Macaroons and dCache … or delegating in a cloudy world (PowerPoint presentation)



SLIDE 1

Macaroons and dCache … or delegating in a cloudy world

Patrick Fuhrmann, Paul Millar, on behalf of the project team

Macaroons and dCache | Taipei | Patrick Fuhrmann, Paul Millar | 15 March 2016 | 1

SLIDE 2

SLIDE 3

AAI … but this talk is about the second 'A': Authorisation.

SLIDE 4

Quick recap: which is which? (Diagram labels: Credential, Authentication, Authorization.)

SLIDE 5

Authorisation without authentication?

How?

Photo by Alan Cleaver (CC-BY)

SLIDE 6

Photon Science portal use-case

(Diagram.) Components: Users with a web browser; the community-specific service stack, consisting of a Portal plus Authentication against a User DB; and the data service, dCache with its HTTP/WebDAV front end and a Storage Pool. Labelled flow: the user logs in to the Portal and requests a download; the Portal requests the download from dCache over WebDAV; dCache redirects to the Storage Pool; the pool streams the data, which reaches the user via the Portal.

SLIDE 7

Desired: client downloads directly

(Diagram, same components as the previous slide.) The user logs in and requests a download from the Portal; instead of fetching the data itself, the Portal redirects the user's browser to dCache's HTTP/WebDAV endpoint, so the client requests the download directly; dCache redirects to the Storage Pool, which streams the data straight to the client. Open question on the slide: how to authorise this direct request?

SLIDE 8

Desired: client downloads directly

(Diagram.) After login and the download request, the Portal requests a token T from dCache and supplies T to the user's browser in the redirect; the browser requests the download from dCache's HTTP/WebDAV endpoint presenting T; dCache redirects to the Storage Pool, again carrying T; the pool streams the data directly to the client.

SLIDE 9

What are bearer tokens?

A bearer token is something the user presents with a request so the server will authorise it. There is no further interaction between client and server. Examples of bearer tokens:

  • HTTP BASIC authn, anything stored as a cookie.

Counter-examples:

  • X.509 credential,
  • SAML,
  • Kerberos.

SLIDE 10

Bearer tokens for download authz

  • Redirection should work without JavaScript,
  • Simple: embed token in redirection URL.

http://webdav.example.org/path/to/file?authz=<TOKEN>

(There are nicer ways of embedding the token, but the URL is the only thing we can control.)

  • Complete token always sent with the request.
  • What can we do to stop someone stealing this token?
  • … or make the token useless if they steal it.
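The slide-8 token flow and the slide-10 question (what a stolen token is good for) are easier to reason about with a concrete check. The following is an added, constructed example, not dCache's code or the project's token format: the HMAC-signed `path`+`exp` token, the `SERVER_SECRET`, and the helper names are all assumptions made for the demonstration. It shows the bearer property (the storage side decides purely from what the request carries, with no further interaction) and one way of limiting a leaked token: binding it to a single path and an expiry, so that a copied URL only ever authorises that one download for a short time.

```python
# Constructed demo of a bearer token embedded in a redirect URL, in the style
# of the slides. Not dCache's implementation: the token layout, secret and
# helper names below are assumptions for illustration.
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed server-side secret. dCache's real key management is not shown here.
SERVER_SECRET = b"constructed-demo-secret-not-a-real-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(path: str, ttl_seconds: int, now=None) -> str:
    """Storage side ('Request Token' on slide 8): mint a bearer token that
    only authorises one path and expires after ttl_seconds."""
    now = time.time() if now is None else now
    claims = {"path": path, "exp": int(now) + ttl_seconds}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def download_url(base: str, path: str, token: str) -> str:
    """Portal side (slide 10): embed the complete token in the redirect URL."""
    return f"{base}{path}?{urlencode({'authz': token})}"


def authorize_request(url: str, now=None):
    """Storage side: authorise from the request alone. Whoever presents a
    valid token is let in; that is the bearer property. Returns (ok, reason)."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("authz", [None])[0]
    if not token or "." not in token:
        return False, "no token"
    body_b64, mac_b64 = token.split(".", 1)
    try:
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except Exception:
        return False, "malformed token"
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    # Constant-time comparison: a forged or edited token fails here.
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    claims = json.loads(body)
    if now > claims["exp"]:
        return False, "expired"
    # The token is only good for the one path it was minted for.
    if parts.path != claims["path"]:
        return False, "path mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Walk through the slide-8 flow with a fixed clock for reproducibility.
    t = issue_token("/path/to/file", ttl_seconds=60, now=1000)
    url = download_url("http://webdav.example.org", "/path/to/file", t)
    print(url)
    print("direct download:", authorize_request(url, now=1010))
    print("replayed later: ", authorize_request(url, now=2000))
    other = "http://webdav.example.org/other/file?authz=" + t
    print("other path:     ", authorize_request(other, now=1010))
```

Note that nothing in `authorize_request` knows or cares who is sending the request; the complete token in the URL is the whole credential, which is why the slide asks how to stop it being stolen. The `path` and `exp` claims are one answer to the second bullet: a leaked URL still works, but only for that file and only until the expiry.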


SLIDE 11

Introducing Macaroons