Presentation is loading. Please wait.

Presentation is loading. Please wait.

Xrootd Authentication & Authorization Andrew Hanushevsky Stanford Linear Accelerator Center 6-June-06.

Published byRolf Allison Modified over 9 years ago

Similar presentations

Presentation on theme: "Xrootd Authentication & Authorization Andrew Hanushevsky Stanford Linear Accelerator Center 6-June-06."— Presentation transcript:

1 xrootd Authentication & Authorization Andrew Hanushevsky Stanford Linear Accelerator Center 6-June-06

2 June 6, 20062: MWSG Goals Flexible security architecture Multiple protocols Easily expandable Simultaneous heterogeneous protocols Allow multiple administrative domains Simple administration Minimal server configuration No No client configuration needed

3 June 6, 20063: MWSG Authentication & Authorization Developed as runtime plug-in components Easy to substitute Trivial to extend Client/Server architecture plugin aware Designed for flexibility from the start Application layer architecture Portable to other application architectures

4 June 6, 20064: MWSG xrootd Server Architecture Protocol Layer Filesystem Logical Layer Filesystem Physical Layer Filesystem Implementation Protocol & Thread Manager (included in distribution) p2p heart

5 June 6, 20065: MWSG Security Architecture login authenticate Client-Specific Security Configuration libXrdSec.so Protocol Selection Self Configuration Security Token Multiple handshakes allowed during authentication phase (required by some PKI protocols) libXrdSecgsi.so libXrdSeckrb4.so libXrdSeckrb5.so libXrdSecpwd.so Dynamically selected by client Server specifies availability Libraries managed by libXrdSec.so

6 June 6, 20066: MWSG Authentication I Specified by config file directives xrootd.seclib so_path xrootd.seclib /opt/rooted/lib/libXrdSec,so sec.protocol [ libpath ] protid sec.protocol gsi sec.protocol krb5 sec.protbind hostpat { none | [ only ] protocols } sec.protbind * only gsi sec.protbind *stanford.edu krb5 gsi sec.protbind *slac.stanford.edu none

7 June 6, 20067: MWSG Authentication II Server constructs configuration for clients Client specific Information contained in security “token” Client needs are simple Protocol manager library + protocol libraries No libraries needed for host authentication No fuss, no mess, no bother Server configures the client at run-time

8 June 6, 20068: MWSG Heterogeneous Security Support Servers have one or more protocol objects Server protocol objects created at server initialization time Client selects which protocol to use when security context created Protocol object created based on configuration returned by xrootd One security context object per physical xrootd connection Protocol objects may be shared by one or more contexts Each “pass” through a security context object may generate credentials to be passed to xrootd protocols

9 June 6, 20069: MWSG Authentication Information char prot[XrdSecPROTOIDSIZE]; // Protocol used char *name; // Entity's name char *host; // Entity's host name char *vorg; // Entity's virtual organization char *role; // Entity's role char *endorsements; // Protocol specific endorsements char *tident; // Trace identifier (do not touch) Passed to file system layer to be used for authorization

10 June 6, 200610: MWSG Authorization Challenge Number of files Billions and billions of files Amount of data is a moot point Access control list model unmanageable Too many files to protect Don’t want to record usernames in many places Capability model is manageable Few users relative to number of files Usernames recorded only once Each user given access to arbitrary file space regions

11 June 6, 200611: MWSG Authorization Approach Works as a plug-in ofs.authlib path [ parms ] ofs.authorize Default authorization is built-in Basic NT-like access control

12 June 6, 200612: MWSG Authorization Architecture u abh rw /slac/files/usr/abh r /cern/files libXrdSec.so lib????.so Authentication Authorization

13 June 6, 200613: MWSG Builtin Architecture Detail access() yesno yes or no client database request liboofs.so u abh rw /slac/files/usr/abh r /cern/files lib????.so or builtin

14 June 6, 200614: MWSG Builtin Authorization Model Capability based model Each entity has a list of capabilities A capability is a path prefix-privilege pair Any number of such pairs may be specified More scalable when number of objects greatly exceeds number of entities Can mimic an access control model Entities can be: Hosts NIS Netgroups Unix Groups Users u abh rw /slac/files/usr/abh r /cern/files

15 June 6, 200615: MWSG Builtin Authorization Entities idtype idtype id { path privs | tempid } [ ] [ \ ] g- Unix group name Applied when user is a member of the group h- Host name Applied when request originates from this host Always fully qualify the host name and specify in lower case n- NIS netgroup name Applied when the triplet (hostname, username, domainname) is a member of the specified netgroup t- template name Specification substituted in future authorization records for tempid u- user’s name (can be DN) Applied for specific user, as identified by authentication protocol

16 June 6, 200616: MWSG Special Entities u = { path privs | tempid } [ ] [ \ ] User’s name replaces the first occurrence of @= in path Allows specializing privileges by user’s name without listing all users Only one such entry may exist Example: u = /usr/@=/files a u = /usr/@=/files a User abh has all privileges for /usr/abh/files u * { path privs | tempid } [ ] [ \ ] The entry applies to all users regardless of the originating host Essentially default privileges Only one such entry may exist Example u * /files rws u * /files rws Fungible Default

17 June 6, 200617: MWSG Builtin Authorization Privileges privs idtype id { path privs | tempid } [ ] [ \ ] a- all privileges i- insert (create) l- lookup r- read d- deletek- lock (unused) n- renamew- write Positive and negative privileges allowed Negative privileges always override positive privileges Examples u aaa /foo rw User aaa has read/write privileges in /foo u abh /foo a-n User abh has all privileges except rename in /foo u xyz /foo –wind User xyz is denied write/insert/rename/delete privileges in /foo

18 June 6, 200618: MWSG Principal of Least Privilege For the first applicable path, if any, in each of Default entry Fungible user entry Specific user entry Entry for originating host All Unix groups in which user is a member All netgroups to which (hostname, username, domainname) applies Logically add together positive privileges pos_privs |= new_pos_privs Logically add together negative privileges neg_privs |= new_neg_privs Final privileges are positive less negative privileges final_privs = pos_privs & ~neg_privs

19 June 6, 200619: MWSG Entities and Certs Some entities equivalent User Name and DN Host Others are not clear Group, Netgroup Additions are needed Vorg and Role (the definition?) Endorsement handling is totally unclear Future Project

20 June 6, 200620: MWSG Summary xrootd security Fully configurable, extendable, even replaceable Standards-based authentication GSI Kerberos (version 4 or 5) Host based Password Builtin Capability-based authorization Extensive privilege support Auditing Good model for application level security

Download ppt "Xrootd Authentication & Authorization Andrew Hanushevsky Stanford Linear Accelerator Center 6-June-06."

Similar presentations

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Access Control Methodologies

Access Control Methodologies
 Introduction Originally developed by Open Software Foundation (OSF), which is now called The Open Group (www.opengroup.org) Provides a set of tools and.

 Introduction Originally developed by Open Software Foundation (OSF), which is now called The Open Group ( Provides a set of tools and.
Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005.

Security Issues in Physics Grid Computing Ian Stokes-Rees OeSC Security Working Group 14 June 2005.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.

CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 5 Database Application Security Models

Chapter 5 Database Application Security Models
Group Accounts; Securing Resources with Permissions

Group Accounts; Securing Resources with Permissions
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
Authenticating REST/Mobile clients using LDAP and OERealm

Authenticating REST/Mobile clients using LDAP and OERealm
Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.

Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.
Telecommunication Networks Group Technical University Berlin Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments.

Telecommunication Networks Group Technical University Berlin Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments.
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.

Similar presentations

Ads by Google