whose bits are they anyway
play

Whose Bits Are They, Anyway? Access Controlled Applications Built - PowerPoint PPT Presentation

Dec 28, 2022 •93 likes •278 views

Whose Bits Are They, Anyway? Access Controlled Applications Built Around AFS DJ Byrne djbyrne@jpl.nasa.gov Jet Propulsion Laboratory Information Services - File/Web Service Engineer http://fil.jpl.nasa.gov/ SLAC AFS Best Practices Workshop

  1. Whose Bits Are They, Anyway? Access Controlled Applications Built Around AFS DJ Byrne djbyrne@jpl.nasa.gov Jet Propulsion Laboratory Information Services - File/Web Service Engineer http://fil.jpl.nasa.gov/ SLAC AFS Best Practices Workshop March 25, 2004 2004-03-25 SLAC AFS Best Practices - djbyrne 1

  2. The Enchilada in a Nut Shell Economy of scale: keep your bits in a nice big central repository. Shoot yourself in the foot: require users to change their tools to match your repository. Productivity: share bits with application adapted to its context. The more interfaces available, the more leveraging of centralization. Calm down, it’ s only ones and zeros. 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 2 2

  3. JPLIS File Service AFS FTP access to AFS SMB access to AFS SSH access to AFS client (login.jpl.nasa.gov) AppleTalk access recently shut down Whatever those Windows-95/98 protocol translator things were, recently shut down HTTP and HTTPS access to AFS recently spun off 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 3 3

  4. Examples: web servers HTML file created by vi/emacs served via httpd Who can see it? The web server has to get the bits, identify the user, and make a second authorization decision (fileserver made the first decision to give ‘ em to the web server). Web browser access to document repository using kerberos principals in LDAP groups to control access to files on NAS indexed in Oracle database. I am not making this up. Access decisions spread among components Places trust in admins of several organizations 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 4 4

  5. Heterogeneous Technologies Repositories Client Access Interfaces Web front-ends Users (Authentication) Group management Authorization 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 5 5

  6. DJ’ s Report Card Notation [BP] = Best Practice Can be more than one “Best” depending on context [CP] = Common Practice Convenient, or legacy, or just what we thought of first [P] = uh, Practice Or, “needs more practice” [E] = Evil Well, OK, I suppose every layer helps… Confuses, delays, or prevents The Right Thing 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 6 6

  7. Repositories AFS [BP] Global namespace Kerberized Client caching NFS (e.g., NAS filer) [CP] Oracle databases [CP] Local disk (boooring. Ignored for this talk) 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 7 7

  8. Client Access Interfaces AFS native (cleartext) [CP] AFS native (-crypt) [BP] HTTP [P] HTTPS [BP] WebDAV FTP [P] Clients easy to come by, users already comfortable Cleartext, PW in clear [E] Scp [BP] SMB (cleartext?) [CP] 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 8 8

  9. Web front-ends iPlanet Apache WebSecure plugin - makes web server respect AFS ACLs; keeps a token cache DocuShare TeamCenter 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 9 9

  10. Users (Authentication) kerberos principals [BP] srvtab/keytab PTS entries matching some of the principals [BP] LDAP objects [CP] “password” attribute Vendor availability. Simple, lightweight Cleartext binds on port 389 [E], SSL on 636 IP address as authentication [E] Policies like expirations and strength have to be agreed on, and therefore published So how does a user get told their password expires tomorrow? And which interface do they use to reset the password? No hooks in kerberos servers (?) 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 10 10

  11. Group Management: PTS [P] System:anyuser is Just Plain Evil, except for public outreach material [E] System:authuser is only A Slightly Lesser Evil at JPL, because it doesn’ t actually say anything about the principal. [E] Dangerous common mis-conceptions include JPL employee US person Someone we could contact if we need to jpl.networks for IP-based authentication [E] Actively managed by attentive humans [BP] Automatically generated from some out-of-band data source, like “everyone in section 366” [BP] Insufficient meta-data for administrative details We rely heavily on naming conventions instead 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 11 11

