Experiences with Integrating Custos SecurityServices

TL;DR

This paper discusses the integration of Custos, an open-source cybersecurity service for science gateways, highlighting its deployment scenarios, hierarchical tenant management, and support for non-browser applications.

Contribution

It introduces extended deployment scenarios for Custos, demonstrating hierarchical tenant management and support for service accounts beyond previous work.

Findings

Hierarchical tenant management enables federation of multiple gateways.

Custos supports non-browser applications with service accounts.

Extended deployment scenarios enhance security and scalability.

Abstract

Science gateways are user-facing cyberinfrastruc-ture that provide researchers and educators with Web-basedaccess to scientific software, computing, and data resources.Managing user identities, accounts, and permissions are essentialtasks for science gateways, and gateways likewise must man-age secure connections between their middleware and remoteresources. The Custos project is an effort to build open sourcesoftware that can be operated as a multi-tenanted service thatprovides reliable implementations of common science gatewaycybersecurity needs, including federated authentication, iden-tity management, group and authorization management, andresource credential management. Custos aims further to provideintegrated solutions through these capabilities, delivering end-to-end support for several science gateway usage scenarios. Thispaper examines four deployment scenarios using Custos andassociated extensions beyond previously described work. Thefirst capability illustrated by these scenarios is the need forCustos to provide hierarchical tenant management that allowsmultiple gateway deployments to be federated together andalso to support consolidated, hosted science gateway platformservices. The second capability illustrated by these scenarios is theneed to support service accounts that can support non-browserapplications and agent applications that can act on behalf ofusers on edge resources. We illustrate how the latter can be builtusing Web security standards combined with Custos permissionmanagement mechanisms.