102 research outputs found
SciTokens: Capability-Based Secure Access to Remote Scientific Data
The management of security credentials (e.g., passwords, secret keys) for
computational science workflows is a burden for scientists and information
security officers. Problems with credentials (e.g., expiration, privilege
mismatch) cause workflows to fail to fetch needed input data or store valuable
scientific results, distracting scientists from their research by requiring
them to diagnose the problems, re-run their computations, and wait longer for
their results. In this paper, we introduce SciTokens, open source software to
help scientists manage their security credentials more reliably and securely.
We describe the SciTokens system architecture, design, and implementation
addressing use cases from the Laser Interferometer Gravitational-Wave
Observatory (LIGO) Scientific Collaboration and the Large Synoptic Survey
Telescope (LSST) projects. We also present our integration with widely-used
software that supports distributed scientific computing, including HTCondor,
CVMFS, and XrootD. SciTokens uses IETF-standard OAuth tokens for
capability-based secure access to remote scientific data. The access tokens
convey the specific authorizations needed by the workflows, rather than
general-purpose authentication impersonation credentials, to address the risks
of scientific workflows running on distributed infrastructure including NSF
resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds
(e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the
interoperability and security of scientific workflows, SciTokens 1) enables use
of distributed computing for scientific domains that require greater data
protection and 2) enables use of more widely distributed computing resources by
reducing the risk of credential abuse on remote systems.
Comment: 8 pages, 6 figures, PEARC '18: Practice and Experience in Advanced
Research Computing, July 22-26, 2018, Pittsburgh, PA, US
Flexible Session Management in a Distributed Environment
Many secure communication libraries used by distributed systems, such as SSL,
TLS, and Kerberos, fail to make a clear distinction between the authentication,
session, and communication layers. In this paper we introduce CEDAR, the secure
communication library used by the Condor High Throughput Computing software,
and present the advantages to a distributed computing system resulting from
CEDAR's separation of these layers. Regardless of the authentication method
used, CEDAR establishes a secure session key, which has the flexibility to be
used for multiple capabilities. We demonstrate how a layered approach to
security sessions can avoid round-trips and latency inherent in network
authentication. The creation of a distinct session management layer allows for
optimizations to improve scalability by way of delegating sessions to other
components in the system. This session delegation creates a chain of trust that
reduces the overhead of establishing secure connections and enables centralized
enforcement of system-wide security policies. Additionally, secure channels
based upon UDP datagrams are often overlooked by existing libraries; we show
how CEDAR's structure accommodates this as well. As an example of the utility
of this work, we show how the use of delegated security sessions and other
techniques inherent in CEDAR's architecture enables US CMS to meet their
scalability requirements in deploying Condor over large-scale, wide-area grid
systems.
The CMS Integration Grid Testbed
The CMS Integration Grid Testbed (IGT) comprises USCMS Tier-1 and Tier-2
hardware at the following sites: the California Institute of Technology, Fermi
National Accelerator Laboratory, the University of California at San Diego, and
the University of Florida at Gainesville. The IGT runs jobs using the Globus
Toolkit with a DAGMan and Condor-G front end. The virtual organization (VO) is
managed using VO management scripts from the European Data Grid (EDG). Gridwide
monitoring is accomplished using local tools such as Ganglia interfaced into
the Globus Metadata Directory Service (MDS) and the agent based Mona Lisa.
Domain specific software is packaged and installed using the Distribution
After Release (DAR) tool of CMS, while middleware under the auspices of the
Virtual Data Toolkit (VDT) is distributed using Pacman. During a continuous
two month span in Fall of 2002, over 1 million official CMS GEANT based Monte
Carlo events were generated and returned to CERN for analysis while being
demonstrated at SC2002. In this paper, we describe the process that led to one
of the world's first continuously available, functioning grids.
