Science Gateway Integration Examples with the Custos Security Service
Science gateways are user-facing cyberinfrastructure that provide researchers and educators with Web-based access to scientific software, computing, and data resources. Streamlining and expanding use of High Performance Computing resources is the primary goal for many science gateways. Managing user identities, accounts, and permissions is an essential task for science gateways, and gateways likewise must manage secure connections between their middleware and remote, distributed resources. These security services can be separated from specific science gateway deployments and provided as independent services for multiple gateway tenants. The Custos project is an effort to build open source software that can be operated as a multi-tenanted service providing reliable implementations of gateway cybersecurity requirements, including federated authentication, identity management, authorization management, group management, and resource credential management. Providing these capabilities through a single, consolidated platform furthermore enables end-to-end, integrated usage scenarios to be built up from basic security components. This paper examines four deployment scenarios using Custos and identifies extended capabilities that emerge from these scenarios. The first capability is hierarchical tenant management, which allows multiple gateway deployments to be federated together. The second capability illustrated by these scenarios is support for service accounts for non-browser applications and for agent applications that act on behalf of users on edge resources. The latter can be built using Web security standards combined with permission management mechanisms.