ndg security: distributed governance, distributed access control, distributed data
DESCRIPTION
NDG Security: Distributed Governance, Distributed Access Control, Distributed Data. Bryan Lawrence (on behalf of a big team). +. +. ]=. +[. +. +. BADC, BODC, CCLRC, PML and SOC. NCAR. Complexity + Volume + Remote Access = Grid Challenge. British Atmospheric Data Centre. - PowerPoint PPT PresentationTRANSCRIPT
BADC, BODC, CCLRC, PML and SOC
NDG Security: Distributed Governance, Distributed Access
Control, Distributed Data.
+ ++ + +[ ]=
Bryan Lawrence(on behalf of a big team)
GO-ESSP June 2006
http://ndg.nerc.ac.uk
British Atmospheric Data Centre
British Oceanographic Data Centre
Complexity + Volume + Remote Access = Grid Challenge
NCAR
GO-ESSP June 2006
NDG Assumptions
1. No one would change their data storage systems!2. Need to support a wide range of “metadata-
maturity”! 3. No NDG-wide user management system possible.
• It is illegal to share user information without each and every user agreeing …• implies no way of having one virtual organisation with common
user management!• With a large enough group it is impossible to agree on
common roles that could be associated with access control.• … but we want single-sign on … and trust relationships
between data providers …
GO-ESSP June 2006
Authentication and Authorisation
Clean separation between concepts:
• Authentication– Identity - Who you are– Users are identified between data providers and services by means of
Proxy Certificates– Proxy Certificates issued by MyProxy services– Users are identified between sessions at the same browser by means of a
cookie which points to the location of a proxy certificate.
• Authorisation– For a user: what you can do e.g. what data they can access– For a data provider: how you determine what a user can and can’t do– NDG Attribute Certificates determine access – Attribute Certificates issued by AttributeAuthorities.
GO-ESSP June 2006
Controlling Access to Data• NDG Attribute Certificate
– Issued to a user by an ATTRIBUTE-AUTHORITY– Contain roles – these determine what the user is authorised to do
• An attribute authority determines on behalf of a data provider what roles a user has, from the list of roles known to that data provider
• e.g. badc has the coapec role which allows access to the coapec data set. If a badc user has a badc issued Attribute Certificate containing coapec then badc will grant access.
– XML based– Issued by the Attribute Authorities on receipt of a valid user Proxy
Certificate– Digitally signed by the Attribute Authority issuer– Contain the user’s identity expressed as a Distinguished Name as
derived from the user’s Proxy Certificate– Has a timebound validity
GO-ESSP June 2006
Key Concepts thus far
• All data providers deploy, or have access to, a myproxy database capable of delivering proxy certificates on request.
• All data providers deploy or have access to a Session Manager instance.– No requirement for the myproxy to visible outside a
firewall, access can be mediated by a Session Manager.• All data providers secure resources by coupling
resources to roles.– There is no assumption that data providers share the same
role names or role definitions.• All data providers deploy, or have access to,
Attribute Authorities that grant NDG Attribute Certificates to users based on their “rights”.
GO-ESSP June 2006
<?xml version="1.0" encoding="utf-8"?><AAmap> <thisHost name="BADC"> <wsdl>badcAttAuthorityURI</wsdl> <loginURI>badcLoginPageURI</loginURI> </thisHost> <trusted name="BODC"> <wsdl>bodcAttAuthorityURI</wsdl> <loginURI>bodcLoginPageURI</loginURI> <role remote="aBODCrole" local="aLocalRole"/> </trusted> <trusted name="escience"> <wsdl>eScienceAttAuthorityURI</wsdl> <role remote="anEScienceRole" local="anotherLocalRole"/> </trusted></AAmap>
Example MapConfig
TRUST
HANDLES AUTHORISATION
HANDLES AUTHENTICATION
LIST OF REMOTE ADDRESSES FOR GETTING AUTHORISATION CREDENTIALS AUTHORISATION
Trust between data providers is established by making BILATERAL agreements on role mapping!
GO-ESSP June 2006
Browser User Authentication
Authenticate when trying to access a secured resource (which has role, AAwsdl).
1. Pole AAwsdl for trusted host list (including self)2. Choose a login
1. Application should redirect to a loginURL2. Login …
1. Login Service establishes an NDG Session Manager, and populates it with proxy certificate/
2. LoginURL sets a cookie and redirects back to originator with cookie details in URL (if not local)
(All redirections done with https)3. Originator sets cookie with session manager details4. Originator establishes local session manager session that knows
about remote session manager via cookie contents.
GO-ESSP June 2006
User Authorisation
smClient•UserSession
•CredWallet
SessionManager WSAAProxyCert, reqAttCert
AttCert
sessionID and smWSDL
reqRole AAwsdl
Returned Proxy Cert. is kept in CredWallet of user’s UserSession instance
FIREWALL
(Installable Library)
Client Application
Calls
Exploits reqAuthorisaton
method
Local smClient talks to local SessionManager which may or may not talk to remote SessionManagers.
