Journal: EPJ Web of Conferences

The Security model of the ALICE next generation Grid framework


Abstract

JAliEn (Java-AliEn) is the ALICE next generation Grid framework, which will be used for top-level management of distributed computing resources during LHC Run 3 and onward. While preserving an interface familiar to ALICE users, its performance and scalability are an order of magnitude better than those of the currently used framework. To implement the JAliEn security model, we have developed the so-called Token Certificates: short-lived full Grid certificates, generated by central services automatically or on the client's request. Token Certificates allow fine-grained control over user/client authorization, e.g. filtering out unauthorized requests based on the client's type: end user, job agent, job payload. These and other parameters (like job ID) are encrypted in the token by the issuing service and cannot be altered. The client-side security implementation is further described in terms of the interaction between user jobs and job agents. User jobs will use JAliEn tokens for authentication and authorization by the central JAliEn services. These tokens are passed from the job agent through a pipe stream, not stored on disk, and are thus readily available only to the intended job process. The level of isolation of user payloads is further improved by running them in containers. While JAliEn doesn't rely on X.509 proxies, backward compatibility is kept to ensure interoperability with services that require them.