Third Party Transfers & Attribute URI ideas

1. Third Party Transfers & Attribute URI ideas
Andrew McNab, University of Manchester

2. Third Party Transfers
• GridSite now provides Third Party Transfers for HTTP
• The htcp command supports this on the client side
  • although it can also be done using curl etc
• gridsite-copy.cgi provides the necessary extra server-side support
• mod_gridsite is used as the passive server
• Security is based on X.509, VOMS etc as normal
• A onetime passcode is used as a minimal form of delegation
14 December 2005 Grid Security

3. Doing a transfer
Message flow as drawn on the slide. A is the server holding the file, B is the server that will receive it; every exchange is over HTTPS except the final GET /file.
• Client → A: HEAD /file (authenticated as normal); A returns a onetime passcode for that file
• Client → B: COPY https://A/file, with Destination: /file and Cookie: PASSCODE
• B → A: GET /file, with Cookie: PASSCODE, over unencrypted HTTP

4. Passcodes
• Onetime passcodes were originally added for “GridHTTP” unencrypted transfers
• Since the HTTP stream is unencrypted, we want simple authentication: just a random, single-use number
• Extend this idea to third-party transfers: the passcode is consumed the first time it is presented over an unencrypted stream
• This provides a basic form of delegation
• The passcode can only be used for the specified file
• A time limit on the passcode is imposed by the server
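The exchange on slides 3 and 4, modelled end to end as an added example (this is not GridSite, htcp or gridsite-copy.cgi code). Server A issues a passcode on HEAD, B redeems it with a plain-HTTP GET while handling the COPY, and A enforces the three properties the slide lists: bound to one file, server-imposed expiry, and single use over an unencrypted stream. The passcode table, the TTL, the (status, body) return convention, the host name "A" and the client DN are assumptions.

```python
# Model of the third-party copy on the slides: the client gets a one-time
# passcode from A (HEAD over HTTPS), hands it to B in a COPY request (HTTPS),
# and B pulls the file from A with a plain-HTTP GET carrying the passcode.
# Added example, not GridSite/htcp code: the passcode table, the TTL value,
# the (status, body) return convention and the server names are assumptions.
import secrets
from urllib.parse import urlsplit


class PassiveServerA:
    """Server holding the file (the mod_gridsite role on the slides)."""

    def __init__(self, files, ttl=60.0):
        self.files = files          # path -> bytes
        self.ttl = ttl              # passcode lifetime imposed by the server
        self.passcodes = {}         # passcode -> (bound path, expiry time)

    def head(self, path, client_dn, now):
        """HEAD /file over HTTPS.  `client_dn` stands in for the X.509/VOMS
        authentication that normally happens here; returns (status, passcode)."""
        if client_dn is None:
            return 401, None
        if path not in self.files:
            return 404, None
        code = secrets.token_hex(16)            # 128 random bits, unguessable
        self.passcodes[code] = (path, now + self.ttl)
        return 200, code

    def get(self, path, cookie, encrypted, now):
        """GET /file with Cookie: PASSCODE.  The passcode is bound to one path,
        expires server-side, and is consumed the first time it is presented
        over an unencrypted stream; returns (status, body)."""
        entry = self.passcodes.get(cookie)
        if entry is None:
            return 403, b""                     # unknown, or already used
        bound_path, expires_at = entry
        if now > expires_at:
            del self.passcodes[cookie]
            return 403, b""                     # expired
        if bound_path != path:
            return 403, b""                     # minted for a different file
        if not encrypted:
            del self.passcodes[cookie]          # single use over plain HTTP
        return 200, self.files[path]


class ActiveServerB:
    """Server receiving the file (the gridsite-copy.cgi role)."""

    def __init__(self, source):
        self.source = source                    # the A it will pull from
        self.store = {}                         # destination path -> bytes

    def copy(self, source_url, destination, cookie, now):
        """COPY https://A/file, Destination: /file, Cookie: PASSCODE.
        B never sees the client's credential, only the file-bound passcode."""
        path = urlsplit(source_url).path
        status, body = self.source.get(path, cookie, encrypted=False, now=now)
        if status != 200:
            return 502                          # upstream refused the passcode
        self.store[destination] = body
        return 201


def third_party_copy(a, b, path, destination, client_dn, now=0.0):
    """The client's side of the exchange; returns (COPY status, passcode)."""
    status, code = a.head(path, client_dn, now)     # 1. HEAD /file -> passcode
    if status != 200:
        return status, None
    return b.copy("https://A" + path, destination, code, now), code   # 2 and 3
```

Two checks worth running against such a model: a second plain-HTTP GET with the same passcode must fail (B, or anyone who sniffed the unencrypted stream, gets the file once and no more), and a passcode minted for /file must be useless for any other path, so the delegation really is limited to the one transfer.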

5. Multistream
• We've added support for multistream HTTP to the htcp client
• The client opens multiple HTTP connections and fetches multiple blocks of the file
• The necessary server-side Range: support is always there in Apache
• Now deciding how to merge this with 3rd Party Transfers
  • in the simplest case, each block needs its own passcode
  • ideally, we want to generate or request new passcodes on the “B” server, based on the original passcode
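The multistream mechanism on this slide, as an added example that is not htcp or Apache code: the client splits the file into contiguous byte ranges, requests each with its own Range: header on its own connection, and reassembles the 206 responses. The in-memory `serve_range` stands in for Apache's Range handling, the file size is assumed to come from a prior HEAD, and the per-block passcodes the slide mentions are left out.

```python
# Multistream fetch as on the slide: the client computes disjoint byte ranges,
# asks for each on its own connection with a Range: header, and reassembles the
# 206 responses.  Added example, not htcp code: `serve_range` is an in-memory
# stand-in for Apache's Range handling, and the per-block passcodes the slide
# mentions are left out here.
import re
from concurrent.futures import ThreadPoolExecutor

RANGE_RE = re.compile(r"^bytes=(\d+)-(\d*)$")   # one closed or open-ended range


def serve_range(data, range_header):
    """Minimal single-range server: returns (status, headers, body)."""
    m = RANGE_RE.match(range_header or "")
    if not m:                       # no Range, or a form we do not handle: whole file
        return 200, {"Content-Length": str(len(data))}, data
    first = int(m.group(1))
    last = int(m.group(2)) if m.group(2) else len(data) - 1
    if first >= len(data):
        return 416, {"Content-Range": f"bytes */{len(data)}"}, b""
    last = min(last, len(data) - 1)
    body = data[first:last + 1]
    return 206, {"Content-Range": f"bytes {first}-{last}/{len(data)}",
                 "Content-Length": str(len(body))}, body


def block_ranges(size, nstreams):
    """Split [0, size) into at most nstreams contiguous (first, last) ranges."""
    if size <= 0:
        return []
    step = -(-size // nstreams)     # ceiling division
    return [(i, min(i + step, size) - 1) for i in range(0, size, step)]


def multistream_fetch(data, size, nstreams):
    """Fetch `size` bytes (from a prior HEAD) in `nstreams` parallel range
    requests.  A block is accepted only if the server answered 206 with the
    exact Content-Range asked for: a server that ignores Range returns 200 and
    the whole body, and splicing that into a block would silently corrupt the
    result."""
    def fetch(block):
        first, last = block
        status, headers, body = serve_range(data, f"bytes={first}-{last}")
        if status != 206 or headers.get("Content-Range") != f"bytes {first}-{last}/{size}":
            raise RuntimeError(f"range {first}-{last} not honoured (status {status})")
        if len(body) != last - first + 1:
            raise RuntimeError(f"short block {first}-{last}")
        return first, body

    with ThreadPoolExecutor(max_workers=nstreams) as pool:
        blocks = list(pool.map(fetch, block_ranges(size, nstreams)))
    out = bytearray(size)
    for first, body in blocks:
        out[first:first + len(body)] = body
    return bytes(out)
```

The status and Content-Range check in `fetch` is the part a client must not skip: Range support is "always there" in Apache for static files, but a CGI or proxy in front of the file may answer 200 with the full body, and a client that trusts the body length alone will assemble garbage.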

6. Attribute URIs?
• We've discussed the benefits of tying VOMS certificate names and attributes together “somehow”
• Simplest would be for VO names to be DNS names
  • eg if the FQAN looked like “/atlas.cern.ch/analysis/higgs”
• The benefit is that dynamic or small VOs don't need to distribute their VOMS certificates via a trusted channel
  • ie one like that used for CA root certificates
• However, this renaming of VOs isn't happening...
• Is there something we can do in policy engines instead?

7. Proposal
• We interpret our current Fully Qualified Attribute Names as relative attribute names
• So “/atlas/analysis/higgs” (1) is now short for “voms://voms.atlas.cern.ch/atlas/analysis/higgs” (2)
• If a policy evaluation engine sees (1) in a policy, it processes it as normal: it looks in vomsdir for the VOMS server cert
• The change is that if it sees (2), it can make use of a VOMS server cert obtained from the client, or by contacting “voms.atlas.cern.ch”
• Since the policy is trusted anyway, we can check the chain back to the VOMS's CA just by checking signatures and DNs (the host name in the URI must match the DN of the presented cert, since that name is what the CA vouched for)

8. Implications (1)
• VOs that are happy to distribute VOMS certificates just carry on as normal
• Other people can create small or dynamic VOs without needing to get their VOMS cert (or their VOMS contact details) into a centralised distribution mechanism
• Users can just start writing policies referencing the absolute attribute URIs
• CAs just continue as normal, ensuring that host/service certificates are only granted to people who own that DNS domain name

9. Implications (2)
• People running VOMS servers who want to benefit from this need to use a generic server name (atlas.cern.ch, not atlas23421.cern.ch)
• Either get the certificate for the generic name, or use SubjectAltName if the CA allows that
• We need to define what (untrustworthy) sources the policy evaluators can query for the VOMS certificate
  • GSI Proxy extension?
  • Query the hostname via SSL – what port numbers?
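The policy-evaluator behaviour proposed on slide 7, together with the name and CA checks slides 8 and 9 depend on, as an added example that is not GridSite/GACL or VOMS code. A relative name is only satisfied by a VOMS cert from the local vomsdir; an absolute voms:// name may be satisfied by a cert the client supplied, but only if it chains to a trusted CA and carries the URI's host name as CN or SubjectAltName (so the specific name atlas23421.cern.ch does not satisfy voms.atlas.cern.ch). The `VomsCert`/`AttributeCert` records, the VO-to-host table, the vomsdir layout and the fingerprint field are assumptions, and signature verification is represented by a `signature_valid` field rather than performed.

```python
# Policy-side handling of relative vs absolute attribute names from the
# proposal, plus the host-name and CA checks the "Implications" slides rely on.
# Added example, not GridSite/GACL code: the AttributeCert/VomsCert records,
# the VO-to-host table and the vomsdir layout are assumptions, and signature
# verification is represented by the `signature_valid` field rather than done.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class VomsCert:
    fingerprint: str
    host_names: frozenset       # CN plus SubjectAltName dNSNames of the VOMS server cert
    issuer_ca: str              # DN of the CA that issued it
    signature_valid: bool       # assumed result of verifying the chain signatures


@dataclass(frozen=True)
class AttributeCert:
    fqans: tuple                # FQANs carried in the VOMS AC
    issuer_fingerprint: str     # which VOMS cert the AC's signature verifies under
    cert: VomsCert              # VOMS cert supplied by the client (untrusted source)


def to_absolute(name, vo_hosts):
    """'/atlas/analysis/higgs' -> ('voms.atlas.cern.ch', '/atlas/analysis/higgs')
    using the local VO-to-host table; 'voms://host/fqan' is parsed directly."""
    if name.startswith("voms://"):
        u = urlsplit(name)
        if not u.hostname or not u.path.startswith("/"):
            raise ValueError(f"malformed attribute URI: {name!r}")
        return u.hostname.lower(), u.path
    if not name.startswith("/"):
        raise ValueError(f"malformed FQAN: {name!r}")
    vo = name.split("/")[1]
    if vo not in vo_hosts:
        raise ValueError(f"no VOMS host configured for VO {vo!r}")
    return vo_hosts[vo], name


def select_voms_cert(host, ac, absolute, vomsdir, trusted_cas):
    """Relative name: only a cert from the local vomsdir (trusted channel).
    Absolute name: the client-supplied cert is acceptable if it chains to a
    trusted CA *and* names `host`, since that DNS name is what the CA vouched
    for; without the name check any host cert from a trusted CA would do."""
    if not absolute:
        return vomsdir.get(host)
    c = ac.cert
    if c is None or not c.signature_valid or c.issuer_ca not in trusted_cas:
        return None
    if host not in c.host_names:    # exact match on CN or SAN; no wildcards
        return None
    return c


def evaluate(policy_name, ac, vo_hosts, vomsdir, trusted_cas):
    """True if `ac` satisfies one policy entry naming an attribute."""
    absolute = policy_name.startswith("voms://")
    host, fqan = to_absolute(policy_name, vo_hosts)
    cert = select_voms_cert(host, ac, absolute, vomsdir, trusted_cas)
    if cert is None or ac.issuer_fingerprint != cert.fingerprint:
        return False                # no acceptable cert, or AC not signed by it
    return fqan in ac.fqans
```

The two rejections to keep in mind are the ones the slides motivate: a cert issued to the specific host name fails the absolute-URI check until the generic name is added (directly or via SubjectAltName), and a cert from an untrusted CA fails regardless of what name it carries, so the only trust anchor the site needs for a small or dynamic VO is its existing CA list.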

10. Summary
• GridSite now supports third party transfers via HTTP
• Based on COPY from the WebDAV RFC 2518
• This is implemented in the usual modular GridSite way, so it can be incorporated into other applications, middleware etc
• We're extending it to support multistream third party copies!
• Absolute Attribute URIs provide a way of maintaining small or dynamic VOs without trusted VOMS cert distribution
