
Third Party Transfers & Attribute URI ideas


1 Third Party Transfers & Attribute URI ideas
Andrew McNab University of Manchester

2 Third Party Transfers
- GridSite now provides Third Party Transfers for HTTP
- htcp command supports this on the client side, although it can also be done using curl etc
- gridsite-copy.cgi provides the necessary extra server-side support
- mod_gridsite used as the passive server
- security based on X.509, VOMS etc as normal
- Onetime passcode used as minimal delegation
14 December 2005 Grid Security

3 Doing a transfer
[Diagram: sequence between Client, A: Server with file, and B: Server to receive file. Messages shown: HEAD /file, answered with a Onetime Passcode; COPY with Destination: /file and Cookie: PASSCODE; GET /file with Cookie: PASSCODE. All HTTPS except GET /file.]

4 Passcodes
- Onetime passcodes originally added for “GridHTTP” unencrypted transfers
- Since the HTTP stream is unencrypted, we want simple authentication: just a random, single-use number
- Extend this idea for third-party, so the single use is when it is used over an unencrypted stream
- This provides a basic form of delegation
- Passcode can only be used for the specified file
- Time limit on the passcode imposed by the server

5 Multistream
- We've added support for multistream HTTP to the htcp client
- Client opens multiple HTTP connections; fetches multiple blocks of the file
- The necessary server-side Range: support is always there in Apache
- Now deciding how to merge this with 3rd Party Transfers
- In the simplest case, each block needs a passcode
- Ideally, want to generate or request new passcodes on the “B” server, based on the original passcode
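The passcode rules from the Passcodes slide (bound to one file, server-imposed time limit, consumed on first use over an unencrypted stream, so a second block in the multistream case needs a fresh code) as an added example. This is illustrative code written for this transcript, not GridSite's implementation; the store, method names and 300-second default are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Passcode:
    path: str            # the passcode is bound to exactly one file
    expires_at: float    # server-imposed time limit, absolute epoch seconds
    used: bool = False   # set once redeemed over an unencrypted stream


class PasscodeStore:
    """Server-side table of onetime passcodes (hypothetical, not GridSite's)."""

    def __init__(self, ttl_seconds: float = 300.0):
        self.ttl = ttl_seconds
        self._codes: Dict[str, Passcode] = {}

    def issue(self, path: str, now: Optional[float] = None) -> str:
        """Mint a random single-use code after an authorised HEAD over HTTPS."""
        now = time.time() if now is None else now
        code = secrets.token_hex(16)
        self._codes[code] = Passcode(path=path, expires_at=now + self.ttl)
        return code

    def redeem(self, code: str, path: str, encrypted: bool,
               now: Optional[float] = None) -> bool:
        """Check a presented passcode.

        Over HTTPS (e.g. the COPY request) the code is only validated; the
        first use over plain HTTP (the GET /file) consumes it.
        """
        now = time.time() if now is None else now
        pc = self._codes.get(code)
        if pc is None or pc.used:
            return False            # unknown, or already spent on an unencrypted GET
        if now >= pc.expires_at:
            del self._codes[code]   # expired: drop it so it can never be replayed
            return False
        if pc.path != path:
            return False            # only valid for the file it was issued for
        if not encrypted:
            pc.used = True          # single use over the unencrypted stream
        return True
```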

6 Attribute URIs?
- We've discussed the benefits of tying VOMS certificate names and attributes together “somehow”
- Simplest would be that VO names are DNS names, eg if the FQAN is like: “/atlas.cern.ch/analysis/higgs”
- Benefit is that dynamic or small VOs don't need to distribute their VOMS certificates via a trusted channel, ie like the one for CA root certificates
- However, this renaming of VOs isn't happening...
- Is there something we can do in policy engines instead?

7 Proposal
- We interpret our current Fully Qualified Attribute Names as relative attribute names
- So “/atlas/analysis/higgs” (1) is now short for “voms://voms.atlas.cern.ch/atlas/analysis/higgs” (2)
- If a policy evaluation engine sees (1) in a policy, then it processes as normal: looks in vomsdir for the VOMS server cert
- Change is that if it sees (2), then it can make use of a VOMS server cert obtained from the client, or by contacting “voms.atlas.cern.ch”
- Since the policy is trusted anyway, we can check the chain back to the VOMS's CA just by checking signatures and DNs

8 Implications (1)
- VOs that are happy to distribute VOMS certificates just carry on as normal
- Other people can create small or dynamic VOs without needing to get their VOMS cert (or their VOMS contact details) into a centralised distribution mechanism
- Users can just start writing policies referencing the absolute attribute URIs
- CAs just continue as normal, ensuring that host/service certificates are only granted to people who own that DNS domain name

9 Implications (2)
- People running VOMS servers who want to benefit from this need to use a generic server name (atlas.cern.ch, not atlas23421.cern.ch)
- Either get the certificate for the generic name, or use SubjectAltName if the CA allows that
- We need to define what (untrustworthy) sources the policy evaluators can query for the VOMS certificate
  - GSI Proxy extension?
  - Query the hostname via SSL – what port numbers?

10 Summary
- GridSite now supports third party transfers via HTTP
- Based on COPY from WebDAV RFC2518
- This is implemented in the usual modular GridSite way, so it can be incorporated into other applications, middleware etc
- We're extending to support multistream third party copies!
- Absolute Attribute URIs provide a way of maintaining small or dynamic VOs without trusted VOMS cert distribution
