23 research outputs found

    SciTokens: Capability-Based Secure Access to Remote Scientific Data

    The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problems, re-run their computations, and wait longer for their results. In this paper, we introduce SciTokens, open source software to help scientists manage their security credentials more reliably and securely. We describe the SciTokens system architecture, design, and implementation addressing use cases from the Laser Interferometer Gravitational-Wave Observatory (LIGO) Scientific Collaboration and the Large Synoptic Survey Telescope (LSST) projects. We also present our integration with widely-used software that supports distributed scientific computing, including HTCondor, CVMFS, and XrootD. SciTokens uses IETF-standard OAuth tokens for capability-based secure access to remote scientific data. The access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the interoperability and security of scientific workflows, SciTokens 1) enables use of distributed computing for scientific domains that require greater data protection and 2) enables use of more widely distributed computing resources by reducing the risk of credential abuse on remote systems. Comment: 8 pages, 6 figures, PEARC '18: Practice and Experience in Advanced Research Computing, July 22--26, 2018, Pittsburgh, PA, US

    Implications for sequencing of biologic therapy and choice of second anti-TNF in patients with inflammatory bowel disease: results from the IMmunogenicity to Second Anti-TNF Therapy (IMSAT) therapeutic drug monitoring study


    Symbiotic Futures: Health, Well-being and Care in the Post-Covid World

    The "Symbiotic Futures: Health, Well-being and Care in the Post-Covid World" project was jointly conceived by the Innovation School at Glasgow School of Art and the Institute of Cancer Sciences at the University of Glasgow. The project partnership involved a community of experts working across both organisations including the University of Glasgow’s new Mazumdar-Shaw Advanced Research Centre (ARC). Future experiences is a collaborative, futures-focused design project where students benefit from the input of a community of experts to design speculative future worlds and experiences based on research within key societal contexts. This iteration of the project asked the students to consider what happens in the Post-Covid landscape ten years from now, where symbiotic experiences of health, well-being and care have evolved to the extent that new forms of medical practice, health communities and cultures of care transform how we interact with each other, with professionals and the world around us. The GSA Innovation School’s final year BDes Product Design students and faculty formed a dynamic community of practice with health, wellbeing and care practitioners and researchers from The University of Glasgow and beyond. This gave the students the opportunity to reflect on the underlying complexities of the future of health, well-being and care, technological acceleration, human agency and quality of life, to envision a 2031 blueprint as a series of six future world exhibits, and design the products, services and system experiences for the people and environments within it. In the first part of the project (Stage 1), Future worlds are groups of students working together on specific topics, to establish the context for their project and collaborate on research and development. 
In this iteration of Future Experiences, the "Health, Well-being and Care" worlds were clustered together around ‘People focused’ and ‘Environment focused’, but also joined up across these groups to create pairs of worlds, and in the process generate symbiosis between the groups. These worlds were then the starting points which the students explored in their individual projects. The second part of the project (Stage 2) saw individual students select an aspect of their Future World research to develop as a design direction, which they then prototyped and produced as products, services, and/or systems. These are designed for specific communities, contexts or scenarios of use defined by the students to communicate a future experience. These Future experiences reflect the societal contexts explored during the research phase, projected 10 years into the future, and communicated in a manner that makes the themes engaging and accessible. The deposited materials are arranged as follows: 1. Project Landscape Map - A report and blueprint for the project that gives a visual overview of the structure and timeline of the project. 2. Stage one data folders - the data folders for stage one of the project are named after the themes the groups explored to create their Future Worlds. 3. Stage two data folders - the data folders for stage two of the project are named after the individual students who created the project

    An OAuth service for issuing certificates to science gateways for TeraGrid users

    In this paper, we present a TeraGrid OAuth service, integrated with the TeraGrid User Portal and TeraGrid MyProxy service, that provides certificates to science gateways. The OAuth service eliminates the need for TeraGrid users to disclose their TeraGrid passwords to science gateways when accessing their individual TeraGrid accounts via gateway interfaces. Instead, TeraGrid users authenticate at the TeraGrid User Portal to approve issuance of a certificate by MyProxy to the science gateway they are using. We present the design and implementation of the TeraGrid OAuth service, describe the underlying network protocol, and discuss design decisions and security considerations we made while developing the service in consultation with TeraGrid working groups and staff

    ncsa/OA4MP: Version 4.3

    Open Authorization for MyProxy

    Capability-Based Authorization for HEP

    Outside the HEP computing ecosystem, it is vanishingly rare to encounter user X509 certificate authentication (and proxy certificates are even more rare). The web never widely adopted the user certificate model, but increasingly sees the need for federated identity services and distributed authorization. For example, Dropbox, Google and Box instead use bearer tokens issued via the OAuth2 protocol to authorize actions on their services. Thus, the HEP ecosystem has the opportunity to reuse recent work in industry that now covers our needs. We present a token-based ecosystem for authorization tailored for use by CMS. We base the tokens on the SciTokens profile for the standardized JSON Web Token (JWT) format. The token embeds a signed description of what capabilities the VO grants the bearer; the site-level service can verify the VO’s signature without contacting a central service. In this paper, we describe the modifications done to enable token-based authorization in various software packages used by CMS, including XRootD, CVMFS, and HTCondor. We describe the token-issuing workflows that would be used to get tokens to running jobs in order to authorize data access and file stageout, and explain the advantages for hosted web services. Finally, we outline what the transition would look like for an experiment like CMS

    Prevalence of Electronic Health Records in U.S. Hospitals

    This work provides prevalence estimates for electronic health record (EHR) systems within U.S. hospitals in 2008. Specifically, we identify the set of information technology (IT) applications that provide the technological pre-conditions for hospitals' achievement of meaningful use. We estimate a set of descriptive and multivariate analyses to identify the organizational attributes that are significantly related to EHR adoption. In addition to considering IT applications individually, we consider the cumulative adoption by hospitals. Our results suggest that most U.S. hospitals continue to lack the technological pre-conditions for achieving meaningful use. Approximately 72% of hospitals had adopted three or fewer of these key applications. Furthermore, we observe some evidence of complementarities between IT and other production inputs. Finally, ownership status, system affiliation, and geographic location are all significantly related to IT adoption. These results provide a useful benchmark for pending IT investments resulting from health reform

    Martina Thomas, 1924-1995: painter

    Contents: Preface Biography Epitome Martina's family and Martina's locations Colour, colour and more colour The artist: Painting with Marty, and Joy in jugs and harmony in harbour