Credential Wallet is populated with attribute certificates as needed.
GO-ESSP June 2006
How to Deploy a system
• What’s needed to represent ID? – [User DataBase of some sort]– [PKI/Proxy Certificates]– [MyProxy Server]– [Session Manager]
• What’s needed to grant access rights to a user?– [Attribute Authority]– [Session Manager]– Some “database” binding resources to roles and AA
[Indicate that a minimally configured data provider can use remote resources to provide these services]
GO-ESSP June 2006
Python Browser Applicationclass YourClass:
''' Dummy class encapsulating key ndg security concepts from a browser application developers perspective '''
def __init__(self,stuff): ... self.cookie=... #set cookie self.config=... #read from config file, includes local smWSDL …. self.makeGateway() ...
def makeGateway(self,cookie=None):''' Make connection to NDG security and load what is necessary for
an NDG cookie to be written ''' # - the requestURL so that a redirect can come back, and to pass # any URL components which have come back from one ... # - your local smWSDL address, and your cookie ...
self.ndgGate=securityGateway(self.requestURL,self.cookie,self.config)
def goforit(self): ''' your actions ... trying to access a URI for which you may have constraints''' ... if constraints.exist: result=self.ndgGate.check((role,AAwsdl)) if result=='AccessGranted': access=1 else: access=0
GO-ESSP June 2006
NDG Security Current Status
• NDG Started Phase 2 in 2006 with Alpha Stage milestone this week:– Target secure data resource with NDG security– Done (both for A and B metadata)– Engineered NDG security into BBFTP …
• Working prototype implemented in Python:– Deployed at partner sites: British Oceanographic Data Centre,
National Oceanography Centre Southampton, Plymouth Marine Lab and Centre for Ecology and Hydrology
– Supports single sign on– Uses XML Signature and XML encryption but not WS-Security
compliant (yet)– Uses WSDL– Open Source
GO-ESSP June 2006
Security Next Steps
• WS interfaces need to be adapted to be compliant to WS-Security– Produce Java implementation for DEWS– Adapt ZSI Python WS libraries– Possibly use LBL libraries – pyGridWare
• Latest status info: NDG Project Management Trac site (http://proj.badc.rl.ac.uk/ndg/)
GO-ESSP June 2006
DEWS
Department of Trade and Industry funding …- health stream (new WFS)- Marine stream (new WCS based on GADS)- NDG Security- Prototype for commercial activity
Delivering Environmental Web Services
Current Status
GO-ESSP June 2006
Architecture: NDG Metadata Taxonomy
… not one schema, not one solution!
CSMLNCML+CF
MOLES THREDDS(… NMM, SENSORML etc)
DIF -> ISO19115
CLADDIER
GO-ESSP June 2006
Architecture: Deployment Data
ProvidersNDG Core Services
Users
NDG GUI Interface(s)
Vocab Services
GO-ESSP June 2006
Architecture: Deployment
NDG Core Services
Users
NDG GUI Interface(s)
Vocab Services
GO-ESSP June 2006
Architecture: Deployment
Users
NDG GUI Interface(s)
Vocab Services
GO-ESSP June 2006
Architecture: Deployment
UsersVocab Services
GO-ESSP June 2006
MOLES: implementation
Core linking concept is the deployment
Deployment
Activity
on behalf of an Activityof a Data Production Tool at an Observation Station
that produces a Data EntityData
ProductionTool
ObservationStation
Data Entity
Each of the main metadata objects has security data attached to it. This means that this can be applied to queries on the metadata
Links the metadata records into a structure that can be turned into a navigable structure
GO-ESSP June 2006
NDG “Pseudo-Demo”
EXPLOITING DISCOVERY WEB
SERVICE(running interface on my laptop last night)
GO-ESSP June 2006
More Browse
Scrolling Down
GO-ESSP June 2006
MOLES Navigation
Actually, this is where we plan to use NMM
GO-ESSP June 2006
MOLES to Secure Dx
GO-ESSP June 2006
NDG Authentication
Offering up trusted host list …
GO-ESSP June 2006
Data Extractor
GO-ESSP June 2006
Geosplat
GO-ESSP June 2006
NDG Timeline
NDG2 runs until September 2007:• NDG-Alpha (June 2006)
– Not all components in place (particularly delivery broker)– Not many (maybe only DX) products will be deployable by non-NDG
participants(too much hard work installing things that haven’t been optimised for
installation)– Discovery portal will be (is now) usable, linking to NCAR data etc, but
isn’t very user friendly (options not obvious etc).• NDG-Beta (Feb 2007)
– Most components should work, but deployment of software may still be difficult by non-participants
• NDG-Prod (Jun 2007)– Should be deployable and far more user friendly (spending from Feb-
June working on deployment and friendliness, no new functionality)• Last few months working on sustainability etc
http://proj.badc.rl.ac.uk/trac/roadmap