Establishing users' identities and determining their permissions before they access research infrastructure resources are key features of science gateways. With many science gateways now relying on general purpose gateway platform services, the challenges of managing identity-derived features have expanded to include network-based authentication and authorization scenarios that connect science gateway tenants, science gateway platform middleware, and third party identity provider services, including campus identity management systems. This paper examines both architectural and implementation considerations for integrating these services. We provide a summary case study that further shows how end-to-end authentication and authorization can be provided between gateways, campus authentication systems, science gateway middleware, and campus computing resources. We conclude with observations on lifecycle management of third party components in science gateway platform services, which is an important consideration for both selection of new technologies and transitioning from older systems.
Deploying Cray EX systems with CSM at LANL. Stradling, Alden; Johnson, Steven L.; Van Heule, Graham
Concurrency and computation, 05/2024, Volume 36, Issue 18
Journal Article
Peer reviewed
Open access
Summary
Los Alamos National Laboratory has deployed (over the last year and a half) a pair of Cray Shasta machines—a development testbed named Guaje and a production machine named Chicoma, which will soon comprise the bulk of LANL's open science research computing portfolio. In the process, we have encountered a number of problems and challenges in several realms—authentication and authorization, cluster health management, image management, and configuration management. Both independently and in collaboration with Cray/HPE, we have found solutions and brought the system into stable production. The presentation will discuss the solutions and how they came about, and issues we are working to resolve in the near future.
In this study, we implemented an integrated security solution with Spring Security and Keycloak open-access platform (SSK) to secure data collection and exchange over microservice architecture application programming interfaces (APIs). The adopted solution implemented the following security features: open authorization, multi-factor authentication, identity brokering, and user management to safeguard microservice APIs. Then, we extended the security solution with a virtual private network (VPN), Blowfish and crypt (Bcrypt) hash, encryption method, API key, network firewall, and secure socket layer (SSL) to build up a digital infrastructure. To accomplish and describe the adopted SSK solution, we utilized a web engineering security method. As a case study, we designed and developed an electronic health coaching (eCoach) prototype system and hosted the system in the expanded digital secure infrastructure to collect and exchange personal health data over microservice APIs. We further described our adopted security solution's procedural, technical, and practical considerations. We validated our SSK solution implementation by theoretical evaluation and experimental testing. We compared the test outcomes with related studies qualitatively to determine the efficacy of the hybrid security solution in digital infrastructure. The SSK implementation and configuration in the eCoach prototype system effectively secured its microservice APIs from attack in all the considered scenarios with 100% accuracy. The developed digital infrastructure with the SSK solution efficiently sustained a load of approximately 300 concurrent users. In addition, we performed a qualitative comparison among the following security solutions: Spring-based security, Keycloak-based security, and their combination (our utilized hybrid security solution), where SSK showed a promising outcome.
IoT devices can be applied in diverse domains, including farming to maximize CAPEX and OPEX costs. Despite the increased gain in production through IoT, there are still challenges that need to be properly tackled for wider adoption. Traditional authentication and authorization mechanisms cannot be blindly applied to IoT due to the associated limitations. This tutorial presented a solution for an IoT Farm scenario, with multiple authentications across different geographic locations with a centralized identity provider and application in the cloud, and IoT devices on the edge. The proposed approach relies on standard protocols and tools, like Keycloak, as the identity management solution. By using OpenID Connect (OIDC), we can assure secure federated authentication and authorization of both users and IoT devices for IoT farming scenarios.