On a scientific computing grid the user’s identity is an X.509 certificate issued by an accredited certification authority, not a username/password pair held by the application. Almost everything about how you build a web portal on top of a grid such as GRID.IT follows from this. The most delicate work does not sit in the interface: it sits in the bridge between browser and security infrastructure.

Context

GRID.IT is the project funded under the FIRB programme (Fondo per gli Investimenti della Ricerca di Base) of the Italian Ministry of Education, Universities and Research, coordinated by Domenico Laforenza at ISTI-CNR in Pisa (Institute of Information Science and Technologies “Alessandro Faedo”), with the participation of INFN, CNR, INAF, INGV and several universities. Its stated aim is a distributed-computing infrastructure for Italian scientific research.

On the software side, the stack of a grid like this is entirely open source: the Globus Toolkit middleware (version 4.0 was released in April 2005, built on WSRF and the OGSA architecture) and the gLite middleware developed within the European EGEE project. The operating system is Linux, and most components — from the gatekeeper to the data-management services — run on Scientific Linux distributions. By portal we mean here the layer a researcher uses to submit jobs and consult results from a browser, without installing the grid’s command-line client on their own machine.

The authentication problem

The security model is the Grid Security Infrastructure (GSI), introduced by the Globus project in the late 1990s. GSI uses X.509 certificates and TLS for authentication, and it adds a delegation mechanism: the proxy certificate, standardised in 2004 by RFC 3820. A proxy is a short-lived certificate (typically twelve hours) signed by the user’s own certificate, carrying with it a private key not protected by a passphrase. It exists because a job running for hours on a remote node must be able to authenticate to other grid services — a storage element, another computing element — without the user being there to type the passphrase each time.

Hence the concrete problem for a portal. The user arrives with a browser. To submit work they need a valid proxy. But generating the proxy needs the user’s private key, which by sound practice should never leave the owner’s machine. A portal that asked the user to upload their private key to the server would break the assumption on which the whole trust of the grid rests.

Architecture

Across the grid ecosystem the solution is to interpose a credential service between portal and user. The pattern is MyProxy, born at NCSA: the user deposits in advance a longer-lived proxy in a MyProxy repository, protected by a passphrase; the portal, when the need arises, retrieves a short-lived proxy from that repository and uses it to act on the user’s behalf. The user’s long-term private key never passes through the portal.

On the interface side, the GENIUS portal developed at INFN is the Italian reference example: a web front-end built on Apache that translates the user’s actions into commands of the underlying middleware, mediating precisely through MyProxy. The portal’s logic does little presentation and much else: it orchestrates credentials, builds the job description, submits to the resource broker and tracks status.

There is then the authorisation layer, distinct from the authentication one. Knowing who the user is does not suffice: you need to know which virtual organisation they belong to and with what rights. This is provided by VOMS (Virtual Organisation Membership Service), which inserts signed attributes about groups and roles into the proxy. The portal has to handle this too: a proxy without VOMS extensions is authenticated but may be authorised to do nothing at all.

The critical point

The critical point is the certification authority. The whole trust model rests on each country having an accredited CA and on the CAs recognising one another through a trust federation. For Italy the accredited grid CA is the one run by INFN, whose Certificate Policy / Certification Practice Statement is coordinated at European level by EUGridPMA, the body that curates the fabric of trust for e-Science authentication in Europe, itself part of IGTF (International Grid Trust Federation).

The practical consequence is that a portal cannot improvise its identity handling. It must trust exactly the set of CAs the federation recognises, distribute the correct root certificates, respect the revocation and lifetime policies. An out-of-date CA certificate, or an expired revocation list, is enough for authentication to stop working for everyone — or, worse, to keep working when it should not. Managing the CA, in a project like GRID.IT, is therefore a task in its own right, with operational responsibilities that do not end with writing code.

Implications

For whoever builds the web layer, the consequence is that the portal is above all a security mediator. The choices that really weigh — depositing proxies via MyProxy, distributing the CA trust anchors, integrating VOMS attributes, honouring RFC 3820 — are infrastructure choices, and the graphical interface lives on top of them. Here the fully open-source stack weighs for a practical reason, not an ideological one: every middleware component is inspectable, so the behaviour of authentication across the various layers can be traced all the way through. Which is indispensable when a credential signed by a national CA crosses four or five services before a job starts. The GRID.IT portal on a Linux/Apache/Zope stack and the project’s certification authority — built on OpenCA, with directory and authentication on OpenLDAP, issuing the X.509 certificates of nodes and users, distinct from INFN’s national accredited CA — are among the components built by noze in the project, described in the related insight: https://www.noze.it/en/insights/gridit-firb/.

Limits

What is described here concerns authentication and authorisation, not the overall usability of a grid. Out of the picture remain scheduling, the reliability of data movement over the WAN, job reproducibility and queue management, which weigh on the researcher’s experience at least as much as the security model. And the centrality of the short-lived proxy solves delegation but introduces a fragile point: a stolen proxy stays usable until it expires, and CA policies on this are still evolving. The portal makes the grid reachable from a browser; it does not make it simple.


Cover image: Row of rack cabinets packed with servers and cables in the CERN computing centre, part of the scientific computing grid — photo by Bigfoot~commonswiki, public domain — https://commons.wikimedia.org/wiki/File:Cern_computer_grid.jpg