Comment: CHEP 2003 MOCT01
Nitric Oxide Antagonizes the Acid Tolerance Response that Protects Salmonella against Innate Gastric Defenses
Reactive nitrogen species (RNS) derived from dietary and salivary inorganic nitrogen oxides foment innate host defenses associated with the acidity of the stomach. The mechanisms by which these reactive species exert antimicrobial activity in the gastric lumen are, however, poorly understood. The genetically tractable acid tolerance response (ATR) that enables enteropathogens to survive harsh acidity was screened for signaling pathways responsive to RNS. The nitric oxide (NO) donor spermine NONOate derepressed the Fur regulon that controls secondary lines of resistance against organic acids. Despite inducing a Fur-mediated adaptive response, acidified RNS largely repressed oral virulence as demonstrated by the fact that Salmonella bacteria exposed to NO donors during mildly acidic conditions were shed in low amounts in feces and exhibited ameliorated oral virulence. NO prevented Salmonella from mounting a de novo ATR, but was unable to suppress an already functional protective response, suggesting that RNS target regulatory cascades but not their effectors. Transcriptional and translational analyses revealed that the PhoPQ signaling cascade is a critical ATR target of NO in rapidly growing Salmonella. Inhibition of PhoPQ signaling appears to contribute to most of the NO-mediated abrogation of the ATR in log phase bacteria, because the augmented acid sensitivity of phoQ-deficient Salmonella was not further enhanced after RNS treatment. Since PhoPQ-regulated acid resistance is widespread in enteric pathogens, the RNS-mediated inhibition of the Salmonella ATR described herein may represent a common component of innate host defenses.
Competition and Combative Advertising: An Historical Analysis
Fred K. Beard (PhD, University of Oklahoma) is a professor of advertising in the Gaylord College of Journalism and Mass Communication, University of Oklahoma. His research interests include comparative advertising, advertising humor, and advertising history. His work has appeared in the Journal of Advertising, the Journal of Advertising Research, the Journal of Business Ethics, the Journal of Business Research, Journalism History, the Journal of Historical Research in Marketing, the Journal of Macromarketing, and the Journal of Marketing Communications, among others.
Book illustration
Book synopsis: William Blake, poet and artist, is a figure often understood to have 'created his own system'. Combining close readings and detailed analysis of a range of Blake's work, from lyrical songs to later myth, from writing to visual art, this collection of thirty-eight lively and authoritative essays examines what Blake had in common with his contemporaries, the writers who influenced him, and those he influenced in turn. Chapters from an international team of leading scholars also attend to his wider contexts: material, formal, cultural, and historical, to enrich our understanding of, and engagement with, Blake's work. Accessibly written, incisive, and informed by original research, William Blake in Context enables readers to appreciate Blake anew, from both within and outside of his own idiom.
Hands-On Experience with Condor, the Advanced Load Sharing System
These days UNIX workstations are common in both academia and industry. It is very seldom the case that a computer engineer or a computer scientist does not have a UNIX workstation sitting on her/his desk. The users of those workstations often fall under one of two overlapping categories. The first is an administrative user who works on email, paper preparation, code development and debugging, and similar things. These users often have more CPU power than they need, and their machines often sit idle after they go home. The second type, the power user, is the user who has production code that is ready to run. In practice this kind of code needs a great deal of CPU time to execute. This type of user is willing to use any available CPU cycle at any time. Condor is a load sharing system that was developed at the University of Wisconsin-Madison [3, 2]. Its goal is to solve the problems of the second type of users by utilizing the CPU cycles that are not used by the first type. Condor..
Inter-Operating Grids through Delegated MatchMaking
The grid vision of a single computing utility has yet to materialize: while many grids with thousands of processors each exist, most work in isolation. An important obstacle for the effective and efficient inter-operation of grids is the problem of resource selection. In this paper we propose a solution to this problem that combines the hierarchical and decentralized approaches for interconnecting grids. In our solution, a hierarchy of grid sites is augmented with peer-to-peer connections between sites under the same administrative control. To operate this architecture, we employ the key concept of delegated matchmaking, which temporarily binds resources from remote sites to the local environment. With trace-based simulations we evaluate our solution under various infrastructural and load conditions, and we show that it outperforms other approaches to inter-operating grids. Specifically, we show that delegated matchmaking achieves up to 60% more goodput and completes 26% more jobs than its best alternative.