Published October 1, 2021 | Version v1
Report Open

Implementation of Projects for Periodic Task Execution

  • 1. CERN openlab

Description

On Unix systems (like Linux), the cron daemon allows users to execute specific tasks periodically. The acron service at CERN extends this concept: it provides a centralized and secure way to execute such tasks, and allows tasks to be scheduled with Kerberos and AFS credentials on central services at CERN, like lxplus. The acron service is widely used across CERN, especially, but not exclusively, by scientists from the experiments, to automate recurring task execution. The scheduled tasks that are executed automatically are called acron jobs. This service helps some of our users to collect, preprocess, and analyze collision data from the experiments. It has been in service since 1996 (Toebbicke, 1996) and has undergone few changes over the years. However, in the past two years a re-design phase has been put in motion. The aim of this project is to design and develop a secure way to share acron jobs between multiple users, called acron projects, and thus mitigate this shortcoming of the acron service. The present work builds upon an existing draft dating back to 2019, which was revamped to meet the updated expectations of the service. In conclusion, our contribution is the secure implementation of job sharing for periodic task execution, i.e., acron. We restrict its availability to service accounts to eliminate the impersonation risk; this feature is only available in the deployment at CERN because service accounts are CERN-specific. After careful analysis, CERN Computer Security approves the design of this novel feature. Finally, a risk assessment and code review of the entire acron service is carried out by Computer Security.

Files

CERN_openlab_SUM_report_Rodrigo_Schettino.pdf (1.1 MB, md5:af855e82ab272722ebad4accd544bd24)