iRODS Security Aspects. Willem Elbers, CLARIN-ERIC, Netherlands


iRODS Security Aspects. Willem Elbers, CLARIN-ERIC, Netherlands. Utrecht, 28-29 April 2014

Contents
- Client / Server connections
- Authentication: within zone, across zone
- Authorization
- EUDAT B2ACCESS

Client / Server connections (image provided by Ton Smeele)

Client / Server connections: ports
- System port, default: 1247
- Data communication range, default: 20000-20199
- Optional: database port
- LDAP authentication: port 636
- iRODS Web Browser: HTTP(S) 80/443

Client Authentication
Users can authenticate to their home zone in different ways:
- Default: username/password (since iRODS 1.0?). Users use dedicated iRODS credentials to authenticate with iRODS.
- PAM with LDAP, Kerberos, ... (since iRODS 3.2). Users use their system credentials to authenticate with iRODS. Kerberos was available standalone since iRODS 2.1.
- GSI (Grid Security Infrastructure). Both the clients and the servers need to be built with GSI. Users use X.509 certificates to authenticate with iRODS. Note: no easy access to attributes in the certificate.

Client / Server connections (diagram): a client connecting to zone1, whose namespace /zone1 contains /collection1 and /collection2, served by node1, node2 and node3.

Server Authentication: Within Zone
- A user can authenticate to any server in the iRODS zone.
- Only the ICAT-enabled server (IES) stores user credential information.
- What happens if a user authenticates to a non-IES? The non-IES connects to the IES to perform the authentication.
- Use a localzonesid (a shared secret between all iRODS servers) to make this a little more secure than just trusting DNS.
- Before 3.3.1 a localzonesid mismatch only produces a warning in the log file; from 3.3.1 on, authentication fails.

Authentication flow within a zone (sequence diagram on the slide, between the client, a non-ICAT-enabled server and the ICAT-enabled server):
1.1 authenticate willem
2.1 challenge
2.2 response
(opt.) verify localzonesid
3.1 verify challenge/response
3.2 authenticated? yes/no
4.1 authenticate
5.1 challenge
5.2 response
Session state at the client: user willem, proxy willem, authenticated: no_user_auth(0) -> local_user_auth(2).
Session state at the ICAT-enabled server: user null -> willem, proxy null -> rodsadmin, authenticated: no_user_auth(0) -> local_user_auth(2).
Auth flag values: no_user_auth(0), remote_user_auth(1), local_user_auth(2), remote_priv_user_auth(3), local_priv_user_auth(4). Local and remote refer to local or remote zones; "priv" or not indicates whether or not the user is an iRODS admin.

Challenge response
- iRODS authentication. Response: MD5 hash of (challenge + password). The ICAT server verifies this by generating the same hash from the credential information stored in the ICAT.
- OS-level authentication (e.g. PAM). Response: MD5 hash of (username, uid, challenge, shared secret). Each of these components comes from a trusted source, the uid being the system user id set by the OS-level authentication.

Client / Server connections (diagram): a client connecting to two federated zones, zone1 (/zone1 with /collection1 and /collection2, served by node1, node2, node3) and zone2 (/zone2 with /collection1 and /collection2, served by node1, node2).

Server Authentication: Across Zone
- When accessing a remote zone, the user is actually authenticated against his/her home zone.
- No sensitive user information is distributed.
- This only works if the remote zone connects to the correct home zone; again, DNS is trusted by default.
- Configure a RemoteZoneSid in the remote zones which matches the LocalZoneSid of the user's home zone, e.g.:
  LocalZoneSid qwerty123
  RemoteZoneSid tempzone-qwerty123
- The server IDs can be scrambled (using iadmin spass), but this doesn't add security; it only prevents clear-text passwords in the log files.
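The within-zone and across-zone flows above can be followed in a small executable model. The following is an added illustration, not iRODS code: it models a non-ICAT server forwarding the client's challenge/response to the ICAT-enabled server (IES) of the zone, the localzonesid check with its pre-3.3.1 "warn only" and 3.3.1+ "fail" behaviour, the two response hashes from the challenge/response slide, and a remote zone forwarding a `user#homezone` login to the home zone with its configured RemoteZoneSid. The exact byte layout of the hash inputs, the strict/warn switch, and all zone names, users, passwords and secrets are assumptions or constructed sample values.

```python
"""Toy model of the iRODS 3.x authentication flow on these slides (added illustration,
not iRODS code). Hash input layouts, the strict/warn-only switch and all zone names,
users and secrets are assumptions or constructed sample values."""
import hashlib
import os

# Auth flag values listed on the slide (0 = not authenticated)
NO_USER_AUTH, REMOTE_USER_AUTH, LOCAL_USER_AUTH = 0, 1, 2


def md5_hex(*parts: bytes) -> str:
    h = hashlib.md5()
    for p in parts:
        h.update(p)
    return h.hexdigest()


def irods_response(challenge: bytes, password: str) -> str:
    """Native iRODS credentials: response = MD5(challenge + password)."""
    return md5_hex(challenge, password.encode())


def pam_response(user: str, uid: int, challenge: bytes, secret: bytes) -> str:
    """OS-level (PAM) auth: response = MD5(username, uid, challenge, shared secret).
    The uid comes from the OS after PAM succeeded, not from the user."""
    return md5_hex(user.encode(), str(uid).encode(), challenge, secret)


class IcatServer:
    """The IES of one zone: the only server that stores credential information."""

    def __init__(self, zone: str, local_zone_sid: str, strict: bool = True):
        self.zone = zone
        self.local_zone_sid = local_zone_sid
        self.strict = strict          # True: SID mismatch fails (>= 3.3.1); False: warn only (< 3.3.1)
        self.passwords = {}           # user -> iRODS password (native auth)
        self.os_accounts = {}         # user -> uid (PAM auth)
        self.pam_secret = b""         # shared secret used in the PAM response hash
        self.remote_zone_sids = {}    # home zone -> RemoteZoneSid configured here for it
        self.peers = {}               # home zone -> that zone's IcatServer
        self.log = []

    def _check_sid(self, presented_sid: str) -> bool:
        if presented_sid == self.local_zone_sid:
            return True
        self.log.append(f"WARNING: bad zone SID presented to {self.zone}")
        return not self.strict

    def verify(self, presented_sid: str, username: str, challenge: bytes, response: str) -> int:
        """Called by another server with the client's challenge/response; returns the auth flag."""
        if not self._check_sid(presented_sid):
            return NO_USER_AUTH
        user, _, zone = username.partition("#")
        if zone and zone != self.zone:
            # Cross-zone login: the home zone authenticates the user. We present the
            # RemoteZoneSid configured for that zone, which must equal its LocalZoneSid.
            home = self.peers.get(zone)
            if home is None:
                return NO_USER_AUTH
            sid = self.remote_zone_sids.get(zone, "")
            ok = home.verify(sid, user, challenge, response) == LOCAL_USER_AUTH
            return REMOTE_USER_AUTH if ok else NO_USER_AUTH
        if user in self.passwords:
            expected = irods_response(challenge, self.passwords[user])
        elif user in self.os_accounts:
            expected = pam_response(user, self.os_accounts[user], challenge, self.pam_secret)
        else:
            return NO_USER_AUTH
        return LOCAL_USER_AUTH if expected == response else NO_USER_AUTH


def demo():
    """Runs the cases a defender cares about; returns the auth flags and the home IES log."""
    home = IcatServer("vzmpi", "qwerty123")
    home.passwords["willem"] = "s3cret"          # constructed sample credential
    home.os_accounts["latuser"] = 1001           # PAM user with OS uid 1001
    home.pam_secret = b"pam-shared-secret"
    remote = IcatServer("vzsara", "sara-sid")
    remote.peers["vzmpi"] = home
    remote.remote_zone_sids["vzmpi"] = "qwerty123"   # matches home's LocalZoneSid

    c = os.urandom(64)
    good = irods_response(c, "s3cret")
    r = {}
    r["native"] = home.verify("qwerty123", "willem", c, good)
    r["wrong_pw"] = home.verify("qwerty123", "willem", c, irods_response(c, "nope"))
    r["pam"] = home.verify("qwerty123", "latuser", c,
                           pam_response("latuser", 1001, c, b"pam-shared-secret"))
    r["bad_sid_strict"] = home.verify("wrong", "willem", c, good)   # fails on >= 3.3.1
    home.strict = False
    r["bad_sid_warn"] = home.verify("wrong", "willem", c, good)     # < 3.3.1: warning only
    home.strict = True
    r["remote"] = remote.verify("sara-sid", "willem#vzmpi", c, good)
    remote.remote_zone_sids["vzmpi"] = "stale"                      # misconfigured RemoteZoneSid
    r["remote_bad_sid"] = remote.verify("sara-sid", "willem#vzmpi", c, good)
    return r, home.log


if __name__ == "__main__":
    print(demo())
```

The `demo()` cases map onto the slides: a correct response yields `local_user_auth(2)` in the home zone and `remote_user_auth(1)` when forwarded from a federated zone; a bad localzonesid is only logged when the server is in the pre-3.3.1 mode and rejected otherwise; and a stale RemoteZoneSid in the federated zone makes the home zone reject the forwarded request even though the user's password was right.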

Federated Data Grid (diagram): three zones, /vzrzge (local user eudat#vzrzge), /vzmpi (local user latuser#vzmpi) and /vzsara (local user rods#vzsara). Each zone registers the two other zones and their users:
In zone vzrzge:
iadmin mkzone vzmpi host:port
iadmin mkuser latuser#vzmpi rodsuser
iadmin mkzone vzsara host:port
iadmin mkuser rods#vzsara rodsuser
In zone vzmpi:
iadmin mkzone vzrzge host:port
iadmin mkuser eudat#vzrzge rodsuser
iadmin mkzone vzsara host:port
iadmin mkuser rods#vzsara rodsuser
In zone vzsara:
iadmin mkzone vzrzge host:port
iadmin mkuser eudat#vzrzge rodsuser
iadmin mkzone vzmpi host:port
iadmin mkuser latuser#vzmpi rodsuser

Authorization: Data Objects
- The default approach to restrict access to data objects in an iRODS zone is by setting ACLs on collections or data objects.
- Modify ACLs (rods admin) with: ichmod
- Look at ACLs with: ils -A
- Set ownership, read and write permission on data objects.
- Set inheritance on collections: when a collection has this attribute set, new data objects and collections added to the collection inherit the access permissions (ACLs) of the collection.
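The inheritance rule on this slide has a consequence worth seeing in code: objects that already exist when `inherit` is set on their collection keep their old ACL, so granting access on the collection afterwards requires a recursive `ichmod -r`. The following added example is not iRODS code; it is an in-memory model of a zone's ACLs with `ichmod`, `ils -A` and the inherit attribute, using constructed users and paths, and it also reflects the conclusion slide's point that a user must exist in the zone before an ACL entry can name it.

```python
"""Toy model of collection/data-object ACLs, 'ichmod', 'ils -A' and the collection
'inherit' attribute (added illustration, not iRODS code; users and paths are constructed)."""

LEVELS = {"null": 0, "read": 1, "write": 2, "own": 3}   # access levels, weakest to strongest


class Zone:
    def __init__(self, name: str):
        self.name = name
        self.users = set()        # a user must exist in the zone before it can appear in an ACL
        self.acls = {}            # path -> {user: level}
        self.collections = set()
        self.inherit = set()      # collections whose inherit attribute is set

    def mkuser(self, user: str):
        self.users.add(user)

    def mkcoll(self, path: str, owner: str):
        self.collections.add(path)
        self._create(path, owner)

    def mkobj(self, path: str, owner: str):
        self._create(path, owner)

    def _create(self, path: str, owner: str):
        acl = {owner: "own"}
        parent = path.rsplit("/", 1)[0]
        # Inheritance applies at creation time only: objects that already existed when
        # the parent's inherit attribute was set keep their old ACL.
        if parent in self.inherit:
            acl.update(self.acls.get(parent, {}))
        self.acls[path] = acl

    def _subtree(self, path: str, paths):
        return [path] + [p for p in paths if p.startswith(path + "/")]

    def ichmod(self, level: str, path: str, user: str = None, recursive: bool = False):
        """Models 'ichmod [-r] inherit|noinherit <collection>' and 'ichmod [-r] <level> <user> <path>'
        (argument order differs from the CLI for readability)."""
        if level in ("inherit", "noinherit"):
            for c in self._subtree(path, self.collections) if recursive else [path]:
                (self.inherit.add if level == "inherit" else self.inherit.discard)(c)
            return
        if user not in self.users:
            raise KeyError(f"user {user} does not exist in zone {self.name}")
        for p in self._subtree(path, self.acls) if recursive else [path]:
            if level == "null":
                self.acls[p].pop(user, None)
            else:
                self.acls[p][user] = level

    def ils_A(self, path: str):
        """Models 'ils -A': the ACL of one path as sorted (user, level) pairs."""
        return sorted(self.acls[path].items())

    def can(self, user: str, level: str, path: str) -> bool:
        return LEVELS[self.acls.get(path, {}).get(user, "null")] >= LEVELS[level]


def demo():
    z = Zone("vzmpi")
    for u in ("rods", "willem"):
        z.mkuser(u)
    z.mkcoll("/vzmpi/project", "rods")
    z.mkobj("/vzmpi/project/old.dat", "rods")        # exists before inherit is set
    z.ichmod("read", "/vzmpi/project", user="willem")
    z.ichmod("inherit", "/vzmpi/project")
    z.mkobj("/vzmpi/project/new.dat", "rods")        # created after: inherits willem's read
    out = {
        "old_readable": z.can("willem", "read", "/vzmpi/project/old.dat"),
        "new_readable": z.can("willem", "read", "/vzmpi/project/new.dat"),
        "new_writable": z.can("willem", "write", "/vzmpi/project/new.dat"),
        "new_acl": z.ils_A("/vzmpi/project/new.dat"),
    }
    z.ichmod("read", "/vzmpi/project", user="willem", recursive=True)   # fix up existing objects
    out["old_after_recursive"] = z.can("willem", "read", "/vzmpi/project/old.dat")
    try:                                   # ACL entry for a user never created in this zone
        z.ichmod("read", "/vzmpi/project", user="eudat#vzrzge")
        out["unknown_user_rejected"] = False
    except KeyError:
        out["unknown_user_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows `old.dat` staying unreadable for willem until the recursive `ichmod`, while `new.dat` picks up the collection ACL at creation; the last case is the federation point from the conclusion slide: `eudat#vzrzge` has to be created in zone vzmpi (`iadmin mkuser eudat#vzrzge rodsuser`) before an ACL there can reference it.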

Authorization: Data Objects
- Implement policies as rules, triggered by iRODS Policy Enforcement Points (configured in core.re): acPreProcForDataObjOpen, acPreProcForCollCreate, acPreProcForCreate, ...
- With the policy enforcement points you can also restrict access to the execution of rules.

EUDAT Core AAI Functions and EUDAT Resources (diagram). Components shown: B2SHARE, B2SAFE, B2STAGE, B2DROP; OpenID Bridge; DFN federation; OAuth authorisation server issuing an access token; gateway portal; CLARIN IdP; Unity Identity Management with a Unity / federation database; X.509 Google Federation; User Certification Authority; SAML; example home organisations liu.se, ceda.ac.uk, dkrz.de.

Unity identity management (diagram): OpenID (Google), Unicore, Contrail, multi-LoA SAML authorization server, CA, IdP 1, IdP 2, ..., IdP n, SAML, LDAP, DB. Resulting identity: DN = EUDAT uid; attributes: community uid.

Conclusion
- The default authentication mechanism works out of the box and is easy to use, but it is not scalable.
- With PAM/LDAP or X.509, authentication can be better integrated into existing infrastructure.
- Users must be created in all zones where ACLs should be set.
- iRODS communication over the wire is not encrypted; sometimes hashed values are used.
- With PAM authentication, the iinit session (client - server) can be encrypted.

Questions? Thank you for your attention.

References
- iRODS documentation: https://github.com/irods/irods/tree/master/irods/doc
- Authentication: https://wiki.irods.org/index.php/server_authentication and https://wiki.irods.org/index.php/secure_installation
- Authorization: https://github.com/irods/irods/blob/master/irods/doc/designspecs/authorization
- PAM: https://wiki.irods.org/index.php/pam/ldap_authentication/authorization, https://wiki.irods.org/index.php/pam_authentication and https://wiki.irods.org/index.php/pam_ssl_setup