Fermilab is transitioning authentication and authorization for grid operations to bearer tokens based on the WLCG Common JWT (JSON Web Token) Profile. One capability that Fermilab experimenters rely on is automated batch job submission, which in turn depends on being able to securely refresh the necessary credentials and distribute them to the experiments' job submit points. With the transition to tokens for grid operations, we therefore needed a service that obtains, refreshes, and distributes tokens on the experimenters' behalf. Such a service spares experimenters from having to become experts in obtaining their own tokens and better protects the most sensitive long-lived credentials. It also needed to scale widely, as Fermilab hosts many experiments, each of which needs its own credentials. To address these needs, we created and deployed a Managed Tokens Service. The service is written in Go, whose native concurrency primitives let it scale operations easily as we onboard experiments. Its initial credentials are a set of Kerberos keytabs stored on the same secure machine that runs the Managed Tokens Service. These Kerberos credentials allow the service to use htgettoken via condor_vault_storer to store vault tokens in the HTCondor credential managers (credds) that run on the batch system scheduler machines (HTCondor schedds), and also to download a local, shorter-lived copy of the vault token. The Kerberos credentials are then used again to distribute copies of the locally stored vault tokens to the experiments' submit points.
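As an added illustration (not the service's own code), the per-experiment fan-out that the abstract attributes to Go's concurrency primitives: each experiment's obtain-then-distribute cycle runs in its own goroutine, and every failure is recorded per experiment and per submit point instead of aborting the whole run. The Experiment, Steps, Outcome and RunAll names are assumptions, and the real kinit, htgettoken via condor_vault_storer, and copy-to-submit-point steps are stubbed as injected functions so the code runs offline.

```go
package main

import "sync"

// Experiment: one onboarded experiment, its keytab, and its submit points.
type Experiment struct {
	Name, Keytab string
	SubmitPoints []string
}

// Steps are injected so the cycle runs offline; a deployment would wrap kinit
// with the keytab, htgettoken via condor_vault_storer and the copy to each
// submit point. These signatures are hypothetical, not the service's API.
type Steps struct {
	Obtain     func(exp Experiment) (localToken string, err error)
	Distribute func(exp Experiment, host, token string) error
}

// Outcome: submit points that received a token, plus every error recorded.
type Outcome struct{ Name string; Delivered, Errors []string }

// RunAll runs each experiment's obtain-then-distribute cycle in its own
// goroutine, so one failing experiment or host never blocks the others.
// Each goroutine writes only its own slot, so no mutex is needed.
func RunAll(exps []Experiment, s Steps) []Outcome {
	var wg sync.WaitGroup
	outs := make([]Outcome, len(exps))
	for i, exp := range exps {
		wg.Add(1)
		go func(i int, exp Experiment) {
			defer wg.Done()
			o := Outcome{Name: exp.Name}
			tok, err := s.Obtain(exp)
			if err != nil { // no token, so there is nothing to push
				o.Errors = append(o.Errors, "obtain: "+err.Error())
				exp.SubmitPoints = nil
			}
			for _, h := range exp.SubmitPoints {
				if derr := s.Distribute(exp, h, tok); derr != nil {
					o.Errors = append(o.Errors, h+": "+derr.Error())
				} else {
					o.Delivered = append(o.Delivered, h)
				}
			}
			outs[i] = o
		}(i, exp)
	}
	wg.Wait()
	return outs
}
```

The returned slice is indexed like the input, so an operator can report per-experiment delivery status and alert on experiments whose token was never obtained.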