Exhibits, Demos & Posters
Communicating Security Assertions over the GridFTP Control Channel
Authors
- Rajkumar Kettimuthu, Mathematics and Computer Science Division, Argonne National Laboratory, Argonne, Illinois; Computation Institute, The University of Chicago
- Liu Wantao, Department of Computer Science, The University of Chicago; Beihang University, Beijing
- Frank Siebenlist, Mathematics and Computer Science Division, Argonne National Laboratory, Argonne, Illinois; Computation Institute, The University of Chicago
- Ian Foster, Mathematics and Computer Science Division, Argonne National Laboratory, Argonne, Illinois; Computation Institute, The University of Chicago; Department of Computer Science, The University of Chicago
Abstract
The GridFTP protocol defines a general-purpose mechanism for secure, reliable, high-performance data movement. GridFTP has been widely used for efficiently transferring large volumes of data. GSI is the commonly used security mechanism for GridFTP transfers. In portal environments multiple users logon and initiate third-party data transfers between two remote nodes. Typically, all of these users belong to the same virtual organization and use a common community credential to authenticate with Grid services. Each user will have different access permissions on the end hosts and their permissions are typically embedded into the community credential as SAML assertions. Even though all the users share the community credential, the embedded SAML assertions make the credential for each user unique. Thus a separate GridFTP session needs to be established for each user's transfer request. Each session needs to be authenticated and authorized, which involves a significant overhead. In this work, we develop a mechanism to reduce the security overhead in authenticating and authorizing the users to perform GridFTP transfers in portal environments.
The objective is to provide the GridFTP clients with the ability to specify a SAML-assertion per GridFTP data transfer command while reusing the existing established session between the client and the GridFTP server. We add a new SITE command to achieve this functionality. We implement the new command on the Globus GridFTP server, add new API to the GridFTP client library, and enhance the authorization callout on the server to process SAML assertion on a per-command basis.
