Details
-
Type:
RFC
-
Status: Implemented
-
Resolution: Done
-
Component/s: DM
-
Labels:None
Description
This RFC is largely informational to document a change in technical direction from a previously discussed plan. Unless you are developing Science Platform and adjacent services, it will not affect you.
Historically the idea was that the Science Platform layer would rely on underlying infrastructure permissions. For a number of reasons, some technical and some not, we are now proceeding with a model where the service layer is responsible for authentication and the infrastructure is agnostic of the user management model. While the previous approach had the virtue of simplicity, the new approach means that:
- Certain service architectures (eg remote Butler) become possible
- Generating large number of fake accounts for scale testing becomes easy
- Onboarding/offboarding and other user management on a large number of heterogenous deployments (LDF, IDF, USDF, Summit, iDACs, etc) is simpler
- Users do not need infrastructure accounts (from the provider), just Science Platform accounts which means that scientists of all nationalities may use our services even if they are hosted in a government lab (eg SLAC)
- Concerns than this model would place an unsupportable burden on the A&A service have been allayed by our new service, gafaelfawr
- Interoperability with off-the-shelf OAuth2 services becomes easier
- Object Stores can be transparently substituted in services that previously relied on POSIX filesystems
This model is already applied on Science Platform services (for example, users do not need Google accounts to use the platform deployed on IDF). We have not yet worked out the details of access to the user database tables, but have no reason to believe this approach won't work.
Tagging all relevant parties, hopefully not a surprise to anyone at this point.
Attachments
Issue Links
Activity
I am a tad concerned that this RFC discussion is now revolving around a poorly defined service to which we don't have a prototype, a conceptual design, or a rich set of requirements. There are a lot of ways to service requirements for user ad-hoc analytics; some of them can be serviced science-platform side, some can be serviced factory-batch side, and I would be fairly stunned if access to the latter was not gatekeeped in some way that if the as-yet non-existent user-factory-batch system required infrastructure accounts it would not be a problem.
I'd like to bring this RFC to a close by constraining it to the Science Platform. The only Science Platform requirement relating to user batch is that nublado provide shell access to the user batch system.
I think you are saying two things: "we believe that user-provided batch code execution is not part of the RSP, besides shell access" (and indeed it was anticipated that project DACs would use an underlying infrastructure component provided by the facility) and "we have not yet worked out the details of user-provided batch code execution, but have reason to believe that either this approach (accounts in the RSP service layer) will work or else underlying infrastructure accounts can be provided to such users for authentication, authorization, and resource management." Is that correct?
I agree with Frossie. Let's handle user batch separately - but soon, so that USDF can make a plan.
Adopting this in the narrow intended way of Science Platform services, excluding user batch.
My expectation has been: