JAliEn (Java-AliEn) is the ALICE’s next generation Grid framework which will be used for the top-level distributed computing resources management during the LHC Run3 and onward. While preserving an interface familiar to the ALICE users, its performance and scalability are an order of magnitude better than the currently used system.
To enhance the JAliEn security, we have developed the so-called Token Certificates – short lived full Grid certificates, generated by central services automatically or on client’s request. The new system provides fine-grained control over user/client authorization, e.g. filtering out unauthorized requests based on the client’s type: generic user, job agent, job payload. These and other parameters (like job ID) are encrypted in the token by the issuing service and cannot be altered.
Client-side security implementation is also described in the aspect of interaction between user jobs and job agents. User jobs will use JAliEn tokens for authentication and authorization to the central JAliEn services. These tokens are passed from the job agent through a pipe stream, thus are not stored on disk or in environment visible to anyone except the job process. Furthermore, we foresee improvement at the level of isolation of users’ payloads by running them in containers.
While JAliEn doesn't rely on X509 proxies, the backward compatibility is kept to assure interoperability with services, which require these.