Return-Path: 
 <dev-return-6011-apmail-airavata-dev-archive=airavata.apache.org@airavata.apache.org>
X-Original-To: apmail-airavata-dev-archive@www.apache.org
Delivered-To: apmail-airavata-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 83F80E9E9
	for <apmail-airavata-dev-archive@www.apache.org>;
 Tue, 12 Feb 2013 18:47:02 +0000 (UTC)
Received: (qmail 52589 invoked by uid 500); 12 Feb 2013 18:47:02 -0000
Delivered-To: apmail-airavata-dev-archive@airavata.apache.org
Received: (qmail 52547 invoked by uid 500); 12 Feb 2013 18:47:02 -0000
Mailing-List: contact dev-help@airavata.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@airavata.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@airavata.apache.org>
List-Post: <mailto:dev@airavata.apache.org>
List-Id: <dev.airavata.apache.org>
Reply-To: dev@airavata.apache.org
Delivered-To: mailing list dev@airavata.apache.org
Received: (qmail 52539 invoked by uid 99); 12 Feb 2013 18:47:02 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 12 Feb 2013 18:47:02 +0000
X-ASF-Spam-Status: No, hits=-0.7 required=5.0
	tests=RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of thejaka.amila@gmail.com
 designates 74.125.82.181 as permitted sender)
Received: from [74.125.82.181] (HELO mail-we0-f181.google.com) (74.125.82.181)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 12 Feb 2013 18:46:54 +0000
Received: by mail-we0-f181.google.com with SMTP id t44so334156wey.12
        for <dev@airavata.apache.org>; Tue, 12 Feb 2013 10:46:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:x-received:in-reply-to:references:date:message-id
         :subject:from:to:content-type:content-transfer-encoding;
        bh=GaAb83kaKrGVh06y/TjZEeRNf5MaYoWkpg3sqF5RWdQ=;
        b=Kc99mXYzQLzuDuEZVJIwnSq2651S2fqdk1HW1vU7IzHfmoyVJWj5U8LYn3jNunYrY5
         Mvzf7Mq71sXQT0LyaCzWLdmA4Fu9AX5/l++bQ3ut3jiiqH2uh/5Q1j+/cPFTnPlmuz3q
         RbRahLcUcdgHHm48hhd2OEI+s6QFIoy9tPAcBeudia4Jjdh8UbNamk8PVN2GuMipk4UW
         ZozkOQq2MprwyH2vMvrvw2OfvFkT9H3SPuA4ccBqSyc12mXrbC0qi2r/Zy5QQy0bxP4b
         lBDLVEK/M5r5nNOLYTCsb+ESqV0HQ6yUUb+ZV7ommoLqjxfkXGMag5KXDTrmqMNLhS1S
         I6Zw==
MIME-Version: 1.0
X-Received: by 10.194.86.38 with SMTP id m6mr17421357wjz.13.1360694793997;
 Tue, 12 Feb 2013 10:46:33 -0800 (PST)
Received: by 10.194.45.136 with HTTP; Tue, 12 Feb 2013 10:46:33 -0800 (PST)
In-Reply-To: <68C2AC20-64D0-48B2-9A64-A3560D154745@gmail.com>
References: 
 <CAKUcLKY_1FhDwqb9Ob5-HNrFDoH9DY2hMNA0oHdV__b_f3Wgzw@mail.gmail.com>
	<68C2AC20-64D0-48B2-9A64-A3560D154745@gmail.com>
Date: Tue, 12 Feb 2013 13:46:33 -0500
Message-ID: 
 <CAKUcLKZdpLR+ZWn975uXtc5TEmoY8+3TdwX1d7_NRHBbSRqqdw@mail.gmail.com>
Subject: Re: Handling security context in airavata
From: Amila Jayasekara <thejaka.amila@gmail.com>
To: dev@airavata.apache.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Virus-Checked: Checked by ClamAV on apache.org

Hi Raminder,

More answers inline.

Thanks
Amila

On Tue, Feb 12, 2013 at 11:28 AM, Raminder Singh
<raminderjsingh@gmail.com> wrote:
> Thanks Amila for describing it well. Are you planning to create the secur=
ity context per workflow(Workflow interpreter level) or per workflow applic=
ation(GFAC API level)? Difference is, GFAC knows the type of application an=
d can create/request a particular credential as needed fill it into the con=
ext. Then context can be shared between input/output chain and provider. Wo=
rkflow interpreter does not know anything about the type of service and nee=
d to fill all the different credentials into context before invoking any ap=
plication and one of them will be left unused. I thing having a single secu=
rity object per application is required. I can think about cases where user=
 want to transfer gridftp files to EC2 provider but i dont think we are add=
ressing that problem yet.  Problems of having multiple security in the cont=
ext will make the context object bulky and lot of time object will be not u=
sed.

I would say a security context for each invocation. I am not sure
whether you meant the same thing by saying "per application". If not
please describe.

>
> How do you expect users to send security information (Format)? Means if i=
 have workflow with Grid and EC2 service, i need to call some API functions=
 to set both with different object types. How do you think this to work for=
 non java clients?

Before invoking the WF (Workflow) credentials should be in ACS
(Airavata Credential Store). At the time of storing credentials to
ACS, user need to specify a name. This name is unique to a gateway.
Then afterwards when user invokes workflow he/she needs to send
"credential user names" as a list.

>
> Do you have ETA on  OA4MP service to renew proxy automatically?

No, I dont have. We may need to check with OA4MP debs how to achieve
this. Also we need to check how to renew credentials for other types
of providers. (Mainly IaaS ones)

Thanks
Amila

That would be much needed for production gateways to use OAUTH credentials.
>
> Thanks
> Raminder
>
>> Hi All,
>>
>> We had an offline discussion about handling security contexts at GFac
>> level. Some of the ideas discussed are as follows,
>>
>> 1. In the new GFac handler architecture we can set a security context.
>> This security context is used through out handler executions. We need
>> to populate security credentials retrieved from ACS (Airavata
>> Credential Store) to the security context. But we need to make sure
>> the populated security context will work for all providers (E.g :-
>> XSEDE, EC 2, Local Cluster etc ...).
>> So we thought of storing credentials in a generic object within the
>> security context and allow provider implementation to convert
>> credentials to correct object type (Keys, Tokens etc ...).
>>
>> 2. We also discussed about how to handle security when there are
>> multiple providers per request. E.g :- for a single request we may
>> need to transfer files between 2 GRID providers. Maybe from EC2 to
>> XSEDE. To handle such scenario we need to have more than one security
>> credentials in the security context. Inorder to support this use case
>> we can pass more than one community user names in the request.
>>
>> 3. Another concern that arose during the chat was about renewing
>> credentials. As per now OA4MP (OAuth for My Proxy) does not support
>> credential renewing. This might have an impact on current deployments
>> once 0.7 is released. I guess the ideal solution would be to have
>> credential renewing at OA4MP side. Until we have that feature in OA4MP
>> we can use a configuration file to read my proxy data. (As we do now).
>> So if "credential store" credentials are expired or not available we
>> will use configured default my proxy security data.
>>
>> Also it was proposed to store encrypted user name/passwords in ACS in
>> addition to SSH keys and myproxy keys.
>>
>> Appreciate your feedback on above suggestions.
>>
>> Thank you
>> Regards,
>> Amila
>