apache airavata security manager
play

Apache Airavata Security Manager Authentication & Authorization - PowerPoint PPT Presentation

Nov 18, 2023 •350 likes •695 views

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a Multi- Tenant e-Science Framework Supun Nakandala, Hasini Gunasinghe, Suresh Marru and Marlon Pierce Science Gateways Research Center Indiana

  1. Apache Airavata Security Manager Authentication & Authorization Im Implementation for a Multi- Tenant e-Science Framework Supun Nakandala, Hasini Gunasinghe, Suresh Marru and Marlon Pierce Science Gateways Research Center Indiana University

  2. Outline • Introduction • Problem Definition • Solution Overview • Solution in Detail • Implementation Details • Conclusions IEEE eScience 2016 2/33

  3. In Introduction • Solving identity management challenges in multi-tenanted eScience middleware that needs to support multiple diverse virtual organizations . • Implementation is based on Apache Airavata Science Gateways middleware. But the concepts are equally applicable to other similar systems too. IEEE eScience 2016 3/33

  4. In Introduction – What are Scie ience Gateways? • A Science Gateway is a community-developed set of tools, applications, and data that are integrated via a portal or a suite of applications, usually in a graphical user interface, that is further customized to meet the needs of a specific community . ( XSEDE) IEEE eScience 2016 4/33

  5. What are these customized requirements ? Gateways share many of these requirements! IEEE eScience 2016 5/33

  6. Apache Air iravata IEEE eScience 2016 6/33

  7. Outline • Introduction • Problem Definition • Solution Overview • Solution in Detail • Implementation Details • Conclusions IEEE eScience 2016 7/33

  8. Problem Definition • Previously • Security model was based on the trust relationship between gateway software and Airavata middleware by restricting access to the Airavata API only from pre-validated web-based gateway clients. • Mutual trust between the gateways and Airavata server was established using TLS mutual authentication and enforcing firewall commands. • End users who interacted with Airavata API through gateways were only authenticated and authorized at the gateway level, and no validation was done at the Airavata API level. Hence no explicit user notion in Airavata. IEEE eScience 2016 8/33

  9. Problem Definition (Continued…) • Previous approach was reviewed by the Center for Trustworthy Scientific Cyberinfrastructure and was determined to be operationally acceptable [1]. • However, • This approach does not scale to a large number of gateways. • It does not address the issue of securing native client (desktop and mobile) access to the Airavata API. • It does not enable a uniform approach to user-level tracking of API calls. • Not satisfying from the architectural point of view. [1] - R. Heiland, J. Basney , and V. Welch, “Suggested security practices for SciGaP: A preliminary report ,” IEEE eScience 2016 9/33 http://hdl.handle.net/2022/20811.

  10. So why can’t we implement identity management in Airavata ? • Three different identity management scenarios that needs to be considered • Scenario 1 - The gateway client does not have a user store and would like to depend on Airavata to provide user management features. • Scenario 2 - The gateway has a user store and in-house identity management mechanisms. • Scenario 3 - The gateway does not have a dedicated user store but authenticates users into the gateway using some federated identity provider. IEEE eScience 2016 10/33

  11. Formal Problem Defin inition • How to provide a unified identity management solution that can meet the standard security requirements for the above three usecases and be able to seamlessly adopted by all types of gateways including web based and native (desktop and mobile) clients IEEE eScience 2016 11/33

  12. Outline • Introduction • Problem Definition • Solution Overview • Solution in Detail • Implementation Details • Conclusions IEEE eScience 2016 12/33

  13. Solution Overview • We use standard security protocols and standards in our design. • OAuth 2.0 based authorization delegation for the user authenticated at the gateway . • OAuth access tokens are generated by a separate dedicated authorization server . • We map specific OAuth grant types for our requirements. • OpenID-Connect which runs on top of OAuth 2.0 for user authentication. • Role based fine grained customized authorization is done using XACML. IEEE eScience 2016 13/33

  14. Hig igh le level l Solution IEEE eScience 2016 14/33

  15. Hig igh le level l Solution • Only the user authentication and access token retrieval will change for each use case scenario. • Depending on the client type and usage scenario appropriate OAuth grant type should be used to obtain an access token. IEEE eScience 2016 15/33

  16. Outline • Introduction • Problem Definition • Solution Overview • Solution in Detail • Implementation Details • Conclusions IEEE eScience 2016 16/33

  17. OAuth 2.0 Grant Types • Authorization code grant – Client app is web based (or can spawn a web browser) (e.g. Web applications) and can maintain a client credential. • Implicit grant – Client app is web based (or can spawn a web browser) but cannot keep it’s credentials secret (e.g. Thick web clients) • Resource owner password grant – User trusts the client application (e.g. Gateway provided desktop clients) • Client credential grant – Machine to machine communication. No user involvement. • Refresh code grant – Retrieve new access token when current token expired IEEE eScience 2016 17/33

  18. Scenario 1 – Gateway does not have exis istin ing user management IEEE eScience 2016 18/33

  19. Scenario 1 – Gateway does not have exis istin ing user management • Authorization Server maintains a user store for the gateway. • Gateway will use Airavata SDK to invoke user management operations. • Authorization Code, Implicit or Resource Owner Password can be used to obtain an access token. IEEE eScience 2016 19/33

  20. Scenario 2 – Gateway has a user-store and its own in in-house identity management mechanisms • Case 1 – Gateway does not share any user information with Airavata. • Case 2 – Gateway is willing to share user identity information but does not allow Airavata to connect to the gateway’s user store. • Case 3 – Gateway is willing to share user identity information. IEEE eScience 2016 20/33

  21. Scenario 2 – Gateway has a user-store and its own in in-house identity management mechanisms • Case 1 – Gateway does not share any user information with Airavata IEEE eScience 2016 21/33

  22. Scenario 2 – Gateway has a user-store and its own in in-house identity management mechanisms • Case 2 – Gateway is willing to share user identity information but does not allow Airavata to connect to the gateway’s user store IEEE eScience 2016 22/33

  23. Scenario 2 – Gateway has a user-store and its own in in-house identity management mechanisms • Case 3 – Gateway is willing to share user identity information. IEEE eScience 2016 23/33

  24. Scenario 3 – Gateway authenticates users into the gateway using a federated identity provider. IEEE eScience 2016 24/33

  25. Scenario 3 – Gateway authenticates users into the gateway using a federated identity provider. • Authentication request is forwarded to configured federated identity provider. • If the federated identity provider supports retrieval of user information a user account is created just-in-time. IEEE eScience 2016 25/33

  26. Role le based fine grained user authorization • XACML is used to define customized role based API authorization decisions. • Each gateway can have different policy on how they allow their users to access the API. IEEE eScience 2016 26/33

  27. Role le based fine grained user authorization IEEE eScience 2016 27/33

  28. Outline • Introduction • Problem Definition • Solution Overview • Solution in Detail • Implementation Details • Conclusions IEEE eScience 2016 28/33

  29. Im Implementatio ion Detail ils • Most of the features that we use in our solution are based on standard security protocols. • We use WSO2 Identity Server which is an open source (Apache V2 license) identity management system which supports multi-tenancy out of box and provide most of the required features. • We extend the features available in IS in order to support custom user store and federated authenticator integration. • A new component, Security Manager, is added to the Airavata API which manages the communication with Authorization server and validates user requests. IEEE eScience 2016 29/33

  30. Im Implementatio ion Detail ils • Additional security validation added some overhead on the overall Airavata API performance. But caching of authorization decisions improved it a lot. IEEE eScience 2016 30/33

  31. Outline • Introduction • Problem Definition • Solution Overview • Solution in Detail • Implementation Details • Conclusions IEEE eScience 2016 31/33

  32. Conclusions • The most significant advance in gateway architectures over the last several years is the use of hosted, general purpose gateway platform services. • We examined the over the-wire access patterns that exist between a wide range of gateway clients and multi-tenanted platform services like Apache Airavata. • We map these patterns to widely accepted security standards and protocols and implement a solution that can support all the identified use cases. IEEE eScience 2016 32/33

  33. Q & & A Thank You!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Apache Airavata Open Community Science Gateway Framework Shahbaz Memon * , Suresh Marru + , Marlon

