The Globus team at the University of Chicago stopped development of the Globus Toolkit at the end of 2017 and plans to stop providing security patches by the end of 2018 [1]. XSEDE uses Globus Toolkit components in day-to-day operations. Note that the Globus announcement does not affect XSEDE’s use of the Globus file transfer and sharing cloud service (SaaS), the Globus Auth identity and access management service, or the Globus Connect products.
XCI began developing plans in response to this significant Globus Toolkit announcement in 2017. This document summarizes these plans.
The XSEDE plan consists of the following key steps:
The XSEDE community has long relied on the Globus Toolkit’s X.509 implementation to identify and authenticate XSEDE users in our federation of XSEDE Service Providers (SPs) and services. This mechanism is currently used each and every day by XSEDE community members, and is prominently used in our remote login and remote job management services (SSH services and the XSEDE SSO Hub) and our data transfer services (XSEDE’s GridFTP transfer endpoints).
X.509 and GridFTP have played a secondary role in XSEDE by facilitating cooperation with other science communities (notably: U.S. National Laboratories, the Open Science Grid, and the international Large Hadron Collider collaborations), which have also standardized around X.509 and GridFTP.
For plan step 1, we’ve received assurance from the Globus team that they will continue providing essential security patches for the Globus Toolkit components we use until they’ve offered replacements to the general public for a minimum of six months. In most cases, XSEDE will have had previews and beta versions under evaluation for longer than that. This support might extend beyond the original “end of 2018” period announced, depending on the availability of Globus’ replacements.
For plan step 2, we’re looking at two primary sources for replacement services. One is the Globus team’s newer services, which are based on new mechanisms and in some cases are still under development at this time. The second source is the Grid Community Toolkit (GCT), a “fork” of the Globus Toolkit [2]. Importantly, there is no reason for us to limit ourselves to a single replacement for each service. XSEDE serves a diverse user community with diverse needs, sometimes requiring more than one approach to satisfying related needs.
Plan step 3 will come into play as we make new services available that support specific user needs. Wherever those needs were previously supported by other means, we’ll monitor the transition to the newer services and begin plans to decommission the older ones.
Since 2016, XSEDE has been transitioning from X.509 to newer mechanisms for federated user identification and authentication based on OpenID Connect (OIDC), OAuth 2.0 (OAuth2), and academic InCommon/eduGAIN identity providers. There are advantages and disadvantages to this approach, but we are confident that it is the right approach for the XSEDE community, so we are exploiting the advantages and addressing disadvantages as we proceed.
New XSEDE services resulting from OIDC+OAuth2+InCommon/eduGAIN already include the following.
We are monitoring, and in some cases evaluating, the following development efforts in the community in the hope that they will result in services or capabilities that XSEDE can use in the near future.
As each of these matures and becomes available to XSEDE, we will integrate it with the XSEDE system and services so that it can be used by our community members.
References:
[1] https://github.com/globus/globus-toolkit/blob/globus_6_branch/support-changes.md