

Ceccanti²,

Furano

et al. 2020

EPJ Web Conf.

View full text Add to dashboard Cite

show abstract

“…dCache supports macaroons [13] by allowing any authenticated user to request a macaroon. These macaroons have an enforced maximum lifetime and the bearer is only allowed (at most) those operations the macaroon-requesting user is authorised to do.…”

Section: Using Semi-trusted Resources With Atlas@workmentioning

confidence: 99%

Adapting ATLAS@Home to trusted and semi-trusted resources

et al. 2020

View full text Add to dashboard Cite

ATLAS@Home is a volunteer computing project which enables members of the public to contribute computing power to run simulations of the ATLAS experiment at CERN’s Large Hadron Collider. The computing resources provided to ATLAS@Home increasingly come not only from traditional volunteers, but also from data centres or office computers at institutes associated to ATLAS. The design of ATLAS@Home was built around not giving out sensitive credentials to volunteers, which means that a sandbox is needed to bridge data transfers between trusted and untrusted domains. As the scale of ATLAS@Home increases, this sandbox becomes a potential data management bottleneck. This paper explores solutions to this problem based on relaxing the constraints of sending credentials to trusted volunteers, allowing direct data transfer to grid storage and avoiding the intermediate sandbox. Fully trusted resources such as grid worker nodes can run with full access to grid storage, whereas semi-trusted resources such as student desktops can be provided with “macaroons”: time-limited access tokens which can only be used for specific files. The steps towards implementing these solutions as well as initial results with real ATLAS simulation tasks are discussed along with the experience gained so far and the next steps in the project.

show abstract

“…A Kafka agent consumes these events, filtering for those that have the signature of incoming data (e.g., matching target directory and filename). When such an event is found, macaroons [18,19] are requested that allow the bearer to download the new file, and upload the derived data. A new event that contains macaroon-embedded URLs is sent to a different topic in the Kafka instance.…”

Section: Processing Data On Ingestmentioning

confidence: 99%

Storage events: distributed users, federation and beyond

Millar¹,

Adeyemi²,

Garonne

et al. 2019

EPJ Web Conf.

View full text Add to dashboard Cite

For federated storage to work well, some knowledge from each storage system must exist outside that system, regardless of the use case. This is needed to allow coordinated activity; e.g., executing analysis jobs on worker nodes with good accessibility to the data. Currently, this is achieved by clients notifying central services of activity; e.g., a client notifies a replica catalogue after an upload. Unfortunately, this forces end users to use bespoke clients. It also forces clients to wait for asynchronous activities to finish. dCache provides an alternative approach: storage events. In this approach the storage systems (rather than the clients) become the coordinating service, notifying interested parties of key events. At DESY, we are investigating storage events along with Apache OpenWhisk and Kubernetes to build a "serverless" cloud, similar to AWS Lambda or Google Cloud Functions, for photon science use cases. Storage events are more generally useful: catalogues are notified whenever data is uploaded or delete, tape becomes more efficient because analysis can start immediately after the data is on disk, caches can be "smart" fetching new datasets preemptively. In this paper we will present work within dCache to support a new event-based interface, with which these and other use cases become more efficient. *

show abstract

dCache, towards Federated Identities & Anonymized Delegation

Cited by 4 publications

References 12 publications

Third-party transfers in WLCG using HTTP

Third-party transfers in WLCG using HTTP

Adapting ATLAS@Home to trusted and semi-trusted resources

Storage events: distributed users, federation and beyond

Contact Info

Product

Resources

About