
May 8 – 12, 2023
Norfolk Waterside Marriott
US/Eastern timezone

Design and implementation of experimental data access security policy for HEPS computing platform

Not scheduled, 1h
Hampton Roads Ballroom and Foyer Area (Norfolk Waterside Marriott), 235 East Main Street Norfolk, VA 23510
Poster Session

Speaker

Fu, Shiyuan (IHEP)

Description

The High Energy Photon Source (HEPS) computing platform is built on a Kubernetes (k8s) cluster and provides containerised analysis services to users. The analysis environment is a JupyterLab container, with the JupyterHub web page as the entry point. Software libraries are stored in CVMFS, which the containers access through a CSI driver. User experiment data is stored on Lustre; the storage volumes are mapped into the container environment in localhost mode to provide read/write data access for users.

The HEPS computing platform has many users and requires strict confidentiality for experimental data. Experimental data acquisition, the generation and preservation of raw data, and experimental data analysis (data access and the generation of result data) all require strict permission control. Lustre stores the user experiment data on the platform, and the Lustre file system enforces access control using the uid and gid of the Linux system. When data is generated, the raw HEPS experiment data is given Linux uid and gid attributes; users enter the analysis environment with the same uid and gid and thereby obtain the corresponding read and write permissions. The process of generating the data and writing it to disk is fixed and runs automatically in the background, which keeps it secure. The HEPS data analysis environment is more complex: it is a container computing environment created on k8s, and user identification and environment configuration there present many difficulties, so the platform cannot guarantee the security of data access. To address these problems, this paper combines OAuth2.0, krb5 authentication, JupyterHub, container images, and other techniques to implement user identification and automatic environment configuration in both the single-container data analysis environment and the multi-container collaborative computing environment, thereby securing access to experimental data.
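To make the identity-to-permission chain concrete, here is an added example in Python; it is not code from the HEPS platform or from the authors. It resolves an authenticated JupyterHub user name to a Linux uid/gid, refuses to spawn a container when no identity can be resolved (the failure mode the abstract warns about, where a container with an unverified identity would otherwise reach the Lustre mount), pins the analysis pod to that identity through a Kubernetes securityContext, and emulates the uid/gid check that Lustre applies to a file. The identity table, user names, uid/gid values and the `MIN_USER_UID` threshold are constructed assumptions; the hook follows the shape of JupyterHub's `pre_spawn_hook` and uses KubeSpawner's `uid`/`gid`/`supplemental_gids` attribute names, but nothing here imports either project, so the module runs offline.

```python
import stat
from dataclasses import dataclass
from types import SimpleNamespace

# Constructed account directory standing in for the site's identity source.
# In a real deployment these values come from the OAuth2/krb5 login (for
# example via JupyterHub auth_state); the names and numbers here are made up.
IDENTITY_TABLE = {
    "alice": {"uid": 10001, "gid": 5001, "groups": [5001, 6001]},
    "bob":   {"uid": 10002, "gid": 5002, "groups": [5002]},
}

MIN_USER_UID = 1000  # assumption: lower uids are system accounts, never spawned


@dataclass(frozen=True)
class PosixIdentity:
    """The Linux identity the analysis container must run as."""
    uid: int
    gid: int
    supplemental_gids: tuple


def resolve_identity(username: str) -> PosixIdentity:
    """Map an authenticated user name to uid/gid; refuse anything unresolvable.

    Refusing (rather than falling back to a shared uid) is the point: a
    container without a verified identity must not get a Lustre mount at all.
    """
    entry = IDENTITY_TABLE.get(username)
    if entry is None:
        raise LookupError(f"no POSIX identity for user {username!r}")
    if entry["uid"] < MIN_USER_UID:
        raise PermissionError(f"refusing to spawn privileged uid {entry['uid']}")
    return PosixIdentity(entry["uid"], entry["gid"], tuple(entry["groups"]))


def pod_security_context(identity: PosixIdentity) -> dict:
    """Kubernetes pod securityContext that pins the container to the identity."""
    return {
        "runAsUser": identity.uid,
        "runAsGroup": identity.gid,
        "supplementalGroups": list(identity.supplemental_gids),
        "runAsNonRoot": True,
    }


def pre_spawn_hook(spawner) -> PosixIdentity:
    """Hook in the shape JupyterHub's c.Spawner.pre_spawn_hook expects.

    spawner.user.name is the authenticated JupyterHub user; the uid, gid and
    supplemental_gids attribute names follow KubeSpawner's traits (assumption).
    """
    identity = resolve_identity(spawner.user.name)
    spawner.uid = identity.uid
    spawner.gid = identity.gid
    spawner.supplemental_gids = list(identity.supplemental_gids)
    return identity


def make_fake_spawner(username: str):
    """Constructed stand-in for a spawner object, used to exercise the hook."""
    return SimpleNamespace(user=SimpleNamespace(name=username),
                           uid=None, gid=None, supplemental_gids=None)


def posix_access_allowed(identity: PosixIdentity, owner_uid: int, owner_gid: int,
                         mode: int, write: bool = False) -> bool:
    """Emulate the uid/gid check Lustre applies to a file with the given mode.

    POSIX selects exactly one class (owner, group, other) and uses only that
    class's bits; a group member who lacks the group write bit does not fall
    through to the 'other' bits.
    """
    if identity.uid == owner_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR)
    elif owner_gid == identity.gid or owner_gid in identity.supplemental_gids:
        bits = (stat.S_IRGRP, stat.S_IWGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH)
    needed = bits[1] if write else bits[0]
    return bool(mode & needed)


if __name__ == "__main__":
    spawner = make_fake_spawner("alice")
    who = pre_spawn_hook(spawner)
    print(pod_security_context(who))
    # Constructed dataset: owned by alice (uid 10001), beamline group 5001, mode 0640.
    print(posix_access_allowed(resolve_identity("bob"), 10001, 5001, 0o640))
```

The important design choice is that `resolve_identity` raises rather than defaulting: a spawn that cannot be tied to a verified uid/gid is aborted before any volume is mounted, so the Lustre permission bits set on the raw data remain the only thing deciding who can read or write it.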

Consider for long presentation: No

Primary authors

Hu, Qingbao (IHEP); Wang, Lu (Institute of High Energy Physics, Chinese Academy of Sciences); Xu, Jiping (IHEP); Luo, Qi (IHEP); Fu, Shiyuan (IHEP)


Peer reviewing: Paper