
Konrad Zemek, Łukasz Opioła, Michał Wrzeszcz, Renata G. Słota, Łukasz Dutka, Jacek Kitowski ACC Cyfronet AGH Department of Computer Science, AGH - UST.




Slide 1: Delegation of authority in distributed data access system
Konrad Zemek, Łukasz Opioła, Michał Wrzeszcz, Renata G. Słota, Łukasz Dutka, Jacek Kitowski
ACC Cyfronet AGH; Department of Computer Science, AGH - UST
CGW 2015, Kraków, Poland, October 26-28, 2015

Slide 2: Agenda
- AAIs in distributed systems: challenges
- onedata: a global data access system
- Autonomous entities in onedata
- Popular technologies in AAI
- Macaroons: better than cookies
- Macaroons in onedata
- Conclusions

Slide 3: AAIs in distributed systems: challenges
- Services can be autonomous components
- User identity and privileges must be verified
- Some operations require delegation
- User credentials must be passed in a secure manner
(AuthN: Authentication; AuthZ: Authorization)

Slide 4: onedata
- Global data access
- Virtualizes access to files
- Easy data sharing
- Cooperation support
- HPC support
- Unifies heterogeneous storages into a single data space
- Highly distributed

Slide 5: Autonomous entities in onedata
- No trust between providers
- Need for delegation
(diagram: two providers, labelled TRUST / NO TRUST, with "Share file" and "Access file" operations)

Slide 6: Popular technologies in AAI
- Certificates (Globus, X.509)
  - Depending on user awareness
  - Revocation handling may be problematic
- SAML (Security Assertion Markup Language)
  - Complicated and heavyweight
  - High maintenance (in big systems)
- Web cookies
  - Carry too much authority
  - No delegation mechanism

Slide 7: "Macaroons are better than cookies!"
The answer to onedata's needs: macaroons (by Google)
- Bearer tokens
- Contextual confinement of authority (caveats)
- Caveats cannot be removed and cannot increase authority
- Limitable lifespan
- Third-party caveats
- Safe delegation of authority
- Serializable for easy passing

Slide 8: Macaroons in onedata
1. Authentication macaroon
2. Provider authorization macaroon
3. Native client authorization macaroon

Slide 9: Macaroons in onedata: 1. Authentication macaroon
- Proof of user's identity and presence (active session)
- Short lived
- Issued by the identity service (Global Registry, GR)

Slide 10: Macaroons in onedata: 2. Provider authorization macaroon
- Long lived
- Allows interacting with GR on behalf of the user
- Contains a third-party caveat: needs an authentication macaroon

Slide 11: Macaroons in onedata: 3. Native client authorization macaroon
- Long lived
- Given to the user, confidential
- Does not require authentication, but limited authority
- Allows read-only access to some GR metadata
- Authority delegated by further confinement
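The properties on slide 7 (caveats cannot be removed or increase authority) and the delegation by further confinement on slide 11 follow from the macaroon HMAC chain. The example below is added here and is not onedata's code; it implements the standard first-party-caveat construction with a toy caveat language and constructed key, host and token names, and leaves out third-party caveats (slide 10).

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass(frozen=True)
class Macaroon:
    location: str          # hint where the token is usable (constructed hostname below)
    identifier: str        # public id the issuer uses to look up its root key
    caveats: tuple = ()    # first-party caveats in the order they were added
    signature: bytes = b"" # HMAC chain over the identifier and every caveat

def mint(root_key: bytes, location: str, identifier: str) -> Macaroon:
    # The issuer (the identity service, GR, in the slides) keys the chain with a secret root key.
    return Macaroon(location, identifier, (), _mac(root_key, identifier.encode()))

def attenuate(m: Macaroon, caveat: str) -> Macaroon:
    # Any holder can add a caveat without the root key: sig' = HMAC(sig, caveat).
    # Authority can therefore only shrink, never grow.
    return Macaroon(m.location, m.identifier, m.caveats + (caveat,), _mac(m.signature, caveat.encode()))

def caveat_holds(caveat: str, ctx: dict) -> bool:
    # Toy caveat language: "<attr> = <value>" or "time < <unix seconds>".
    if caveat.startswith("time < "):
        return ctx["time"] < int(caveat[len("time < "):])
    attr, _, value = caveat.partition(" = ")
    return str(ctx.get(attr)) == value

def verify(root_key: bytes, m: Macaroon, ctx: dict) -> bool:
    # Recompute the chain from the root key: every caveat must hold and the final MAC
    # must match, so a removed or altered caveat invalidates the token.
    sig = _mac(root_key, m.identifier.encode())
    for c in m.caveats:
        if not caveat_holds(c, ctx):
            return False
        sig = _mac(sig, c.encode())
    return hmac.compare_digest(sig, m.signature)

def delegation_demo() -> dict:
    root = b"constructed-root-key"  # constructed for the example, not a real GR key
    issued = attenuate(mint(root, "gr.example", "alice-client-token"), "user = alice")
    # The user confines the token further before handing it to a provider.
    delegated = attenuate(attenuate(issued, "op = read"), "time < 1000")
    # A provider that drops "op = read" to regain authority still carries the old MAC.
    stripped = replace(delegated, caveats=tuple(c for c in delegated.caveats if c != "op = read"))
    base = {"user": "alice", "time": 500}
    return {"read_ok": verify(root, delegated, {**base, "op": "read"}),
            "write_denied": not verify(root, delegated, {**base, "op": "write"}),
            "expired_denied": not verify(root, delegated, {**base, "op": "read", "time": 2000}),
            "stripped_denied": not verify(root, stripped, {**base, "op": "write"})}
```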

Slide 12: Macaroons vs autonomous entities in onedata
(diagram: share flow between two providers labelled TRUST / NO TRUST, with "Share file" and "Access file" operations, a share link https://onedata.org/share/ASHsdf980ycx… and numbered steps 1 to 6 covering AuthN and AuthZ)

Slide 13: Conclusions
Macaroons in onedata ensure:
- High security (macaroons are cryptographically strong)
- Ease of use and transparency to the users
- Simpler authorization system
- Fine-grained permissions
- Low storage and computational overheads

Slide 14: Thank you
onedata homepage: https://www.onedata.org