  12. Group Management: LDAP [BP] Lightweight Directory Access Protocol X500 without the cumbersome stuff… • … like security “Meta-directory” collects and publishes from many “gold sources” Personnel Projects Individual Base group “jimo” Ya can’ t beat a general-purpose DB with extensible attributes. Description: Jupiter Icy Moons Orbiter jplService: emaillist, afs_pts_group Memberurl: LDAP filter expression to auto-generate group Auto-generated derivative groups jimo.us jimo.jpl jimo.usjpl 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 12 12

  13. Group Management: PTS/LDAP Synchronization [BP] PTS groups sync from LDAP Vice-versa is possible, but what would be the point? Watch the “One to one and Onto” mapping assumption! Doesn’t make sense for it to hold; LDAP groups are intended to be generic but PTS carries context. System:{anyuser, authuser,administrator} clearly only mean the AFS system Naming conventions very important • Use of colons • At JPL, *.admin owns and can administer the base group PTS contexts already overloaded • At JPL, *.admin pays for the group space, plus any websites 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 13 13

  14. Authorization ACLs Individuals [P] Role-based groups [BP] “IP ACLs” [CP][E] srvtab/keytab [BP] token passing [BP?] nsconfig/htaccess [CP] By web client IP [CP][E] • nsconfig.jpl By username authentication [BP?] Application-specific [BP] Mapping [E] E.g., database of “protected” URLs Ignores power of indirection, which is the whole point of popular words like “distributed,” “web,” and “hyper.” 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 14 14

  15. Conclusions Break the problem into small, well-defined technology pieces with clean interfaces Use glue code to translate contexts Only two things really need to be centralized: • Authentication • Group Management Push Authorization as close to the bits as possible. It’ s tempting to build “mapping” applications to cross contexts. This invariably leads to a data sync problem. 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 15 15

  16. Q&A 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 16 16

  17. Backup slide: More on the Problem Space "The ITAR Problem" International Trade in Arms Regulation Clearance and Document Review User training and expectations "public" means "public," not just my company! “www” is not “Wcompany Wide Web” with a silent W “Any” does not mean “some” in system:anyuser Tools, Templates, and Best Practices to make the Right Thing easier to do than the Wrong Thing Policies to tell the difference Audit functions? Who’ s the policeman? On what authority? 2004-03-25 2004-03-25 SLAC AFS Best Practices - djbyrne SLAC AFS Best Practices - djbyrne 17 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance,

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance,

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance, add r1, r2, r3 has - 000000 00010 00011 00001 00000 100000 opcode (OP) tells the machine which format 1 VAX Instruction Formats (x86

431 views • 20 slides
1 Transducers Inherently Discrete values devices that convert from one representation to

1 Transducers Inherently Discrete values devices that convert from one representation to

Interpretation of bits depends on context meaning of a group of bits depends on how they are interpreted 1 byte could be Bits, Bytes, 1 bit in use, 7 wasted bits (e.g., M/F in a database) 8 bits storing a number between 0 and 255

543 views • 3 slides
Bits and Bytes Topics Topics Why bits? Representing information as bits

Bits and Bytes Topics Topics Why bits? Representing information as bits

Systems I Bits and Bytes Topics Topics Why bits? Representing information as bits Binary/Hexadecimal Byte representations numbers characters and strings Instructions Bit-level manipulations Boolean algebra

614 views • 33 slides
Bits and Bytes Aug. 29, 2002 Topics Topics n Why bits? n Representing information as bits l

Bits and Bytes Aug. 29, 2002 Topics Topics n Why bits? n Representing information as bits l

15-213 The Class That Gives CMU Its Zip! Bits and Bytes Aug. 29, 2002 Topics Topics n Why bits? n Representing information as bits l Binary/Hexadecimal l Byte representations numbers characters and strings Instructions n

