BADC, BODC, CCLRC, PML and SOC. NDG Security: Distributed Governance, Distributed Access Control, Distributed Data. Bryan Lawrence (on behalf of a big team)

Presentation transcript:

BADC, BODC, CCLRC, PML and SOC. NDG Security: Distributed Governance, Distributed Access Control, Distributed Data. Bryan Lawrence (on behalf of a big team)

GO-ESSP June 2006. British Atmospheric Data Centre; British Oceanographic Data Centre; NCAR. Complexity + Volume + Remote Access = Grid Challenge.

GO-ESSP June 2006: NDG Assumptions
1. No one would change their data storage systems!
2. Need to support a wide range of “metadata maturity”!
3. No NDG-wide user management system possible.
   It is illegal to share user information without each and every user agreeing … which implies no way of having one virtual organisation with common user management!
   With a large enough group it is impossible to agree on common roles that could be associated with access control.
   … but we want single sign-on … and trust relationships between data providers …

GO-ESSP June 2006: Authentication and Authorisation
Clean separation between the concepts:
Authentication – Identity: who you are
 – Users are identified between data providers and services by means of Proxy Certificates
 – Proxy Certificates are issued by MyProxy services
 – Users are identified between sessions at the same browser by means of a cookie which points to the location of a proxy certificate
Authorisation
 – For a user: what you can do, e.g. what data they can access
 – For a data provider: how you determine what a user can and can’t do
 – NDG Attribute Certificates determine access
 – Attribute Certificates are issued by Attribute Authorities

GO-ESSP June 2006: Controlling Access to Data
NDG Attribute Certificate
 – Issued to a user by an ATTRIBUTE AUTHORITY
 – Contains roles – these determine what the user is authorised to do
   An attribute authority determines, on behalf of a data provider, what roles a user has, from the list of roles known to that data provider. E.g. badc has the coapec role which allows access to the coapec data set; if a badc user has a badc-issued Attribute Certificate containing coapec then badc will grant access.
 – XML based
 – Issued by the Attribute Authorities on receipt of a valid user Proxy Certificate
 – Digitally signed by the Attribute Authority issuer
 – Contains the user’s identity expressed as a Distinguished Name, as derived from the user’s Proxy Certificate
 – Has a time-bound validity

GO-ESSP June 2006: Key Concepts thus far
All data providers deploy, or have access to, a MyProxy database capable of delivering proxy certificates on request.
All data providers deploy, or have access to, a Session Manager instance.
 – No requirement for the MyProxy to be visible outside a firewall; access can be mediated by a Session Manager.
All data providers secure resources by coupling resources to roles.
 – There is no assumption that data providers share the same role names or role definitions.
All data providers deploy, or have access to, Attribute Authorities that grant NDG Attribute Certificates to users based on their “rights”.

GO-ESSP June 2006: Example MapConfig (figure)
Entries: badcAttAuthorityURI, badcLoginPageURI, bodcAttAuthorityURI, bodcLoginPageURI, eScienceAttAuthorityURI
Labels: TRUST; HANDLES AUTHORISATION; HANDLES AUTHENTICATION; LIST OF REMOTE ADDRESSES FOR GETTING AUTHORISATION CREDENTIALS; AUTHORISATION
Trust between data providers is established by making BILATERAL agreements on role mapping!
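As an added illustration of the last three slides (this is not NDG Security code, and it does not use NDG's XML certificate format), the Python below sketches an Attribute Authority issuing a time-bound, signed certificate bound to the holder's Distinguished Name and to roles that provider knows; a resource gate that only accepts certificates from its own AA or from AAs listed in its MapConfig; and the bilateral role mapping that turns a trusted remote provider's role into a local one. The class names, keys, DNs and the role names other than coapec are constructed for the example, and the HMAC stands in for the XML Signature a real certificate carries.

```python
import hashlib
import hmac
import json
import time

# Constructed illustration of NDG-style attribute certificates and MapConfig
# trust; not the NDG Security library. A certificate is a dict and its
# "signature" is an HMAC over canonical JSON so the example runs with the
# standard library only (a real verifier would hold only the issuer's public key).


class AttributeAuthority:
    """Issues time-bound attribute certificates on behalf of one data provider."""

    def __init__(self, name, signing_key, known_roles, user_roles):
        self.name = name                     # issuer id, e.g. "badc"
        self._key = signing_key              # stand-in for the AA's signing key
        self.known_roles = set(known_roles)  # roles this data provider understands
        self._user_roles = user_roles        # DN -> roles: the provider's "rights" database

    def issue(self, proxy_cert, lifetime_s=3600, now=None):
        """Signed certificate for the holder of a valid proxy certificate, else None."""
        now = time.time() if now is None else now
        if proxy_cert["not_after"] <= now:
            return None
        roles = sorted(self._user_roles.get(proxy_cert["dn"], set()) & self.known_roles)
        body = {"issuer": self.name, "holder": proxy_cert["dn"], "roles": roles,
                "not_before": now, "not_after": now + lifetime_s}
        return {"body": body, "sig": self._sign(body)}

    def _sign(self, body):
        canonical = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def verify(self, cert, now=None):
        """Issuer name, signature and validity window must all check out."""
        now = time.time() if now is None else now
        body = cert["body"]
        if body["issuer"] != self.name:
            return False
        if not hmac.compare_digest(self._sign(body), cert["sig"]):
            return False
        return body["not_before"] <= now < body["not_after"]


class ResourceGate:
    """Couples a resource to a local role. Remote certificates count only if the
    issuing AA is in map_config, and their roles go through the bilateral map."""

    def __init__(self, local_aa, map_config):
        self.local_aa = local_aa
        # map_config: {remote AA name: (remote AA object, {remote role: local role})}
        self.map_config = map_config
        self.trusted = {local_aa.name: local_aa}
        self.trusted.update({name: aa for name, (aa, _) in map_config.items()})

    def local_roles(self, cert, now=None):
        issuer = cert["body"]["issuer"]
        aa = self.trusted.get(issuer)
        if aa is None or not aa.verify(cert, now):
            return set()                     # unknown issuer, bad signature or expired
        roles = set(cert["body"]["roles"])
        if issuer == self.local_aa.name:
            return roles
        mapping = self.map_config[issuer][1]
        return {mapping[r] for r in roles if r in mapping}

    def check(self, cert, required_role, now=None):
        granted = required_role in self.local_roles(cert, now)
        return "AccessGranted" if granted else "AccessDenied"


def demo(now=1_000_000.0):
    """Exercise the gate with constructed DNs, keys and role names."""
    badc = AttributeAuthority("badc", b"badc-key", {"coapec", "ecmwf"},
                              {"/O=NDG/CN=alice": {"coapec"}})
    bodc = AttributeAuthority("bodc", b"bodc-key", {"bodcOceanUser"},
                              {"/O=NDG/CN=bob": {"bodcOceanUser"}})
    escience = AttributeAuthority("escience", b"esc-key", {"coapec"},
                                  {"/O=NDG/CN=carol": {"coapec"}})
    # badc's MapConfig trusts bodc and maps bodcOceanUser onto coapec;
    # escience is not listed, so its certificates carry no weight here.
    gate = ResourceGate(badc, {"bodc": (bodc, {"bodcOceanUser": "coapec"})})

    def proxy(dn):
        return {"dn": dn, "not_after": now + 600}

    bob_ac = bodc.issue(proxy("/O=NDG/CN=bob"), now=now)
    tampered = {"body": dict(bob_ac["body"], roles=["bodcOceanUser", "admin"]),
                "sig": bob_ac["sig"]}       # body edited after signing
    return {
        "alice_local": gate.check(badc.issue(proxy("/O=NDG/CN=alice"), now=now), "coapec", now),
        "bob_mapped": gate.check(bob_ac, "coapec", now),
        "bob_expired": gate.check(bob_ac, "coapec", now + 7200),
        "carol_untrusted": gate.check(escience.issue(proxy("/O=NDG/CN=carol"), now=now), "coapec", now),
        "tampered": gate.check(tampered, "coapec", now),
        "expired_proxy": bodc.issue({"dn": "/O=NDG/CN=bob", "not_after": now - 1}, now=now),
    }
```

Running demo() shows the points the slides make: the local certificate is honoured directly, bodc's role is honoured only because the MapConfig maps it, an AA outside the MapConfig is ignored even when its role name happens to match, and a certificate fails once it expires or its body no longer matches the signature.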

GO-ESSP June 2006: Browser User Authentication
Authenticate when trying to access a secured resource (which has role, AAwsdl).
1. Poll AAwsdl for the trusted host list (including self)
2. Choose a login
   1. Application should redirect to a loginURL
   2. Login …
      1. Login Service establishes an NDG Session Manager and populates it with a proxy certificate
      2. LoginURL sets a cookie and redirects back to the originator with cookie details in the URL (if not local) (all redirections done with https)
3. Originator sets a cookie with session manager details
4. Originator establishes a local session manager session that knows about the remote session manager via the cookie contents

GO-ESSP June 2006: User Authorisation (figure)
Components: Client Application, calling the smClient (installable library) | FIREWALL | SessionManager WS, holding a UserSession with a CredWallet | AA
Messages: sessionID and smWSDL; reqRole, AAwsdl; ProxyCert, reqAttCert; AttCert
The returned Proxy Cert. is kept in the CredWallet of the user’s UserSession instance.
Client application calls exploit the reqAuthorisation method. The local smClient talks to the local SessionManager, which may or may not talk to remote SessionManagers. The Credential Wallet is populated with attribute certificates as needed.
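To make the flow in the figure concrete, here is an added Python sketch (not NDG code) of the client library, Session Manager and Credential Wallet: the application calls check((role, AAwsdl)), the Session Manager looks in the user's wallet for a usable certificate from that AA and contacts the AA only when none is cached, expired certificates are dropped and re-requested, and nothing is issued once the user's proxy certificate has expired. The AA is modelled as a plain callable, certificates are unsigned dicts, and the AA URI, DN and role names are constructed.

```python
import time

# Constructed illustration of the authorisation flow on the slide; not NDG
# code. An AA is a callable (proxy_cert, now) -> certificate dict or None.


class CredWallet:
    """Per-user cache of attribute certificates, keyed by the issuing AA."""

    def __init__(self):
        self._certs = {}

    def get(self, aa_uri, now):
        cert = self._certs.get(aa_uri)
        if cert is not None and cert["not_after"] <= now:
            del self._certs[aa_uri]          # expired: discard so it is re-requested
            cert = None
        return cert

    def put(self, aa_uri, cert):
        self._certs[aa_uri] = cert


class UserSession:
    def __init__(self, proxy_cert):
        self.proxy_cert = proxy_cert         # {"dn": ..., "not_after": ...}
        self.wallet = CredWallet()


class SessionManager:
    """Holds user sessions and fetches attribute certificates on their behalf."""

    def __init__(self, attribute_authorities):
        self._aas = attribute_authorities    # AA URI -> issuing callable
        self._sessions = {}
        self.aa_calls = 0                    # round trips to AAs, to show caching

    def connect(self, proxy_cert):
        session_id = f"sess-{len(self._sessions) + 1}"
        self._sessions[session_id] = UserSession(proxy_cert)
        return session_id

    def req_authorisation(self, session_id, role, aa_uri, now=None):
        now = time.time() if now is None else now
        session = self._sessions[session_id]
        if session.proxy_cert["not_after"] <= now:
            return "AccessDenied"            # proxy expired: re-authenticate first
        cert = session.wallet.get(aa_uri, now)
        if cert is None:
            issue = self._aas.get(aa_uri)
            if issue is None:
                return "AccessDenied"        # AA not known to this Session Manager
            self.aa_calls += 1
            cert = issue(session.proxy_cert, now)
            if cert is None:
                return "AccessDenied"        # AA would not issue for this user
            session.wallet.put(aa_uri, cert)
        return "AccessGranted" if role in cert["roles"] else "AccessDenied"


class SmClient:
    """The installable client library: the application only ever calls check()."""

    def __init__(self, session_manager, session_id):
        self._sm = session_manager
        self._sid = session_id

    def check(self, role_and_aa, now=None):
        role, aa_uri = role_and_aa
        return self._sm.req_authorisation(self._sid, role, aa_uri, now)


def make_aa(issuer, user_roles, lifetime_s=3600):
    """Build a toy AA callable from a DN -> roles table."""
    def issue(proxy_cert, now):
        roles = user_roles.get(proxy_cert["dn"])
        if roles is None:
            return None
        return {"issuer": issuer, "holder": proxy_cert["dn"], "roles": sorted(roles),
                "not_before": now, "not_after": now + lifetime_s}
    return issue


def demo(now=1_000_000.0):
    aa_uri = "https://badc.example/AttributeAuthority.wsdl"         # constructed
    sm = SessionManager({aa_uri: make_aa("badc", {"/O=NDG/CN=alice": {"coapec"}})})
    sid = sm.connect({"dn": "/O=NDG/CN=alice", "not_after": now + 10_000})
    client = SmClient(sm, sid)
    out = {}
    out["coapec"] = client.check(("coapec", aa_uri), now)             # AA called once
    out["ecmwf"] = client.check(("ecmwf", aa_uri), now)               # cached cert, role absent
    out["calls_after_two"] = sm.aa_calls
    out["unknown_aa"] = client.check(("coapec", "https://other.example/aa.wsdl"), now)
    out["after_cert_expiry"] = client.check(("coapec", aa_uri), now + 4000)   # re-fetched
    out["calls_after_refetch"] = sm.aa_calls
    out["after_proxy_expiry"] = client.check(("coapec", aa_uri), now + 20_000)
    return out
```

The aa_calls counter is what shows the wallet doing its job: two checks against the same AA cost one round trip, and the trip is repeated only after the cached certificate has expired.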

GO-ESSP June 2006: How to Deploy a System
What’s needed to represent ID?
 – [User database of some sort]
 – [PKI / Proxy Certificates]
 – [MyProxy Server]
 – [Session Manager]
What’s needed to grant access rights to a user?
 – [Attribute Authority]
 – [Session Manager]
 – Some “database” binding resources to roles and AA
[Indicate that a minimally configured data provider can use remote resources to provide these services]

GO-ESSP June 2006: Python Browser Application

class YourClass:
    '''Dummy class encapsulating key NDG security concepts from a browser
    application developer's perspective.'''

    def __init__(self, stuff):
        self.requestURL = stuff.get('requestURL')  # URL of this request, so a redirect can come back
        self.cookie = stuff.get('cookie')          # set cookie (the NDG cookie, if one was sent)
        self.config = stuff.get('config', {})      # read from config file, includes local smWSDL
        self.makeGateway()

    def makeGateway(self, cookie=None):
        '''Make connection to NDG security and load what is necessary for an
        NDG cookie to be written:
         - the requestURL so that a redirect can come back, and to pass
           any URL components which have come back from one...
         - your local smWSDL address, and your cookie...'''
        if cookie is not None:
            self.cookie = cookie
        # securityGateway is supplied by the NDG security library; it is not defined here
        self.ndgGate = securityGateway(self.requestURL, self.cookie, self.config)

    def goforit(self, constraints=None):
        '''Your actions... trying to access a URI for which you may have
        constraints. constraints is a (role, AAwsdl) pair, or None if the
        resource is unconstrained.'''
        if constraints is None:
            return 1                                # nothing to check
        role, AAwsdl = constraints
        result = self.ndgGate.check((role, AAwsdl))
        if result == 'AccessGranted':
            access = 1
        else:
            access = 0
        return access

GO-ESSP June 2006: NDG Security Current Status
NDG started Phase 2 in 2006, with the Alpha Stage milestone this week:
 – Target: secure data resource with NDG security
 – Done (both for A and B metadata)
 – Engineered NDG security into BBFTP …
Working prototype implemented in Python:
 – Deployed at partner sites: British Oceanographic Data Centre, National Oceanography Centre Southampton, Plymouth Marine Lab and Centre for Ecology and Hydrology
 – Supports single sign-on
 – Uses XML Signature and XML Encryption, but not WS-Security compliant (yet)
 – Uses WSDL
 – Open Source

GO-ESSP June 2006: Security Next Steps
WS interfaces need to be adapted to be compliant with WS-Security
 – Produce Java implementation for DEWS
 – Adapt ZSI Python WS libraries
 – Possibly use LBL libraries – pyGridWare
Latest status info: NDG Project Management Trac site (

GO-ESSP June 2006: DEWS – Delivering Environmental Web Services
Department of Trade and Industry funding …
 – Health stream (new WFS)
 – Marine stream (new WCS based on GADS)
 – NDG Security
 – Prototype for commercial activity

Current Status

GO-ESSP June 2006: Architecture: NDG Metadata Taxonomy
… not one schema, not one solution!
CSML; NcML + CF; MOLES; THREDDS (… NMM, SensorML etc); DIF -> ISO 19115; CLADDIER

GO-ESSP June 2006: Architecture: Deployment (figure, built up over four slides)
Components: Data Providers; NDG Core Services; Users; NDG GUI Interface(s); Vocab Services

GO-ESSP June 2006: MOLES: implementation
Core linking concept is the Deployment: a Deployment, on behalf of an Activity, of a Data Production Tool at an Observation Station that produces a Data Entity.
Main metadata objects: Activity; Data Production Tool; Observation Station; Data Entity.
Each of the main metadata objects has security data attached to it. This means that security can be applied to queries on the metadata.
Links the metadata records into a structure that can be turned into a navigable structure.

GO-ESSP June 2006: NDG “Pseudo-Demo” – EXPLOITING DISCOVERY WEB SERVICE (running interface on my laptop last night)

GO-ESSP June 2006: More Browse – Scrolling Down

GO-ESSP June 2006: MOLES Navigation – Actually, this is where we plan to use NMM

GO-ESSP June 2006 MOLES to Secure Dx

GO-ESSP June 2006: NDG Authentication – Offering up trusted host list …

GO-ESSP June 2006 Data Extractor

GO-ESSP June 2006 Geosplat

GO-ESSP June 2006: NDG Timeline
NDG2 runs until September 2007:
NDG-Alpha (June 2006)
 – Not all components in place (particularly the delivery broker)
 – Not many (maybe only DX) products will be deployable by non-NDG participants (too much hard work installing things that haven’t been optimised for installation)
 – Discovery portal will be (is now) usable, linking to NCAR data etc, but isn’t very user friendly (options not obvious etc.)
NDG-Beta (Feb 2007)
 – Most components should work, but deployment of software may still be difficult for non-participants
NDG-Prod (Jun 2007)
 – Should be deployable and far more user friendly (spending Feb–June working on deployment and friendliness, no new functionality)
Last few months working on sustainability etc.