Konrad Zemek, Łukasz Opioła, Michał Wrzeszcz, Renata G. Słota, Łukasz Dutka, Jacek Kitowski ACC Cyfronet AGH Department of Computer Science, AGH - UST.
Delegation of authority in distributed data access system
Konrad Zemek, Łukasz Opioła, Michał Wrzeszcz, Renata G. Słota, Łukasz Dutka, Jacek Kitowski
ACC Cyfronet AGH, Department of Computer Science, AGH - UST
CGW 2015, Kraków, Poland, October 26-28, 2015

Agenda
- AAIs in distributed systems - challenges
- onedata - a global data access system
- Autonomous entities in onedata
- Popular technologies in AAI
- Macaroons - better than cookies
- Macaroons in onedata
- Conclusions

AAIs in distributed systems: challenges
- Services can be autonomous components
- User identity and privileges must be verified
- Some operations require delegation
- User credentials must be passed in a secure manner
(AuthN - AuthenticatioN, AuthZ - AuthoriZation)

onedata
- Global data access
- Virtualizes access to files
- Easy data sharing
- Cooperation support
- HPC support
- Unifies heterogeneous storages into a single data space
- Highly distributed

Autonomous entities in onedata
- No trust between providers
- Need for delegation
(figure: a user trusts their own provider (TRUST); providers do not trust each other (NO TRUST); labels "Share file" and "Access file" mark the cross-provider operations that need delegation)

Popular technologies in AAI
- Certificates (Globus, X.509)
  - Depending on user awareness
  - Revocation handling may be problematic
- SAML (Security Assertion Markup Language)
  - Complicated and heavyweight
  - High maintenance (in big systems)
- Web cookies
  - Carry too much authority
  - No delegation mechanism

„Macaroons are better than cookies!”
The answer to onedata's needs - macaroons (by Google):
- Bearer tokens
- Contextual confinement of authority (caveats)
- Caveats cannot be removed and cannot increase authority
- Limitable lifespan
- Third-party caveats
- Safe delegation of authority
- Serializable for easy passing

Macaroons in onedata
1. Authentication macaroon
2. Provider authorization macaroon
3. Native client authorization macaroon

Macaroons in onedata
1. Authentication macaroon
- Proof of user's identity and presence (active session)
- Short lived
- Issued by the identity service (Global Registry, GR)

Macaroons in onedata
2. Provider authorization macaroon
- Long lived
- Allows interacting with GR on behalf of the user
- Contains a 3rd-party caveat - needs the authentication macaroon

Macaroons in onedata
3. Native client authorization macaroon
- Long lived
- Given to the user, confidential
- Does not require authentication, but has limited authority
- Allows read-only access to some GR metadata
- Authority delegated by further confinement
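To make the macaroon properties from the "better than cookies" slide and the three onedata macaroons above concrete, here is an added example written for this page; it is not onedata's code and does not use its real identifiers or keys. It implements the macaroon construction of Birgisson et al. in a reduced form (an HMAC-SHA256 chain over the identifier and each caveat; the third-party caveat key is hidden with a one-time pad derived from the running signature instead of an authenticated cipher) and then models the constructed scenario: a Global Registry (GR) key, a provider authorization macaroon that carries a third-party caveat discharged by a short-lived authentication macaroon, and a read-only native client macaroon that the user delegates by adding a further caveat. All names (GR_KEY, SESSION_KEYS, the predicate grammar "key op value") are assumptions of the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, replace

# Minimal macaroon scheme (hypothetical, after Birgisson et al.): the signature is an
# HMAC chain over identifier and caveats, so caveats can be appended but never removed.
def H(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass(frozen=True)
class Macaroon:
    location: str
    identifier: bytes
    signature: bytes
    caveats: tuple = ()   # ("fp", predicate) or ("tp", location, cid, vid)

    @classmethod
    def mint(cls, root_key: bytes, location: str, identifier: bytes) -> "Macaroon":
        return cls(location, identifier, H(root_key, identifier))

    def add_first_party_caveat(self, predicate: bytes) -> "Macaroon":
        # Any holder may confine the macaroon further; nobody can undo it.
        return replace(self, signature=H(self.signature, predicate),
                       caveats=self.caveats + (("fp", predicate),))

    def add_third_party_caveat(self, location: str, caveat_key: bytes, cid: bytes) -> "Macaroon":
        # The caveat key is hidden under the current signature, so only a verifier
        # able to recompute the chain (i.e. one holding the root key) recovers it.
        vid = xor(caveat_key, H(self.signature, b"vid:" + cid))
        return replace(self, signature=H(self.signature, vid + cid),
                       caveats=self.caveats + (("tp", location, cid, vid),))

    def bind(self, discharge: "Macaroon") -> "Macaroon":
        # Tie a discharge to this macaroon so it cannot be replayed with another one.
        return replace(discharge, signature=H(self.signature, discharge.signature))

def _verify_chain(m, key, root, discharges, check):
    sig = H(key, m.identifier)
    for cav in m.caveats:
        if cav[0] == "fp":
            if not check(cav[1]):
                raise PermissionError(f"caveat not satisfied: {cav[1]!r}")
            sig = H(sig, cav[1])
        else:
            _, _, cid, vid = cav
            caveat_key = xor(vid, H(sig, b"vid:" + cid))
            discharge = next((d for d in discharges if d.identifier == cid), None)
            if discharge is None:
                raise PermissionError(f"missing discharge for {cid!r}")
            _verify_chain(discharge, caveat_key, root, discharges, check)
            sig = H(sig, vid + cid)
    expected = sig if m is root else H(root.signature, sig)   # discharges must be bound
    if not hmac.compare_digest(expected, m.signature):
        raise PermissionError("signature mismatch (forged or tampered)")

def authorized(m: Macaroon, root_key: bytes, discharges: list, ctx: dict) -> bool:
    """True iff every caveat holds in ctx and all signatures verify (never raises)."""
    def check(pred: bytes) -> bool:
        key, op, val = pred.decode().split(" ", 2)
        if op == "=":
            return str(ctx.get(key)) == val
        if op == "<":
            return float(ctx.get(key, "inf")) < float(val)
        return False
    try:
        _verify_chain(m, root_key, m, discharges, check)
        return True
    except PermissionError:
        return False

# --- Constructed onedata-like scenario; keys and identifiers are made up ---
GR_KEY = secrets.token_bytes(32)   # Global Registry root key (assumption)
SESSION_KEYS = {}                  # GR's record of the caveat key per login session

def issue_provider_macaroon(user: str) -> Macaroon:
    # 2. Provider authorization macaroon: long lived, acts for the user at GR,
    #    but only together with a discharge proving an active session.
    cid = f"session:{user}".encode()
    SESSION_KEYS[cid] = secrets.token_bytes(32)
    return (Macaroon.mint(GR_KEY, "gr", b"provider-auth")
            .add_first_party_caveat(f"user = {user}".encode())
            .add_third_party_caveat("gr/login", SESSION_KEYS[cid], cid))

def issue_authentication_macaroon(user: str, now: int, ttl: int = 300) -> Macaroon:
    # 1. Authentication macaroon: the short-lived discharge for the caveat above.
    cid = f"session:{user}".encode()
    return (Macaroon.mint(SESSION_KEYS[cid], "gr/login", cid)
            .add_first_party_caveat(f"time < {now + ttl}".encode()))

def issue_native_client_macaroon(user: str) -> Macaroon:
    # 3. Native client authorization macaroon: no discharge needed, read-only authority.
    return (Macaroon.mint(GR_KEY, "gr", b"client-auth")
            .add_first_party_caveat(f"user = {user}".encode())
            .add_first_party_caveat(b"op = read"))

def demo(now: int = 1_700_000_000) -> dict:
    prov = issue_provider_macaroon("alice")
    auth = prov.bind(issue_authentication_macaroon("alice", now))
    client = issue_native_client_macaroon("alice")
    delegated = client.add_first_party_caveat(b"space = demo")   # delegation by confinement
    stripped = replace(delegated, caveats=delegated.caveats[:-1])  # tampering: drop a caveat
    forged = Macaroon.mint(secrets.token_bytes(32), "gr", b"client-auth")  # wrong root key
    ctx = {"user": "alice", "op": "read", "space": "demo", "time": now}
    return {
        "provider_with_session": authorized(prov, GR_KEY, [auth], ctx),
        "provider_without_session": authorized(prov, GR_KEY, [], ctx),
        "provider_expired_session": authorized(prov, GR_KEY, [auth], {**ctx, "time": now + 600}),
        "client_read": authorized(client, GR_KEY, [], ctx),
        "client_write": authorized(client, GR_KEY, [], {**ctx, "op": "write"}),
        "delegated_demo_space": authorized(delegated, GR_KEY, [], ctx),
        "delegated_other_space": authorized(delegated, GR_KEY, [], {**ctx, "space": "other"}),
        "caveat_stripped": authorized(stripped, GR_KEY, [], ctx),
        "forged_key": authorized(forged, GR_KEY, [], ctx),
    }
```

Running demo() shows the properties the slides rely on: the provider macaroon is useless without a fresh, bound authentication discharge; the native client macaroon can only read; a delegate who added "space = demo" cannot reach other spaces; and dropping a caveat or minting under another key breaks the HMAC chain. A real deployment would replace the XOR hiding of the caveat key with an authenticated cipher, as the original macaroon design does.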

Macaroons vs autonomous entities in onedata
(figure: the earlier TRUST / NO TRUST diagram with "Share file" and "Access file", now annotated with the AuthN and AuthZ macaroons that carry the delegated authority between providers)

Conclusions
Macaroons in onedata ensure:
- High security (macaroons are cryptographically strong)
- Ease of use and transparency to the users
- Simpler authorization system
- Fine-grained permissions
- Low storage and computational overheads

Thank you
onedata homepage: