[ogsa-hpcp-wg] File staging extension

Paolo Andretto paolo.andreetto at pd.infn.it
Fri Nov 2 08:10:34 CDT 2007


The solution proposed by EGEE/OMII for the data staging with the 
CREAM-BES is essentially Andrew's one.
We have modified the middleware in order to support "ftp://user:pwd@host" 
ONLY for this demo; the CREAM-BES usually supports only gsiftp and https.
If the service is not able to find these credentials in the URI, then it 
tries to retrieve the username and password from the WSS header (Username 
Token profile). Having a password written in a JSDL file is abysmal, we know, 
but for a demo it can be a good compromise.
For the long term, data staging is an issue for the OMII project that 
depends on reaching an agreement on a "common delegation mechanism", so 
for now it is too early to spend more effort on that.

Cheers
Paolo

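The credential resolution order Paolo describes (userinfo embedded in the staging URI first, then the WS-Security UsernameToken, with ftp accepted only in demo mode) is easy to get wrong at the logging step: the URI form puts the password in every job record. The following is an added example, not CREAM-BES code from the thread or the OMII/EGEE middleware; the JSDL DataStaging layout and WSS namespace are the standard ones, while the sample job, the SOAP header, the scheme policy and all function names are assumptions for illustration.

```python
"""Added example (not CREAM-BES code): resolve the credential for each JSDL
DataStaging URI the way the thread describes, then return a redacted URI
that is safe to log alongside the credential object.

Order: 1) user:pwd embedded in the URI, 2) WSS UsernameToken, 3) none.
Schemes: gsiftp/https normally; ftp only when demo=True (assumed policy).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, unquote

JSDL_NS = "http://schemas.ggf.org/jsdl/2005/11/jsdl"          # JSDL 1.0
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")       # WSS 1.0

PRODUCTION_SCHEMES = {"gsiftp", "https"}   # assumed: what CREAM-BES normally accepts
DEMO_SCHEMES = PRODUCTION_SCHEMES | {"ftp"}  # assumed: the SC07 demo relaxation


@dataclass
class Credential:
    username: str
    password: str
    origin: str  # "uri" or "wss", so audit logs can say where it came from


def scheme_allowed(uri: str, demo: bool = False) -> bool:
    """Policy check applied before any credential is extracted."""
    allowed = DEMO_SCHEMES if demo else PRODUCTION_SCHEMES
    return urlsplit(uri).scheme.lower() in allowed


def parse_userinfo(uri: str) -> Optional[Credential]:
    """Step 1: credentials written into the URI itself (ftp://user:pwd@host)."""
    parts = urlsplit(uri)
    if parts.username is None or parts.password is None:
        return None
    return Credential(unquote(parts.username), unquote(parts.password), "uri")


def parse_username_token(soap_header_xml: str) -> Optional[Credential]:
    """Step 2: WS-Security UsernameToken profile from the SOAP header."""
    root = ET.fromstring(soap_header_xml)
    token = root.find(f".//{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return None
    user = token.find(f"{{{WSSE_NS}}}Username")
    pwd = token.find(f"{{{WSSE_NS}}}Password")
    if user is None or pwd is None or not user.text:
        return None
    return Credential(user.text, pwd.text or "", "wss")


def redact(uri: str) -> str:
    """Strip userinfo so the URI can be logged or echoed back to the client."""
    parts = urlsplit(uri)
    if parts.username is None and parts.password is None:
        return uri
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def resolve_staging(jsdl_xml: str, soap_header_xml: Optional[str] = None,
                    demo: bool = False):
    """Return [(redacted_uri, credential_or_None), ...] for every DataStaging element."""
    root = ET.fromstring(jsdl_xml)
    results = []
    for ds in root.iter(f"{{{JSDL_NS}}}DataStaging"):
        uri = (ds.findtext(f"./{{{JSDL_NS}}}Source/{{{JSDL_NS}}}URI")
               or ds.findtext(f"./{{{JSDL_NS}}}Target/{{{JSDL_NS}}}URI"))
        if not uri:
            continue  # local-only staging entry, nothing to fetch
        if not scheme_allowed(uri, demo):
            raise ValueError(f"scheme not permitted by policy: {redact(uri)}")
        cred = parse_userinfo(uri)
        if cred is None and soap_header_xml:
            cred = parse_username_token(soap_header_xml)
        results.append((redact(uri), cred))
    return results


# Constructed sample inputs (not from the thread): one ftp source with the
# password in the URI, one https target that must fall back to the WSS token.
SAMPLE_JSDL = f"""<jsdl:JobDefinition xmlns:jsdl="{JSDL_NS}">
 <jsdl:JobDescription>
  <jsdl:DataStaging>
   <jsdl:FileName>input.dat</jsdl:FileName>
   <jsdl:Source><jsdl:URI>ftp://demo:s3cret@ftp.example.org/pub/input.dat</jsdl:URI></jsdl:Source>
  </jsdl:DataStaging>
  <jsdl:DataStaging>
   <jsdl:FileName>output.dat</jsdl:FileName>
   <jsdl:Target><jsdl:URI>https://store.example.org/out/output.dat</jsdl:URI></jsdl:Target>
  </jsdl:DataStaging>
 </jsdl:JobDescription>
</jsdl:JobDefinition>"""

SAMPLE_WSS_HEADER = f"""<wsse:Security xmlns:wsse="{WSSE_NS}">
 <wsse:UsernameToken>
  <wsse:Username>alice</wsse:Username>
  <wsse:Password>hunter2</wsse:Password>
 </wsse:UsernameToken>
</wsse:Security>"""

if __name__ == "__main__":
    for logged_uri, cred in resolve_staging(SAMPLE_JSDL, SAMPLE_WSS_HEADER, demo=True):
        print(logged_uri, "->", cred.origin if cred else "no credential")
```

Run without `demo=True` and the ftp entry is rejected before its password is ever parsed, which is the behaviour Paolo describes for the non-demo service. Only the redacted form of the URI is ever returned, so a job record or error message never carries the embedded password.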
A.S.McGough wrote:
> Two small points here,
>
> First off, I think we can sell this as a non-security problem. We're not 
> proposing ftp as a mechanism for transmitting private data. Especially 
> if we use usernames of "anonymous" and similar passwords. Many people 
> still use ftp for making non-secure information available, thus we can do 
> the same here. We use ftp to transfer bioinformatics databases which are 
> also available from a project web page, so this can be seen as not a problem.
>
> Second, I don't know if anyone saw the spam of the 
> "we've-scooped-your-passwords" last year (if you didn't they got the 
> first five passwords to be the first few lines of the parody on lord of 
> the rings "one OS to rule them all...."). I know the people who did this 
> and it took over 40,000 connections to get these to the top of the list. 
> So hopefully unless we're submitting that many jobs we won't make it 
> that high.
>
> Other than that I agree with KISS for now.
>
> steve..
>
>
> Marty Humphrey wrote:
>   
>> Hi Steven,
>>
>> I'm sorry if I did not make myself clearer. I am NOT suggesting that we
>> remove ftp, for the reasons you mention. Rather, I am stating that the set
>> of 3 does not include something with a reasonable "security story". Sftp and
>> ftps are both "reasonable" in their own ways and arguably should be included
>> in the discussion. 
>>
>> On a related topic, how are we going to feel when all of our passwords
>> appear on the "we've-scooped-your-passwords" screen at SC07? :^) 
>>
>> -- Marty  
>>
>> -----Original Message-----
>> From: Steven Newhouse [mailto:Steven.Newhouse at microsoft.com] 
>> Sent: Thursday, November 01, 2007 6:20 PM
>> To: Marty Humphrey; 'Vesselin Novov'
>> Cc: ogsa-hpcp-wg at ogf.org
>> Subject: RE: [ogsa-hpcp-wg] File staging extension
>>
>> A little more broadly, I am concerned that someone could semi-legitimately
>> accuse the HPC Profile effort of "mandating insecurity".
>>
>> We're mandating in HPCBP that over an open network plain text username and
>> passwords are passed over SSL. We're demonstrating a proof of concept that
>> using 'movement protocols' such as ftp, http, ... can be integrated into the
>> HPCBP by passing in a credential from the client. This IMHO is the goal of
>> the normative extensions.
>>
>> The set of credentials that we mandate support for and the movement
>> protocols that they access is effectively a profile on top of these normative
>> extensions. If your HPCBP endpoint is only going to go to files within your
>> network (because by policy you do not allow external FTP traffic through
>> your firewall) then use of FTP may not be a major concern. Other deployments
>> going cross-enterprise in their file access may require that certain
>> protocols are only used.
>>
>> Basically I think we have three phases:
>> 1. Proof of concept for SC07 to drive further development of the extensions.
>> 2. Developing normative extensions that are fairly flexible in terms of the
>> things moved and the tokens used to authenticate access to the things being
>> moved.
>> 3. Concrete profiles defining the protocols and the credentials. This set
>> may be very different in different domains, e-science (GridFTP &
>> certificates), commerce (ftp & username/password) for example.
>>
>> 2 & 3 I think this is something we can really discuss post SC07. For now we
>> need to KISS* and together be happy with an answer to 1!
>>
>> Steven
>>
>> KISS = Keep It Simple Stupid (This is a generic working group stupid - not a
>> person specific stupid in this email thread!)
>>
>>
>>
>> --
>>   ogsa-hpcp-wg mailing list
>>   ogsa-hpcp-wg at ogf.org
>>   http://www.ogf.org/mailman/listinfo/ogsa-hpcp-wg
