Addressing tokens dynamic generation, propagation, storage and renewal to secure the GlideinWMS pilot based jobs and system
Bruno Moreira Coimbra, Marco Mambelli

TL;DR
This paper discusses the challenges and solutions in implementing dynamic token generation, propagation, storage, and renewal to enhance the security of GlideinWMS pilot jobs and infrastructure, supporting stricter requirements and multiple systems.
Contribution
It introduces new credential modules supporting dynamic generation, scope limitation, and lifecycle management, improving security and flexibility in GlideinWMS and related systems.
Findings
Successful migration of experiments to token-based credentials
Enhanced credential management with dynamic generation and renewal
Improved security through scope-limited, least privilege credentials
Abstract
GlideinWMS has been one of the first middleware systems in the WLCG community to transition from X.509 to also support tokens. The first step was to get from the prototype in 2019 to using tokens in production in 2022. This paper will present the challenges introduced by the wider adoption of tokens and the evolution plans for securing the pilot infrastructure of GlideinWMS and supporting the new requirements. In the last couple of years, the GlideinWMS team supported the migration of experiments and resources to tokens. Inadequate support in the current infrastructure, more stringent requirements, and the higher spatial and temporal granularity forced GlideinWMS to revisit once more how credentials are generated, used, and propagated. The new credential modules have been designed to be used in multiple systems (GlideinWMS, HEPCloud) and use a model where credentials have type, purpose, and…
Taxonomy
Topics: Scientific Computing and Data Management · Security and Verification in Computing · Distributed and Parallel Computing Systems