690 views • 34 slides
C/C++ review bits & bytes Same bits, different interpretation What is the value of

C/C++ review bits & bytes Same bits, different interpretation What is the value of

CSC209 Fall 2001 C/C++ review bits & bytes Same bits, different interpretation What is the value of 11111111 ? it depends on the type (unsigned) char 1 byte = 8 bits, (unsigned) Unsigned: 255 short int 2 bytes =

255 views • 12 slides
2 4 0 = 2 x 10 2 + 4 x 10 1 + 0 x 10 0 100 10 1 weight Representing Data with Bits 10 2 10 1

2 4 0 = 2 x 10 2 + 4 x 10 1 + 0 x 10 0 100 10 1 weight Representing Data with Bits 10 2 10 1

Wellesley CS 240 - Data as Bits 8/31/16 positional number representation 2 4 0 = 2 x 10 2 + 4 x 10 1 + 0 x 10 0 100 10 1 weight Representing Data with Bits 10 2 10 1 10 0 position 2 1 0 Base determines: bits, bytes, numbers, and

556 views • 6 slides
1 2-bits, 4-bits, 6-bits, a dollar The ripple carry adder o We have a 1-bit ALU that performs

1 2-bits, 4-bits, 6-bits, a dollar The ripple carry adder o We have a 1-bit ALU that performs

Starting out slow The CPU s workhorse o Logical operations are easiest, because they map Constructing a basic ALU directly onto the hardware. o Of course we will need to CS240 Computer Organization array this to a full 32- Department of

161 views • 4 slides
PDC drill bits www.napescogroup.com www.mes-uae.com Repair of PDC drill bits EGYPTIAN PROJECT

PDC drill bits www.napescogroup.com www.mes-uae.com Repair of PDC drill bits EGYPTIAN PROJECT

We do - you succeed! Repair of PDC drill bits www.napescogroup.com www.mes-uae.com Repair of PDC drill bits EGYPTIAN PROJECT Who we are Napesco Egypt and Middle East Supplies Dubai started a cooperation to repair PDC bits. Both companies

154 views • 11 slides
Bytes, bits, etc., R. Inkulu http://www.iitg.ac.in/rinkulu/ (Bytes, bits, etc.,) 1 / 25

Bytes, bits, etc., R. Inkulu http://www.iitg.ac.in/rinkulu/ (Bytes, bits, etc.,) 1 / 25

Bytes, bits, etc., R. Inkulu http://www.iitg.ac.in/rinkulu/ (Bytes, bits, etc.,) 1 / 25 Outline 1 Self-alignment 2 Bitwise operators 3 Bit-fields 4 Endianness (Bytes, bits, etc.,) 2 / 25 Self-alignment of primitive types int i; short s;

594 views • 25 slides
Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits

Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits

Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n ). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits; 8th bit is

979 views • 40 slides
1 Tournament Branch Predictor Accuracy of Return Address Predictor Used in Alpha 21264: Track

1 Tournament Branch Predictor Accuracy of Return Address Predictor Used in Alpha 21264: Track

Correlating Branch Predictor General form: (m, n) Branch address (4 bits) predictor Lecture 10: Branch Prediction and m bits for global 2-bits per branch Instruction Delivery history, n bits for local local predictors history

227 views • 3 slides
CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is

CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is

Block ciphers Building blocks for symmetric cryptography. M EK C Examples: DES, 3DES, AES... CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is fully specified by a k-bit key. Computer and

317 views • 4 slides
Bits and bytes Week 2: data representation Data is stored in the computer as bits. (20 cr

Bits and bytes Week 2: data representation Data is stored in the computer as bits. (20 cr

School of Computer Science, University of Birmingham. Java Lecture notes. M. D. Ryan. September 2000. Bits and bytes Week 2: data representation Data is stored in the computer as bits. (20 cr only) Bit stands for binary digit ; it has

