Authentication and Authorization Considerations for a Multi-tenant Service. Heiland, R., Koranda, S., Marru, S., Pierce, M., & Welch, V. In Proceedings of the 1st Workshop on The Science of Cyberinfrastructure Research, Experience, Applications and Models - SCREAM '15, pages 29-35, 2015. ACM Press.
Authentication and Authorization Considerations for a Multi-tenant Service [link]Website  doi  abstract   bibtex   
Distributed cyberinfrastructure requires users (and machines) to perform some sort of authentication and authorization (together simply known as auth). In the early days of computing, authentication was performed with just a username and password combination, and this is still prevalent today. But during the past several years, we have seen an evolution of approaches and protocols for auth: Kerberos, SSH keys, X.509, OpenID, API keys, OAuth, and more. Not surprisingly, there are trade-offs, both technical and social, for each approach. The NSF Science Gateway communities have had to deal with a variety of auth issues. However, most of the early gateways were rather restrictive in their model of access and development. The practice of using community credentials (certificates), a well-intentioned idea to alleviate restrictive access, still posed a barrier to researchers and challenges for security and auditing. And while the web portal-based gateway clients offered users easy access from a browser, both the interface and the back-end functionality were constrained in the flexibility and extensibility they could provide. Designing a well-defined application programming interface (API) to fine-grained, generic gateway services (on secure, hosted cyberinfrastructure), together with an auth approach that has a lower barrier to entry, will hopefully present a more welcoming environment for both users and developers. This paper provides a review and some thoughts on these topics, with a focus on the role of auth between a Science Gateway and a service provider.
@inproceedings{
 title = {Authentication and Authorization Considerations for a Multi-tenant Service},
 type = {inproceedings},
 year = {2015},
 pages = {29-35},
 websites = {https://www.scopus.com/inward/record.uri?eid=2-s2.0-84962377238&doi=10.1145%2F2753524.2753534&partnerID=40&md5=06c617703f402a57e3922f8a290ed55d,http://dl.acm.org/citation.cfm?doid=2753524.2753534},
 publisher = {ACM Press},
 city = {New York, New York, USA},
 id = {b25b955b-6670-308f-b1bf-4d5aa029fdd3},
 created = {2019-10-01T18:06:09.871Z},
 file_attached = {false},
 profile_id = {42d295c0-0737-38d6-8b43-508cab6ea85d},
 last_modified = {2019-10-01T18:06:33.599Z},
 read = {false},
 starred = {false},
 authored = {true},
 confirmed = {true},
 hidden = {false},
 citation_key = {Heiland201529},
 source_type = {conference},
 notes = {cited By 3; Conference of 1st Workshop on the Science of Cyberinfrastructure: Research, Experience, Applications and Models, SCREAM 2015 ; Conference Date: 16 June 2015; Conference Code:116136},
 folder_uuids = {f285719c-254b-42e8-a6fb-527e7c80488b,9559c0d7-009c-4a6d-b131-a3e3d83d98b8,22c3b665-9e84-4884-8172-710aa9082eaf},
 private_publication = {false},
 abstract = {Distributed cyberinfrastructure requires users (and machines) to perform some sort of authentication and authorization (together simply known as auth). In the early days of computing, authentication was performed with just a username and password combination, and this is still prevalent today. But during the past several years, we have seen an evolution of approaches and protocols for auth: Kerberos, SSH keys, X.509, OpenID, API keys, OAuth, and more. Not surprisingly, there are trade-offs, both technical and social, for each approach. The NSF Science Gateway communities have had to deal with a variety of auth issues. However, most of the early gateways were rather restrictive in their model of access and development. The practice of using community credentials (certificates), a well-intentioned idea to alleviate restrictive access, still posed a barrier to researchers and challenges for security and auditing. And while the web portal-based gateway clients offered users easy access from a browser, both the interface and the back-end functionality were constrained in the flexibility and extensibility they could provide. Designing a well-defined application programming interface (API) to fine-grained, generic gateway services (on secure, hosted cyberinfrastructure), together with an auth approach that has a lower barrier to entry, will hopefully present a more welcoming environment for both users and developers. This paper provides a review and some thoughts on these topics, with a focus on the role of auth between a Science Gateway and a service provider.},
 bibtype = {inproceedings},
 author = {Heiland, Randy and Koranda, Scott and Marru, Suresh and Pierce, Marlon and Welch, Von},
 doi = {10.1145/2753524.2753534},
 booktitle = {Proceedings of the 1st Workshop on The Science of Cyberinfrastructure Research, Experience, Applications and Models - SCREAM '15}
}

Downloads: 0