OAuth/OIDC Authentication

A mechanism that enables more secure access to the Gfarm file system
through modern authentication methods.

Technical Overview

Introducing Web Standard Authentication Technology to Gfarm

Since Gfarm 2.8.0, modern authentication methods, namely Kerberos, TLS client certificates and OAuth/OIDC, have been supported alongside the traditional shared-key and GSI (Grid Security Infrastructure) methods. OAuth/OIDC is the authentication technology widely used by web applications; here the client presents an access token in JSON Web Token (JWT) form, which the Gfarm server validates before granting access. This lets Gfarm's authentication match the level of modern web services.

The central design problem is the short lifetime of access tokens. Because an access token expires after a short time, uninterrupted command-line use of Gfarm requires a mechanism that refreshes the token periodically. Two components were developed for this purpose.

JWT Server
Users log in through a web browser, and the server obtains an access token and a refresh token from the OpenID provider. It stores the refresh token only in encrypted form and presents a passphrase to the user; the passphrase itself is not stored on the server.
JWT Agent
Runs on the host where command-line operations are executed. Working with the JWT server, it uses the passphrase to decrypt the stored refresh token and refreshes the access token automatically, periodically and before it expires, so that a valid token is always available on that host.
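The split between the two components is easiest to see in code. The following is an added illustration written for this page, not the code of the Gfarm JWT server or JWT agent: a server-side record that holds the refresh token only under a key stretched from the user's passphrase (so the record alone is useless without it, the property claimed under "Highly Secure Token Storage" below), and one pass of an agent loop that decrypts the refresh token and exchanges it for a new access token when the current one is about to expire. Everything here is assumed rather than taken from Gfarm: the record layout, the PBKDF2 work factor, the 60-second refresh margin, that decryption happens on the agent side, and the `fake_token_endpoint` that stands in for the OpenID provider's refresh_token grant. The cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC so the example runs on the Python standard library; a deployment would use AES-GCM or equivalent. The tokens and passphrase are constructed sample data.

```python
"""Passphrase-protected refresh-token record plus a refresh-ahead-of-expiry agent pass.
Added example; not Gfarm's code. All parameters and layouts below are assumptions."""
import base64
import hashlib
import hmac
import json
import os
import struct

PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256, not Gfarm's setting
REFRESH_MARGIN_SEC = 60      # assumed: refresh when this little lifetime remains

SAMPLE_NOW = 1_700_000_000                    # fixed clock so the demo is deterministic
SAMPLE_REFRESH_TOKEN = "rt-constructed-0001"  # constructed, not a real token
SAMPLE_PASSPHRASE = "correct horse battery staple"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Stretch the passphrase once, then split into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)
    enc_key = hmac.new(material, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(material, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF stream cipher standing in for AES-GCM."""
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_refresh_token(passphrase: str, refresh_token: str) -> dict:
    """JWT-server side. The returned record is all the server keeps; the passphrase
    is shown to the user once and never stored."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    plaintext = refresh_token.encode()
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": b64url_encode(salt), "nonce": b64url_encode(nonce),
            "ct": b64url_encode(ciphertext), "tag": b64url_encode(tag)}


def open_refresh_token(passphrase: str, record: dict) -> str:
    """Decrypt with the passphrase, rejecting a wrong passphrase or a tampered record
    before any plaintext is produced."""
    salt, nonce, ciphertext, tag = (b64url_decode(record[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or corrupted record")
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext))).decode()


def jwt_exp(access_token: str) -> int:
    """Read the exp claim for scheduling only. Signature verification is the job of the
    Gfarm server that consumes the token, not of the agent."""
    payload = json.loads(b64url_decode(access_token.split(".")[1]))
    return int(payload["exp"])


def needs_refresh(access_token: str, now: int, margin: int = REFRESH_MARGIN_SEC) -> bool:
    return jwt_exp(access_token) - now <= margin


def agent_tick(record: dict, passphrase: str, access_token: str, now: int, token_endpoint) -> str:
    """One pass of the agent loop: keep the token while it has time left, otherwise
    decrypt the refresh token and exchange it for a new access token.
    token_endpoint(refresh_token) -> access token stands in for the OAuth
    refresh_token grant against the OpenID provider (assumed interface)."""
    if not needs_refresh(access_token, now):
        return access_token
    return token_endpoint(open_refresh_token(passphrase, record))


def make_sample_jwt(exp: int) -> str:
    """Constructed JWT-shaped string for the demo; the signature part is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": "alice", "exp": exp}).encode())
    return f"{header}.{payload}.placeholder-signature"


def fake_token_endpoint(refresh_token: str) -> str:
    """Stand-in for the provider's token endpoint: accepts only the sample refresh
    token and issues a new five-minute access token."""
    if refresh_token != SAMPLE_REFRESH_TOKEN:
        raise PermissionError("invalid_grant")
    return make_sample_jwt(SAMPLE_NOW + 300)


if __name__ == "__main__":
    record = seal_refresh_token(SAMPLE_PASSPHRASE, SAMPLE_REFRESH_TOKEN)  # the web-login step
    expiring = make_sample_jwt(SAMPLE_NOW + 30)
    fresh = agent_tick(record, SAMPLE_PASSPHRASE, expiring, SAMPLE_NOW, fake_token_endpoint)
    print("refreshed; new exp:", jwt_exp(fresh))
```

Two points carry over to any real deployment of this pattern: the MAC is checked before decryption, so a wrong passphrase or a modified record is rejected without producing plaintext, and the agent never validates the access token's signature, only its `exp`, because the party that must trust the token is the Gfarm server, not the process that schedules its renewal.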

Features & Strengths

Balancing Security & Sustainability

1. Compliance with Latest Security Standards

Alongside the traditional shared-key and GSI methods, OAuth/OIDC, a web-standard authentication technology, is now supported. This allows a more robust, centrally managed security environment, with user accounts and credentials administered in the OpenID provider rather than per system.

2. Highly Secure Token Storage

The JWT server stores the refresh token, the credential needed to obtain new access tokens, only in encrypted form. Because the passphrase presented to the user is never kept on the server, the stored record by itself does not yield a usable refresh token; its protection rests on the passphrase, which the user must keep secret.

3. Improved Convenience for Command-Line Operations

While the JWT agent is running, the host performing command-line operations always holds a valid access token. Long-running batch jobs and scripts therefore need no manual re-authentication and do not fail because a token expired mid-run.

4. Versatile Implementation

Gfarm implements this authentication on top of the SASL library also used by mail clients and servers, and a library implementing XOAUTH2 as a SASL mechanism was developed alongside it. Once SASL authentication is enabled in the configuration and XOAUTH2 is specified as the mechanism, OAuth/OIDC authentication is available.
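As an added illustration, not part of Gfarm or its SASL XOAUTH2 library, the following builds and parses the XOAUTH2 client-initial-response in the framing popularized by Google's XOAUTH2 and used by the common cyrus-sasl-xoauth2 plugins: `user=<user>^Aauth=Bearer <token>^A^A`, where `^A` is the byte 0x01. That Gfarm's library uses exactly this framing is an assumption; the user name and token below are constructed sample values.

```python
"""Build and parse the XOAUTH2 SASL client-initial-response.
Added example; the framing is the Gmail-style one, assumed for Gfarm's library."""
import re

SEP = b"\x01"
USER_PREFIX = b"user="
AUTH_PREFIX = b"auth=Bearer "
# Bearer-token charset (superset of RFC 6750 b64token, "=" allowed anywhere for
# simplicity). Rejecting anything else also rules out 0x01 and whitespace, which
# would break the framing or let a client smuggle a second field.
TOKEN_RE = re.compile(rb"^[A-Za-z0-9._~+/=-]+$")


def build_xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """Client side: the bytes the client hands to SASL as its initial response."""
    user_b, token_b = user.encode(), access_token.encode()
    if not user_b or SEP in user_b:
        raise ValueError("invalid user name")
    if not TOKEN_RE.match(token_b):
        raise ValueError("access token has characters outside the bearer-token charset")
    return USER_PREFIX + user_b + SEP + AUTH_PREFIX + token_b + SEP + SEP


def parse_xoauth2_initial_response(msg: bytes) -> tuple:
    """Server side: recover (user, token), or raise on anything off-format."""
    if not msg.endswith(SEP + SEP):
        raise ValueError("missing ^A^A terminator")
    fields = msg[:-2].split(SEP)
    if (len(fields) != 2 or not fields[0].startswith(USER_PREFIX)
            or not fields[1].startswith(AUTH_PREFIX)):
        raise ValueError("malformed XOAUTH2 initial response")
    user_b = fields[0][len(USER_PREFIX):]
    token_b = fields[1][len(AUTH_PREFIX):]
    if not user_b or not TOKEN_RE.match(token_b):
        raise ValueError("empty user or malformed bearer token")
    return user_b.decode(), token_b.decode()


# Constructed sample: a JWT-shaped string, not a real token.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln"

if __name__ == "__main__":
    msg = build_xoauth2_initial_response("alice", SAMPLE_TOKEN)
    print(msg)
    print(parse_xoauth2_initial_response(msg))
```

On the server side the `user=` field is only the client's asserted authorization identity. After the bearer token's signature, issuer, audience and expiry have been verified, the server must still check that the token's subject maps to that user; trusting the `user=` field on its own would let any holder of a valid token act as any account.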

Usage Examples

Automated Secure Access

Batch Processing Execution
In HPC environments, where a large batch job may run for several days, the JWT agent keeps the authentication valid throughout, so the job is not denied access partway through.
Centralized ID Management
By integrating with an organization-wide OpenID provider (e.g., Keycloak), access to Gfarm can be managed centrally, simplifying user ID management.
Secure Passphrase Management
Users log in once through a web browser and keep the passphrase they receive in a safe place. No password and no plaintext long-lived token is held on the server side.

Target Needs & Users

System Administrators & Security Personnel
Those who want to centralize user authentication and apply the latest OAuth/OIDC security standards to large-scale distributed file systems.
Heavy Users of Large-Scale Systems
Those who want to build automated workflows that need an always-valid access token without frequent manual renewal of credentials.
IT Infrastructure Personnel
Those who want to integrate Gfarm securely and seamlessly with the existing identity management systems (OpenID providers) of their company or university.
