A Credential Store for
Multi-Tenant Science
Gateways
Thejaka Kanewala, Suresh Marru, Jim Basney, Marlon Pierce.
Agenda
 Terminology
 Problems / Challenges
 Solutions proposed
Science Gateways
 Computationally expensive experiments are run on resources such as grids and clouds.
 Science Gateways …
 Hide complexities in using underlying cyber infrastructure
resources.
 Provide a domain-specific user interface to scientists.
 Help scientists to build communities.
 Create experiments
 Share experiments
 Share data
 …
Organization of a Science Gateway
Organization of a Science
Gateway (contd …)
 Front end portal
 Science domain specific
 Web User Interface (UI)
 Middleware
 Bridges communication between the front-end portal server and the backend computational resources.
 Implements the remaining application logic (provenance data management, application execution, metadata storage, processing of execution results, etc.)
 Backend resources
Challenges
1. Resource Credential Delegation.
2. Management of heterogeneous credentials associated with grids, clouds and local resources.
3. Isolated management of each gateway's credentials in a middleware that serves multiple gateways.
4. Maintain accountability at the resource.
Problem 1. Resource Credential
Delegation
Problem 1. Resource Credential
Delegation (Community Account)
Resource Credential Delegation
(contd …)
 How to solve? Two straightforward options, each with drawbacks:
 Hand the resource credentials to each gateway user.
 Hard-code the resource credentials in the middleware layer.
 Each time the gateway administrator obtains new credentials, the middleware has to be updated.
 Hard-coding credentials in the file system requires changes to middleware configuration files and an additional mechanism to protect the passwords.
Problem 2. Heterogeneous
Credentials
 The gateway middleware connects various types of
resources.
 Clouds
 Grids
 Local Clusters
 Different resources have different authentication
mechanisms.
 MyProxy based authentication.
 SSH password or key based authentication.
 Adding a new authentication mechanism should not require changes to the middleware.
Problem 3. Multi-Tenancy
 Multiple science gateways connecting to a single
gateway middleware.
 The credentials used by one gateway must not interfere with another gateway's.
 Proper isolation between gateways is needed when several share one middleware.
Problem 4. Maintain Accountability
at the Resource
 Maintain comprehensive audit records at the resource.
 After an incident the resource should be able to identify the responsible user from its own records, without consulting the gateway middleware.
 The middleware should therefore supply the attributes of the user who invoked the experiment to the resource.
Credential Store
 A secure generic data store to maintain heterogeneous
authentication data.
 Utilities to perform delegation and key generation.
 A pluggable module for the gateway middleware.
 Involves 3 main operations
 Gateway registration
 Persisting credentials
 Query credentials during application invocation
Credential Store – Gateway
Registration
 Multiple science gateways need to operate in isolation from each other.
 Each gateway portal server establishes trust with the gateway middleware using TLS mutual authentication.
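The registration slide establishes the tenant trust relationship at the transport layer, and the speaker notes on this page add that the gateway id is taken from the client certificate's subject key identifier. The Go code below is an added example written for this page, not Apache Airavata code. It builds a throwaway CA and a portal certificate, shows the check the middleware performs on the chain a portal presents (verify to the CA with the clientAuth usage, then read the SKI as the gateway id) and shows how that check sits behind `tls.RequireAndVerifyClientCert` in the server's `tls.Config`, so a portal that cannot complete the handshake never reaches the store. ECDSA P-256 keys, the `issue` helper, the `seagrid-portal` and `middleware.example` names and the hex-SKI id format are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates an ECDSA P-256 certificate for name, signed by parent, or
// self-signed when parent is nil (that is how the throwaway CA is made). The
// Subject Key Identifier is set explicitly because the store uses it as the
// gateway id. Example helper, not an Airavata API.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	ski := sha256.Sum256(spki) // 160-bit truncated hash of the public key
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		SubjectKeyId:          ski[:20],
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IdentifyGateway is the registration check: the presented chain (leaf first,
// DER encoded) must verify to the store's CA for client authentication, and
// the gateway id is the hex Subject Key Identifier of the verified leaf.
// Nothing the portal asserts in a request body is consulted.
func IdentifyGateway(ca *x509.Certificate, presented [][]byte) (string, error) {
	if len(presented) == 0 {
		return "", errors.New("no client certificate presented")
	}
	leaf, err := x509.ParseCertificate(presented[0])
	if err != nil {
		return "", err
	}
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ca)
	for _, der := range presented[1:] {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return "", err
		}
		intermediates.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	if len(leaf.SubjectKeyId) == 0 {
		return "", errors.New("client certificate carries no Subject Key Identifier")
	}
	return hex.EncodeToString(leaf.SubjectKeyId), nil
}

// MiddlewareTLSConfig wires the check into the server side of mutual TLS:
// portals without a certificate chaining to ca never complete the handshake,
// and the gateway id is captured from the same verification so that every
// store call on the connection is bound to it.
func MiddlewareTLSConfig(ca *x509.Certificate, server tls.Certificate, bind func(gatewayID string)) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			id, err := IdentifyGateway(ca, rawCerts)
			if err != nil {
				return err
			}
			bind(id)
			return nil
		},
	}
}

func main() {
	ca, caKey, _ := issue("credential-store-ca", true, nil, nil)
	gw, _, _ := issue("seagrid-portal", false, ca, caKey)
	id, err := IdentifyGateway(ca, [][]byte{gw.Raw})
	fmt.Println("registered gateway id:", id, err)
	rogueCA, rogueKey, _ := issue("rogue-ca", true, nil, nil)
	impostor, _, _ := issue("seagrid-portal", false, rogueCA, rogueKey) // same name, wrong CA
	_, err = IdentifyGateway(ca, [][]byte{impostor.Raw})
	fmt.Println("impostor rejected:", err)
}
```

The impostor case is the one to keep in mind: a certificate with the same common name but issued by a CA the middleware does not trust is rejected by the chain check, not by anything in the name, and the tenant key is the SKI of the verified certificate rather than a gateway id the portal sends in a request.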
Credential Store – Credential
Persistence
 Capable of handling different types of credentials.
 Each credential type is stored as a serialized byte stream in
the store.
 Credentials are stored in a secure manner, secured at 3 layers:
 Each entry is encrypted using a key derived from the gateway id and a token.
 The database authentication mechanism restricts access to database records.
 Data files are secured with proper Unix file permissions.
 Each action on the credential store is recorded in an audit log.
Credential Store – Credential
Persistence (contd …)
Credential Store – Credential
Persistence (contd …)
 Different mechanisms to persist credentials.
 Delegation based credential persistence.
 Key generation based credential persistence.
 Credential persistence by manually invoking the credential store service API.
Delegation based persistence
 Mainly used for MyProxy credentials.
 Uses the OAuth protocol, via OA4MP (OAuth for MyProxy), to delegate credentials into the Credential Store.
Key Generation Based Persistence
 Some resources only support SSH keys.
 Users usually do not want to deposit their own SSH keys in a third-party store.
 Generate S SH keys within the Credential Store and hand only the public key to the user.
 One-time manual step: the user installs the given public key on the resource.
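An added example of the key-generation flow above, not the project's own code: the store generates an ed25519 key pair, keeps the private seed as the byte stream it will persist, and returns only the `authorized_keys` line the user installs on the resource. The `GenerateSSHKey` and `StoredKey` names, the choice of ed25519 and the 16-byte hex token are assumptions; the slides do not say which key type or token format Airavata uses. The parser is included so the round trip can be checked the way the resource's sshd would check it, and `Sign` shows the only thing the store ever does with the private half.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// sshString encodes b as an SSH "string" (RFC 4251 section 5): 4-byte
// big-endian length followed by the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// AuthorizedKeysLine renders an ed25519 public key in the one-line form the
// user appends to ~/.ssh/authorized_keys on the resource (RFC 8709 encoding).
func AuthorizedKeysLine(pub ed25519.PublicKey, comment string) string {
	wire := append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(wire) + " " + comment
}

// ParseAuthorizedKeysLine is the inverse, the parse sshd performs on the resource.
func ParseAuthorizedKeysLine(line string) (ed25519.PublicKey, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 || fields[0] != "ssh-ed25519" {
		return nil, errors.New("not an ssh-ed25519 line")
	}
	wire, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return nil, err
	}
	var parts [][]byte
	for len(wire) > 0 {
		if len(wire) < 4 {
			return nil, errors.New("truncated key blob")
		}
		n := binary.BigEndian.Uint32(wire)
		wire = wire[4:]
		if uint64(n) > uint64(len(wire)) {
			return nil, errors.New("truncated key blob")
		}
		parts = append(parts, wire[:n])
		wire = wire[n:]
	}
	if len(parts) != 2 || !bytes.Equal(parts[0], []byte("ssh-ed25519")) || len(parts[1]) != ed25519.PublicKeySize {
		return nil, errors.New("malformed ssh-ed25519 key blob")
	}
	return ed25519.PublicKey(parts[1]), nil
}

// StoredKey is the store-side record. PrivateSeed is the serialized byte
// stream the store persists (encrypted, in the real store) and never returns;
// only PublicLine leaves the store.
type StoredKey struct {
	Token       string
	GatewayID   string
	PrivateSeed []byte
	PublicLine  string
}

// GenerateSSHKey creates the key pair inside the store for one gateway user
// and returns the record plus the authorized_keys line for the one-time manual step.
func GenerateSSHKey(gatewayID, user string) (StoredKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return StoredKey{}, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return StoredKey{}, err
	}
	return StoredKey{
		Token:       hex.EncodeToString(raw),
		GatewayID:   gatewayID,
		PrivateSeed: priv.Seed(),
		PublicLine:  AuthorizedKeysLine(pub, fmt.Sprintf("%s@%s", user, gatewayID)),
	}, nil
}

// Sign is what the store does at job-submission time: rebuild the private key
// from the persisted seed and produce a signature; the seed itself never leaves.
func (k StoredKey) Sign(msg []byte) []byte {
	return ed25519.Sign(ed25519.NewKeyFromSeed(k.PrivateSeed), msg)
}

func main() {
	k, err := GenerateSSHKey("gw-a", "alice")
	if err != nil {
		panic(err)
	}
	fmt.Println("hand this line to the user for ~/.ssh/authorized_keys on the resource:")
	fmt.Println(k.PublicLine)
	fmt.Printf("store keeps token %s with a %d-byte private seed (never returned)\n", k.Token, len(k.PrivateSeed))
}
```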
Raw Credential Persistence
 If delegation-based persistence is not supported for a credential type, it can be deposited directly through the service API.
Credential Retrieval
 Given the token id, read the credential from the Credential Store.
 Retrieved certificates are decorated with the actual user's attributes (MyProxy only).
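The persistence slide lists three protection layers (per-entry encryption keyed by gateway id and token, database access control, Unix file permissions) plus an audit log, and the retrieval slide reads an entry back by its token id. The Go code below is an added example that implements the cryptographic layer, the token-id retrieval and the audit trail; it is not Airavata's implementation. It assumes a store-wide master key from which per-entry keys are derived with HKDF-SHA256, AES-256-GCM for the entry itself with the gateway id and token bound as associated data, and an in-memory map standing in for the database table; the type and function names are the example's own. The one caveat worth stating: if the gateway id and token are both columns of the same table, a key derived from them alone is recoverable by anyone who can read the table, so the derivation has to mix in a secret the database does not hold. That is what the master key is for here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"time"
)

// row is one record of the credential table: owning tenant, GCM nonce and
// the ciphertext of the serialized credential.
type row struct {
	gatewayID string
	nonce     []byte
	blob      []byte
}

// Store is an in-memory stand-in for the relational table. master is an
// assumed store-wide secret (it would live in a KMS/HSM or a root-only file,
// the file-permission layer); it only feeds the per-entry key derivation.
type Store struct {
	master []byte
	rows   map[string]row
	Audit  []string // one line per action, success or denial
}

func NewStore(master []byte) *Store {
	return &Store{master: master, rows: map[string]row{}}
}

// EntryKey derives the per-entry AES-256 key from (gateway id, token) with
// HKDF-SHA256 (RFC 5869): extract with a fixed salt, then one expand block
// whose info binds both identifiers. A different gateway id yields a
// different key, which is the cryptographic tenant isolation.
func (s *Store) EntryKey(gatewayID, token string) []byte {
	extract := hmac.New(sha256.New, []byte("credential-store-v1"))
	extract.Write(s.master)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("entry|" + gatewayID + "|" + token))
	expand.Write([]byte{1}) // HKDF block counter for T(1)
	return expand.Sum(nil)
}

func (s *Store) aead(gatewayID, token string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.EntryKey(gatewayID, token))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func (s *Store) audit(action, gatewayID, token string, err error) {
	outcome := "ok"
	if err != nil {
		outcome = "denied: " + err.Error()
	}
	s.Audit = append(s.Audit, fmt.Sprintf("%s action=%s gateway=%s token=%s %s",
		time.Now().UTC().Format(time.RFC3339), action, gatewayID, token, outcome))
}

// Persist stores an already-serialized credential for one gateway and returns
// the token id the gateway presents later at application invocation.
func (s *Store) Persist(gatewayID string, credential []byte) (string, error) {
	raw := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	gcm, err := s.aead(gatewayID, token)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// gateway id and token ride along as associated data, so a row cannot be
	// re-labelled to another tenant by someone who can edit the table
	blob := gcm.Seal(nil, nonce, credential, []byte(gatewayID+"|"+token))
	s.rows[token] = row{gatewayID: gatewayID, nonce: nonce, blob: blob}
	s.audit("persist", gatewayID, token, nil)
	return token, nil
}

// Retrieve hands the credential back only to the gateway that deposited it.
// The row check is the database layer; key derivation and associated data are
// the cryptographic layer, so a wrong gateway id fails even without the check.
func (s *Store) Retrieve(gatewayID, token string) ([]byte, error) {
	r, ok := s.rows[token]
	if !ok || r.gatewayID != gatewayID {
		err := errors.New("no credential with this token for this gateway")
		s.audit("retrieve", gatewayID, token, err)
		return nil, err
	}
	gcm, err := s.aead(gatewayID, token)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, r.nonce, r.blob, []byte(gatewayID+"|"+token))
	s.audit("retrieve", gatewayID, token, err)
	return plain, err
}

func main() {
	s := NewStore([]byte("example master key, not for production"))
	tok, _ := s.Persist("gw-a", []byte("serialized MyProxy credential bytes"))
	cred, err := s.Retrieve("gw-a", tok)
	fmt.Printf("owner read: %q (err=%v)\n", cred, err)
	_, err = s.Retrieve("gw-b", tok)
	fmt.Println("other tenant read:", err)
	for _, line := range s.Audit {
		fmt.Println(line)
	}
}
```

The audit log records the denied cross-tenant read as well as the successful ones; the deck's later item on audit-log integrity is the natural next step, since this slice of memory can be edited by whoever can edit the table.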
Credential Renewal
 When a credential is persisted, its lifetime is extracted and stored in a separate column.
 The Credential Store periodically checks the validity of stored credentials.
 Owners of near-expiring credentials are notified.
 MyProxy: register the gateway middleware as a trusted renewer in the MyProxy server, and use the gateway middleware's own credentials to renew other credentials.
 SSH keys do not expire: a mechanism is provided to remove credentials from the Credential Store.
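An added example of the renewal bookkeeping, not code from the deck: the expiry is extracted from the credential at persist time (X.509 `NotAfter` for certificate-type credentials; SSH keys carry none) into its own field, and a periodic sweep classifies entries as fine, near expiry (notify the owner; for certificates the trusted-renewer path the deck proposes applies) or expired. `SampleCertificate` builds a constructed self-signed certificate to stand in for a MyProxy-issued one. The 24-hour warning window, the `Entry` layout and the action names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type CredentialType int

const (
	Certificate CredentialType = iota // X.509 user/proxy certificate (MyProxy)
	SSHKey                            // no built-in lifetime
)

// Entry mirrors a table row with the lifetime pulled into its own column, so
// the periodic check never has to decrypt the blob.
type Entry struct {
	Token     string
	GatewayID string
	Owner     string
	Type      CredentialType
	ExpiresAt *time.Time // nil when the credential type does not expire
}

// LifetimeOf runs at persist time: NotAfter for a DER-encoded certificate,
// nil for an SSH key, an error for anything else.
func LifetimeOf(typ CredentialType, serialized []byte) (*time.Time, error) {
	switch typ {
	case Certificate:
		cert, err := x509.ParseCertificate(serialized)
		if err != nil {
			return nil, err
		}
		t := cert.NotAfter.UTC()
		return &t, nil
	case SSHKey:
		return nil, nil
	}
	return nil, errors.New("unknown credential type")
}

type Action int

const (
	Keep    Action = iota // still valid, nothing to do
	Notify                // inside the warning window: notify the owner (and renew if the store can)
	Expired               // past NotAfter: stop handing it out, notify the owner
)

func (a Action) String() string { return [...]string{"keep", "notify", "expired"}[a] }

// Renewable says whether the store can renew the entry itself: only
// certificates, via the middleware registered as a trusted renewer.
func Renewable(e Entry) bool { return e.Type == Certificate }

// Sweep is the periodic validity check, classifying every entry relative to now.
func Sweep(entries []Entry, now time.Time, warn time.Duration) map[string]Action {
	out := make(map[string]Action, len(entries))
	for _, e := range entries {
		switch {
		case e.ExpiresAt == nil:
			out[e.Token] = Keep
		case !e.ExpiresAt.After(now):
			out[e.Token] = Expired
		case e.ExpiresAt.Sub(now) <= warn:
			out[e.Token] = Notify
		default:
			out[e.Token] = Keep
		}
	}
	return out
}

// SampleCertificate is a constructed self-signed certificate standing in for
// a MyProxy-issued one; only its NotAfter matters here.
func SampleCertificate(notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "alice"},
		NotBefore:    notAfter.Add(-12 * time.Hour),
		NotAfter:     notAfter,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	der, err := SampleCertificate(now.Add(90 * time.Minute))
	if err != nil {
		panic(err)
	}
	exp, _ := LifetimeOf(Certificate, der)
	entries := []Entry{
		{Token: "t1", GatewayID: "gw-a", Owner: "alice", Type: Certificate, ExpiresAt: exp},
		{Token: "t2", GatewayID: "gw-a", Owner: "bob", Type: SSHKey},
	}
	actions := Sweep(entries, now, 24*time.Hour)
	for _, e := range entries {
		fmt.Printf("%s owner=%s action=%s renewable=%v\n", e.Token, e.Owner, actions[e.Token], Renewable(e))
	}
}
```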
Credential Store – High-level
Architecture
Implementation
 Implemented as a module in Apache Airavata Gateway
Middleware.
 Credentials are stored in a relational database.
 Implemented using Java and related security packages.
 Available in the Apache Airavata 0.11 release.
Next …
 Incorporate audit log integrity protection.
 Incorporate other delegation mechanisms such as OpenID.
 Possible delegation mechanisms for SSH keys.
Thank you!
Q/A


Editor's Notes

  • #2: Describe the outline: science gateways, middlewares, multi-tenancy.
  • #3: Often accessing and using resources needs awareness and knowledge about the resources, e.g. users need to be aware of job schedulers such as PBS, Torque, etc. The scientist's focus is on the experiment.
  • #4: Emphasise that end users don't need to have credentials to run applications on the resource. Need 2 diagrams: express the problem, express the solution. Spent too much time. Put a text box explaining that the portal server and middleware server are operated by 2 different entities.
  • #11: Need a figure.
  • #14: Mutual TLS.
  • #15: Gateway id is extracted from the certificate provided by the client (subject key identifier).
  • #20: Can remove.
  • #21: Modify the figure. For other credentials we write an audit record.
  • #23: Correct typo – Gateway Middleware. Change colors. Change font – hard to read. Explain how to handle Kerberos credentials (backup slides). ============================================= We are not providing another authentication mechanism. Not a single sign-on mechanism like MyProxy. A token based resource credential management service only.