WebDAV and MFA

[peer35]

Hi all,

I'm hoping you can help us with a thorny issue that came up at the VU:
In discussions with our security officers a major issue was MFA. Unfortunately SRAM will only partly solve this issue, the lack of MFA on all interfaces (meaning WebDAV and iRODS) is also seen as a blocking issue to use Yoda for sensitive data. The use of Data Access Passwords is not seen as a sufficient mitigating measure by our ISOs.

As far as I know work has been done to be able to use an OAuth/OIDC/SAML login on the iRODS CLI (https://github.com/irods-contrib/irods_working_group_authentication), that could potentially provide a solution.

That still leaves WebDAV. Their are of course no easy solutions for this, since the protocol simply doesn't support it. Possible workarounds I can think of:

• Putting the entire Yoda instance behind a VPN. Authentication on the VPN should then have MFA (via SRAM?).
• Putting WebDAV behind a web proxy so the users have to log in on the proxy via SRAM first.
• Creating a dedicated Yoda WebDAV client which sends the user to a browser to authenticate.
• Switch to another protocol for file transfers...?

None of these solutions are simple or elegant.

Any other ideas? Maybe the UU has considered other protocols in the past?

• Another question for the other consortium members is:
  Do the security officers of other consortium members also see Data Access Passwords as an insufficient mitigation for the lack of MFA on WebDAV? If it's just us, it would be more fruitful to convince ours ISOs to accept the measures we take together as a consortium, even if they don't entirely agree.

[Danny-dK]

It's not just you. At least at WUR it is not the ideal solution, but they also see that webdav is impossible to add mfa to. They have pointed to possibilities of the usage of VPN as well. Having said that, I know that the Yoda devs have been working on this for a long time now (and maybe even looking at other protocol if memory serves me right) also due to security demands at UU.

[lwesterhof]

Any other ideas? Maybe the UU has considered other protocols in the past?

We are considering S3 as replacement for webDAV. iRODS is working on a S3 client API.

We have considered putting WebDAV behind a VPN so the users have to log in on the VPN first. But this does not work for users outside our institution, but could work when used in combination with SRAM.

[Danny-dK]

Now that SRAM is upon us, would it be easy to make SRAM 2fa for webdav connections available, or would this still be rather complicated (if complicated, probably better to wait for S3).

[ll4strw]

Hello all,
via OpenOnDemand it is possible to provide irods users with a modern, OS-independent, MFA-protected, web alternative to webdav. In some of our institutes, OpenOnDemand is used as a gateway to several services (not only HPC). Its files app supports all protocols known to rclone, including webdav (davrods). This means that while your not-MFA-protected davrods instance will only be exposed to OpenOnDemand, your users will still benefit from a nice, user-friendly, OS-independent, and MFA-protected iRODS files browser.
Besides, the iRODS consortium will soon be working on a rclone-backend to iRODS (see https://irods.org/2024/01/irods-internship-summer-2024/) which could practically replace davrods.

[Danny-dK]

@ll4strw I'm completely unfamiliar with all of this (consider me a n00b), so will probably sound dumb.

with a modern, OS-independent, MFA-protected, web alternative

There already is a web - based browser of files in Yoda? The Yoda webportal allows browsing of files, download, and upload them, and is MFA protected. So what is then the extra use of that over the existing webportal?

Rclone (as far as I quickly looked) seems to be a "command-line utility for managing files in cloud storage. Rclone allows users to copy or sync files from local storage to a cloud storage provider like Google Drive, Dropbox, OneDrive, etc (or vice versa)." How would that be different from GoCommands or iCommands also CLI's to transfer data to and from Yoda, and how does that replace davrods when most researchers want an easy interface in their current file explorer to connect to Yoda (or at most use a simple other client like CyberDuck, WinSCP, Kadaver, etc)? Is it the case that on server side Rclone is used and the user just connects to Yoda in their preferred file explorer without having to worry about Rclone?

As far as I know, S3 compatibility is being developed which I was told would have better capabilities in MFA and still has some easier use cases for researchers?

[ll4strw]

Sorry, I was not clear in my comment.
OOD could be used as a web proxy/gateway to all irods entrances. By using an MFA-protected OOD portal, a researcher could safely

• access icommands (technically also any other client) without installing any client software
• automatically access yoda via the same SSO should they want to
• access any irods files without having to use yoda, for those who do not like it
• upload files/directories using drag and drop (like in webdav) without installing any webdav client

The main advantages in this approach are MFA in front of all accesses to irods and the fact that users will not need to install any software on their side. The disadvantages are mainly related to the installation and maintenance of the OOD portal.
Clearly, the best approach is always dependent on what users want and need. This is just a suggestion based on the experience accrued here.

PS: it is now possible also to authenticate icommands users with MFA using irods pam_interactive auth plugin.

[Danny-dK]

@lwesterhof
#201 (comment)

We have considered putting WebDAV behind a VPN so the users have to log in on the VPN first. But this does not work for users outside our institution, but could work when used in combination with SRAM.

Is that still up for consideration? Or would by the time work on this was done, S3 already be available?

[lwesterhof]

This is still a possibility, but this is a organizational choice. In the case of SURF I do not know if they have a VPN service?

[Danny-dK]

@ccacciari Does SURF have this? Not that we want to enable it already, just enquiring.

[ccacciari]

SURF has not a VPN as a service. It has projects with VPN enabled, but it is work done case by case.

[Danny-dK]

That's a shame. @lwesterhof I'm assuming that it is probably not possible (or ill-advised) for each institute using Yoda from SURF to put it behind their own VPN service themselves (guess not as this also presents difficulties for external users)? If not, I opt to close the discussion and we'll happily wait until S3.