Third Party Transfers - PowerPoint PPT Presentation

Slides: 12
Provided by: grid49

1
Third Party Transfers / Attribute URI ideas
  • Andrew McNab
  • University of Manchester

2
Third Party Transfers
  • GridSite now provides Third Party Transfers for HTTP
  • The htcp command supports this on the client side
  • although it can also be done using curl etc.
  • gridsite-copy.cgi provides the necessary extra server-side support
  • mod_gridsite is used as the passive server
  • Security is based on X.509, VOMS etc. as normal
  • A onetime passcode is used as minimal delegation

14 December 2005
Grid Security
3
Doing a transfer
(Diagram: Client, A = server with file, B = server to receive file; all HTTPS except GET /file)
  • Client -> A: HEAD /file; A issues a Onetime Passcode for the file
  • Client -> B: COPY https://A/file, Destination: /file, Cookie: PASSCODE
  • B -> A: GET /file, Cookie: PASSCODE; A returns the file to B
4
Passcodes
  • Onetime passcodes were originally added for GridHTTP unencrypted transfers
  • Since the HTTP stream is unencrypted, we want simple authentication: just a random, single-use number
  • Extend this idea for third-party transfers, so the single use is when it is used over an unencrypted stream
  • This provides a basic form of delegation
  • A passcode can only be used for the specified file
  • A time limit on the passcode is imposed by the server
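
The checks on the transfer and passcode slides above, as an added illustration that is not GridSite's code: an in-memory store on server A that issues a random passcode in answer to HEAD /file, bound to that one file and to a server-imposed time limit, and that marks it used when server B presents it on the unencrypted GET /file. The class and method names, and the reading that the passcode is consumed only by use over an unencrypted stream, are assumptions.

```python
import secrets
import time

# Constructed, in-memory model of the onetime passcode scheme the slides
# describe; illustrative only, not the GridSite implementation.
class PasscodeStore:
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds          # time limit imposed by the server
        self._codes = {}                # passcode -> [path, expiry, used]

    def issue(self, path, now=None):
        """Server A answers the client's HEAD /file with a fresh passcode
        bound to that single path and valid only until its expiry."""
        now = time.time() if now is None else now
        code = secrets.token_hex(16)    # random, unguessable single-use value
        self._codes[code] = [path, now + self.ttl, False]
        return code

    def redeem(self, code, path, encrypted, now=None):
        """Server A validates the Cookie presented on a request for path.
        Returns (ok, reason). The passcode is consumed only when it is used
        over an unencrypted stream, i.e. B's GET /file (assumed reading)."""
        now = time.time() if now is None else now
        entry = self._codes.get(code)
        if entry is None:
            return False, "unknown passcode"
        bound_path, expiry, used = entry
        if used:
            return False, "passcode already used"
        if now > expiry:
            del self._codes[code]       # expired codes never come back
            return False, "passcode expired"
        if bound_path != path:
            return False, "passcode bound to a different file"
        if not encrypted:
            entry[2] = True             # single use over plain HTTP
        return True, "ok"
```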

5
Multistream
  • We've added support for multistream HTTP to the htcp client
  • The client opens multiple HTTP connections and fetches multiple blocks of the file
  • The necessary server-side Range support is always there in Apache
  • Now deciding how to merge this with 3rd Party Transfers
  • In the simplest case, each block needs a passcode
  • Ideally, we want to generate or request new passcodes on the B server, based on the original passcode

6
Attribute URI ideas
7
Attribute URIs?
  • We've discussed the benefits of tying VOMS certificate names and attributes together somehow
  • Simplest would be that VO names are DNS names
  • e.g. if an FQAN is like /atlas.cern.ch/analysis/higgs
  • Benefit is that dynamic or small VOs don't need to distribute their VOMS certificates via a trusted channel
  • i.e. like the one for CA root certificates
  • However, this renaming of VOs isn't happening...
  • Is there something we can do in policy engines instead?

8
Proposal
  • We interpret our current Fully Qualified Attribute Names as relative attribute names
  • So /atlas/analysis/higgs (1) is now short for voms://voms.atlas.cern.ch/atlas/analysis/higgs (2)
  • If a policy evaluation engine sees (1) in a policy, then it processes it as normal: looks in vomsdir for the VOMS server cert
  • The change is that if it sees (2), then it can make use of a VOMS server cert obtained from the client, or by contacting voms.atlas.cern.ch
  • Since the policy is trusted anyway, we can check the chain back to the VOMS server's CA just by checking signatures and DNs

9
Implications (1)
  • VOs that are happy to distribute VOMS certificates just carry on as normal
  • Other people can create small or dynamic VOs without needing to get their VOMS cert (or their VOMS contact details) into a centralised distribution mechanism
  • Users can just start writing policies referencing the absolute attribute URIs
  • CAs just continue as normal, ensuring that host/service certificates are only granted to people who own that DNS domain name

10
Implications (2)
  • People running VOMS servers who want to benefit from this need to use a generic server name (atlas.cern.ch, not atlas23421.cern.ch)
  • Either get the certificate for the generic name, or use SubjectAltName if the CA allows that
  • We need to define what (untrustworthy) sources the policy evaluators can query for the VOMS certificate
  • GSI Proxy extension?
  • Query the hostname via SSL: what port numbers?

11
Summary
  • GridSite now supports third party transfers via HTTP
  • Based on COPY from WebDAV (RFC 2518)
  • This is implemented in the usual modular GridSite way, so it can be incorporated into other applications, middleware etc.
  • We're extending this to support multistream third party copies!
  • Absolute Attribute URIs provide a way of maintaining small or dynamic VOs without trusted VOMS cert distribution
