Have you ever forgotten the password for one of your many online accounts? You likely wasted time trying different variations of what you were certain was the password, only to give up and reset it. For your new password, you might have chosen something simpler and easier to remember, but potentially less secure.
You’re not alone in this cycle of frustration: some computational scientists do the same thing. Computational science uses today’s advanced computing capabilities, including models and simulations, to understand and solve complex problems.
Luckily, help is on the way: the University of Wisconsin-Madison is playing a key role in a National Science Foundation-supported effort to make scientific computing more secure and streamlined. A new project called SciTokens will produce open-source software to help scientists manage security credentials in a more reliable and safe manner.
SciTokens is a joint effort among several campuses and principal investigators: the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign (Jim Basney and Alexander Withers), the University of Wisconsin-Madison (Todd Tannenbaum), the University of Nebraska-Lincoln (Brian Bockelman), and Syracuse University (Duncan Brown). Together, these institutions will receive $1 million in NSF funding over two years.
Todd Tannenbaum, who leads the UW-Madison end of the SciTokens project and serves as HTCondor Project Technical Lead, says the project offers three key benefits: simplicity, security and scalability.
Explains Tannenbaum, major scientific projects have large computing needs and must handle massive amounts of data. In order to process data, computing jobs are run at numerous physical sites simultaneously (known as distributed computing). “When very large scientific computing jobs run at remote sites, they need access to data at other places, other remote data sites. Currently, user credentials are passed back and forth between sites. Your computer job goes out to all these other university and government labs and carries your login and password.”
The problem, says Tannenbaum, is that a password grants access to far more than the specific data a job needs at that moment, so a job that carries it creates a security risk at every site it visits. SciTokens replaces the password with bearer tokens that carry only limited access. “It reduces a lot of hassle and workloads at hundreds of sites in America and Europe,” he says.
In more detailed terms, SciTokens will use common web technologies, OAuth 2.0 and JSON Web Tokens, to create a new authorization approach that scales to the decentralized environment found in large scientific collaborations. A user logs in on a submit host, obtains a refresh token and stores it with the local token manager, then submits jobs to the local queue manager. When the queue manager is ready to run one of the user's jobs, it asks the token manager to create an access token for that job. The access token is sent to the execute host and placed in the job's runtime environment; when the job later requests data, it presents the access token to obtain authorization. The long-lived refresh token stays with the token manager on the submit side; only the access token, with its more limited permissions, travels with the job.
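As an added example, not code from the SciTokens project, the flow above reduced to its two halves in Python: a submit-side token manager that keeps the refresh token and mints an access token carrying only the scopes a job asks for, and the check a remote data server would run on the bearer token it receives. The choice of a JSON Web Token signed with HMAC-SHA256 over a shared key, the `read:/path` and `write:/path` scope format, the issuer URL, the user name and the default token lifetime are all assumptions made for the illustration; the page does not describe the project's actual signing algorithm or claim names.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url without padding, the segment encoding JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> bytes:
    # HS256 with a shared key is an assumption for this example only.
    return hmac.new(key, signing_input, hashlib.sha256).digest()


class TokenManager:
    """Submit-side token manager: holds each user's long-lived refresh token and
    mints short-lived access tokens that carry only the scopes a job needs."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer = issuer
        self.key = key
        self._refresh = {}  # user -> (refresh token, scopes granted at login)

    def store_refresh_token(self, user: str, refresh_token: str, granted_scopes):
        self._refresh[user] = (refresh_token, frozenset(granted_scopes))

    def mint_access_token(self, user: str, requested_scopes, lifetime_s=3600, now=None) -> str:
        """Called by the queue manager when a job is about to run. The refresh
        token never leaves this object; only the minted access token does."""
        if user not in self._refresh:
            raise PermissionError("no refresh token stored for %s" % user)
        _refresh_token, granted = self._refresh[user]
        requested = frozenset(requested_scopes)
        if not requested <= granted:
            # A job cannot obtain more than the user was granted at login.
            raise PermissionError("scopes not granted: %s" % sorted(requested - granted))
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"iss": self.issuer, "sub": user, "iat": now,
                   "exp": now + lifetime_s, "scope": " ".join(sorted(requested))}
        signing_input = (_b64url(json.dumps(header).encode())
                         + "." + _b64url(json.dumps(payload).encode())).encode()
        return signing_input.decode() + "." + _b64url(_sign(signing_input, self.key))


def authorize(token: str, key: bytes, issuer: str, action: str, path: str, now=None):
    """Remote data-server check: verify the bearer token, then require a scope
    that covers the requested action on the requested path. Returns (ok, reason)."""
    try:
        h_b64, p_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    # The algorithm is pinned here; the token's own alg header is not trusted.
    signing_input = (h_b64 + "." + p_b64).encode()
    if not hmac.compare_digest(_sign(signing_input, key), _b64url_decode(sig_b64)):
        return False, "bad signature"
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        return False, "unexpected alg"
    payload = json.loads(_b64url_decode(p_b64))
    now = int(time.time()) if now is None else now
    if payload.get("iss") != issuer:
        return False, "wrong issuer"
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    for scope in payload.get("scope", "").split():
        scope_action, _, scope_path = scope.partition(":")
        prefix = scope_path.rstrip("/") + "/"
        if scope_action == action and (path == scope_path or path.startswith(prefix)):
            return True, "authorized by scope %s" % scope
    return False, "no scope covers %s %s" % (action, path)


if __name__ == "__main__":
    # Constructed sample: alice's login granted two scopes, the job asks for one.
    KEY = b"example-shared-key"
    ISSUER = "https://tokens.example.org"
    tm = TokenManager(ISSUER, KEY)
    tm.store_refresh_token("alice", "refresh-token-placeholder",
                           {"read:/ligo/public", "write:/ligo/scratch/alice"})
    tok = tm.mint_access_token("alice", ["read:/ligo/public"], lifetime_s=600)
    print(authorize(tok, KEY, ISSUER, "read", "/ligo/public/frame.gwf"))
    print(authorize(tok, KEY, ISSUER, "write", "/ligo/public/frame.gwf"))
```

The point the example makes is the one Tannenbaum describes: a data server that receives the token can only grant reads under `/ligo/public`, even though alice also holds write access to her scratch area, because the job never asked for that scope and the refresh token that could have produced it never left the submit host.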
The SciTokens project includes participants from two major science collaborations: the Laser Interferometer Gravitational-Wave Observatory Scientific Collaboration and the Large Synoptic Survey Telescope project. It also includes participants from the HTCondor, Open Science Grid, and Extreme Science and Engineering Discovery Environment projects. The project will promote adoption by integrating SciTokens into the widely used HTCondor software, developed at UW-Madison, and into the nation's cyberinfrastructure.
"The SciTokens project is launching at an opportune moment, with mature web security technologies now available to meet the challenging needs of science workflows," says principal investigator Jim Basney of the University of Illinois. "The open-source SciTokens software will help science projects migrate to these technologies, to enable more productive and secure scientific research.”