Speaker
M. Crawford
(FERMILAB)
Description
As an underpinning of AFS and Windows 2000, and as a formally proven
security protocol in its own right, Kerberos is ubiquitous among HEP
sites. Fermilab and users from other sites have taken advantage of this
and built a diversity of distributed applications over Kerberos v5. We
present several projects in which this security infrastructure has been
leveraged to meet the requirements of far-flung collaborations. These
range from straightforward "Kerberization" of applications such as
database and batch services, to quick tricks like simulating a
user-authenticated web service with AFS and the "file:" schema, to more
complex systems. Examples of the latter include experiment control room
operations and the Central Analysis Farm (CAF).
We present several use cases and their security models, and examine how
they attempt to address some of the outstanding problems of secure
distributed computing: delegation of the least necessary privilege;
establishment of trust between a user and a remote processing facility;
credentials for long-queued or long-running processes, and automated
processes running without any user's instigation; security of
remotely-stored credentials; and ability to scale to the numbers of
sites, machines and users expected in the collaborations of the coming
decade.
Primary author
M. Crawford
(FERMILAB)
