e-Infrastructure Directory Service: GOCDB
Tiziana Ferrari/EGI.eu on behalf of David Meredith/STFC
European Grid Initiative (www.egi.eu)

Presentation transcript:

European Grid Initiative
e-Infrastructure Directory Service: GOCDB
Tiziana Ferrari/EGI.eu on behalf of David Meredith/STFC
Wiki: EGI Production Instance: Src: Info Doc:

Infrastructure Service Directory
List infrastructure services, including technical and contact details, offered by a site (human + machine accessible)
- Domain Objects: a subset of GLUE2: Projects, Admin-Domains (NGIs), Sites, Services, Service-Groups, Endpoints, Downtimes, Users, Roles
- Interfaces: Web Portal (view/input/edit) + REST style API to query in XML
- Tagging: resource owners tag their objects with >1 'scope-tags' to provide:
  - Fine-grained resource grouping / filtering (e.g. declare multiple project affiliations)
  - No resource duplication across 'n' projects (DRY – essential for data integrity)
- Auth abstractions to support multiple AAI (x509, SAML2, ..)

What in general can GOCDB support?
- Register domain objects for e-infrastructures: Admin-domains, groups, sites, services, service-groups, endpoints, downtimes, users, roles
- Enforces business rules for object management
- Role based permission model
- Resource tagging for fine-grained resource filtering/selection
- Groups manage their own users and resources
  - Add/edit/delete resource objects
  - Grant/revoke roles over objects
- Extensible: add custom key-value pairs to domain objects
- Auth abstractions to support multiple AAI (x509, SAML2, ..)

Comprehensive Role/Permission Model
Users own Roles over objects that grant permissions:
[Diagram labels: Sites, Groups, Projects]

Categorise Resources by Scope Tags
1. Resource owners tag their sites/services/groups
   - Available tags are defined by GOCDB admins to avoid tag proliferation
2. Defines core categories/groupings with no duplication
3. Essential to maintain integrity of information across different infrastructures, sub-groups, projects…
Filter using 'scope' and 'scope_match' (Portal + API)
[Diagram labels: Service A, Service B, Scope Tags]

Extensibility Mechanism
- Extension Properties: define custom 'Key=Values' on objects
- Fine grained filtering of objects by property name + value
  - Also supported in API using AND|OR|NOT expression
- Allows content to be organised into custom categories
- Good for rapid prototyping and building folksonomies
- e.g. filter Sites by VAT extension

Deployment Scenarios
1. Standalone instance per project / infrastructure
   - Pro: Full control, easy to customise
   - Con: May need to duplicate GOCDB entries across infrastructures (consider a single site that contributes to multiple projects)
2. Single shared instance that hosts multiple projects/infrastructures under different scopes
   - Pro: Easy/cheap, single resource tagged for multiple infrastructures/projects
   - Con: More difficult to customise
Optional: Separate/standalone failover instance
   - Securely downloads dump of DB every hour.

Useful Links
Wiki: EGI Production Instance: Src: Info Doc: _System.pdf
Technical
- Strongly constrained relational model using Doctrine object-relational mapping
- AAI abstractions inspired by SpringSecurity3 API (AuthProvider, AuthToken, AuthManager, SecurityContextServer, UserDetailsService)

For more information...

Core Domain model closely follows a sub-set of GLUE 2

Images: EGI, EUDAT

Role / Permissions Model
a) User owns b) Roles that link c) OwnedObjects to d) RoleTypes
a) User: Principal: /x509/DN/str
b) Role: REQUESTED, GRANTED; Permissions: EDIT, DELETE, GRANT_ROLE, REVOKE_ROLE
c) OwnedObject > Project, NGI, Site, Service, SG, …
d) RoleType: SiteAdmin, SecurityOfficer, …
Can add new: RoleStatus values, RoleTypes, Owned Objects
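The role model on this slide, as an added Python example (not GOCDB's own code, which is not shown on the page): only GRANTED roles confer permissions, and approving a request needs GRANT_ROLE over the same object. The RoleType-to-permission mapping, the RoleStore class and the sample DNs are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Assumed RoleType -> permission mapping (constructed; the slides do not give one).
ROLE_TYPE_PERMS = {
    "SiteAdmin": {"EDIT"},
    "SecurityOfficer": {"EDIT", "DELETE", "GRANT_ROLE", "REVOKE_ROLE"},
}

@dataclass
class Role:
    user: str            # principal, e.g. an x509 DN string
    owned_object: str    # the Project/NGI/Site/Service/SG the role is over
    role_type: str
    status: str = "REQUESTED"

class RoleStore:
    def __init__(self):
        self.roles = []

    def request(self, user, owned_object, role_type):
        if role_type not in ROLE_TYPE_PERMS:
            raise ValueError(f"unknown role type: {role_type!r}")
        role = Role(user, owned_object, role_type)
        self.roles.append(role)
        return role

    def permissions(self, user, owned_object):
        """Permissions come only from the user's GRANTED roles over this exact object."""
        perms = set()
        for r in self.roles:
            if (r.user, r.owned_object, r.status) == (user, owned_object, "GRANTED"):
                perms |= ROLE_TYPE_PERMS[r.role_type]
        return perms

    def grant(self, approver, role):
        """Approve a request; the approver needs GRANT_ROLE over the same object."""
        if "GRANT_ROLE" not in self.permissions(approver, role.owned_object):
            raise PermissionError(f"{approver} cannot grant roles over {role.owned_object}")
        role.status = "GRANTED"

    def revoke(self, approver, role):
        if "REVOKE_ROLE" not in self.permissions(approver, role.owned_object):
            raise PermissionError(f"{approver} cannot revoke roles over {role.owned_object}")
        self.roles.remove(role)

def seeded_store():
    """Constructed fixture: one security officer already GRANTED over SITE-A."""
    store = RoleStore()
    store.request("/C=XX/O=Example/CN=officer", "SITE-A", "SecurityOfficer").status = "GRANTED"
    return store
```

A requester cannot approve their own pending role, and a role over SITE-A gives nothing over SITE-B.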

PI methods

Extensibility Mechanism in PI
- Selected PI methods support 'extensions' URL parameter (get_site, get_service, get_downtime, get_service_group)
- Defines a (key=value) expression
  - (K=V) pairs prefixed with AND, OR, NOT
  - E.g.
    &extensions=(VO=) (blank for wildcard value)
    &extensions=(VO=foo)AND(VO=bar)OR(V02=baz)
    &extensions=(VO=foo)AND(VO=bar)OR(V02=baz)NOT(V03=)
- Pattern matching on values only, no notion of greater or less than, e.g. can't do (SampleRate>=20)

Extensibility Mechanism in PI
=(P4U_Pilot_VAT=20)AND(P4U_Pilot_Cloud_Wall=)
…body elements hidden…
2 Sites selected with specified extensions
User Guide on GOCDB docs/wiki: CDB/Input_System_User_Documentation#Extension_Properties
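A strict parser and evaluator for the 'extensions' expression described on the two slides above, as an added Python example (not GOCDB's own code). The allowed key/value characters, the left-to-right evaluation order, exact-match comparison and the sample sites are assumptions; the slides define only the (K=V) clauses, the AND/OR/NOT prefixes and the blank wildcard.

```python
import re

# Assumed grammar: optional AND|OR|NOT prefix, then (key=value); blank value = wildcard.
# The key and value character sets are assumptions, not GOCDB's documented rules.
CLAUSE = re.compile(r"(AND|OR|NOT)?\(([A-Za-z0-9_.-]+)=([^()]*)\)")

def parse_extensions(expr):
    """Split an 'extensions' value into (op, key, value) clauses, rejecting anything else."""
    clauses, pos = [], 0
    while pos < len(expr):
        m = CLAUSE.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported syntax at offset {pos}: {expr[pos:pos + 20]!r}")
        op, key, value = m.groups()
        clauses.append((op or "AND", key, value))  # a bare first clause is treated as AND
        pos = m.end()
    if not clauses:
        raise ValueError("empty extensions expression")
    return clauses

def matches(props, clauses):
    """Evaluate clauses left to right (assumed; the slides give no precedence rules)."""
    result = True
    for i, (op, key, value) in enumerate(clauses):
        hit = key in props and (value == "" or value in props[key])
        if op == "NOT":
            result = result and not hit
        elif op == "OR" and i > 0:
            result = result or hit
        else:
            result = result and hit
    return result

# Constructed sample data: site name -> {extension key: set of values}.
SITES = {
    "SITE-A": {"P4U_Pilot_VAT": {"20"}, "P4U_Pilot_Cloud_Wall": {"100"}},
    "SITE-B": {"P4U_Pilot_VAT": {"20"}, "P4U_Pilot_Cloud_Wall": {"250"}},
    "SITE-C": {"P4U_Pilot_VAT": {"20"}},
    "SITE-D": {"P4U_Pilot_VAT": {"17.5"}, "P4U_Pilot_Cloud_Wall": {"100"}},
}

def select_sites(expr, sites=SITES):
    clauses = parse_extensions(expr)
    return sorted(name for name, props in sites.items() if matches(props, clauses))
```

Because the parser returns structured clauses or raises, a server-side query builder can bind keys and values as parameters instead of concatenating the raw URL value.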

Authentication Abstractions
The authentication logic is abstracted into its own module in GOCDB:
1. Isolates the bulk of the GOCDB code from authentication-mechanism changes
2. Allows extension: plug-in support for different authentication mechanisms using new AuthProvider and AuthToken (still requires work to implement a new AuthProvider for chosen auth-scheme!)
X509 and SAML2 integrated into EGI instance
Inspired by core interfaces and classes copied from Spring Security 3 framework.

Key Authentication Abstractions
GOCDB calls out to SecurityContextService (is user authenticated?)
1. Manages >1 AuthProviders
X509AuthProvider, UserPasswordAuthProvider, SAML2
3. GOCDBUserDetailsService
4. X509AuthToken, SamlAuthToken
Queries user store
Creates auth token (added to session to prevent re-authentication across page requests)
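The provider chain described on the two authentication slides, as an added Python example (GOCDB itself is not written in Python and this is not its code). The class names follow the slides; the method names, the dict-backed user store, rejecting unknown principals and the principal check on the cached token are assumptions.

```python
class AuthToken:
    def __init__(self, principal):
        # Assumption: the principal was already verified upstream (e.g. TLS client auth).
        self.principal, self.authenticated, self.details = principal, False, None

class X509AuthToken(AuthToken): pass
class SamlAuthToken(AuthToken): pass

class UserDetailsService:
    """Queries the user store; here a constructed dict keyed by principal string."""
    def __init__(self, users):
        self.users = users
    def load_user(self, principal):
        return self.users.get(principal)

class AuthProvider:
    token_type = AuthToken
    def __init__(self, user_details):
        self.user_details = user_details
    def supports(self, token):
        return type(token) is self.token_type   # exact type, so no subclass slips through
    def authenticate(self, token):
        details = self.user_details.load_user(token.principal)
        if details is None:
            raise PermissionError("principal not found in user store")
        token.authenticated, token.details = True, details
        return token

class X509AuthProvider(AuthProvider):
    token_type = X509AuthToken

class AuthManager:
    """Manages more than one provider; fails closed if none supports the token type."""
    def __init__(self, providers):
        self.providers = list(providers)
    def authenticate(self, token):
        for provider in self.providers:
            if provider.supports(token):
                return provider.authenticate(token)
        raise PermissionError(f"no AuthProvider for {type(token).__name__}")

class SecurityContextService:
    def __init__(self, manager):
        self.manager = manager
    def get_authentication(self, session, presented):
        cached = session.get("auth_token")
        # Reuse the session token only if it belongs to the credential now presented.
        if cached and cached.authenticated and cached.principal == presented.principal:
            return cached
        session["auth_token"] = self.manager.authenticate(presented)
        return session["auth_token"]
```

Adding a new scheme means adding one AuthToken subclass and one AuthProvider subclass and registering the provider with the AuthManager; the rest of the code only sees SecurityContextService.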