The WLCG is modernizing its security infrastructure, replacing X.509 client authentication with the newer industry standard of JSON Web Tokens (JWTs) obtained through the Open ID Connect (OIDC) protocol. There is a wide variety of software available using the standards, but most of it is for Web browser-based applications and doesn’t adapt well to the command line-based software used heavily in High Throughput Computing (HTC). OIDC command line client software did exist, but it did not meet our requirements for security and convenience. This paper discusses a command line solution we have made based on the popular existing secrets management software from Hashicorp called vault . We made a package called htvault-config to easily configure a vault service and another called htgettoken to be the vault client. In addition, we have integrated use of the tools into the HTCondor workload management system, although they also work well independent of HTCondor . All of the software is open source, under active development, and ready for use.
展开▼
机译:WLCG正在通过Open ID Connect(OIDC)协议获得的JSON Web令牌(JWT)的较新的行业标准,更换X.509客户端认证。使用标准有各种各样的软件,但大多数是用于基于Web浏览器的应用程序,并且不适合在高吞吐量计算(HTC)中使用的基于命令行的软件。 oidc命令行客户端软件确实存在,但它没有满足我们的安全性和便利要求。本文讨论了我们基于来自Hashicorp称为Vault的流行现有秘密管理软件的命令行解决方案。我们制作了一个名为htvault-config的包,以轻松配置Vault服务,另一个名为HTGetToken以成为Vault客户端。此外,我们还将工具综合使用进入HTCondor工作负载管理系统,尽管它们也与Htcondor完全齐全。所有软件都是开源,在主动开发下,准备使用。
展开▼
