Presentation is loading. Please wait.

Presentation is loading. Please wait.

AAI … but This talk is about the second 'A': Authorisation.

Published byLeslie Daniel Modified over 6 years ago

Similar presentations

Presentation on theme: "AAI … but This talk is about the second 'A': Authorisation."— Presentation transcript:

1

2

3 AAI … but This talk is about the second 'A': Authorisation.

4 Quick recap: which is which?
Credential Authentication Authorization

5 Authorisation without authentication?
How ? Photo by Alan Cleaver (CC-BY)

6 Photon Science portal use-case
Users Web Brouser User DB LOGIN Authentication dCache Portal Request Download Request Download http WebDAV Redirect Storage Pool Request Download Stream Data Stream Data USER Community Specific Service Stack Data Service

7 Desired: client downloads directly
Users Web Brouser User DB LOGIN Authentication Portal Request Download dCache Redirect Request Download (How to authorize this request ?) http WebDAV Redirect Storage Pool Request Download Stream Data USER Community Specific Service Stack Data Service

8 Desired: client downloads directly
Users Web Brouser User DB LOGIN Authentication dCache Portal Request Download Request Token Redirect T Supply Token T http WebDAV Request Download T Redirect Storage Pool Request Download Stream Data USER Community Specific Service Stack Data Service

9 What are bearer tokens? Bearer token is something the user presents with a request so the server will authorise it. There's no interaction between client and server. Examples of bearer tokens: HTTP BASIC authn, anything stored as a cookies. Counter-examples: X.509 credential, SAML, Kerberos.

10 Bearer tokens for download authz
Redirection should work without JavaScript, Simple: embed token in redirection URL. (There are nicer ways of embedding the token, but the URL is the only thing we can control) Complete token always sent with the request. What can we do to stop someone stealing this token? … or make the token useless if they steal it.

11 Introducing Macaroons

12 Macaroon is a bearer token. Macaroon contains zero or more caveats.
Macaroons 101 Macaroon is a bearer token. Macaroon contains zero or more caveats. Each caveat limits something: who can use it, or what they do with it. Anyone can add a caveat to a macaroon: Create a new macaroon that is more limited. Nobody can remove a caveat from a macaroon.

13 Example: 3rd party copy M m M m m m m Portal Reducing Authz Roque
Storage Pool Reducing Authz only WRITE, only from <IP addr>, only for 10 minutes. M m M m m Roque Service m Used to authorize Subsequent transfer m Storage Pool

14 3rd party caveats – extra cool!
1st party caveat can be satisfied by the client. 3rd party caveat requires proof from some other service; e.g. only only members of VO ATLAS, only if not part of a denial-of-service attack. The proof is another macaroon: a discharge macaroon.

15 Example: download w/3rd party caveat
Limiting Permissions Portal Storage Pool M m M m m Group Service Used to Authenticate Subsequent Transfer m m

16 The original macaroon is only useful with a valid discharge macaroon.
Discharge macaroons The client proves it satisfies a 3rd party caveat by having a discharge macaroon. The original macaroon is only useful with a valid discharge macaroon. The discharge-macaroon can have caveats: Short-lived discharge macaroon can be used to simulate X.509's certificate revocation list. The discharge macaroon can have 3rd-party caveats.

17 Solution revisited: macaroons
Users Web Brouser User DB LOGIN Authentication dCache Portal Request Download Request Token Add Caveat to Macaroon Redirect m Macaroon M http WebDAV Request Download m Redirect Storage Pool Request Download Stream Data USER Community Specific Service Stack Data Service

18 For what else are macaroons good?

19 Enabling sharing: a new interface
Create a macaroon: Need to know the macaroon to access the file. List macaroons: Facilitate sharing files. Facilitate adding caveats: Purely in-browser or server-side? Third-party caveats? (e.g., member-of-ATLAS caveat) Destroy macaroons: Unclear if this really makes sense.

20 The END www.dCache.org Further reading : On dCache
On macaroons by Google: Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud. Presentation Paper

Download ppt "AAI … but This talk is about the second 'A': Authorisation."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal 1 1 2 2 4 4 3,6 5 5 7 7 8 8 9 9 1010 1010 DNS Hello User Sample (Gateway)

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Multiple Tiers in Action

Multiple Tiers in Action
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Martin Kruliš 2. 4. 2015 by Martin Kruliš (v1.0)1.

Martin Kruliš by Martin Kruliš (v1.0)1.
Sys Prog & Scripting - HW Univ1 Systems Programming & Scripting Lecture 15: PHP Introduction.

Sys Prog & Scripting - HW Univ1 Systems Programming & Scripting Lecture 15: PHP Introduction.
10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.

10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.
Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Integrating with UCSF’s Shibboleth system

Integrating with UCSF’s Shibboleth system
PAPI Points of Access to Providers of Information.

PAPI Points of Access to Providers of Information.
ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Similar presentations

Ads by Google