Apache Airavata Open Community Science Gateway Framework Shahbaz Memon * , Suresh Marru + , Marlon

Apache Airavata Open Community Science Gateway Framework Shahbaz Memon * , Suresh Marru + , Marlon Pierce + * Juelich Supercomputing Centre + University of Indiana Bloomington Outline Introduce Apache Airavata High level architecture

611 views • 20 slides
Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services Agenda Security Advisories @ Apache Issues associated with the advisory process Apache CXF advisories + lessons learned

394 views • 28 slides
Security As A Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security

Security As A Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security

Security As A Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security Landscape 11/19/14 2 Solution Building blocks Apache CXF Fediz Apache CXF Fediz Single Sign On (WS-Federation) Attribute Based Access

515 views • 29 slides
Apache Shiro - Executive Summary Apache Shiro is a powerful, easy-to-use Java Security

Apache Shiro - Executive Summary Apache Shiro is a powerful, easy-to-use Java Security

Christopher Lynch - CSCI 5448 Graduate Presentation Apache Shiro - Executive Summary Apache Shiro is a powerful, easy-to-use Java Security Framework with a goal to be more powerful and easier to use than the standard Java APIs. If you

348 views • 34 slides
Apache Security Secrets: Revealed! (Again!) for ApacheCon 2003, Las Vegas Mark J Cox revision 3

Apache Security Secrets: Revealed! (Again!) for ApacheCon 2003, Las Vegas Mark J Cox revision 3

Apache Security Secrets: Revealed! (Again!) for ApacheCon 2003, Las Vegas Mark J Cox revision 3 www.awe.com/mark/apcon2003 Apache Apache web server Powers over half of the Internet web server infrastructure Mature project, over 7

890 views • 53 slides
CSN09101 Networked Services Week 10: Using Apache Week 10: Using Apache Module Leader: Dr

CSN09101 Networked Services Week 10: Using Apache Week 10: Using Apache Module Leader: Dr

CSN09101 Networked Services Week 10: Using Apache Week 10: Using Apache Module Leader: Dr Gordon Russell Lecturers: G. Russell This lecture Apache Basic Authentication Log Analysis Security Issues Discussions

803 views • 51 slides
Apache Security Secrets: Revealed for ApacheCon 2002, Las Vegas Mark J Cox revision 1

Apache Security Secrets: Revealed for ApacheCon 2002, Las Vegas Mark J Cox revision 1

Apache Security Secrets: Revealed for ApacheCon 2002, Las Vegas Mark J Cox revision 1 www.awe.com/mark/apcon2002 Quick Introduction Who am I? Why do you care? What is Security Response Why do we need it? Red Hat, Apache,

551 views • 51 slides
Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N

Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N

Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N A N D R I T I T I K A M A M O O R J A N A N I Introduction Topics Covered Security Checking using Nikto Dangers of Default

262 views • 22 slides
Apache Security - I m proving the security of your w eb server by breaking into it Sebastian

Apache Security - I m proving the security of your w eb server by breaking into it Sebastian

Risk Advisory Services Apache Security - I m proving the security of your w eb server by breaking into it Sebastian Wolfgarten, 21C3, December 2004 sebastian.wolfgarten@de.ey.com 1 Berlin, Germany - 29.12.2004 Agenda Preface

697 views • 41 slides
Painless Applica,on Security Les Hazlewood Apache Shiro Project

Painless Applica,on Security Les Hazlewood Apache Shiro Project

Painless Applica,on Security Les Hazlewood Apache Shiro Project Chair CTO, Kataso5 Inc / CloudDirectory What is Apache Shiro? Applica>on security

628 views • 43 slides
Secure Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com

Secure Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com

Karlsruher Entwicklertag 2014 Secure Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com ashakirin.blogspot.com/ Agenda Introduction in Apache CXF Security Requirements Apply security features to CXF Services

930 views • 49 slides
Apache Kylin Introduction Dec 8, 2014 @ ApacheKylin Luke Han Sr. Product Manager |

Apache Kylin Introduction Dec 8, 2014 @ ApacheKylin Luke Han Sr. Product Manager |

