
BADC, BODC, CCLRC, PML and SOC Interacting with NDG
Bryan Lawrence (on behalf of a big team)


Slide 2: NDG Assumptions (NDG Liaison, July 2006)
1. No one would change their data storage systems!
2. Need to support a wide range of "metadata-maturity"!
3. No NDG-wide user management system possible.
– It is illegal to share user information without each and every user agreeing … implies no way of having one virtual organisation with common user management!
– With a large enough group it is impossible to agree on common roles that could be associated with access control.
– … but we want single sign-on … and trust relationships between data providers …

Slide 3: Integration
NDG use cases:
– Discovery (D): find things
– Context (B): know what they represent
– Manipulation (A): do useful things with them
[Diagram: levels of engagement along an axis of increasing familiarity: NDG-Lite – NDG Discovery – Local Systems]
– Find things, read web pages …
– Use data provider internal systems to access data etc.

Slide 4: Levels of Engagement (1): NDG-Lite
Discovery only
– Requirement for properly formatted discovery metadata: DIF now, ISO19139 later
  – ISO19139 issues.
– OAI repository
  – Decision on "harvestability" …
  – Must be kept live …
– Related URLs and Services
  – Decisions on binding and service metadata outstanding!
– Deployment of NDG discovery service at provider websites
  – Branding
  – Maintenance
Start NOW!

Slide 5: Levels of Engagement (2): NDG-Data (only) Providers
Discovery + "A" services
– Need to deploy NDG security (of which more later)
– At the moment, need to have CSML data descriptions and to deploy the NDG data extractor (but not necessarily GEOSPLAT).
  – In the future we may have "vanilla" OGC services …
  – In the future may use "OWN" feature definitions …
– Expecting to support: NetCDF, NasaAmes, GRIB, HDF (4 or 5 not yet clear), SQL queries, xquery extractions.
Probably not something to be taken on before mid-2007!

Slide 6: Levels of Engagement (3): Data Centres and Browse
We only expect data centres to engage in the time and expense of producing browse metadata!
– MOLES is/will be a coat-hanger for discipline-specific metadata, with some holes for common concepts.
– We will provide tooling for a MOLES repository to autogenerate discovery metadata (one less job to do!)
– Provides the basis for cross-data-centre thematic repositories (e.g. RAPID)
– Can be secure metadata in its own right!

Slide 7: Authentication and Authorisation
Clean separation between concepts:
Authentication
– Identity: who you are
– Users are identified between data providers and services by means of Proxy Certificates
– Proxy Certificates are issued by MyProxy services
– Users are identified between sessions at the same browser by means of a cookie which points to the location of a proxy certificate.
Authorisation
– For a user: what you can do, e.g. what data they can access
– For a data provider: how you determine what a user can and can't do
– NDG Attribute Certificates determine access
– Attribute Certificates are issued by Attribute Authorities.

Slide 8: Controlling Access to Data
NDG Attribute Certificate
– Issued to a user by an ATTRIBUTE-AUTHORITY
– Contains roles; these determine what the user is authorised to do
  – An attribute authority determines, on behalf of a data provider, what roles a user has, from the list of roles known to that data provider. E.g. badc has the coapec role which allows access to the coapec data set: if a badc user has a badc-issued Attribute Certificate containing coapec then badc will grant access.
– XML based
– Issued by the Attribute Authorities on receipt of a valid user Proxy Certificate
– Digitally signed by the Attribute Authority issuer
– Contains the user's identity expressed as a Distinguished Name, as derived from the user's Proxy Certificate
– Has a timebound validity

Slide 9: Key Concepts thus far
– All data providers deploy, or have access to, a myproxy database capable of delivering proxy certificates on request.
– All data providers deploy, or have access to, a Session Manager instance.
  – No requirement for the myproxy to be visible outside a firewall; access can be mediated by a Session Manager.
– All data providers secure resources by coupling resources to roles.
  – There is no assumption that data providers share the same role names or role definitions.
– All data providers deploy, or have access to, Attribute Authorities that grant NDG Attribute Certificates to users based on their "rights".

Slide 10: Example MapConfig
[Diagram: an example MapConfig, i.e. the list of remote addresses for getting authorisation credentials. Each trusted remote provider has an Attribute Authority URI (handles authorisation) and a login page URI (handles authentication): badcAttAuthorityURI / badcLoginPageURI, bodcAttAuthorityURI / bodcLoginPageURI, eScienceAttAuthorityURI.]
Trust between data providers is established by making BILATERAL agreements on role mapping!
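As an added example (not code from the presentation or from NDG), the checks a data provider applies to an attribute certificate from slides 8 and 9 (trusted issuer, signature, timebound validity, role bound to the resource) together with the bilateral role mapping of slide 10, in Python. The XML layout, the HMAC used in place of the real XML digital signature, and the names issue_att_cert, DataProvider, local_roles and check are assumptions for the example.

```python
import hmac, hashlib, time
import xml.etree.ElementTree as ET

def issue_att_cert(issuer, holder_dn, roles, key, now, lifetime=3600):
    """Attribute Authority side: build and sign an attribute certificate.
    Constructed XML layout; HMAC stands in for the real XML digital signature."""
    ac = ET.Element("attributeCertificate")
    ET.SubElement(ac, "issuer").text = issuer
    ET.SubElement(ac, "holder").text = holder_dn  # DN taken from the user's proxy cert
    ET.SubElement(ac, "notBefore").text = str(now)
    ET.SubElement(ac, "notAfter").text = str(now + lifetime)
    for role in roles:
        ET.SubElement(ac, "role").text = role
    body = ET.tostring(ac)
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

class DataProvider:
    """Data provider side: trusted AAs, bilateral role map, resource-to-role binding."""

    def __init__(self, name, trusted_keys, role_map, resources):
        self.name = name
        self.trusted_keys = trusted_keys  # issuer name -> verification key (the trust list)
        self.role_map = role_map          # (remote issuer, remote role) -> local role
        self.resources = resources        # resource -> local role required

    def local_roles(self, body, sig, now):
        """Roles this provider accepts from the certificate, after all checks."""
        ac = ET.fromstring(body)
        issuer = ac.findtext("issuer")
        key = self.trusted_keys.get(issuer)
        if key is None:
            return set()  # issuer not in our trust list
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return set()  # signature does not verify: tampered or forged
        if not int(ac.findtext("notBefore")) <= now <= int(ac.findtext("notAfter")):
            return set()  # outside the certificate's timebound validity
        roles = {r.text for r in ac.findall("role")}
        if issuer == self.name:
            return roles  # our own AA: role names are already local
        # remote AA: only roles covered by a bilateral mapping agreement count
        return {self.role_map[(issuer, r)] for r in roles if (issuer, r) in self.role_map}

    def check(self, resource, body, sig, now=None):
        """The data provider's access decision for one resource."""
        now = int(time.time()) if now is None else now
        return "AccessGranted" if self.resources[resource] in self.local_roles(body, sig, now) else "AccessDenied"
```

A bodc-issued certificate carrying a role named coapec is still refused by badc unless the bilateral map says so, which is the point of not assuming shared role names.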

Slide 11: User Authorisation
[Diagram: a Client Application with an installable smClient library sits behind a FIREWALL and talks to the local SessionManager WS using a sessionID and the smWSDL; each UserSession holds a CredWallet; for a reqRole the SessionManager sends a ProxyCert with reqAttCert to the AA named by AAwsdl and receives an AttCert back.]
– Returned Proxy Cert. is kept in the CredWallet of the user's UserSession instance.
– Client application calls use the reqAuthorisation method.
– Local smClient talks to the local SessionManager, which may or may not talk to remote SessionManagers.
– Credential Wallet is populated with attribute certificates as needed.

Slide 12: How to Deploy a System
What's needed to represent ID?
– [User database of some sort and own connection software]
– [PKI/Proxy Certificates]
– [MyProxy Server]
– [Session Manager]
What's needed to grant access rights to a user?
– [Attribute Authority]
– [Session Manager]
– Some "database" binding resources to roles and AA
[Indicate that a minimally configured data provider can use remote resources to provide these services]

Slide 13: Python Browser Application

    class YourClass:
        ''' Dummy class encapsulating key ndg security concepts from a browser
        application developer's perspective '''

        def __init__(self, stuff):
            ...
            self.cookie = ...   # set cookie
            self.config = ...   # read from config file, includes local smWSDL
            ...
            self.makeGateway()
            ...

        def makeGateway(self, cookie=None):
            ''' Make connection to NDG security and load what is necessary for an
            NDG cookie to be written '''
            # - the requestURL so that a redirect can come back, and to pass
            #   any URL components which have come back from one...
            # - your local smWSDL address, and your cookie...
            self.ndgGate = securityGateway(self.requestURL, self.cookie, self.config)

        def goforit(self):
            ''' your actions... trying to access a URI for which you may have
            constraints '''
            ...
            if constraints.exist:
                # ask the gateway whether the user holds the required role,
                # naming the Attribute Authority (AAwsdl) that can vouch for it
                result = self.ndgGate.check((role, AAwsdl))
                if result == 'AccessGranted':
                    access = 1
                else:
                    access = 0

(securityGateway, constraints, role and AAwsdl are not defined on the slide; presumably they come from the NDG client library and the calling application.)

Slides 14–18: Architecture: Deployment
[Diagram, built up over five slides: Data Providers, NDG Core Services, Users, NDG GUI Interface(s), Vocab Services]


