Challenges in DUNE Computing: Addressing Authentication and Authorization Needs
DUNE, a long-baseline Neutrino experiment, faces computational challenges in managing authentication and authorization requirements for its data management and computing operations. This involves evolving current schemes to accommodate the anticipated growth in data volume and distribution across multiple sites. The experiment relies on Fermilab-provided utilities for security and closely follows site security policies, all while aiming to enhance its capabilities and efficiency. Collaboration with various platforms and tools facilitates job submissions, file services, and web-based operations to support DUNE's computing needs.
Presentation Transcript
DUNE Authentication Needs
Steven Timm
12 Sep 2019
For DUNE Software + Computing
At mini-FIM4R Workshop, Fermilab
My Hats
- DUNE Data Management
- DUNE VO Security Contact
- FERMILAB VOMS service operator
- FERMILAB HEPCloud service operator
My comments today are given with my DUNE hat on, but informed by my experience in running Grid services at Fermilab from 2005 to the present.
12 Sep 2019 S. Timm | DUNE@mini-FIM4R 2
Outline
I will describe:
- Brief introduction to DUNE and DUNE computing
- Current authentication/authorization scheme and the problems we currently face
- Expected evolution and growth of our setup in the tokens era
- Currently known DUNE requirements of next-generation AuthN/AuthZ
Important caveats:
- The DUNE experiment currently does not manage our own AuthN/AuthZ. The fact that I am a DUNE collaborator and also operator of VOMS at Fermilab is pure coincidence.
- We rely on Fermilab site-provided utilities for authentication and authorization and hope to continue to do so.
- As a Fermilab-hosted experiment, all Fermilab site security policies apply to DUNE, and we work closely with the security people to be sure we are in compliance.
DUNE Computing Challenges
DUNE is a long-baseline neutrino experiment:
- Currently 2 test-size (5% scale) detectors running at CERN
- 4 modules, 40,000 tons each, to be built and installed in Lead, SD
7 PB on tape so far from detector output, reconstruction, and simulation.
Expect 30 PB/year once the first far detector module comes online in the 2026 time frame.
Currently expected to get 75% of our computing on the grid outside of Fermilab, much of that at European sites.
Using Rucio to distribute data to many disk centers.
DUNE Web Services
CLOUD HOSTED
- ServiceNow
- Dunescience.slack.com
- Zoom
- Github.com
CERN HOSTED
- CERN Twiki (protodune)
- CERN E-LOG
- Indico.cern.ch
FNAL HOSTED
- Wiki.dunescience.org (mediawiki)
- www.dunescience.org (wordpress)
- Indico.fnal.gov
- ECL electronic logbook
- Cdcvs.fnal.gov (redmine)
FNAL HOSTED (continued)
- Docs.dunescience.org (docdb)
- Dune-data.fnal.gov
- Landscape.fnal.gov (monitoring)
- Collaboration Database
- ECL Electronic Logbook
- Conditions DB (web)
- Fermi VPN
Job submission and file services (most of which use certificate auth right now)
- SAM*
- Jobsub*
- POMS*
- Rucio*
- dCache/Enstore
- EOS* / Castor* / CTA
- HEPCloud
- GlideinWMS
- Fermi FTS, CERN FTS-3
- Lots and lots of databases everywhere
- DIRAC*
State of DUNE Dist. Computing
DUNE already computes at > 25 compute sites around the world:
- All possible grid middlewares, all possible docker/singularity configs
- Global pool unified through GlideinWMS following the CMS model
DUNE has 12 storage elements declared in Rucio:
- All possible types of SE recognized by the WLCG, plus some that aren't (and all types of manual ad-hoc mechanisms for cert DNs)
- Most can't 3rd-party-transfer between each other even now
- When gridFTP goes away we lose our lowest common denominator
Need to *get* the data flowing in the current regime and then *keep* the data flowing in the post-cert regime.
DUNE Production AuthN/AuthZ
- DUNE production servers run on IGTF-certified InCommon certs
- DUNE production job submission is done with an IGTF-certified InCommon cert
- DUNE data movement CERN->FNAL->everywhere else is done with an IGTF-certified InCommon cert
- Production jobs can run anywhere; works fine
- A long proxy of the service cert is stored in MyProxy and shorter-lived delegations are used in running Grid jobs
- Need some way to ensure the equivalent of this in the age of tokens
DUNE grid user AuthN/AuthZ
- A utility called cigetcert is used to contact CILogon on behalf of the user and retrieve a certificate (a Web UI is also available)
- Can use a Fermi Kerberos credential or Fermi single sign-on credential to authenticate
- Automatically done on behalf of the user when they submit a job with jobsub
- 1-month-long cert stored in MyProxy
- The Jobsub server is the only machine that can get MyProxy delegations of shorter proxies and push them out to running jobs
- Most users never have to voms-proxy-init, openssl pkcs12, grid-proxy-init, or any of that; the certificate is transparent to them
- Unfortunately cilogon-basic is not IGTF Classic accredited (see the earlier Mine Altunay talk). The previous Kerberos CA (SLCS) was.
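The two slides above describe one delegation chain: a 1-month certificate is stored in MyProxy and only shorter-lived proxies are handed to running jobs. The following is an added example (not code from the talk or from Fermilab's tools) that models the lifetime rule a practitioner would want enforced on such a chain: every delegated proxy must be issued by the link above it, must not be valid outside its parent's window, and the job proxy must be short-lived and valid right now. All subject names, the 30-day and 24-hour figures, and the sample timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Credential:
    """One link in a cert/proxy chain (constructed model, not a real X.509 object)."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def delegation_violations(chain, now, max_leaf_lifetime):
    """Check a chain ordered root-first: CA cert, user cert, MyProxy proxy, job proxy.
    Returns a list of human-readable policy violations (empty means the chain is OK)."""
    violations = []
    for parent, child in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            violations.append(f"{child.subject}: issuer does not match parent subject")
        if child.not_before < parent.not_before or child.not_after > parent.not_after:
            violations.append(f"{child.subject}: validity extends outside parent window")
    leaf = chain[-1]  # the proxy actually pushed out to the running job
    if leaf.not_after - leaf.not_before > max_leaf_lifetime:
        violations.append(f"{leaf.subject}: job proxy lifetime exceeds {max_leaf_lifetime}")
    if not (leaf.not_before <= now <= leaf.not_after):
        violations.append(f"{leaf.subject}: job proxy not valid at {now.isoformat()}")
    return violations


# Constructed sample chain; DNs are placeholders, not real DUNE or CILogon names.
T0 = datetime(2019, 9, 1, tzinfo=timezone.utc)
CA = Credential("CN=Example CA", "CN=Example CA", T0 - timedelta(days=365), T0 + timedelta(days=365))
USER_CERT = Credential("CN=dune user", CA.subject, T0, T0 + timedelta(days=30))  # 1-month cert
LONG_PROXY = Credential("CN=dune user/CN=proxy", USER_CERT.subject, T0, T0 + timedelta(days=30))  # stored in MyProxy
JOB_PROXY = Credential("CN=dune user/CN=proxy/CN=proxy", LONG_PROXY.subject,
                       T0 + timedelta(days=5), T0 + timedelta(days=5, hours=24))
GOOD_CHAIN = [CA, USER_CERT, LONG_PROXY, JOB_PROXY]

# A mis-issued delegation that outlives the MyProxy credential it was derived from.
BAD_PROXY = Credential("CN=dune user/CN=proxy/CN=proxy", LONG_PROXY.subject,
                       T0 + timedelta(days=5), T0 + timedelta(days=40))
BAD_CHAIN = [CA, USER_CERT, LONG_PROXY, BAD_PROXY]


def check_sample_chains(now=T0 + timedelta(days=5, hours=6), cap=timedelta(hours=24)):
    """Evaluate both constructed chains at a fixed instant; returns (good_violations, bad_violations)."""
    return delegation_violations(GOOD_CHAIN, now, cap), delegation_violations(BAD_CHAIN, now, cap)


if __name__ == "__main__":
    good, bad = check_sample_chains()
    print("good chain:", good or "no violations")
    print("bad chain:", bad)
```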
Current Challenges: Membership
- Initial Fermi ID and renewals are taking much longer to process
- Initial CERN ID always took a long time to process
- It is likely that DUNE will have some collaborators who are unbadgeable at Fermilab and others who are unbadgeable at CERN
Need ways to:
- 1) Make the "How To Join DUNE and Get an ID" page public
- 2) Give access to computing technical people who are not necessarily DUNE collaborators, even those whose institution may not be part of DUNE
- 3) Make a proxy service for file fetching
DUNE VO Membership
- A huge amount of work has recently been done at Fermilab to automate collaboration accounts: the FERRY project
- A user that wants to join DUNE has to get sign-off from their institutional board representative
- The request for a DUNE computing account (and the associated Fermilab ID you need to get it) goes through the DUNE collaboration office at Fermilab
- Once approved, all account creation and VO population is automatic
- Can add extra non-CILogon-basic certs to your VO entry via a service desk form
- The VOMS-Admin interface is still there for now, but it's read-only
Things we know and things we need to know
- Good to see that the developers are making progress in technology and compatibility
- How do we ensure compatibility/interoperability in the interim period when some sites are using tokens and some are not?
- Have learned a lot from this workshop thus far and made some good contacts
- How to get data from CERN to Fermilab in 2021?
- See a lot of benefit from capabilities features, particularly in Rucio but also in the various web 2.0 stuff
- What's the process by which sites choose whose tokens to trust?
- How does this all play in a mobile environment?
- The AARC diagram brought lots of questions that we have to understand
- How can we mitigate the rapidly growing number of MFA tokens?