airavata-custos

module
v0.0.0-...-7a32a38 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 13, 2026 License: Apache-2.0

README

Apache Airavata Custos

License GitHub closed pull requests

Custos is a security middleware for science gateways and HPC research computing, developed under the Apache Airavata umbrella. It provides identity and access management, credential storage, federated authentication, and resource allocation services through a language-independent API.

The project is currently being rebuilt around an HPC allocation management focus.

Project website

Repository Layout

Custos is composed of pluggable pieces a deployment site mixes and matches.

airavata-custos/
├── core/          # Shared contracts and domain models
├── connectors/    # Adapters to external allocation systems (ACCESS-CI, SLURM, ...)
├── extensions/    # Node-side components a site may opt into (PAM, SSH cert signer)
└── dev-ops/       # Local compose stack, Terraform, Ansible
Area Purpose Examples
core/ Go interfaces and shared domain types that connectors and extensions depend on accountprovisioning.Provisioner
connectors/ Protocol adapters that bring external state into Custos ACCESS/AMIE-Processor, SLURM/Association-Mapper
extensions/ Independent services that run alongside Custos to extend HPC node behavior CILogon-SSH-PAM, SSH-Certificate-Signer
dev-ops/ Local dev stack and deployment automation compose/, terraform/, account-provisioning/

For runtime topology and the audit conventions every component follows, see docs/architecture.md. New connector authors should start with docs/contributing/writing-a-connector.md.

Prerequisites

  • Go 1.24+
  • Docker and Docker Compose

Quick Start

git clone https://github.com/apache/airavata-custos.git
cd airavata-custos

See INSTALL.md to bring up the dev stack and run the server. See each connector's and extension's README for run and configuration details.

Documentation

Questions or Need Help?

Publications

@inproceedings{10.1145/3311790.3396635,
author = {Ranawaka, Isuru and Marru, Suresh and Graham, Juleen and Bisht, Aarushi and Basney, Jim and Fleury, Terry and Gaynor, Jeff and Wannipurage, Dimuthu and Christie, Marcus and Mahmoud, Alexandru and Afgan, Enis and Pierce, Marlon},
title = {Custos: Security Middleware for Science Gateways},
year = {2020},
isbn = {9781450366892},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3311790.3396635},
doi = {10.1145/3311790.3396635},
booktitle = {Practice and Experience in Advanced Research Computing},
pages = {278–284},
numpages = {7},
location = {Portland, OR, USA},
series = {PEARC '20}
}
@inproceedings{10.1145/3491418.3535177,
author = {Ranawaka, Isuru and Goonasekara, Nuwan and Afgan, Enis and Basney, Jim and Marru, Suresh and Pierce, Marlon},
title = {Custos Secrets: A Service for Managing User-Provided Resource Credential Secrets for Science Gateways},
year = {2022},
isbn = {9781450391610},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3491418.3535177},
doi = {10.1145/3491418.3535177},
booktitle = {Practice and Experience in Advanced Research Computing},
articleno = {40},
numpages = {4},
location = {Boston, MA, USA},
series = {PEARC '22}
}

Acknowledgment

This project is funded by the National Science Foundation (NSF).

We are grateful to Trusted CI for conducting the First Principles Vulnerability Assessment (FPVA) for this software and providing security architecture guidance and improvements.

Directories

Path Synopsis
cmd
server command
Command server starts the Custos HTTP API.
Command server starts the Custos HTTP API.
connectors
ACCESS/AMIE-Processor/pkg/amie
Package amie wires the ACCESS-AMIE connector into the core binary.
Package amie wires the ACCESS-AMIE connector into the core binary.
ACCESS/AMIE-Processor/server
Package server exposes the AMIE connector's REST read endpoints.
Package server exposes the AMIE connector's REST read endpoints.
COmanage/Identity-Provisioner/internal/client
Package client wraps the COmanage Core API and REST surfaces.
Package client wraps the COmanage Core API and REST surfaces.
COmanage/Identity-Provisioner/internal/operations
Package operations provisions POSIX identity in COmanage for a (CoPerson, UnixCluster) pair.
Package operations provisions POSIX identity in COmanage for a (CoPerson, UnixCluster) pair.
COmanage/Identity-Provisioner/pkg/comanage
Package comanage is the COmanage Identity-Provisioner entry point.
Package comanage is the COmanage Identity-Provisioner entry point.
SLURM/Rest-Client/pkg/client
cli/internal/client/accounts.go
cli/internal/client/accounts.go
internal
audit
Package audit carries cross-cutting audit metadata on ctx so writers do not have to pass it through every call site.
Package audit carries cross-cutting audit metadata on ctx so writers do not have to pass it through every call site.
db
httputil
Package httputil holds small HTTP helpers shared across the binary (tracing middleware, logging middleware, admin handlers).
Package httputil holds small HTTP helpers shared across the binary (tracing middleware, logging middleware, admin handlers).
server
Package server exposes the pkg/service API over HTTP/JSON.
Package server exposes the pkg/service API over HTTP/JSON.
pkg
events
Package events defines message types emitted by the service for downstream consumers (audit, projections, integrations).
Package events defines message types emitted by the service for downstream consumers (audit, projections, integrations).
identity
Package identity carries the verified caller across the request lifecycle.
Package identity carries the verified caller across the request lifecycle.
posix
Package posix builds and validates POSIX-conformant usernames for HPC account provisioning.
Package posix builds and validates POSIX-conformant usernames for HPC account provisioning.
service
Package service provides high-level operations on the core domain entities (Organization, User, Project).
Package service provides high-level operations on the core domain entities (Organization, User, Project).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL