[GSoC Proposal] Securing Airavata API

Similar documents
Advanced API Security

INDIGO AAI An overview and status update!

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

WSO2 Identity Management

SAP Security in a Hybrid World. Kiran Kola

ArcGIS Server and Portal for ArcGIS An Introduction to Security

THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS

Federated Authentication with Web Services Clients

Administering Jive Mobile Apps for ios and Android

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Microsoft Architecting Microsoft Azure Solutions.

API Security Management SENTINET

Authorization Survey Results & Use Cases Presentation to Concordia Working Group

Introduction to application management

Tutorial: Building the Services Ecosystem

Novell Access Manager 3.1

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Consuming Office 365 REST API. Paolo Pialorsi PiaSys.com

ArcGIS Enterprise Security: Advanced. Gregory Ponto & Jeff Smith

Security and Privacy Overview

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

Identity, Authentication and Authorization. John Slankas

Configuration Guide - Single-Sign On for OneDesk

Single Sign-On for PCF. User's Guide

Using Keycloak to Provide Authentication, Authorization, and Identity Management Services for Your Gateway

Securing APIs and Microservices with OAuth and OpenID Connect

Introduction to SciTokens

A solution for Access Delegation based on SAML. Ciro Formisano Ermanno Travaglino Isabel Matranga

How to use or not use the AWS API Gateway for Microservices

Five9 Plus Adapter for Agent Desktop Toolkit

ServiceNow Deployment Guide

Administering Jive Mobile Apps

Centrify for Dropbox Deployment Guide

Technical Overview. Version March 2018 Author: Vittorio Bertola

SAP IoT Application Enablement Best Practices Authorization Guide

2. HDF AAI Meeting -- Demo Slides

Authentication. Katarina

SAML-Based SSO Solution

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Warm Up to Identity Protocol Soup

Cloud-based Identity and Access Control for Diagnostic Imaging Systems

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Securing Modern API and Microservice Based Applications by Design A closer look at security concerns for modern applications Farshad Abasi / Forward

API Security Management with Sentinet SENTINET

Authorization Aspects of the Distributed Dataflow-oriented IoT Framework Calvin

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

Cloud Access Manager Overview

GLOBUS TOOLKIT SECURITY

IBM Exam C IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: 6.0 [ Total Questions: 134 ]

API Gateway. Version 7.5.1

SAML-Based SSO Solution

Admin Panel for MEETS. User Guide

DreamFactory Security Guide

Partner Center: Secure application model

Salesforce1 Mobile Security White Paper. Revised: April 2014

Access Management and Identity Federation for the Connected World

How to Configure Authentication and Access Control (AAA)

Lesson 13 Securing Web Services (WS-Security, SAML)

Network Security Essentials

CLI users are not listed on the Cisco Prime Collaboration User Management page.

BMS Managing Users in Modelpedia V1.1

Beyond X.509: Token-based Authentication and Authorization with the INDIGO Identity and Access Management Service

The Modern Web Access Management Platform from on-premises to the Cloud

Red Hat Single Sign-On 7.1 Authorization Services Guide

Identity and Access Management Level 100

13241 Woodland Park Road, Suite 400 Herndon, VA USA A U T H O R : E X O S T A R D ATE: M A R C H V E R S I O N : 3.

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

Oracle Communications Services Gatekeeper

Usage of "OAuth2" policy action in CentraSite and Mediator

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

A RESTful Approach to Identity-based Web Services

All about SAML End-to-end Tableau and OKTA integration

Securing your Standards Based Services. Rüdiger Gartmann (con terra GmbH) Satish Sankaran (Esri)

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

BSE-SINGLE SIGN ON. For Brokers/ Banks/ Mutual Funds

ArcGIS Enterprise Security. Gregory Ponto & Jeff Smith

CONNECTED IDENTITY: BENEFITS, RISKS, AND CHALLENGES DIRECTOR - SECURITY ARCHITECTURE, WSO2

uick Start Guide 1. Install Oracle Java SE Development Kit (JDK) version or later or 1.7.* and set the JAVA_HOME environment variable.

Contents About This Guide... 5 About Notifications... 5 Managing User Accounts... 6 Managing Companies Managing Password Policies...

Salesforce Mobile App Security Guide

Integrating with Prime Service Catalog

Securing Office 365 with Okta

SOCIAL IDENTITIES IN HIGHER ED: WHY AND HOW WITH REAL-WORLD EXAMPLES

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Authentication in the Cloud. Stefan Seelmann

Liferay Security Features Overview. How Liferay Approaches Security

Argus Vulnerability Assessment *1

Canadian Access Federation: Trust Assertion Document (TAD)

W H IT E P A P E R. Salesforce Security for the IT Executive

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

Integrating Apache Mesos with Science Gateways via Apache Airavata

Mozy. Administrator Guide

ArcGIS for Server: Security

Single Sign-On Best Practices

Oracle Communications WebRTC Session Controller

DCCKI Interface Design Specification. and. DCCKI Repository Interface Design Specification

Leveraging the Globus Platform in your Web Applications. GlobusWorld April 26, 2018 Greg Nawrocki

5 OAuth Essentials for API Access Control

Transcription:

[GSoC Proposal] Securing Airavata API TITLE: Securing AIRAVATA API ABSTRACT: The goal of this project is to design and implement the solution for securing AIRAVATA API. Particularly, this includes authenticating and authorizing end users in to AIRAVATA API. One of the challenges in this project is to design a unified solution which can be easily adapted to set of identified use cases that are based on different identity management scenarios. The proposed solution addresses all such use cases and involves open identity management standards. PROPOSAL CONTENT: Problem Definition: AIRAVATA is used by science gateways as a platform to create, submit, execute and monitor different types of scientific jobs and work flows in scientific grids. In the current architecture (see Figure 1 for a high level overview), the end user who interacts with AIRAVATA APIs through such gateways, is not authenticated or authorized, hence there is no notion of the identity of the end user maintained in AIRAVATA. However, it is a critical requirement in production deployment that only the legitimate users are allowed in and access to different functionalities exposed by AIRAVATA API is controlled based on the privileges of such users and the organizational policies. Attaching user identity with different jobs, work flows and other artifacts created by different individuals is also useful in the perspective of AIRAVATA in order to isolate them based on the user who created them.

security. Figure 1: Overview of AIRAVATA deployment without When designing the solution to address the aforementioned requirements, there are three main use cases that we need to support based on how the end user's identity is managed at the gateways: 1. 2. 3. Gateway does not have identity management capability and would like to depend on the identity management features provided by AIRAVATA. Gateway has a user-store and in-house identity management mechanisms. Different gateways might have different preferences on the level at which they share user identity information with AIRAVATA. Gateway authenticates users via some federated identity management protocol such as SAML SSO, OpenID, OAuth, InCommon, etc. The solution should also support multi-tenancy and be applicable to mobile /desktop clients. Solution Overview: Figure 2 illustrates the high level architecture of the proposed solution. Figure 2: High Level Overview of the Solution

This solution makes use of the identity management features offered by WSO2 Identity Server (WSO2 IS) which acts as the identity manager of AIRAVATA. Details of the interactions illustrated in Figure 2 are as follows: (numbers correspond to the labels of interactions) 1. 2. 3. 4. 5. User is authenticated to AIRAVATA (how the authentication is performed with regard to aforementioned three different use cases is described in the next section) and OAuth access token is obtained from the WSO2 IS to access the AIRAVATA API on behalf of the authenticated user. Request to AIRAVATA (depending on what action user wants to perform) is sent along with the obtained OAuth access token. Each request sent to AIRAVATA API is authorized before executing any of the API functionality. The first step in authorization is: validating the OAuth access token attached to the request. Second step is: authorizing the request based on the authorization policy which is pre-defined by the gateway administrator (details to follow). Only the authorized requests are served by AIRAVATA API. Authorization of subsequent requests from the same user will be handled using session management and caching of authorization decisions in order to avoid the requirement of contacting the WSO2 IS for authorizing multiple requests by the same user for the same resource. Above solution supports multi-tenancy as when ever the user identity is exchanged, it includes the tenant domain that the user belongs too so that the authentication authorization is performed with respect to that tenant domain. The same client side logic can be implemented in desktop and mobile clients as well so that the above solution is applicable to desktop and mobile clients. Solution in detail: This section elaborates the high level solution presented in the previous section.

Authentication: Authentication is the only step in the high level solution that differs among the three different use cases that we identified at the beginning. In what follows I explain how the aforementioned high level solution is adapted to address those three use cases. Use Case 1: Gateway does not have a user-store and would like to depend on the user management features provided by AIRAVATA. In this scenario, the gateway users are stored in the user-store provided by the identity manager of AIRAVATA (i.e: WSO2 IS) as shown in Figure 3. Figure 3: Solution for use case 1. The gateway makes use of the AIRAVATA Client API to create users, which in turn invokes the User Admin API of WSO2 IS. (This is already being implemented in AIRAVATA.) When the users are authenticated to the gateway, their credentials are validated against those stored in the user-store of WSO2 IS. The gateway makes use of the AIRAVATA Client API to authenticate users and obtain OAuth access token. This corresponds to the "resource owner credential" grant type in OAuth.

Use Case 2: Gateway has a user-store and in-house identity management mechanisms. Different gateways might have different preferences on the level at which they share user identity information with AIRAVATA. Three solutions are proposed to address this use case and they are ordered based on the order of priority as discussed with the AIRAVATA team. (1). The gateway wants to share only the minimum required information about the end user's identity with AIRAVATA. In this case, the gateway obtains an OAuth access token by authenticating to the identity manager of AIRAVATA (i.e: WSO2 IS). This corresponds to the "client credential" grant type in OAuth. End user requests are sent to AIRAVATA attaching this OAuth access token and the minimum required user identity information required by AIRAVATA API (see Figure 4). Figure 4: Solution for use case 2 - option 1. (2). In the second level at which the gateway is willing to share user identity information; the gateway does not want to connect AIRAVATA to its organizational user store, however, it prefers to provision user accounts to AIRAVATA with the identity information required by AIRAVATA.

In this case, the gateway makes use of the identity provisioning client in AIRAVATA client API to provision user accounts to the identity manager of AIRAVATA (i.e: WSO2 IS), at the time of user account creation in the gateway. This enables the execution flow of accessing the AIRAVATA API be the same as in the use case 1 (see Figure 5). 2. Figure 5: Solution for use case 2 - option (3). In the third level at which the gateway is willing to share user identity information; the gateway allows AIRAVATA to connect to its organizational user store in read-only mode. In this case, the identity manager of AIRAVATA (i.e: WSO2 IS), is connected to the gateway's organizational user store through the user store manager extension provided by WSO2 IS. This enables the execution flow of accessing the AIRAVATA API be the same as in the use case 1 (see Figure 6).

Figure 6: Solution for use case 2 - option 3. Use Case 3: Gateway authenticates users via some federated identity management protocol such as SAML SSO, OpenID, OAuth, InCommon, etc. In this case, the gateway becomes the relying party and it needs to authenticate users to AIRAVATA through the same authentication mechanism that is being used to authenticate users to the gateway. This can be achieved with the support of federated authenticators in the authentication framework of WSO2 IS 5.0 [1] (see Figure 7). If the gateway needs to support a federated authentication protocol that is not supported out of the box by WSO2 IS 5.0, we write a custom authenticator. If the federated authentication protocol supports retrieval of user's identity attributes from the identity provider, a user account is created in WSO2 IS (i.e: the identity manager of AIRAVATA) with such identity information. Once the user is authenticated to WSO2 IS via the federated identity management protocol, OAuth access token is obtained (for e.g: if the federated authentication protocol is SAML2 SSO; this corresponds to SAML 2.0 Bearer Assertion Profile grant type in OAuth) to access the AIRAVATA API and the rest of the flow of execution continues in the same way as in use case 1. case 3 Figure 7 : Solution for use

Authorization: OAuth for authorization delegation and validation of user-authentication: The gateway obtains an OAuth access token from WSO2 IS via in order to send requests to AIRAVATA API on behalf of the authenticated user (different OAuth grant types are used based on the use case as described previously). The gateway makes use of the AIRAVATA Client API to obtain OAuth tokens, which in turn invokes the OAuth token issuer API of WSO2 IS. The gateway can use this token until it expires, avoiding the user having to authenticate each time the user accesses AIRAVATA through the gateway. Enforcing Authorization: All the requests to AIRAVATA go through Security Manager before they hit the actual business logic of AIRAVATA API. As per step 4,5 of the high level solution overview (see Figure 2), authorization is performed in two steps: Validation of the OAuth token attached to the request: This guarantees that the request comes from an authenticated user who has obtained a valid OAuth access token. Authorizing the API request based on the authorization policy which is predefined by the gateway administrator: This guarantees that the authenticated user is only allowed to invoke AIRAVATA API functions and access resources which he/she has permission to. Note: Although above is how the authorization is enforced in the default Security Manager, we make the implementation extensible such that any other Security Manager could also be plugged in easily. XACML for Authorization: XACML is the de-facto standard for fine grained, policy based access control. Policy based access control is more flexible than baking the authorization logic into the code of Security Manager. Administrators of different gateways might have different authorization rules based on their organizational policies. They can be facilitated to define, update and enforce such authorization rules to control access to their instance of AIRAVATA API. The implementation will

