Jul 9 – 13, 2018
Sofia, Bulgaria

Macaroons: looking back and looking forward

Jul 10, 2018, 3:30 PM
Hall 7 (National Palace of Culture)

Presentation | Track 3 – Distributed computing


Paul Millar (DESY)


X.509 is the dominant security infrastructure used in WLCG. Although
this technology has worked well, it has some issues. One is that,
currently, a delegated proxy can do everything the parent credential
can do. A stolen "production" proxy could be used from any machine in
the world to delete all data owned by that VO on all storage systems
in the grid.

Generating a delegated X.509 credential is also computationally
expensive. As a result, credentials tend to be cached and reused,
potentially increasing the likelihood of theft.

In October 2017, dCache v3.2 was released, which introduced support
for macaroons: a pure authorisation, bearer token that supports
delegation with autonomous attenuation.

In contrast to X.509, minting a macaroon is much faster, so that
creating a macaroon per request is feasible. Macaroons also support
attenuation when delegating: the delegated macaroon can be limited to
a specific task and to a specific machine.
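The mint / attenuate / verify cycle described above, as an added illustration that is not dCache's code: a minimal macaroon built on the HMAC chain the format uses, where the caveat vocabulary (`activity:`, `ip:`, `path:`) and the key are constructed placeholders. A holder can only narrow what a token permits; dropping a caveat or forging one breaks the chain.

```python
import hmac, hashlib, ipaddress
from dataclasses import dataclass, field

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass
class Macaroon:
    identifier: str                       # public hint, e.g. who it was minted for
    caveats: list = field(default_factory=list)
    signature: bytes = b""

def mint(root_key: bytes, identifier: str) -> Macaroon:
    # Only the issuer (the storage server) holds root_key: sig = HMAC(root_key, id)
    return Macaroon(identifier, [], _hmac(root_key, identifier.encode()))

def attenuate(m: Macaroon, caveat: str) -> Macaroon:
    # Any holder can add a caveat without the root key, by chaining the HMAC:
    # new_sig = HMAC(old_sig, caveat). This is what lets a delegate restrict
    # the token to one task and one machine before handing it on.
    return Macaroon(m.identifier, m.caveats + [caveat], _hmac(m.signature, caveat.encode()))

def caveat_holds(caveat: str, ctx: dict) -> bool:
    # Assumed caveat grammar: "activity:A,B", "ip:CIDR", "path:PREFIX".
    kind, _, value = caveat.partition(":")
    if kind == "activity":
        return ctx["activity"] in value.split(",")
    if kind == "ip":
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(value, strict=False)
    if kind == "path":
        return ctx["path"].startswith(value)
    return False  # unknown caveat kind: fail closed

def verify(root_key: bytes, m: Macaroon, ctx: dict) -> bool:
    # Recompute the whole chain from the root key, then evaluate each caveat
    # against the request context (what is being done, from where, on what).
    sig = _hmac(root_key, m.identifier.encode())
    for c in m.caveats:
        sig = _hmac(sig, c.encode())
    if not hmac.compare_digest(sig, m.signature):
        return False
    return all(caveat_holds(c, ctx) for c in m.caveats)

if __name__ == "__main__":
    root = b"constructed-root-key"
    prod = mint(root, "user:atlas-production")
    worker = attenuate(attenuate(prod, "activity:DOWNLOAD,LIST"), "ip:10.0.0.0/24")
    print(verify(root, worker, {"activity": "DOWNLOAD", "ip": "10.0.0.7", "path": "/data"}))  # True
    print(verify(root, worker, {"activity": "DELETE", "ip": "10.0.0.7", "path": "/data"}))    # False
```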

This paper reviews the current state of this support in dCache and
presents the different use-cases and projects that are using or are
evaluating macaroons. It also compares macaroons to other pure bearer
token solutions, such as the OAuth2 approach in SciToken, highlighting
the relative strengths and weaknesses of each.

Primary authors

Paul Millar (DESY), Dr Olufemi Adeyemi (DESY), Gerd Behrmann (NEIC), Patrick Fuhrmann (DESY), Vincent Garonne (University of Oslo (NO)), Dmitry Litvintsev (FNAL), Tigran Mkrtchyan (DESY), Dr Albert Rossi (FNAL), Dr Marina Sahakyan (DESY), Mr Juergen Starek (DESY), Brian Paul Bockelman (University of Nebraska Lincoln (US))
