Communicating Security Assertions over the GridFTP Control Channel

Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3
1 Argonne National Laboratory, Argonne, IL USA
2 Computation Institute, The University of Chicago, Chicago, IL USA
3 Department of Computer Science, The University of Chicago, Chicago, IL USA
4 Beihang University, Beijing, China

Abstract

• The GridFTP protocol defines a general-purpose mechanism for secure, reliable, high-performance data movement.
• The Globus implementation of GridFTP has a modular structure that supports multiple security options, multiple transport protocols, coordinated data transfer utilizing multiple computer nodes at the source and destination, and other desirable features.
• The Globus GridFTP design provides support for secure authentication of control channel requests via the Grid Security Infrastructure (GSI), Kerberos or SSH security mechanisms.
• In this work, we develop a mechanism to reduce the security overhead in authenticating and authorizing users to perform GridFTP transfers in portal environments.

Motivation

• In environments with a large number of users, services such as the Community Authorization Service (CAS) and the Virtual Organization Management Service (VOMS) have been developed to address the scalability issues with the Globus gridmapfile approach.
• These services allow multiple users to have the same Distinguished Name (DN) and encode, in Security Assertion Markup Language (SAML) assertions that are embedded as extensions in the proxy certificate, the specific files that a user is authorized to read and/or write.
• These services also maintain the permissions of users in a virtual organization, so the individual sites do not have to have a large number of user accounts and/or maintain long gridmapfiles.
• Consider a web portal where multiple users log on and initiate third-party data transfers between two remote nodes. It is quite possible that more than one user wants to move data between the same pair of sites.
• Each user either has his own individual certificate or gets a community certificate from a service such as CAS or VOMS that has his permissions embedded as a SAML assertion. Either way, each user's certificate is different and requires a separate control channel.
• If a separate control channel is needed for each user, it is quite difficult for the portal to cache the control channels and reuse them.

Implementation

• We develop enhancements to GridFTP to avoid this overhead by reusing a single control channel for multiple file transfer operations (from one or more users).
• The portal would use a single proxy certificate for all the users. Currently, the SAML assertions are embedded in the proxy certificate that is used by the client to authenticate to the GridFTP server.
• The objective is to provide GridFTP clients with the ability to specify a SAML assertion per GridFTP data transfer command while reusing the existing established session between the client and the GridFTP server.
• The proposed solution is to use the GridFTP SITE command to let the client communicate a SAML assertion to the GridFTP server, where it will be used for the next authorization decision in the authorization call-out. Any subsequent SITE directive that communicates a new SAML assertion will substitute for and therefore override the previous one, so that the next GridFTP commands use the last SAML assertion that was communicated.
• A new command, SITE AUTHZ_ASSERT, has been added to the Globus GridFTP framework. A new API has been added to the Globus FTP client library that allows passing a SAML assertion to the GridFTP server. For third-party transfers, clients may have to send different security assertions to the source and destination. Support for sending different assertions to the source and destination GridFTP servers has also been added.

Background

• A session is established when the client initiates a TCP connection to the port on which the server is listening.
• The first thing that must happen is an authentication per RFC 2228. By default, the client presents a delegated proxy certificate, and the server must present a host (or user) certificate issued by a CA trusted by the client.
• If authentication is not successful, the connection is dropped. If authentication is successful, an authorization callout is invoked to verify authorization and to determine the local user id as which the request should be executed.
• Typically, the local user id is obtained from a Globus gridmapfile, which contains a mapping of the Distinguished Name (DN) in the user's certificate to local user ids. The server does a setuid to the local user id as determined by the authorization callout.
• If authorization succeeds, the control channel has been established and the rest of the control channel protocol exchange can proceed.
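As an added illustration (not code from this poster or from Globus GridFTP), the following Python model of the server-side session state shows the SITE AUTHZ_ASSERT semantics described under Implementation: the most recently communicated assertion overrides the previous one and is what the authorization call-out consults for subsequent RETR/STOR commands on the same, already-authenticated control channel. The assertion encoding (base64 of a constructed, SAML-like XML element rather than real SAML) and the reply codes are assumptions made for the example.

```python
import base64
import xml.etree.ElementTree as ET

def make_assertion(subject, perms):
    """Constructed SAML-like assertion (assumption, not the Globus wire format):
    an <Assertion> with one <Permission path= action=/> per allowed operation."""
    root = ET.Element("Assertion", subject=subject)
    for path, action in perms:
        ET.SubElement(root, "Permission", path=path, action=action)
    return base64.b64encode(ET.tostring(root)).decode()

def parse_assertion(payload):
    root = ET.fromstring(base64.b64decode(payload))
    perms = {(p.get("path"), p.get("action")) for p in root.findall("Permission")}
    return {"subject": root.get("subject"), "perms": perms}

class ControlSession:
    """State of one authenticated control channel, e.g. the single session a portal keeps open."""
    def __init__(self):
        self.assertion = None  # last assertion received; each new one overrides it
    def authz_callout(self, action, path):
        # The call-out decides using only the most recently communicated assertion.
        if self.assertion is None:
            return False
        return (path, action) in self.assertion["perms"]
    def handle(self, line):
        verb, _, arg = line.partition(" ")
        if verb == "SITE" and arg.upper().startswith("AUTHZ_ASSERT "):
            try:
                self.assertion = parse_assertion(arg.split(" ", 1)[1])
            except (ValueError, ET.ParseError):
                return "501 Syntax error in AUTHZ_ASSERT parameters"  # old one kept
            return "200 AUTHZ_ASSERT accepted"
        if verb in ("RETR", "STOR"):
            action = "read" if verb == "RETR" else "write"
            if self.authz_callout(action, arg):
                return "150 Opening data connection for " + arg
            return "550 " + arg + ": permission denied"
        return "502 Command not implemented"

def portal_demo():
    """Two portal users (constructed) share one channel; returns the reply codes."""
    s = ControlSession()
    alice = make_assertion("alice", [("/data/a.dat", "read")])
    bob = make_assertion("bob", [("/data/b.dat", "read"), ("/data/b.dat", "write")])
    cmds = ["RETR /data/a.dat", "SITE AUTHZ_ASSERT " + alice, "RETR /data/a.dat",
            "STOR /data/b.dat", "SITE AUTHZ_ASSERT " + bob, "RETR /data/a.dat",
            "STOR /data/b.dat", "SITE AUTHZ_ASSERT not-base64!"]
    return [s.handle(c).split(" ")[0] for c in cmds]
```

The reply sequence shows the three behaviours a server implementer must get right: no assertion means deny, a new assertion fully replaces the old one (alice's read of /data/a.dat stops working once bob's assertion arrives), and a malformed assertion is rejected without disturbing the one already in force.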
