airavata-dev mailing list archives

From Marlon Pierce <marpi...@iu.edu>
Subject Re: Securing the Thrift API
Date Mon, 17 Feb 2014 19:33:36 GMT
The Airavata XBaya user composer tool will need to run this way. 


Marlon

On 2/17/14 2:26 PM, Borries Demeler wrote:
> Yes, we do. Raminder has been working with Emre Brookes on a desktop implementation.
> I presume this capability will be integrated into the Thrift API.
> Raminder may be able to shed more light on the way authentication is handled on the desktop.
>
> -b.
>
> On Mon, Feb 17, 2014 at 07:07:11PM +0000, Schwartz, Terri wrote:
>> Do we plan to support desktop clients with SciGap? I don't have any particular
>> suggestion to make regarding authentication mechanisms, just want to understand what would
>> be the burden on the end user of a SciGap-enabled desktop application, with various
>> authorization/authentication choices.
>>
>> Terri
>>
>> ________________________________________
>> From: Sachith Withana [swsachith@gmail.com]
>> Sent: Monday, February 17, 2014 8:18 AM
>> To: architecture@airavata.apache.org; dev@airavata.apache.org
>> Subject: Re: Securing the Thrift API
>>
>> The whole problem arises because we need to authenticate the client.
>>
>> In mutual authentication, you need to set up the server as well to support
>> each and every client (by adding certificates manually). But scalability
>> can be an issue here?
>>
>> In terms of having a public API, Google, Evernote and Amazon Web Services
>> use OAuth 2.0 to authenticate the client.
>> And Evernote is using Thrift as well.
>>
>> I thought in terms of the SciGap perspective (it can also support the
>> current use case scenarios).
>>
>> But as you mentioned, it can make things more complicated. (Since whoever
>> is using the Thrift client would have to program to use OAuth.)
>>
>> For learning purposes: in terms of the operation, don't these two do the
>> same thing? (OAuth coupled with server public key authentication vs mutual
>> authentication using certificates) (apart from the fact that OAuth
>> supports delegation?)
>>
>> User is delegating the Thrift client to use the server, right?
>>
>>
>>
>>
>> On Mon, Feb 17, 2014 at 11:01 AM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
>>
>>> On Mon, Feb 17, 2014 at 10:36 AM, Sachith Withana <swsachith@gmail.com> wrote:
>>>> Hi all,
>>>>
>>>> We are exploring the options on securing the Thrift API.
>>>>
>>>> Our objective is to authenticate the server and authorize the client.
>>>>
>>> What do you mean by authorizing the client?
>>>
>>>> The options we are exploring are
>>>>
>>>> 1. mutual authentication using client and server certificates
>>>>
>>> This seems to be a good fit according to my understanding.
>>>
>>>
>>>> 2. Use the server certificate to set up an SSL communication and use OAuth
>>>> 1 or 2 for the client authorization
>>>>
>>> I don't see a requirement for doing this. Usually we use OAuth when we need
>>> delegation. I am not clear how a delegation model fits here. Also it makes
>>> things complicated.
>>>
>>> Thanks
>>> Amila
>>>
>>>
>>>> Any suggestions on this matter are highly appreciated!
>>>>
>>>> --
>>>> Thanks,
>>>> Sachith Withana
>>>>
>>
>>
>> --
>> Thanks,
>> Sachith Withana

