XSEDE response to the Globus Toolkit end-of-support announcement

Mar 16, 2018

The Globus team at the University of Chicago stopped development of the Globus Toolkit at the end of 2017 and plans to stop providing security patches by the end of 2018 [1]. XSEDE uses Globus Toolkit components in day-to-day operations. Note that the Globus announcement does not affect XSEDE’s use of the Globus file transfer and sharing cloud service (SaaS), the Globus Auth identity and access management service, or the Globus Connect products.

XCI began developing plans in response to this significant Globus Toolkit announcement in 2017. This document summarizes these plans. 

Executive Summary

The XSEDE plan consists of the following key steps:

  1. Confirm that we will continue to receive support from Globus for our current Globus Toolkit services as we modernize them. (This has been done)
  2. Add replacement services that use: (1) newer mechanisms, or (2) the original mechanisms with support provided elsewhere. (This is in progress now)
  3. Monitor how and why the original services continue to be used and assist their users to transition to the replacement services. (This is in progress now)

Details

The XSEDE community has long relied on the Globus Toolkit’s X.509 implementation to identify and authenticate XSEDE users in our federation of XSEDE Service Providers (SPs) and services. This mechanism is currently used each and every day by XSEDE community members, and is prominently used in our remote login and remote job management services (SSH services and the XSEDE SSO Hub) and our data transfer services (XSEDE’s GridFTP transfer endpoints).

X.509 and GridFTP have also played a secondary role in XSEDE by facilitating cooperation with other science communities (notably U.S. National Laboratories, the Open Science Grid, and the international Large Hadron Collider collaborations), which have likewise standardized around X.509 and GridFTP.

For plan step 1, we’ve received assurance from the Globus team that they will continue providing essential security patches for the Globus Toolkit components we use until they’ve offered replacements to the general public for a minimum of six months. In most cases, XSEDE will have had previews and beta versions under evaluation for longer than that. This support might extend beyond the original “end of 2018” period announced, depending on the availability of Globus’ replacements.

For plan step 2, we’re looking at two primary sources for replacement services. One is the Globus team’s newer services, which are based on new mechanisms and in some cases are still under development at this time. The second source is the Grid Community Toolkit (GCT), a “fork” of the Globus Toolkit [2]. Importantly, there is no reason for us to limit ourselves to a single replacement for each service. XSEDE serves a diverse user community with diverse needs, sometimes requiring more than one approach to satisfying related needs.

Plan step 3 will come into play as we make new services available that support specific user needs. Wherever those needs were previously supported by other means, we’ll monitor the transition to the newer services and begin plans to decommission the older ones.

Specific new services

Since 2016, XSEDE has been transitioning from X.509 to newer mechanisms for federated user identification and authentication based on OpenID Connect (OIDC), OAuth 2.0 (OAuth2), and academic InCommon/eduGAIN identity providers. There are advantages and disadvantages to this approach, but we are confident that it is the right approach for the XSEDE community, so we are exploiting the advantages and addressing disadvantages as we proceed.

New XSEDE services resulting from OIDC+OAuth2+InCommon/eduGAIN already include the following.

  • Web Single Sign-on for XSEDE services, gateways, and campuses
  • The XSEDE InCommon identity provider

We are monitoring, and in some cases evaluating, the following development efforts in the community in the hope that they will result in services or capabilities that XSEDE can use in the near future.

  • SSH services authenticated with OIDC+OAuth2 (via Globus’ SSH with Globus Auth, currently under development)
  • Data transfer endpoints authenticated with OIDC+OAuth2 (via Globus Connect Server v5 with OAuth2 support, currently under development)
  • The GCT GridFTP server (via the Grid Community Toolkit), for maintaining data transfer interoperability with other contingents in the international science community
  • The GCT GSI-OpenSSH server (via the Grid Community Toolkit), as a fallback for remote login services if Globus’ SSH with Globus Auth does not meet our needs
  • Assurance profiles and policies for OIDC/InCommon/eduGAIN identity providers (from IGTF and REFEDS, currently under development)

As each of these matures and becomes available to XSEDE, we will integrate it with the XSEDE system and services so that it can be used by our community members.

References:

[1]    https://github.com/globus/globus-toolkit/blob/globus_6_branch/support-changes.md

[2]    https://gridcf.org/