
User Authentication and Cloud Authorization in the Galaxy project: https://doi.org/10.1101/506238

An overview of user authentication and authorization in the Galaxy project: how users can authorize Galaxy to access their private resources on a cloud provider, and how Galaxy implements the flow by leveraging the OpenID Connect protocol and a Role-Based Access Control model to obtain temporary credentials.


  1. User X, Galaxy, and the cloud provider. User X to Galaxy: "Get data from my S3 bucket to my history." Galaxy to the cloud: "Give me User X's bucket." Cloud to Galaxy: "Give me your secrets!" Any middleware, any science gateway: "Hey, can you share your secrets with me?"
  2. Do NOT ask for the user's credentials, because:
     • Obtaining credentials demands a degree of familiarity with the provider, which is usually not intuitive for general users;
     • Liability concern for Galaxy to securely store the credentials;
     • Provides Galaxy with the same level of privileges as the user;
     • Stolen credentials can only be disabled by manual intervention of the user.
  3. Instead:
     • Use server-to-server communication, and minimize user interaction/intervention;
     • Use token-based authentication and authorization;
     • Use temporary tokens;
     • Use role-based access control.
  4. User X, Galaxy, and the cloud provider. Galaxy to the cloud: "User X has authorized me to access her private bucket." Cloud to Galaxy: "Who are you? Who is User X? What is your authorization?" Galaxy: "User X authorized me."
  5. The three questions the cloud provider asks: Who are you? Who is User X? What is your authorization?
  6. Who are you? Answered by Galaxy's OIDC Client ID: register Galaxy as an OIDC client with the identity provider. Client ID: 8936 … 8o88f.apps.googleusercontent.com
  7. Who is User X? Galaxy asks the identity provider: "Give me a proof of User X's identity." The authentication request:
     https://accounts.google.com/o/oauth2/auth?
       nonce=U9zZAIsacYEB7lJ3FZxO9G3nfzPaIxrl94Vnr5f2WfLMc8KQoG3C2B8LP2IGlwAW&
       state=zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB&
       redirect_uri=http://localhost:8080/authnz/google/callback&
       prompt=consent&
       response_type=code&
       client_id=8936 … 8o88f.apps.googleusercontent.com&
       scope=openid+email+profile+https://www.googleapis.com/auth/user.birthday.read&
       access_type=offline
  8. Part of that request establishes the user's authentication (who they are).
  9. Part of that request establishes the user's authorization (what they allow you to do).
  10. "Here is your proof": the identity provider redirects back to Galaxy's callback with
      {
        "code": "4/NwEDKgZ2GZFbzd … I7xeXhvWEBESoc",
        "prompt": "consent",
        "state": "zCbXw5YEEiHHqsOEWQnkydFfolBYYWFB",
        "session_state": "ccd20afbeec42f7711fb787ebebde0b38ff85255..85bb",
        "scope": "email profile openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/user.birthday.read",
        "authuser": "0"
      }
  11. Galaxy exchanges the code for the user's OIDC ID token:
      {
        "access_token": "… 129 chars …",
        "auth_time": 1556220254,
        "expires": 3600,
        "id_token": "… 1000 chars …",
        "refresh_token": "… 45 chars …",
        "token_type": "Bearer"
      }
      ID token: is a JWT; contains claims about the authentication of the end user.
      Access token: is not a JWT; can be used to request info.
  12. Part of a decoded ID token (payload):
      {
        "iss": "accounts.google.com",
        "azp": "…",
        "aud": "8936 ... 8o88f.apps.googleusercontent.com",
        "sub": "100813134013939805912",
        "email": "jalili.vahid@gmail.com",
        "email_verified": true,
        "at_hash": "oRKH9-7HUwPJx-OxBSR-TA",
        "nonce": "…",
        "iat": 1556220253,
        "exp": 1556223853
      }
  13. (Same diagram as slide 12.) The Authorization Code Grant flow in a nutshell.
  14. "Let Galaxy access my private data": the user creates an AWS IAM role (identified by its Role ARN) whose policy scopes what Galaxy may access:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [ "arn:aws:s3:::my-bucket/hgmm_100_R2.fastq" ],
            "Condition": { "IpAddress": { "aws:SourceIp": "1.2.3.4" } }
          }
        ]
      }
  15. The role's trust policy allows the role to be assumed only with a web identity token issued by the identity provider for Galaxy's client ID:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "Federated": "accounts.google.com" },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
              "StringEquals": { "accounts.google.com:aud": "8936 ... 8o88f.apps.googleusercontent.com" }
            }
          }
        ]
      }
  16. "Here is my ID and authorization, give me temporary secrets to access User X's private data": Galaxy calls AWS STS with the Role ARN and the user's ID token:
      https://sts.amazonaws.com/?
        DurationSeconds=3600&
        Action=AssumeRoleWithWebIdentity&
        Version=2011-06-15&
        RoleSessionName=cloudauthz&
        RoleArn=<Role ARN>&
        WebIdentityToken=<ID Token>
  17. STS answers with temporary secrets, which is what Galaxy uses to access User X's private data:
      AccessKeyId: ASIA4 … AA2ZE
      SecretAccessKey: owi+huRYTTWlL … zujnvKZvS
      SessionToken: FQoGZXIvYXdzEIv//////////wEaDME/ … u0o9fGc5gU=
  18. (Same diagram as slide 17.) The Role-Based Access Control flow in a nutshell.
  19. Thanks.
      Publication: https://www.biorxiv.org/content/10.1101/506238v1
      Demo: https://galaxyproject.org/authnz/cloud/demo/
      Details:
        https://galaxyproject.org/authnz/cloud/
        https://galaxyproject.org/authnz/config/oidc/
        https://galaxyproject.org/authnz/use/oidc/
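As an added example, not code from the slides or from Galaxy itself, the three answers above as relying-party checks in Python: generating the state and nonce for the authentication request (slide 7), validating the claims of the returned ID token (slide 12), and mirroring the trust-policy condition STS evaluates before it hands out temporary secrets (slides 15 and 16). The client ID, the nonce and the sample claims are constructed stand-ins, and signature verification of the JWT against the provider's JWKS is assumed to happen before the claim checks.

```python
import secrets, time
from urllib.parse import urlencode

ISSUER = "accounts.google.com"
CLIENT_ID = "8936...8o88f.apps.googleusercontent.com"   # constructed stand-in for Galaxy's client ID
# Constructed ID-token claims (shape of slide 12) and the trust policy of slide 15.
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "100813134013939805912", "email_verified": True,
                 "nonce": "n-constructed", "iat": 1556220253, "exp": 1556223853}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Federated": ISSUER}, "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {ISSUER + ":aud": CLIENT_ID}}}]}

def build_auth_request(redirect_uri, client_id=CLIENT_ID):
    """Step 1: state ties the callback to this browser session; nonce is echoed back inside the ID token."""
    state, nonce = secrets.token_urlsafe(24), secrets.token_urlsafe(48)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid email profile", "state": state, "nonce": nonce,
              "prompt": "consent", "access_type": "offline"}
    return "https://accounts.google.com/o/oauth2/auth?" + urlencode(params), state, nonce

def id_token_problems(claims, nonce, client_id=CLIENT_ID, now=None):
    """Step 2: claim checks on the ID token (its signature is assumed already verified).
    Returns the names of the failed checks; an empty list means the proof of identity is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in (ISSUER, "https://" + ISSUER):
        problems.append("iss")                      # minted by a different provider
    if claims.get("aud") != client_id:
        problems.append("aud")                      # minted for a different client
    if claims.get("nonce") != nonce:
        problems.append("nonce")                    # replayed or injected token
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        problems.append("exp")                      # outside its validity window
    if not claims.get("email_verified", False):
        problems.append("email_verified")
    return problems

def trust_policy_allows(trust_policy, claims):
    """Step 3: mirror of what STS checks before AssumeRoleWithWebIdentity returns secrets:
    the token issuer is the federated principal and every StringEquals condition (e.g. <iss>:aud) matches."""
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if st.get("Principal", {}).get("Federated") != claims.get("iss"):
            continue
        conds = st.get("Condition", {}).get("StringEquals", {})
        if all(claims.get(k.split(":", 1)[1]) == v for k, v in conds.items()):
            return True
    return False
```

The aud condition is what stops a token minted for some other OIDC client of the same provider from assuming the user's role.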
