Thursday, April 27, 2017

OSiRIS Engagement Summary

OSiRIS (Open Storage Research Infrastructure, NSF award #1541335) is a multi-institutional project aimed a providing a distributed storage infrastructure that allows researchers to manage and share data from their home computing facilities with other partner locations. The University of Michigan, Michigan State, Wayne State, and Indiana University are working together to develop the transparent, high-performance storage infrastructure which will be available to connected locations on participating campuses. The project will provide data sharing, archiving, security, and life-cycle management, all implemented and managed with a single distributed service.

In October 2016, CTSC began an analysis of the new OSiRIS Access Assertions (OAA) design. CTSC and OSiRIS staff worked together via a series of weekly phone calls to review the design of the authentication and authorization framework for OSiRIS. As OSiRIS is an open-source project, all design documentation and related code for OAA is available on GitHub.

Since the OAA design was at an early stage, CTSC asked OSiRIS staff to document the various use-case scenarios which would be addressed by OAA. This resulted in a set of requirements needed by scientists (end-users), system administrators, and network administrators.

Next, CTSC began the review of the core OAA system. It was discovered that OAA borrows concepts from OAuth 2.0 (RFC 6749), including JSON Web Tokens (RFC 7519) and the practice of issuing short-lived access tokens and long-lived refresh tokens. The resemblance of OAA to OAuth 2.0 inspired the team to use the OAuth 2.0 Threat Model and Security Considerations (RFC 6819) as an evaluation framework for the OAA system. Over the course of several weeks, the OSiRIS team used recommendations from the OAuth 2.0 Threat Model to make modifications to the evolving OAA design, as noted in the final engagement report.

The above swim lane diagram, produced by the OSiRIS team during the engagement, helped the CTSC team understand the OSiRIS Access Assertions (OAA) design.

After the review of the core OAA design, the review shifted to the integration of OAA with other OSiRIS components including Ceph and NMAL/perfSONAR. As the integration is still in an early phase, CTSC staff reviewed the integration design for potential issues drawing on knowledge of similar analyses in the past.

OSiRIS is using COmanage Registry for managing groups and roles for researchers and administrators. CTSC staff has significant experience with COmanage, so several conference calls were of the question-and-answer variety where OSiRIS staff were able to ask detailed questions about COmanage and how to best leverage the power of the software for their particular scenarios.

CTSC's involvement early in the design and implementation phase enabled the OSiRIS developers to incorporate several security recommendations before development had proceeded to a point where change would have been painful. CTSC identified no significant weaknesses in the resulting design. CTSC encouraged OSiRIS to apply for a follow-on engagement after implementation is complete, to review design changes that may have occurred during implementation and initial deployment.

Edited to add: See also the OSiRIS blog post on our engagement.