Interacting with NDG
Bryan Lawrence (on behalf of a big team)
BADC, BODC, CCLRC, PML and SOC

NDG Liaison July 2006

NDG Assumptions

1. No one would change their data storage systems!
2. Need to support a wide range of "metadata-maturity"!
3. No NDG-wide user management system possible. It is illegal to share user information without each and every user agreeing ... which implies there is no way of having one virtual organisation with common user management! With a large enough group it is impossible to agree on common roles that could be associated with access control.

... but we want single sign-on ... and trust relationships between data providers ...

Integration

NDG use cases:
- Discovery (D): find things
- Context (B): know what they represent
- Manipulation (A): do useful things with them

(Diagram: a "familiarity" axis running from NDG-Lite through NDG Discovery to Local Systems. At the NDG-Lite end users find things and read web pages; at the Local Systems end they use data provider internal systems to access data etc.)

Levels of Engagement: (1) NDG-Lite

Discovery only:
- Requirement for properly formatted discovery metadata: DIF now, ISO19139 later
  - ISO19139 issues.
- OAI repository
  - Decision on "harvestability" ...
  - Must be kept live ...
- Related URLs and Services
  - Decisions on binding and service metadata outstanding!
- Deployment of NDG discovery service at provider websites
  - Branding
  - Maintenance

Start NOW!

Levels of Engagement: (2) NDG-Data (only) Providers

Discovery + "A" services:
- Need to deploy NDG security (of which more later)
- At the moment, need to have CSML data descriptions and to deploy the NDG data extractor (but not necessarily GEOSPLAT).
  - In the future we may have "vanilla" OGC services ...
  - In the future may use "OWN" feature definitions ...
- Expecting to support: NetCDF, NasaAmes, GRIB, HDF (4 or 5 not yet clear), SQL queries, xquery extractions.

Probably not something to be taken on before mid-2007!

Levels of Engagement (3): Data Centres and Browse

We only expect data centres to engage in the time and expense of producing browse metadata!
- MOLES is/will be a coat-hanger for discipline-specific metadata, with some holes for common concepts.
- We will provide tooling for a MOLES repository to autogenerate discovery metadata (one less job to do!)
- Provides the basis for cross-data-centre thematic repositories (e.g. RAPID)
- Can be secure metadata in its own right!

Authentication and Authorisation

Clean separation between concepts:

Authentication
- Identity: who you are
- Users are identified between data providers and services by means of Proxy Certificates
- Proxy Certificates are issued by MyProxy services
- Users are identified between sessions at the same browser by means of a cookie which points to the location of a proxy certificate.

Authorisation
- For a user: what you can do, e.g. what data they can access
- For a data provider: how you determine what a user can and can't do
- NDG Attribute Certificates determine access
- Attribute Certificates are issued by Attribute Authorities.

Controlling Access to Data

NDG Attribute Certificate:
- Issued to a user by an ATTRIBUTE AUTHORITY
- Contains roles; these determine what the user is authorised to do. An attribute authority determines, on behalf of a data provider, what roles a user has, from the list of roles known to that data provider. E.g. badc has the coapec role which allows access to the coapec data set: if a badc user has a badc-issued Attribute Certificate containing coapec then badc will grant access.
- XML based
- Issued by the Attribute Authorities on receipt of a valid user Proxy Certificate
- Digitally signed by the Attribute Authority issuer
- Contains the user's identity expressed as a Distinguished Name, as derived from the user's Proxy Certificate
- Has a time-bound validity

Key Concepts thus far

- All data providers deploy, or have access to, a MyProxy database capable of delivering proxy certificates on request.
- All data providers deploy, or have access to, a Session Manager instance.
  - No requirement for the MyProxy to be visible outside a firewall; access can be mediated by a Session Manager.
- All data providers secure resources by coupling resources to roles.
  - There is no assumption that data providers share the same role names or role definitions.
- All data providers deploy, or have access to, Attribute Authorities that grant NDG Attribute Certificates to users based on their "rights".

Example MapConfig

(Diagram of a data provider's MapConfig. Entries: badcAttAuthorityURI, badcLoginPageURI, bodcAttAuthorityURI, bodcLoginPageURI, eScienceAttAuthorityURI. Labels: "Trust handles authorisation"; "handles authentication"; "list of remote addresses for getting authorisation credentials"; "Authorisation".)

Trust between data providers is established by making BILATERAL agreements on role mapping!
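An added example, not NDG code, of the checks a data provider would run on an incoming attribute certificate before granting access, covering the Controlling Access to Data and Key Concepts slides and the bilateral role mapping above. The certificate format, issuer keys and role map are constructed for illustration, and an HMAC stands in for the Attribute Authority's XML signature.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed per-issuer verification keys. A real Attribute Authority signs
# with its X.509 key; an HMAC stands in for that XML signature here.
ISSUER_KEYS = {"badc": b"badc-aa-key-constructed", "bodc": b"bodc-aa-key-constructed"}

# Bilateral role mapping (the slide's MapConfig idea): roles from a remote
# provider's AA that badc accepts as equivalent to its own local roles.
ROLE_MAP = {"badc": {"bodc": {"coapecPartner": "coapec"}}}

def _sig(issuer, holder, role, not_before, not_after):
    msg = "|".join([issuer, holder, role, not_before, not_after]).encode()
    return hmac.new(ISSUER_KEYS[issuer], msg, hashlib.sha256).hexdigest()

def make_att_cert(issuer, holder, role, not_before, not_after):
    """Constructed XML attribute certificate: holder DN, one role, validity, signature."""
    sig = _sig(issuer, holder, role, not_before, not_after)
    return (f"<attCert><issuer>{issuer}</issuer><holder>{holder}</holder>"
            f"<role>{role}</role><notBefore>{not_before}</notBefore>"
            f"<notAfter>{not_after}</notAfter><sig>{sig}</sig></attCert>")

def check_access(att_cert_xml, proxy_dn, provider, required_role, now_iso):
    """Return 'AccessGranted' or a denial reason. Checks, in order: trusted
    issuer, intact signature, holder DN equals the proxy certificate DN,
    validity window, then role (local to `provider`, or mapped bilaterally)."""
    ac = ET.fromstring(att_cert_xml)
    f = {k: ac.findtext(k) for k in
         ("issuer", "holder", "role", "notBefore", "notAfter", "sig")}
    if f["issuer"] not in ISSUER_KEYS:
        return "Denied: untrusted attribute authority"
    expected = _sig(f["issuer"], f["holder"], f["role"], f["notBefore"], f["notAfter"])
    if not hmac.compare_digest(expected, f["sig"]):
        return "Denied: signature does not verify"
    if f["holder"] != proxy_dn:
        return "Denied: holder DN does not match proxy certificate"
    now = datetime.fromisoformat(now_iso)
    if not (datetime.fromisoformat(f["notBefore"]) <= now
            <= datetime.fromisoformat(f["notAfter"])):
        return "Denied: outside validity period"
    if f["issuer"] == provider:
        role = f["role"]                       # local AA: use the role as issued
    else:                                      # remote AA: only mapped roles count
        role = ROLE_MAP.get(provider, {}).get(f["issuer"], {}).get(f["role"])
    if role != required_role:
        return "Denied: no role grants access to this resource"
    return "AccessGranted"
```

The order matters: signature and holder checks come before the role lookup, so a tampered or borrowed certificate is rejected regardless of what roles it claims.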

User Authorisation

(Sequence diagram: the client application's smClient (an installable library) talks across the firewall to the SessionManager web service, which sends the user's ProxyCert in a reqAttCert request to the Attribute Authority (AA) and receives an AttCert back. Other labels: sessionID and smWSDL; reqRole; AAwsdl; UserSession; CredWallet. The returned Proxy Cert is kept in the CredWallet of the user's UserSession instance.)

- The client application calls (exploits) the reqAuthorisation method.
- The local smClient talks to the local SessionManager, which may or may not talk to remote SessionManagers.
- The Credential Wallet is populated with attribute certificates as needed.

How to Deploy a System

What's needed to represent ID?
- User database of some sort, and own connection software
- PKI / Proxy Certificates
- MyProxy Server
- Session Manager

What's needed to grant access rights to a user?
- Attribute Authority
- Session Manager
- Some "database" binding resources to roles and AA

(Speaker note: indicate that a minimally configured data provider can use remote resources to provide these services.)

Python Browser Application

```python
class YourClass:
    '''Dummy class encapsulating key NDG security concepts from a
    browser application developer's perspective.'''

    def __init__(self, stuff):
        ...
        self.cookie = ...   # set cookie
        self.config = ...   # read from config file, includes local smWSDL
        ...
        self.makeGateway()
        ...

    def makeGateway(self, cookie=None):
        '''Make a connection to NDG security and load what is necessary
        for an NDG cookie to be written:
        - the requestURL, so that a redirect can come back, and to pass
          on any URL components which have come back from one
        - your local smWSDL address, and your cookie
        '''
        self.ndgGate = securityGateway(self.requestURL, self.cookie, self.config)

    def goforit(self):
        '''Your actions: trying to access a URI for which you may have
        constraints.'''
        ...
        if constraints.exist:
            result = self.ndgGate.check((role, AAwsdl))
            if result == 'AccessGranted':
                access = 1
            else:
                access = 0
```

Architecture: Deployment

(Diagram, built up over several slides: Data Providers, NDG Core Services, Users, NDG GUI Interface(s), Vocab Services.)