76 views • 3 slides
Representing Data with Bits bits, bytes, numbers, and notation bit =

Representing Data with Bits bits, bytes, numbers, and notation bit =

Representing Data with Bits bits, bytes, numbers, and notation bit = binary digit = 0 or 1 Electronically: high voltage vs. low voltage 0 1 0 3.3V 2.8V 0.5V 0.0V Basis

389 views • 23 slides
? representing data with bits data SW- Processor Memory bits, bytes,

? representing data with bits data SW- Processor Memory bits, bytes,

9/4/15 1930s 1940s 1950s 1960s 1970s 1980s 1990s 2000s 2010s Modern Digital Computer von Neumann model HW- controlled instructions ? representing data with bits data SW- Processor

325 views • 4 slides
1 0 1 1 = 1 x 2 3 + 0 x 2 2 + 1 x 2 1 + 1 x 2 0 8 4 2 1 weight Representing Data with Bits

1 0 1 1 = 1 x 2 3 + 0 x 2 2 + 1 x 2 1 + 1 x 2 0 8 4 2 1 weight Representing Data with Bits

binary = base 2 1 0 1 1 = 1 x 2 3 + 0 x 2 2 + 1 x 2 1 + 1 x 2 0 8 4 2 1 weight Representing Data with Bits 2 3 2 2 2 1 2 0 position 3 2 1 0 bits, bytes, numbers, and notation When ambiguous, subscript with base: 101 10 Dalmatians

279 views • 4 slides
Practical: The Information Systems www.eu-egee.org EGEE-II INFSO-RI-031688 Overview of gLite

Practical: The Information Systems www.eu-egee.org EGEE-II INFSO-RI-031688 Overview of gLite

Enabling Grids for E-sciencE Practical: The Information Systems www.eu-egee.org EGEE-II INFSO-RI-031688 Overview of gLite Middleware Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 2 Uses of the Information System Enabling Grids for

440 views • 15 slides
Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP LDAP Servers Information Structure Protocol Overview LDAP operations UNDERSTANDING LDAP LDAP stands for Lightweight Directory Access

268 views • 12 slides
Day Two: October 4, 2018 1 1 Building a Foundation for a Faster Payments Ecosystem: An Update

Day Two: October 4, 2018 1 1 Building a Foundation for a Faster Payments Ecosystem: An Update

Day Two: October 4, 2018 1 1 Building a Foundation for a Faster Payments Ecosystem: An Update from the Directories and the Rules, Standards, Laws, and Regulations Work Groups 2 Origin of Industry Work Groups In July 2017, the Faster

391 views • 17 slides
Early Years Provider Meeting Tuesday 3 rd March 2020 Agenda Agenda Early Years structure changes

Early Years Provider Meeting Tuesday 3 rd March 2020 Agenda Agenda Early Years structure changes

Early Years Provider Meeting Tuesday 3 rd March 2020 Agenda Agenda Early Years structure changes Early Years move from Early Help to Education and Learning- 01.03.2020 Closer working with education colleagues supporting children to

506 views • 28 slides
Intelligent Infrastructure management with GOsa Benoit Mortier Leila El Hitori This work is

Intelligent Infrastructure management with GOsa Benoit Mortier Leila El Hitori This work is

Intelligent Infrastructure management with GOsa Benoit Mortier Leila El Hitori This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 2.0 Belgium License. Intelligent Infrastructure management with GOsa

600 views • 37 slides
Comprehensive File Management System What is FileOrbis ? How does FileOrbis work ?

Comprehensive File Management System What is FileOrbis ? How does FileOrbis work ?

Secure, Fast, Easy & Comprehensive File Management System What is FileOrbis ? How does FileOrbis work ? FileOrbis with Unique Features How can FileOrbis help? Modules FileOrbis is not just a sharing platform!

463 views • 21 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides

More recommend