Authentication and Authorization Considerations for a Multi-tenant Service

Heiland, Randy; Koranda, S.; Marru, Suresh; Pierce, Marlon; Welch, Von

doi:10.1145/2753524.2753534

Cited by 7 publications

(2 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Figure 4 summarizes the communication interactions between the desktop client, identity server and Airavata server in order to achieve access control at the Airavata API. For a general discussion of these considerations, see [11].…”

Section: Enforcing Access Control Using Rolesmentioning

confidence: 99%

Anatomy of the SEAGrid Science Gateway

Nakandala

Pamidighantam

Yodage

et al. 2016

Proceedings of the XSEDE16 Conference on Diversity, Big Data, and Science at Scale

Self Cite

View full text Add to dashboard Cite

The SEAGrid science gateway provides scientists and educators with user interfaces and tools for conducting computational chemistry, material science, and engineering experiments online using XSEDE and campus computing resources. This paper describes the architecture of the recently completed technology refresh for the gateway, replacing its desktop user interface, adding a web browser user interface, using Apache Airavata middleware for job management, and providing enhanced data search and feature extraction capabilities. These introduce several challenges, particularly in providing unified authentication and authorization mechanisms to middleware services for the desktop and web clients, and in extending Apache Airavata middleware with new components. Access, authentication, and authorization problems were solved by using standard-based approaches (OAuth2, XACML) that were implemented by incorporating WSO2's Identity Server into both SEAGrid and Apache Airavata. SEAGrid-specific data extraction capabilities were added to Airavata middleware using a message-based component approach. This approach is generalizable to other advanced and gatewayspecific capabilities and enables Airavata to add additional data analysis components without modifying its core functionality.

show abstract

Section: Enforcing Access Control Using Rolesmentioning

confidence: 99%

Anatomy of the SEAGrid Science Gateway

Nakandala

Pamidighantam

Yodage

et al. 2016

Proceedings of the XSEDE16 Conference on Diversity, Big Data, and Science at Scale

Self Cite

View full text Add to dashboard Cite

show abstract

“…Examples include APIs for maps, credit card payments, and cloud storage, to say nothing of integration with social media platforms. As part of this integration, developers generally have to authenticate to the service, typically by using static random API keys [35], which they must manage securely. Developers may also need to manage cryptographic public and private keys for access control (e.g., SSH) or TLS.…”

Section: Introductionmentioning

confidence: 99%

How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories

Meli

McNiece

Reaves

2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

GitHub and similar platforms have made public collaborative development of software commonplace. However, a problem arises when this public code must manage authentication secrets, such as API keys or cryptographic secrets. These secrets must be kept private for security, yet common development practices like adding these secrets to code make accidental leakage frequent. In this paper, we present the first large-scale and longitudinal analysis of secret leakage on GitHub. We examine billions of files collected using two complementary approaches: a nearly six-month scan of real-time public GitHub commits and a public snapshot covering 13% of open-source repositories. We focus on private key files and 11 high-impact platforms with distinctive API key formats. This focus allows us to develop conservative detection techniques that we manually and automatically evaluate to ensure accurate results. We find that not only is secret leakage pervasive-affecting over 100,000 repositories-but that thousands of new, unique secrets are leaked every day. We also use our data to explore possible root causes of leakage and to evaluate potential mitigation strategies. This work shows that secret leakage on public repository platforms is rampant and far from a solved problem, placing developers and services at persistent risk of compromise and abuse.

show abstract