
Delegation of Authority in Distributed Data Access System

This presentation explores the challenges of authentication and authorization infrastructures (AAIs) in distributed systems, presents the onedata global data access system, discusses autonomous entities in onedata and popular AAI technologies, and introduces macaroons as a better solution for delegation of authority. The benefits of macaroons in onedata are highlighted: high security, ease of use, a simpler authorization system, fine-grained permissions, and low storage and computational overheads.


Presentation Transcript


  1. Delegation of authority in distributed data access system Konrad Zemek, Łukasz Opioła, Michał Wrzeszcz, Renata G. Słota, Łukasz Dutka, Jacek Kitowski ACC Cyfronet AGH, Department of Computer Science, AGH - UST CGW 2015 Kraków, Poland, October 26-28, 2015

  2. Agenda • AAIs in distributed systems - challenges • onedata – a global data access system • Autonomous entities in onedata • Popular technologies in AAI • Macaroons – better than cookies • Macaroons in onedata • Conclusions

  3. AAIs in distributed systems: challenges • Services can be autonomous components • User identity and privileges must be verified • Some operations require delegation • User credentials must be passed in a secure manner AuthN – AuthenticatioN AuthZ – AuthoriZation

  4. onedata • Global data access • Virtualizes access to files • Easy data sharing • Cooperation support • HPC support • Unifies heterogeneous storages into single data space • Highly distributed

  5. Autonomous entities in onedata [diagram: the user trusts each provider (TRUST: "Access file", "Share file"), but there is NO TRUST between the providers themselves] • No trust between providers • Need for delegation

  6. Popular technologies in AAI
  • Certificates (Globus, X.509)
    • Depending on user awareness
    • Revocation handling may be problematic
  • SAML (Security Assertion Markup Language)
    • Complicated and heavyweight
    • High maintenance (in big systems)
  • Web cookies
    • Carry too much authority
    • No delegation mechanism

  7. "Macaroons are better than cookies!"
  • The answer to onedata needs – macaroons (by Google):
    • Bearer tokens
    • Contextual confinement of authority (caveats)
    • Caveats cannot be removed and cannot increase authority
    • Limitable lifespan
    • Third party caveats
    • Safe delegation of authority
    • Serializable for easy passing

  8. Macaroons in onedata • 1. Authentication macaroon • 2. Provider authorization macaroon • 3. Native client authorization macaroon

  9. Macaroons in onedata
  • 1. Authentication macaroon
    • Proof of user's identity and presence (active session)
    • Short lived
    • Issued by identity service (Global Registry, GR)
  • 2. Provider authorization macaroon
  • 3. Native client authorization macaroon

  10. Macaroons in onedata
  • 1. Authentication macaroon
  • 2. Provider authorization macaroon
    • Long lived
    • Allows interacting with GR on behalf of the user
    • Contains a 3rd party caveat – needs authentication macaroon
  • 3. Native client authorization macaroon

  11. Macaroons in onedata
  • 1. Authentication macaroon
  • 2. Provider authorization macaroon
  • 3. Native client authorization macaroon
    • Long lived
    • Given to the user, confidential
    • Does not require authentication but limited authority
    • Allows read-only access to some GR metadata
    • Authority delegated by further confinement
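The three-token scheme of slides 9 to 11, together with the caveat properties listed on slide 7 (caveats cannot be removed, third-party caveats, delegation by further confinement), as an added example in Python. This is not onedata's or the authors' code: the HMAC-SHA256 chain follows the published macaroon construction, but the identifiers, the "key = value" / "key < number" predicate syntax, the GR root key and caveat key, and the XOR-with-HMAC-keystream encryption of the caveat key inside the verification id are simplifications assumed for illustration, and discharge macaroons are limited to first-party caveats.

```python
"""Minimal macaroons (HMAC-SHA256 chain) modelling the onedata token scheme.
Added illustration, not onedata's code; all names and predicates are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _holds(predicate: bytes, ctx: dict) -> bool:
    # Assumed predicate syntax: "key = value" or "key < number".
    key, op, value = predicate.decode().split(" ", 2)
    if op == "=":
        return str(ctx.get(key)) == value
    return op == "<" and key in ctx and float(ctx[key]) < float(value)

@dataclass
class Macaroon:
    identifier: bytes
    caveats: list = field(default_factory=list)  # ("first", pred) | ("third", vid, cid)
    signature: bytes = b""

    @classmethod
    def mint(cls, root_key: bytes, identifier: bytes) -> "Macaroon":
        return cls(identifier, [], _mac(root_key, identifier))

    def first_party(self, predicate: bytes) -> "Macaroon":
        # Confinement: any holder may add a caveat, but removing one breaks the chain.
        self.caveats.append(("first", predicate))
        self.signature = _mac(self.signature, predicate)
        return self

    def third_party(self, caveat_key: bytes, caveat_id: bytes) -> "Macaroon":
        # vid = 32-byte caveat_key encrypted under the running signature (assumed
        # XOR keystream), so only a verifier that rebuilds the chain recovers it.
        nonce = os.urandom(16)
        vid = nonce + _xor(caveat_key, _mac(self.signature, nonce))
        self.caveats.append(("third", vid, caveat_id))
        self.signature = _mac(self.signature, vid + caveat_id)
        return self

    def bind(self, discharge: "Macaroon") -> "Macaroon":
        # Tie the discharge to this macaroon's final signature: no replay elsewhere.
        return Macaroon(discharge.identifier, list(discharge.caveats),
                        _mac(self.signature, discharge.signature))

def verify(m: Macaroon, root_key: bytes, ctx: dict, discharges=()) -> bool:
    """Rebuild the chain from the root key; every caveat and discharge must hold."""
    sig, bindings = _mac(root_key, m.identifier), []
    for cav in m.caveats:
        if cav[0] == "first":
            if not _holds(cav[1], ctx):
                return False
            sig = _mac(sig, cav[1])
            continue
        _, vid, cid = cav
        caveat_key = _xor(vid[16:], _mac(sig, vid[:16]))
        d = next((d for d in discharges if d.identifier == cid), None)
        if d is None:
            return False
        dsig = _mac(caveat_key, cid)  # discharge chain (first-party caveats only)
        for dcav in d.caveats:
            if dcav[0] != "first" or not _holds(dcav[1], ctx):
                return False
            dsig = _mac(dsig, dcav[1])
        bindings.append((d, dsig))
        sig = _mac(sig, vid + cid)
    if not hmac.compare_digest(sig, m.signature):
        return False
    return all(hmac.compare_digest(d.signature, _mac(sig, dsig)) for d, dsig in bindings)

def onedata_demo(now: float = 1_000_000.0) -> dict:
    """The three onedata macaroons; GR root key, caveat key and identifiers are assumed."""
    gr_key, auth_key = os.urandom(32), os.urandom(32)
    # 2. provider authorization macaroon: long lived, acts for the user at GR, with a
    #    third-party caveat that only a GR-issued authentication macaroon discharges
    provider = (Macaroon.mint(gr_key, b"provider:P1:alice")
                .first_party(b"user = alice")
                .third_party(auth_key, b"authn:alice"))
    # 1. authentication macaroon: short-lived proof of an active session
    authn = Macaroon.mint(auth_key, b"authn:alice").first_party(
        b"time < " + str(int(now) + 300).encode())
    # 3. native client macaroon: no authentication, read-only; delegated by confining a copy
    client = Macaroon.mint(gr_key, b"client:alice").first_party(b"op = read")
    delegated = Macaroon(client.identifier, list(client.caveats), client.signature)
    delegated.first_party(b"space = S1")
    stripped = Macaroon(delegated.identifier, delegated.caveats[:-1], delegated.signature)
    other = Macaroon.mint(gr_key, b"provider:P2:alice").third_party(auth_key, b"authn:alice")
    ctx = {"user": "alice", "time": now, "op": "read", "space": "S1"}
    return {
        "provider_ok": verify(provider, gr_key, ctx, [provider.bind(authn)]),
        "provider_no_authn": verify(provider, gr_key, ctx),
        "authn_expired": verify(provider, gr_key, {**ctx, "time": now + 600}, [provider.bind(authn)]),
        "discharge_replayed": verify(other, gr_key, ctx, [provider.bind(authn)]),
        "delegated_ok": verify(delegated, gr_key, ctx),
        "delegated_wrong_space": verify(delegated, gr_key, {**ctx, "space": "S2"}),
        "delegated_write": verify(delegated, gr_key, {**ctx, "op": "write"}),
        "caveat_stripped": verify(stripped, gr_key, ctx),
    }
```

`onedata_demo()` shows the properties the slides rely on: the provider macaroon is useless without a fresh authentication macaroon or once that macaroon's time caveat has expired; a discharge bound to one macaroon is rejected with another; a native client macaroon can be handed on with extra caveats (further confinement) and those caveats cannot be stripped again because the signature no longer matches. Binding must be the last step, since adding a caveat after binding changes the signature the discharge was bound to.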

  12. Macaroons vs autonomous entities in onedata [sequence diagram, steps 1-6: share link https://onedata.org/share/ASHsdf980ycx… exchanged between the user and the two providers; labels "Share file", "AuthN", "Access file", "AuthZ"; TRUST on both user-provider links, NO TRUST between the providers]

  13. Conclusions • Macaroons in onedata ensure: • High security (macaroons are cryptographically strong: caveats cannot be stripped or forged without breaking the signature chain) • Ease of use and transparency to the users • Simpler authorization system • Fine-grained permissions • Low storage and computational overheads

  14. Thank you onedata homepage: https://www.onedata.org
