27 September 2004 to 1 October 2004
Interlaken, Switzerland
Europe/Zurich timezone

Building Global HEP Systems on Kerberos

29 Sep 2004, 16:30
Brunig 3 (Interlaken, Switzerland)

Brunig 3

Interlaken, Switzerland

oral presentation Track 4 - Distributed Computing Services Grid Security


M. Crawford (FERMILAB)


As an underpinning of AFS and Windows 2000, and as a formally proven security protocol in its own right, Kerberos is ubiquitous among HEP sites. Fermilab and users from other sites have taken advantage of this and built a diversity of distributed applications over Kerberos v5. We present several projects in which this security infrastructure has been leveraged to meet the requirements of far-flung collaborations. These range from straightforward "Kerberization" of applications such as database and batch services, to quick tricks like simulating a user-authenticated web service with AFS and the "file:" schema, to more complex systems. Examples of the latter include experiment control room operations and the Central Analysis Farm (CAF). We present several use cases and their security models, and examine how they attempt to address some of the outstanding problems of secure distributed computing: delegation of the least necessary privilege; establishment of trust between a user and a remote processing facility; credentials for long-queued or long-running processes, and automated processes running without any user's instigation; security of remotely-stored credentials; and ability to scale to the numbers of sites, machines and users expected in the collaborations of the coming decade.

Primary author

M. Crawford (FERMILAB)

Presentation Materials