Shibbolized Subversion

1
Shibbolized Subversion

• Advisor Prof. Amy Apon
• Linh Ngo

2
Overview

• Introduction
• Background
• Tools and Methods
• Design
• Issues Encountered
• Accomplishments
• Limitation
• Future Work

3
Introduction

• Motivation
• Cross-institutions collaborations
• Resource-sharing system
• Issues
• Account management
• Access control

4
Introduction

• Goals
• Shared repository with trusted open access
• Simple authentication
• Fine-grained access control
• Guaranteed security, authenticity, and privacy
• Platform independent

5
Background

• Authentication/Authorization System
• Shibboleth
• eduPerson Scheme
• Repository System
• Subversion System
• Subversion Interfaces

6
Shibboleth Architecture
7
eduPerson Scheme

• LDAP class
• Common ground in personal attribute definition

8
Subversion

• Version control system
• Features
• Directory and file versioning
• Atomic commit
• Versioned metadata
• Choice of network layers

9
Subversion Interfaces

• webDAV
• TortoiseSVN
• RapidSVN
• JSVN

10
Tools and Methods

• Repository installation
• Authentication mechanism
• Authorization mechanism

11
Repository Installation

• Prerequisites
• Apache Portable Runtime 0.9.5
• Neon library 0.24.7
• Apache Server 2.0
• Subversion 1.2
• Local installation

12
Authentication

• Shibboleth
• Certificate
• Service Provider
• WAYF
• Identity Provider

13
Authentication

• Certificate
• University of Wisconsins test certificate
  (Bossie)
• Service Provider
• subversion.csce.uark.edu

14
Authentication

• WAYF
• Local WAYF previously created for WebMPI
• InQueues WAYF
• Identity Provider
• chatter.uark.edu
• Test LDAP server

15
Authorization

• Difficulties
• Technical difficulties
• Account management
• Resource management
• Non-technical difficulties
• Different time frame
• Different schedule and workload
• Different internal politics

16
Authorization

• Who are you
• What are you allowed to do

17
Authorization

• User-active method
• Authorization by Identity Provider
• Advantages
• No access control needed
• Convenient for user management
• Disadvantages
• insecure

18
Authorization

• Resource-active
• Traditional access-control method
• Advantages
• Secured
• Disadvantages
• Scalability
• Administrative burden for Service Provider
• Leak of privacy

19
Authorization

• Fair-share

20
Authorization

• Advantages
• Secure
• Equal administrative responsibilities
• Disadvantages
• High infrastructure requirements

21
Authorization

• EduPerson Attributes
• eduPersonPrimaryAffiliation
• eduPersonScopeAffiliation
• eduPersonEntitlement
• eduPersonTargetedId

22
Design
23
Browser

• Browser Interface
• Perl CGI and HTML
• Protected by Shibboleth
• Subversion functionalities
• Checkout
• Add
• Update
• Status
• Commit

24
Local Script
25
Access Control

• Attributes matching
• Match Identity Providers user attributes and
  Subversion repositorys properties
• One attribute for both read and write access

26
Script Example
27
(No Transcript)
28
(No Transcript)
29
(No Transcript)
30
(No Transcript)
31
(No Transcript)
32
Issues Encountered

• Technical difficulties
• Administrative difficulties

33
Accomplishments

• Shared repository with trusted open access
• Secured authentication/authorization
• Fine-grained access control
• Platform-independent

34
Limitation

• Scalability
• Repository Administration
• Technical Difficulties
• Trade-offs
• Convenient for data size

35
Future Work

• Fixing the limitation
• Improving the current design