Apache Kylin Introduction Dec 8, 2014 @ ApacheKylin Luke Han Sr. Product Manager | lukhan@ebay.com | @lukehq Yang Li Architect & Tech Leader | yangli9@ebay.com http://kylin.io Agenda n Whats Apache Kylin? n Tech Highlights

854 views • 42 slides
Fault Domains in Mesos Vinod Kone (vinodkone@apache.org) About me Apache Mesos PMC and

Fault Domains in Mesos Vinod Kone (vinodkone@apache.org) About me Apache Mesos PMC and

Fault Domains in Mesos Vinod Kone (vinodkone@apache.org) About me Apache Mesos PMC and Committer Engineering Manager for Mesos team @ Mesosphere Previously Tech Lead for Mesos team @ Twitter PhD in Computer Science @

429 views • 24 slides
Apache Felix Web Console Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About

Apache Felix Web Console Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About

Apache Felix Web Console Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About cziegeler@apache.org @cziegeler RnD Team at Adobe Research Switzerland Member of the Apache So fu ware Foundation Apache Felix and Apache

725 views • 26 slides
Bug hunting with Apache Lucene Uwe Schindler Apache Lucene PMC & Apache Software Foundation

Bug hunting with Apache Lucene Uwe Schindler Apache Lucene PMC & Apache Software Foundation

Bug hunting with Apache Lucene Uwe Schindler Apache Lucene PMC & Apache Software Foundation Member uschindler@apache.org http://www.thetaphi.de, http://blog.thetaphi.de @ThetaPh1 SD DataSolutions GmbH , Wtjenstr. 49, 28213 Bremen,

859 views • 51 slides
Integrating Apache Camel with Apache Syncope Dr. Colm higeartaigh, Talend. Speaker

Integrating Apache Camel with Apache Syncope Dr. Colm higeartaigh, Talend. Speaker

Integrating Apache Camel with Apache Syncope Dr. Colm higeartaigh, Talend. Speaker Introduction Introducing Apache Syncope Apache Syncope basics Apache Syncope is an Open Source system for managing digital identities in enterprise

929 views • 33 slides
Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010

Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010

Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010 https://www.isecpartners.com Agenda Conclusion What is Hadoop Old School Hadoop Risks The New Approach to Security Concerns

300 views • 29 slides
Testing Kotlin at Scale: Spek Artem Zinnatullin @artem_zin - Productivity - Productivity -

Testing Kotlin at Scale: Spek Artem Zinnatullin @artem_zin - Productivity - Productivity -

Testing Kotlin at Scale: Spek Artem Zinnatullin @artem_zin - Productivity - Productivity - Reviewability - Productivity - Reviewability - Maintainability - Patterns - Principles - OOP/FP - Common Sense But We focus on production code

1.47k views • 113 slides
Session Subtyping and Multiparty Compatibility using Circular Sequents 31st International

Session Subtyping and Multiparty Compatibility using Circular Sequents 31st International

Session Subtyping and Multiparty Compatibility using Circular Sequents 31st International Conference on Concurrency Theory (CONCUR 2020) Adapted for Mobility Reading group 22/10/2020. Ross Horne Computer Science, University of Luxembourg 1-4

546 views • 35 slides
Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca

Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca

Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca Ada Popa Nov 10, 2016 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh Announcements Proj 3

1.32k views • 66 slides
R configuration for packages install.packages(c("devtools", "usethis",

R configuration for packages install.packages(c("devtools", "usethis",

R configuration for packages install.packages(c("devtools", "usethis", "testthat", "reprex", "pkgdown")) git_sitrep() > library(usethis) > git_sitrep() Git user * Name: 'Amelia McNamara'

308 views • 9 slides
Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications Injection, broken authentication , XSS, CSRF, etc. Checklist of 23 Node.js security best practices Auth: Authentication, authorization, and

336 views • 30 slides
OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days 2013 4. April 2013 Uwe Friedrichsen @ufried <session> <no-code> <motivation /> <history /> <solution />

1.03k views • 44 slides
Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material

Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material

Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material Web sites Microsoft links from last lecture Linux Capabilities - man 7 capabilities or http://www.linuxjournal.com/article/5737

1.17k views • 29 slides

More recommend