Authentication and Authorization Considerations for a Multi-tenant Service

dc.contributor.authorHeiland, Randy
dc.contributor.authorKoranda, Scott
dc.contributor.authorMarru, Suresh
dc.contributor.authorPierce, Marlon
dc.contributor.authorWelch, Von
dc.description.abstractDistributed cyberinfrastructure requires users (and machines) to perform some sort of authentication and authorization (together simply known as "auth"). In the early days of com- puting, authentication was performed with just a username and password combination, and this is still prevalent today. But during the past several years, we have seen an evolution of approaches and protocols for auth: Kerberos, SSH keys, X.509, OpenID, API keys, OAuth, and more. Not surpris- ingly, there are trade-offs, both technical and social, for each approach. The NSF Science Gateway communities have had to deal with a variety of auth issues. However, most of the early gateways were rather restrictive in their model of access and development. The practice of using community credentials (certificates), a well-intentioned idea to alleviate restrictive access, still posed a barrier to researchers and challenges for security and auditing. And while the web portal-based gate- way clients offered users easy access from a browser, both the interface and the back-end functionality were constrained in the flexibility and extensibility they could provide. Design- ing a well-defined application programming interface (API) to fine-grained, generic gateway services (on secure, hosted cyberinfrastructure), together with an auth approach that has a lower barrier to entry, will hopefully present a more welcoming environment for both users and developers. This paper provides a review and some thoughts on these topics, with a focus on the role of auth between a Science Gateway and a service provider.en
dc.description.sponsorshipNational Science Foundation, Grant Numbers 1339774 and 1234408.en
dc.identifier.citationRandy Heiland, Scott Koranda, Suresh Marru, Marlon Pierce, and Von Welch. 2015. Authentication and Authorization Considerations for a Multi-tenant Service. In Proceedings of the 1st Workshop on The Science of Cyberinfrastructure: Research, Experience, Applications and Models (SCREAM '15). ACM, New York, NY, USA, 29-35. DOI=
dc.rightsPermission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from SCREAM ’15, June 16 2015, Portland, OR, USA Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM 978-1-4503-3566-9/15/06...$15.00en
dc.subjectscience gatewaysen
dc.titleAuthentication and Authorization Considerations for a Multi-tenant Serviceen


Original bundle

Now showing 1 - 1 of 1
Thumbnail Image
988.82 KB
Adobe Portable Document Format
Can’t use the file because of accessibility barriers? Contact us with the title of the item, permanent link, and specifics of your accommodation need.