Presentation is loading. Please wait.

Presentation is loading. Please wait.

OCI-1148453 OCI-1148090 2012-2017 Flexible file access control for iRODS Alva L. Couch, Ph.D. Tufts University with David Tarboton and Jeff Horsburgh:

Published byRosemary Wood Modified over 8 years ago

Similar presentations

Presentation on theme: "OCI-1148453 OCI-1148090 2012-2017 Flexible file access control for iRODS Alva L. Couch, Ph.D. Tufts University with David Tarboton and Jeff Horsburgh:"— Presentation transcript:

1 OCI-1148453 OCI-1148090 2012-2017 Flexible file access control for iRODS Alva L. Couch, Ph.D. Tufts University with David Tarboton and Jeff Horsburgh: USU; Ray Idaszak, Hong Yi, Michael Stealey: RENCI

2 Subtitle: iRODS as a social collaboration environment(!)

3 Data management versus collaboration Data managementSocial collaboration Administrative control and management of user privilege over objects and user groups Unprivileged and transitive user privilege and group management. Only an owner can share an object. Anyone with a privilege can grant that privilege to another. Only an administrator can create a group. Anyone can create and manage a group, including granting privilege to others.

4 The problem iRODS access control is designed around filesystem-like access. –Creating a user group requires administrative privilege. –Only owners can share files with others. We wanted a “social” access control in which: –Users can create and manage user groups at will. –Privileges can be delegated without owning an object.

5 Transitive privilege

6 Why not do this inside iRODS itself? Websites support this kind of sharing all the time now. Can we implement the same kind of sharing consistently at the iRODS level?

7 Am I crazy? Probably. Social networking does that to people. But iRODS can do this. The rule engine is that powerful.

8 Two Use Cases 1.Researcher plus graduate students. 2.Researcher plus peer researchers at other institutions.

9 Researcher plus graduate students Researcher should “own” all files. Researcher “invites” graduate students to receive “view” or “change” permission for directories. Files in directory inherit directory privilege. When graduate student graduates, researcher retains ownership and control. Graduate students can delegate privileges they have to others, as needed.

10 Researcher plus graduate students

11 Researcher plus peers Each researcher can assign joint ownership to others for –iRODS objects. –IrodsShare user groups. Those, in turn, can delegate privilege to their assistants.

12 Researcher plus peers

13 Options for implementation Strategy: use dynamic policy enforcement points to deny access by raising an error condition if user does not have appropriate privileges. Available in 4.1. Several options for authorization information –In iRODS AVUs: insufficiently secure at this time. –In iRODS ACLs: relatively difficult to manage without a provenance database to implement “undo” policies. –In the iCAT catalog as separate tables: too brittle and subject to disruption as iCAT is expanded. –In a separate database parallel to iCAT.

14 Present IrodsShare architecture

15 Subtractive Access Control A user of IrodsShare is a member of the HydroShare iRODS group and by default is granted full change permission over all HydroShare group resources. Policy enforcement points deny access according to IrodsShare policies. Thus “all that is not denied is permitted”.

16 Access control policies Any user who has a privilege can grant that privilege or less to another user. Grantors can also revoke privileges that they granted. Privileges are additive: if two users grant a third different privileges on the same object, the strongest privilege is granted. Object owners can revoke any privilege, and can set an object as unshareable, which turns off the main features of the sharing mechanism. This applies to folders, their contents, and groups.

17 Status and availability Access control logic and policy engine implemented, http://github.com/hydroshare/IrodsShare http://github.com/hydroshare/IrodsShare Policy enforcement not yet implemented. Plans for immediate future –Move API inside iRODS via Python Microservices. –Expose as REST. Considering several options for the future: –Reflecting policies into ACLs. –Using limited privilege policies to allow regular users to create and manage regular iRODS groups.

18 Conclusions iRODS is not just for data management. iRODS policies are powerful enough to allow very fluid data sharing and collaboration. These policies bring collaboration facilities normally thought of as UI features to the filesystem level.

Download ppt "OCI-1148453 OCI-1148090 2012-2017 Flexible file access control for iRODS Alva L. Couch, Ph.D. Tufts University with David Tarboton and Jeff Horsburgh:"

Similar presentations

File Server Organization and Best Practices IT Partners June, 02, 2010.

File Server Organization and Best Practices IT Partners June, 02, 2010.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.

Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.
When you combine NTFS permissions and share permissions the most restrictive effective permission applies. For example, if you share a folder and assign.

When you combine NTFS permissions and share permissions the most restrictive effective permission applies. For example, if you share a folder and assign.
1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.

1 Chapter Overview Understanding and Applying NTFS Permissions Assigning NTFS Permissions and Special Permissions Solving Permissions Problems.
1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.

1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.
How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.

How to Succeed with Active Directory Robert Williams, PhD CEO Secure Logistix Corporation.
Access Control Patterns Fatemeh Imani Mehr Amirkabir university of technology, Department of Computer Engineering & Information Technology.

Access Control Patterns Fatemeh Imani Mehr Amirkabir university of technology, Department of Computer Engineering & Information Technology.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Chapter 4 Chapter 4: Planning the Active Directory and Security.

Chapter 4 Chapter 4: Planning the Active Directory and Security.
11 WORKING WITH GROUPS Chapter 7. Chapter 7: WORKING WITH GROUPS2 CHAPTER OVERVIEW  Understand the functions of groups and how to use them.  Understand.

11 WORKING WITH GROUPS Chapter 7. Chapter 7: WORKING WITH GROUPS2 CHAPTER OVERVIEW  Understand the functions of groups and how to use them.  Understand.
Administering Active Directory

Administering Active Directory
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
Lecture 7 Access Control

Lecture 7 Access Control
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.
Group Accounts; Securing Resources with Permissions

Group Accounts; Securing Resources with Permissions
Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.

Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.
Understanding Active Directory

Understanding Active Directory

Similar presentations

Ads by Google