The CMS Submission Infrastructure (SI) is the main computing resource provisioning system for CMS workloads. A number of HTCondor pools are employed to manage this infrastructure, which aggregates geographically distributed resources from the WLCG and other providers. Historically, the model of authentication among the diverse components of this infrastructure has relied on the Grid Security Infrastructure (GSI), based on identities and X509 certificates. In contrast, commonly used modern authentication standards are based on capabilities and tokens. The WLCG has identified this trend and aims at a transparent replacement of GSI for all its workload management, data transfer and storage access operations, to be completed during the current LHC Run 3. As part of this effort, and within the context of CMS computing, the Submission Infrastructure group is in the process of phasing out the GSI part of its authentication layers, in favor of IDTokens and Scitokens. The use of tokens is already well integrated into the HTCondor Software Suite, which has allowed us to fully migrate the authentication between internal components of SI. Additionally, recent versions of the HTCondor-CE support tokens as well, enabling CMS resource requests to Grid sites employing this CE technology to be granted by means of token exchange. After a rollout campaign to sites, successfully completed by the third quarter of 2022, the totality of HTCondor CEs in use by CMS are already receiving Scitoken-based pilot jobs. On the ARC CE side, a parallel campaign was launched to foster the adoption of the REST interface at CMS sites (required to enable token-based job submission via HTCondor-G), which is nearing completion as well. In this contribution, the newly adopted authentication model will be described. We will then report on the migration status and final steps towards complete GSI phase out in the CMS SI.

翻译：CMS提交基础设施（SI）是CMS工作负载的主要计算资源供给系统。该系统采用多个HTCondor资源池来管理这一基础设施，汇聚了来自全球LHC计算网格（WLCG）及其他供应商的地理分布式资源。历史上，该基础设施各组件间的认证模型依赖于基于身份与X509证书的网格安全基础设施（GSI）。相比之下，现代广泛使用的认证标准基于能力与令牌。WLCG已识别这一趋势，并计划在当前LHC第三运行周期内，对其所有工作负载管理、数据传输和存储访问操作实现GSI的透明化替代。作为此项工作的一部分，并在CMS计算框架内，提交基础设施团队正在逐步淘汰其认证层中的GSI组件，转而采用IDToken与Scitoken。令牌的使用已深度集成至HTCondor软件套件中，这使得我们能够完全迁移SI内部组件间的认证机制。此外，新版本的HTCondor-CE同样支持令牌，使得采用该CE技术的网格站点能够通过令牌交换来授权CMS资源请求。经过2022年第三季度已成功完成的站点推广活动，CMS使用的全部HTCondor-CE现已接收基于Scitoken的探针作业。在ARC CE方面，我们同步开展了推广活动以促进CMS站点采用REST接口（这是通过HTCondor-G实现基于令牌的作业提交所必需的），该工作也即将完成。本报告将阐述新采用的认证模型，并汇报迁移进展以及实现CMS SI中GSI完全淘汰的最终步骤。