The Distributed Computing Access with Federated Identities (DCAFI) project is moving forward on schedule and should be ready to start migrating the first experiment in June. For those of you who are unfamiliar with it, these are the motivations for the project:
- Dependency on Kerberos makes it difficult for non-Fermilab scientists to access our grid resources remotely, obstructing our lab's goal of being an international laboratory.
- Fermilab’s Kerberos Certificate Authority (KCA) server is losing its support starting September 2016, forcing us to find a replacement Certificate Authority for grid access.
- Asking users to manage their own certificates is a burden on them we avoided with KCA-based grid access, and we want to continue to avoid it.
Those motivations translated into these goals:
- Remove our dependency on Kerberos and KCA certificates.
- Continue to shield the users from the complexities of directly dealing with X.509 certificates.
- Integrate the grid authentication infrastructure with federated identities.
- In phase 1 we will use only Fermilab-based identities, but in phase 2 we will support other institutions. Phase 1 users need a Fermilab account but do not need to log in to a Fermilab machine in order to submit jobs using the FIFE infrastructure.
From the end user’s point of view, those who have Fermilab Kerberos credentials will be able to continue to submit jobs with no changes and no extra work for managing credentials. For those who want to submit from a remote site without Fermilab Kerberos, the jobsub_submit command will tell them once a week when it is time to run a new “cigetcert” command to enter their Services password to get a new certificate. “cigetcert” will contact a Fermilab Identity Provider service to authorize the user, make use of the pre-existing CILogon Basic CA service to get a new certificate into /tmp, and place a longer-lived copy of the certificate on a MyProxy server where jobsub will be able to use it to get certificate proxies to run jobs.
For those more advanced users who had previously run kx509 to get a certificate, there will be a compatible replacement command provided that invokes cigetcert instead of contacting the KCA.
FIFE experiments will be transitioned to the new mechanism over the next few months in the following order:
| Experiments | Dates |
|---|---|
| CDF, NUMI-X, GENIE | 6/6 – 6/20 |
| g-2, ANNIE, CHIPS | 6/13 – 6/27 |
| MINOS, Darkside | 6/20 – 7/4 |
| DUNE | 6/27 – 7/11 |
| Mu2e | 7/5 – 7/19 |
| DES | 7/11 – 7/25 |
| uboone | 7/18 – 8/1 |
| Nova | 7/25 – 8/8 |
| SBND | 8/1 – 8/15 |
| Minerva | 8/15 – 8/29 |
| Seaquest | tentative 8/15 – 8/29 |
— Dave Dykstra