2008 IEEE Fourth International Conference on eScience (2008)
Dec. 7, 2008 to Dec. 12, 2008
The GridFTP protocol defines a general-purpose mechanism for secure, reliable, high-performance data movement. GridFTP has been widely used for efficiently transferring large volumes of data. GSI is the commonly used security mechanism for GridFTP transfers. In portal environments, multiple users log on and initiate third-party data transfers between two remote nodes. Typically, all of these users belong to the same virtual organization and use a common community credential to authenticate with Grid services. Each user has different access permissions on the end hosts, and those permissions are typically embedded into the community credential as SAML assertions. Even though all the users share the community credential, the embedded SAML assertions make the credential for each user unique. Thus a separate GridFTP session needs to be established for each user's transfer request. Each session needs to be authenticated and authorized, which involves a significant overhead. In this work, we develop a mechanism to reduce the security overhead of authenticating and authorizing users to perform GridFTP transfers in portal environments. The objective is to provide GridFTP clients with the ability to specify a SAML assertion per GridFTP data transfer command while reusing the existing established session between the client and the GridFTP server. We add a new SITE command to achieve this functionality. We implement the new command on the Globus GridFTP server, add a new API to the GridFTP client library, and enhance the authorization callout on the server to process SAML assertions on a per-command basis.
GridFTP, Security assertion, Data movement in Portal environments
L. Wantao, R. Kettimuthu, F. Siebenlist and I. Foster, "Communicating Security Assertions over the GridFTP Control Channel," 2008 IEEE Fourth International Conference on eScience (eScience), Indianapolis, IN, 2008, pp. 426-427.