scream-15: authentication and authorization considerations for a multi-tenant service


Upload: heiland

Post on 15-Aug-2015


Authentication and Authorization Considerations for a Multi-tenant Service

SCREAM 2015 June16, 2015

UITS

Randy Heiland, Scott Koranda, Suresh Marru, Marlon Pierce, Von Welch

UITS Research Technologies

Overview

•  CTSC
•  SciGaP
•  Auth
•  Some history
•  Examples
•  Criteria/Selection

Center for Trustworthy Scientific Cyberinfrastructure (CTSC)

•  Collaborate with NSF projects to help improve their cybersecurity (= engagements) (IceCube, Pegasus, Globus, SciGaP)
•  Organize annual NSF Cybersecurity Summits (this year: Aug 17-19)
•  Outreach & Education in cybersecurity

trustedci.org (Von Welch, PI)

Who’s this paper/talk for?

•  Science Gateway community
•  Distributed CI community
•  Cybersecurity community
•  Actually, me

“… a Multi-tenant Service”

•  SciGaP – Science Gateways Platform as a service (scigap.org)
•  Hosted, generalized services with a public API
•  Auth, Identity Management, Job scheduling, Workflows, Auditing, etc.

SciGaP Arch Schematic

Auth: an evolving idea

•  Username/Password
•  Kerberos
•  PKI (→ X.509)
•  API Keys
•  OAuth
•  …

Passphrases

https://xkcd.com/936/

Public Key Infrastructure (PKI)

•  Arose from cryptographic keys (D-H, 1976)
•  PKI uses asymmetric keys (public, private)
•  → X.509 (IETF RFC 5280)
•  Crypto algorithm
•  Signature
•  Certificate Authority (CA)

→ Good security; high complexity

DCI: PKI → GSI

Figure: IEEE Computer, Dec. 2000

V. Welch: 10/7/2010 seminar

OAuth

•  Practically speaking: lets users log into 3rd party sites using their “big” credentials (Google, FB, Twitter, MS)
•  OAuth 1.0, circa 2007 (for Twitter; now ~500M users)
•  OAuth 2.0, 2012 (IETF RFC 6749)
•  User creds NOT shared; an access token generated & shared
•  Multiple “grant flow” options possible

OAuth Flow

From Evernote dev docs.

OAuth: who’s using it?

•  Google
•  FB
•  AWS
•  GitHub
•  Twitter
•  Evernote
•  …

→ Broad support; LOTS of OAuth libraries, in multiple languages

Planned Auth Solution for SciGaP

•  Adopt OAuth
•  Covers all current SciGaP use cases
•  Supported by WSO2 Identity Server (being used by SciGaP)
•  API keys supported via OAuth grant option
•  Incorporate into SciGaP’s SDKs
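
The two OAuth points above (the user authenticates only to the authorization server and the API receives an access token instead of the password; API-key-style access handled by a separate client_credentials grant) as a runnable toy for a multi-tenant gateway API. This is an added illustration, not SciGaP or WSO2 Identity Server code; the client id, tenant, scopes, secrets and the HMAC-signed token format are constructed assumptions.

```python
"""Toy OAuth 2.0 authorization server plus resource-server bearer check.
Added example; client/tenant names, secrets and token format are assumptions."""
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = b"constructed-authz-server-key"      # constructed signing secret
CLIENTS = {"gateway-a": ("secret-a", "tenant-a")}  # client_id -> (secret, tenant)
USERS = {"alice": "correct horse battery staple"}  # users log in HERE only
_CODES = {}                                        # one-time authorization codes

def _sign(claims):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def authorize(user, password, client_id, scope):
    """Authorization-code grant, step 1: the user authenticates to the
    authorization server; a short-lived code (never the password) is returned."""
    if USERS.get(user) != password or client_id not in CLIENTS:
        return None
    code = secrets.token_urlsafe(16)
    _CODES[code] = (user, client_id, scope, time.time() + 60)
    return code

def token_endpoint(grant, client_id, client_secret, scope=None, code=None, ttl=3600):
    """Step 2 (authorization_code) or the API-key-style client_credentials grant."""
    secret, tenant = CLIENTS.get(client_id, (None, None))
    if secret is None or not hmac.compare_digest(secret, client_secret):
        return None
    if grant == "authorization_code":
        user, cid, scope, exp = _CODES.pop(code, (None, None, None, 0))  # single use
        if cid != client_id or exp < time.time():
            return None
        subject = user
    elif grant == "client_credentials":
        subject = client_id            # token represents the gateway itself
    else:
        return None
    return _sign({"sub": subject, "tenant": tenant, "scope": scope,
                  "exp": int(time.time()) + ttl})

def check_bearer(token, required_scope, tenant):
    """Resource server: verify integrity, expiry, tenant and scope; sees no password."""
    body, _, mac = token.partition(".")
    good = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good):
        return None
    c = json.loads(base64.urlsafe_b64decode(body))
    if c["exp"] <= time.time() or c["tenant"] != tenant:
        return None
    return c if required_scope in c["scope"].split() else None
```

The tenant and scope checks are what keep one gateway's token from being replayed against another tenant's resources in the shared service.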

Parting thoughts

•  Science of CI: Research, Experience, Applications and Models
•  Science of Security (ref. Fred Schneider, Cornell)
•  Open question: is it possible to model, measure, and be more quantitative about these domains?

Funding

NSF ACI #1339774 and #1234408

THANKS!