Authentication and Authorization Considerations for a Multi-tenant Service
SCREAM 2015, June 16, 2015
Randy Heiland, Scott Koranda, Suresh Marru, Marlon Pierce, Von Welch
UITS Research Technologies
Center for Trustworthy Scientific Cyberinfrastructure (CTSC)
• Collaborate with NSF projects to help improve their cybersecurity ("engagements": IceCube, Pegasus, Globus, SciGaP)
• Organize annual NSF Cybersecurity Summits (this year: Aug 17-19)
• Outreach & education in cybersecurity
trustedci.org (Von Welch, PI)
Who’s this paper/talk for?
• Science Gateway community
• Distributed CI community
• Cybersecurity community
• Actually, me
“… a Multi-tenant Service”
• SciGaP: Science Gateways Platform as a service (scigap.org)
• Hosted, generalized services with a public API
• Auth, identity management, job scheduling, workflows, auditing, etc.
Public Key Infrastructure (PKI)
• Arose from public-key cryptography (Diffie-Hellman, 1976)
• PKI uses asymmetric key pairs (public key, private key)
• → X.509 certificates (IETF RFC 5280): each binds a public key to an identity and carries the crypto algorithm identifiers, a signature, and the issuing Certificate Authority (CA)
→ Good security; high complexity (certificate issuance, path validation, revocation)
OAuth
• Practically speaking: lets users log into third-party sites using their "big" credentials (Google, FB, Twitter, MS). Strictly, OAuth is a delegated-authorization protocol; the "log in with …" use case layers identity on top of it (OpenID Connect, in the OAuth 2.0 case).
• OAuth 1.0, circa 2007 (for Twitter; now ~500M users)
• OAuth 2.0, 2012 (IETF RFC 6749)
• User credentials are NOT shared with the third party; the user authenticates to the identity provider, which issues an access token that is shared instead
• Multiple "grant flow" options possible (authorization code, implicit, resource-owner password, client credentials)
OAuth: who’s using it?
• Google • FB • AWS • GitHub • Twitter • Evernote • …
→ Broad support; LOTS of OAuth libraries, in multiple languages
Planned Auth Solution for SciGaP
• Adopt OAuth; covers all current SciGaP use cases
• Supported by WSO2 Identity Server (already being used by SciGaP)
• API keys supported via an OAuth grant option (e.g. the client-credentials grant for service-to-service calls)
• Incorporate into SciGaP's SDKs
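The two OAuth 2.0 properties the slides rely on (user credentials never reach the third-party client; API-key style access via a grant type) are easiest to see in a message exchange. The following is an added, self-contained simulation written for this page; it is not SciGaP, Airavata or WSO2 code. It models an authorization server and a resource server in memory with the authorization-code grant (RFC 6749 section 4.1) and the client-credentials grant (section 4.4). Client names ("gateway-app", "batch-bot"), scopes ("jobs:submit", "jobs:read"), the user "alice" and all secrets are invented for the example.

```python
"""Constructed OAuth 2.0 exchange: authorization-code and client-credentials grants.

Added example, not code from the talk or from SciGaP/WSO2. Clients, scopes,
users and secrets below are invented. No network; everything is in memory.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600   # access tokens expire
CODE_TTL = 60      # authorization codes are short-lived and single-use


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Store only salted hashes of passwords and client secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class AuthorizationServer:
    """Issues bearer tokens; the only party that ever sees a user's password."""

    def __init__(self):
        self.clients = {}   # client_id -> {salt, secret_hash, redirect_uri, scopes}
        self.users = {}     # username -> (salt, password_hash)
        self.codes = {}     # authorization code -> {client_id, sub, scope, redirect_uri, expires}
        self.tokens = {}    # access token -> {client_id, sub, scope, expires}

    def register_client(self, client_id, client_secret, redirect_uri, scopes):
        salt = secrets.token_bytes(16)
        self.clients[client_id] = {"salt": salt, "secret_hash": _hash_secret(client_secret, salt),
                                   "redirect_uri": redirect_uri, "scopes": set(scopes)}

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_secret(password, salt))

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None:
            return None
        ok = hmac.compare_digest(client["secret_hash"], _hash_secret(client_secret, client["salt"]))
        return client if ok else None

    def _authenticate_user(self, username, password):
        rec = self.users.get(username)
        return rec is not None and hmac.compare_digest(rec[1], _hash_secret(password, rec[0]))

    def _issue_token(self, client_id, sub, scope):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "sub": sub, "scope": set(scope),
                              "expires": time.time() + TOKEN_TTL}
        return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

    # Authorization-code grant, front channel: the user logs in here, not at the client.
    def authorize(self, client_id, redirect_uri, scope, username, password):
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            return None                       # unknown client or redirect URI mismatch
        if not set(scope) <= client["scopes"] or not self._authenticate_user(username, password):
            return None
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "sub": username, "scope": set(scope),
                            "redirect_uri": redirect_uri, "expires": time.time() + CODE_TTL}
        return code                           # delivered to the client via redirect_uri

    # Authorization-code grant, back channel: client presents code + its own secret.
    def token_from_code(self, client_id, client_secret, code, redirect_uri):
        if self._authenticate_client(client_id, client_secret) is None:
            return None
        rec = self.codes.pop(code, None)      # single use: a replayed code is rejected
        if rec is None or rec["expires"] < time.time():
            return None
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None                       # code was issued to a different client
        return self._issue_token(client_id, rec["sub"], rec["scope"])

    # Client-credentials grant: API-key style access for a registered service.
    def token_from_client_credentials(self, client_id, client_secret, scope):
        client = self._authenticate_client(client_id, client_secret)
        if client is None or not set(scope) <= client["scopes"]:
            return None                       # unknown/wrong secret, or scope escalation
        return self._issue_token(client_id, client_id, scope)

    def introspect(self, token):
        rec = self.tokens.get(token)
        return None if rec is None or rec["expires"] < time.time() else rec


class ResourceServer:
    """Protected API: validates bearer tokens and scopes; never handles passwords."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def request(self, path, required_scope, authorization_header):
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return 401, "missing bearer token"
        info = self.auth_server.introspect(authorization_header[len("Bearer "):])
        if info is None:
            return 401, "invalid or expired token"
        if required_scope not in info["scope"]:
            return 403, "insufficient scope"
        return 200, f"{path} as {info['sub']} via {info['client_id']}"


def demo():
    """Run the exchanges and return the outcomes (status codes or None on refusal)."""
    auth, api = AuthorizationServer(), None
    api = ResourceServer(auth)
    cb = "https://gateway.example/cb"
    auth.register_client("gateway-app", "gw-secret", cb, {"jobs:submit", "jobs:read"})
    auth.register_client("batch-bot", "bot-secret", "https://bot.example/cb", {"jobs:read"})
    auth.add_user("alice", "correct horse battery staple")
    r = {}
    code = auth.authorize("gateway-app", cb, {"jobs:submit"}, "alice", "correct horse battery staple")
    tok = auth.token_from_code("gateway-app", "gw-secret", code, cb)
    r["user_submit"] = api.request("/jobs", "jobs:submit", "Bearer " + tok["access_token"])[0]
    r["replay"] = auth.token_from_code("gateway-app", "gw-secret", code, cb)
    code2 = auth.authorize("gateway-app", cb, {"jobs:read"}, "alice", "correct horse battery staple")
    r["stolen_code"] = auth.token_from_code("batch-bot", "bot-secret", code2, "https://bot.example/cb")
    bot = auth.token_from_client_credentials("batch-bot", "bot-secret", {"jobs:read"})
    r["bot_read"] = api.request("/jobs", "jobs:read", "Bearer " + bot["access_token"])[0]
    r["bot_submit"] = api.request("/jobs", "jobs:submit", "Bearer " + bot["access_token"])[0]
    r["bot_escalate"] = auth.token_from_client_credentials("batch-bot", "bot-secret", {"jobs:submit"})
    r["bad_login"] = auth.authorize("gateway-app", cb, {"jobs:submit"}, "alice", "wrong")
    r["anon"] = api.request("/jobs", "jobs:read", None)[0]
    return r


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the user's password is checked only inside `AuthorizationServer.authorize`, and the resource server sees nothing but a bearer token and its scope, which is the "user creds NOT shared" property from the slide; and the code exchange binds the code to the client and redirect URI that requested it, so a code stolen from one client cannot be redeemed by another, and a replayed code is rejected. The client-credentials grant is the API-key analogue: a registered service gets a token scoped to what it was registered for, and a request for a wider scope is refused at issuance rather than at the resource server.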
Parting thoughts
• Science of CI: research, experience, applications and models
• Science of Security (cf. Fred Schneider, Cornell)
• Open question: is it possible to model, measure, and be more quantitative about these domains?