be based on the fully fledged implementation of XACML reference architecture in WSO2 IS. Three main components of XACML reference architecture that will be used in this solution are: PAP (Policy Administration Point), PDP (Policy Decision Point) and PEP (Policy Enforcement Point). PAP facilitates defining, updating and publishing the authorization policies. Figure 8 illustrates the involvement of PAP for defining the authorization policies by the gateway administrator. The gateway makes use of AIRAVATA client for this which in turn invokes XACML PAP API of WSO2 IS. Gateway Admin Figure 8: Creation of Authorization Policy by PEP (this will be a part of the Security Manager that fronts the AIRAVATA API) is where the authorization is actually enforced on the API requests. Upon intercepting a request sent to AIRAVATA API, the PEP forms a XACML authorization request including the information related to the current API request (such as user identity, name of the API function or resource that was requested) and then it sends that XACML authorization request to the PDP.

PDP - which is the XACML policy engine of WSO2 IS, evaluates the authorization request sent by the PEP, against the policy defined by the gateway administrator and returns the authorization decision back to the PEP. Based on this decision, the PEP (in the Security Manager) allows or denies the API request that it intercepted. Securing Communication: It is critical to secure the communication between: (1)gateway and WSO2 IS (2) gateway and AIRAVATA and (3)AIRAVATA and WSO2 IS (see Figure 2). Communication between the AIRAVATA client at the gateway and the WSO2 IS mainly involves the requests (SOAP over HTTP) which invoke the admin services of WSO2 IS (such as User Admin API, Authentication API, OAuth Token Issuer API, XACML PAP API, etc). These requests should be authenticated with the gateway admin-credentials and should be sent over SSL, as per the default settings of WSO2 IS. The same is true for communication between the Security Manager at the AIRAVATA server and the WSO2 IS. This solution proposes that the Thrift calls from the AIRAVATA client at the gateway to the AIRAVATA API should also be made over TLS. Main Components of the Solution: Main components of this solution are identified as: 1. 2. 3. AIRAVATA Client: (which consists of the following sub components) Authentication Client OAuth Client XACML Policy Admin Client Security improvements for the Thrift client which invokes AIRAVATA API Provisioning client Security Manager Manager: OAuth access token validator XACML Policy Enforcement Point (PEP) Custom extension points to WSO2 IS (If out of the box features do not cater the requirements): Custom federated authenticator(s)

DELIVERABLES: Implementation of the solution for use case 1, use case 2 - option 1,2 and use case 3. Test cases (both unit and integration tests) and samples as appropriate. Documentation of the security solution for AIRAVATA. TIMELINE AND MILESTONE PLAN (Divided into 2 week sprints): At the end of each two weeks sprint, I will do a demo of the features developed during that sprint. Sprint time line 13th May - 27th May 28th May - 10th June Sprint plan - Completing AIRAVATA API changes. - OAuth access token retrieval and validation (for use case 1). - Defining default XACML policy - XACML PEP client in Security Manager with caching. - Securing communication between client and AIRAVATA API with SSL. 11th June - 24th June - Extend the implementation to support use case 2- option 1. - Session management. - PAP client. 25th June - 8th July - Use case 3 with SAML 2 SSO as the federated authentication mechanism

- Use case 3 with Face book login as the federated authentication mechanism 9th July - 22nd July 23rd July - 5th August - Custom authenticator for a federated authentication mechanism that is not supported in WSO2 IS out of the box. - Provisioning client to support use case 2 - option 2 - Provisioning handler for JIT provisioning in use case 3 6th August - 12th August - (1 week) wrap up work and documentation REFERENCES: [1] Prabath Siriwardena. WSO2 Identity Server 5.0.0 Authentication Framework. http://java.dzone.com/articles/wso2-identity-server-500, July 2014.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback