ABSTRACT
Custos is open source software that provides user, group, and resource credential management services for science gateways. This paper describes the resource credential, or secrets, management service in Custos that allows science gateways to safely manage security tokens, SSH keys, and passwords on behalf of users. Science gateways such as Galaxy are well-established mechanisms for researchers to access cyberinfrastructure and, increasingly, couple it with other online services, such as user-provided storage or compute resources. To support this use case, science gateways need to operate on behalf of the users to connect, acquire, and release these resources, which are protected by a variety of authentication and access mechanisms. Storing and managing the credentials associated with these access mechanisms must be done using “best of breed” software and established security protocols. The Custos Secrets Service allows science gateways to store and retrieve these credentials using secure protocols and APIs while the data is protected at rest. Here, we provide implementation details for the service, describe the available APIs and SDKs, and discuss integration with Galaxy as a use case.