airavata-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Amila Jayasekara <>
Subject Handling security context in airavata
Date Mon, 11 Feb 2013 21:57:47 GMT
Hi All,

We had an offline discussion about handling security contexts at GFac
level. Some of the ideas discussed are as follows,

1. In the new GFac handler architecture we can set a security context.
This security context is used through out handler executions. We need
to populate security credentials retrieved from ACS (Airavata
Credential Store) to the security context. But we need to make sure
the populated security context will work for all providers (E.g :-
XSEDE, EC 2, Local Cluster etc ...).
So we thought of storing credentials in a generic object within the
security context and allow provider implementation to convert
credentials to correct object type (Keys, Tokens etc ...).

2. We also discussed about how to handle security when there are
multiple providers per request. E.g :- for a single request we may
need to transfer files between 2 GRID providers. Maybe from EC2 to
XSEDE. To handle such scenario we need to have more than one security
credentials in the security context. Inorder to support this use case
we can pass more than one community user names in the request.

3. Another concern that arose during the chat was about renewing
credentials. As per now OA4MP (OAuth for My Proxy) does not support
credential renewing. This might have an impact on current deployments
once 0.7 is released. I guess the ideal solution would be to have
credential renewing at OA4MP side. Until we have that feature in OA4MP
we can use a configuration file to read my proxy data. (As we do now).
So if "credential store" credentials are expired or not available we
will use configured default my proxy security data.

Also it was proposed to store encrypted user name/passwords in ACS in
addition to SSH keys and myproxy keys.

Appreciate your feedback on above suggestions.

Thank you

View raw message