This RFC is largely informational to document a change in technical direction from a previously discussed plan. Unless you are developing Science Platform and adjacent services, it will not affect you.
Historically the idea was that the Science Platform layer would rely on underlying infrastructure permissions. For a number of reasons, some technical and some not, we are now proceeding with a model where the service layer is responsible for authentication and the infrastructure is agnostic of the user management model. While the previous approach had the virtue of simplicity, the new approach means that:
- Certain service architectures (e.g. remote Butler) become possible
- Generating large numbers of fake accounts for scale testing becomes easy
- Onboarding/offboarding and other user management on a large number of heterogeneous deployments (LDF, IDF, USDF, Summit, iDACs, etc.) is simpler
- Users do not need infrastructure accounts (from the provider), just Science Platform accounts, which means that scientists of all nationalities may use our services even if they are hosted in a government lab (e.g. SLAC)
- Concerns that this model would place an unsupportable burden on the A&A service have been allayed by our new service, gafaelfawr
- Interoperability with off-the-shelf OAuth2 services becomes easier
- Object Stores can be transparently substituted in services that previously relied on POSIX filesystems
This model is already applied on Science Platform services (for example, users do not need Google accounts to use the platform deployed on IDF). We have not yet worked out the details of access to the user database tables, but have no reason to believe this approach won't work.
Tagging all relevant parties, hopefully not a surprise to anyone at this point.