A Flexible Component based Access Control Architecture for OPeNDAP Services Philip Kershaw STFC Rutherford Appleton Laboratory.

Background Themes
Focus on two areas alluded to in the abstract:
- "Without ready means to restrict access to data for such services, data providers and data owners are constrained from making their data more widely available."
- "The range of different security technologies available can make interoperability between services and user client tools a challenge."
Paradox: provision of access control can open access?!
- Illustrated by the BADC and OPeNDAP
- But in the wider context of changing attitudes: data.gov.uk
Vision of seamless access can seem remote:
- Services too complicated, get in the way or simply broken
Philip Kershaw, EGU 2010

Inception
Seeds planted with discussion started at this conference last year
OPeNDAP implementations have existing support to follow HTTP redirects*
A pre-existing design pattern:
1. Initiate request
2. Server-side security challenge
3. Redirect to authentication endpoint
4. Redirect authenticated client back to the originally requested URI
NERC DataGrid Security and Python WSGI middleware
- Security filters based on a flexible, pluggable architecture
* TDS: PyDAP:

Alternative Approaches to Authentication
Why use redirects at all?
Everything over HTTPS:
- but then TLS overhead is a performance limitation for large dataset transfers,
- and the well-known HTTP address changes to an HTTPS one: user confusion?
HTTP Digest
- Not secure enough: an MD5 challenge-response with no server authentication and no transport protection
What about SOAP?
- An invasive approach which would change the interfaces, breaking existing client tools
- Unsuited to large dataset transfers

Coupled Model Intercomparison Project Phase 5 (CMIP5)
CMIP5 is a framework for co-ordinated climate change experiments
Will input into the IPCC 5th Assessment Report (AR5) scheduled for 2013
Software infrastructure under development:
- 20 modelling centres
- 50 numerical experiments
- 86 simulations (total ensemble members) within experiments
- 6500 years of simulation
Data to be available from "core-nodes" and "modelling-nodes" in a global federation.
Users need to find & download datasets, and discriminate between models, and between simulation characteristics.
Timeline:
- mid-2009: simulations starting
- 2009: model and simulation documentation needed
- end of 2010: data available
- early to mid 2012: scientific analysis, paper submission and review
- early 2013: reports!

Earth System Grid Security: Single sign on
Users have an identity URI: both an identifier for them and the location of an OP (OpenID Provider), a service where they can be authenticated
An OpenID Relying Party (RP) trusts the authentication assertion of a given OP
ESG stipulates SSL so that RPs and OPs can mutually authenticate, and so that RPs can whitelist OPs and trust only those known to the ESG Federation
OpenID is less suited to non-browser based clients
MyProxy provides compatibility with any PKI based authentication, including Grid based applications

Filter Architecture
The OPeNDAP service is protected by an authentication filter
- This redirects unauthenticated requests to an authentication service
- The authentication service authenticates based on the client request:
  - if a client certificate is provided, authenticate with this
  - otherwise default to OpenID based sign in
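The redirect pattern from the Inception slide and the filter architecture above, written out as an added example in Python WSGI (the middleware style the talk refers to). This is not NDG Security or ESG project code; the authentication endpoint path, the session cookie name, the OP whitelist, the in-memory session store and the SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN variables (as mod_ssl exports them for an optional client certificate) are all assumptions made for the demo, and the OpenID round trip to the OP is simulated rather than performed.

```python
# Added example, not NDG Security / ESG code: a WSGI authentication filter in
# front of an OPeNDAP-style app, showing challenge -> redirect -> authenticate
# -> redirect back. Endpoint, cookie name, OP whitelist and SSL_* vars are assumed.
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_PATH = "/login"                    # assumed authentication endpoint
SESSION_COOKIE = "ndg_session"          # assumed session cookie name
TRUSTED_OPS = {"openid.example.org"}    # assumed federation OP whitelist
SESSIONS = {}                           # session id -> principal (demo store)

def session_user(environ):
    """Principal bound to a valid session cookie, or None."""
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(SESSION_COOKIE)
    return SESSIONS.get(morsel.value) if morsel else None

def safe_return_uri(value):
    """Accept only a local absolute path; anything else would be an open redirect."""
    parts = urlsplit(value)
    return value if value.startswith("/") and not (parts.scheme or parts.netloc) else "/"

def op_is_trusted(identity_uri):
    """ESG rule: the OP must be reachable over SSL and be on the whitelist."""
    parts = urlsplit(identity_uri)
    return parts.scheme == "https" and parts.hostname in TRUSTED_OPS

def opendap_app(environ, start_response):
    """Stand-in for the protected OPeNDAP service."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("data for " + environ.get("PATH_INFO", "")).encode()]

def authn_filter(app):
    """Steps 1-3: pass authenticated requests through, redirect the rest."""
    def middleware(environ, start_response):
        if session_user(environ):
            return app(environ, start_response)
        uri = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        if environ.get("QUERY_STRING"):
            uri += "?" + environ["QUERY_STRING"]
        location = AUTH_PATH + "?" + urlencode({"return": uri})
        start_response("302 Found", [("Location", location)])
        return [b""]
    return middleware

def auth_service(environ, start_response):
    """Authenticate from what the client presents, then redirect back (step 4)."""
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    return_uri = safe_return_uri(qs.get("return", ["/"])[0])
    principal = None
    if environ.get("SSL_CLIENT_VERIFY") == "SUCCESS" and environ.get("SSL_CLIENT_S_DN"):
        principal = environ["SSL_CLIENT_S_DN"]       # client certificate wins
    else:
        # Default to OpenID. The OP round trip is simulated here; a real RP
        # redirects the browser to the OP and verifies the signed assertion.
        identity = qs.get("openid_identifier", [""])[0]
        if identity and op_is_trusted(identity):
            principal = identity
    if principal is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"no client certificate and no trusted OpenID provider"]
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = principal
    cookie = f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly"
    start_response("302 Found", [("Location", return_uri), ("Set-Cookie", cookie)])
    return [b""]

def site(environ, start_response):  # AUTH_PATH -> auth service, else the filter
    if environ.get("PATH_INFO") == AUTH_PATH:
        return auth_service(environ, start_response)
    return authn_filter(opendap_app)(environ, start_response)

def call(path, query="", cookie="", ssl_dn=None, openid=None):
    """Drive `site` with a constructed environ; returns (status, headers, body)."""
    if openid and path == AUTH_PATH:                # client supplies its identity URI
        query += "&" + urlencode({"openid_identifier": openid})
    environ = {"REQUEST_METHOD": "GET", "SCRIPT_NAME": "", "PATH_INFO": path,
               "QUERY_STRING": query, "HTTP_COOKIE": cookie}
    if ssl_dn:                                      # what mod_ssl would export
        environ.update(SSL_CLIENT_VERIFY="SUCCESS", SSL_CLIENT_S_DN=ssl_dn)
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(site(environ, start_response))
    return captured["status"], captured["headers"], body

def walk_redirects(path, ssl_dn=None, openid=None, max_hops=5):
    """Follow 302s like a redirect-aware OPeNDAP client; returns (status, body, hops)."""
    status, headers, body = call(path, ssl_dn=ssl_dn, openid=openid)
    cookie, hops = "", 0
    while status.startswith("302") and hops < max_hops:
        hops += 1
        if "Set-Cookie" in headers:
            cookie = headers["Set-Cookie"].split(";")[0]
        loc = urlsplit(headers["Location"])
        status, headers, body = call(loc.path, loc.query, cookie, ssl_dn, openid)
    return status, body, hops
```

Two details matter for a deployment of this pattern: the return parameter must be validated as a local path before it is used as a Location header (otherwise the authentication endpoint becomes an open redirect), and the session cookie issued after authentication should carry Secure and HttpOnly so the data-fetching client, which may be wget or a library rather than a browser, cannot leak it over plain HTTP.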

Authentication Example – ncopen client

Demo...
- Browser based access
- Command line access with wget