Скачать презентацию NDG Security Distributed Governance Distributed Access Control Distributed Скачать презентацию NDG Security Distributed Governance Distributed Access Control Distributed

e2953debadbb6b12b901a6338e244ab3.ppt

  • Количество слайдов: 29

NDG Security: Distributed Governance, Distributed Access Control, Distributed Data. Bryan Lawrence (on behalf of NDG Security: Distributed Governance, Distributed Access Control, Distributed Data. Bryan Lawrence (on behalf of a big team) + + +[ BADC, BODC, CCLRC, PML and SOC ]=

Complexity + Volume + Remote Access = Grid Challenge British Atmospheric Data Centre NCAR Complexity + Volume + Remote Access = Grid Challenge British Atmospheric Data Centre NCAR British Oceanographic Data Centre GO-ESSP June 2006 http: //ndg. nerc. ac. uk

NDG Assumptions 1. No one would change their data storage systems! 2. Need to NDG Assumptions 1. No one would change their data storage systems! 2. Need to support a wide range of “metadatamaturity”! 3. No NDG-wide user management system possible. • It is illegal to share user information without each and every user agreeing … • • • implies no way of having one virtual organisation with common user management! With a large enough group it is impossible to agree on common roles that could be associated with access control. … but we want single-sign on … and trust relationships between data providers … GO-ESSP June 2006

Authentication and Authorisation Clean separation between concepts: • Authentication – Identity - Who you Authentication and Authorisation Clean separation between concepts: • Authentication – Identity - Who you are – Users are identified between data providers and services by means of Proxy Certificates – Proxy Certificates issued by My. Proxy services – Users are identified between sessions at the same browser by means of a cookie which points to the location of a proxy certificate. • Authorisation – For a user: what you can do e. g. what data they can access – For a data provider: how you determine what a user can and can’t do – NDG Attribute Certificates determine access – Attribute Certificates issued by Attribute. Authorities. GO-ESSP June 2006

Controlling Access to Data • NDG Attribute Certificate – Issued to a user by Controlling Access to Data • NDG Attribute Certificate – Issued to a user by an ATTRIBUTE-AUTHORITY – Contain roles – these determine what the user is authorised to do • An attribute authority determines on behalf of a data provider what roles a user has, from the list of roles known to that data provider • e. g. badc has the coapec role which allows access to the coapec data set. If a badc user has a badc issued Attribute Certificate containing coapec then badc will grant access. – XML based – Issued by the Attribute Authorities on receipt of a valid user Proxy Certificate – Digitally signed by the Attribute Authority issuer – Contain the user’s identity expressed as a Distinguished Name as derived from the user’s Proxy Certificate – Has a timebound validity GO-ESSP June 2006

Key Concepts thus far • All data providers deploy, or have access to, a Key Concepts thus far • All data providers deploy, or have access to, a myproxy database capable of delivering proxy certificates on request. • All data providers deploy or have access to a Session Manager instance. – No requirement for the myproxy to visible outside a firewall, access can be mediated by a Session Manager. • All data providers secure resources by coupling resources to roles. – There is no assumption that data providers share the same role names or role definitions. • All data providers deploy, or have access to, Attribute Authorities that grant NDG Attribute Certificates to users based on their “rights”. GO-ESSP June 2006

TRUST Trust between data providers is established by making BILATERAL agreements on role mapping! TRUST Trust between data providers is established by making BILATERAL agreements on role mapping! HANDLES AUTHORISATION badc. Att. Authority. URI badc. Login. Page. URI HANDLES AUTHENTICATION bodc. Att. Authority. URI bodc. Login. Page. URI LIST OF REMOTE ADDRESSES FOR e. Science. Att. Authority. URI GETTING AUTHORISATION CREDENTIALS Example Map. Config GO-ESSP June 2006 AUTHORISATION

Browser User Authentication Authenticate when trying to access a secured resource (which has role, Browser User Authentication Authenticate when trying to access a secured resource (which has role, AAwsdl). 1. Pole AAwsdl for trusted host list (including self) 2. Choose a login 1. Application should redirect to a login. URL 2. Login … 1. Login Service establishes an NDG Session Manager, and populates it with proxy certificate/ 2. Login. URL sets a cookie and redirects back to originator with cookie details in URL (if not local) (All redirections done with https) 3. Originator sets cookie with session manager details 4. Originator establishes local session manager session that knows about remote session manager via cookie contents. GO-ESSP June 2006

User Authorisation sm. Client session. ID and sm. WSDL req. Role AAwsdl (Installable Library) User Authorisation sm. Client session. ID and sm. WSDL req. Role AAwsdl (Installable Library) Session. Manager WS • User. Session • Cred. Wallet AA Att. Cert Returned Proxy Cert. is kept in Cred. Wallet of user’s User. Session instance Calls Client Application Proxy. Cert, req. Att. Cert FIREWALL Exploits req. Authorisaton method Local sm. Client talks to local Session. Manager which may or may not talk to remote Session. Managers. Credential Wallet is populated with attribute certificates as needed. GO-ESSP June 2006

How to Deploy a system • What’s needed to represent ID? – – [User How to Deploy a system • What’s needed to represent ID? – – [User Data. Base of some sort] [PKI/Proxy Certificates] [My. Proxy Server] [Session Manager] • What’s needed to grant access rights to a user? – [Attribute Authority] – [Session Manager] – Some “database” binding resources to roles and AA [Indicate that a minimally configured data provider can use remote resources to provide these services] GO-ESSP June 2006

Python Browser Application class Your. Class: ''' Dummy class encapsulating key ndg security concepts Python Browser Application class Your. Class: ''' Dummy class encapsulating key ndg security concepts from a browser application developerspective ''' def __init__(self, stuff): . . . self. cookie=. . . #set cookie self. config=. . . #read from config file, includes local sm. WSDL …. self. make. Gateway(). . . def make. Gateway(self, cookie=None): ''' Make connection to NDG security and load what is necessary for an NDG cookie to be written ''' # - the request. URL so that a redirect can come back, and to pass # any URL components which have come back from one. . . # - your local sm. WSDL address, and your cookie. . . self. ndg. Gate=security. Gateway(self. request. URL, self. cookie, self. config) def goforit(self): ''' your actions. . . trying to access a URI for which you may have constraints'''. . . if constraints. exist: result=self. ndg. Gate. check((role, AAwsdl)) if result=='Access. Granted': access=1 else: access=0 GO-ESSP June 2006

NDG Security Current Status • NDG Started Phase 2 in 2006 with Alpha Stage NDG Security Current Status • NDG Started Phase 2 in 2006 with Alpha Stage milestone this week: – Target secure data resource with NDG security – Done (both for A and B metadata) – Engineered NDG security into BBFTP … • Working prototype implemented in Python: – Deployed at partner sites: British Oceanographic Data Centre, National Oceanography Centre Southampton, Plymouth Marine Lab and Centre for Ecology and Hydrology – Supports single sign on – Uses XML Signature and XML encryption but not WSSecurity compliant (yet) – Uses WSDL – Open Source GO-ESSP June 2006

Security Next Steps • WS interfaces need to be adapted to be compliant to Security Next Steps • WS interfaces need to be adapted to be compliant to WS-Security – Produce Java implementation for DEWS – Adapt ZSI Python WS libraries – Possibly use LBL libraries – py. Grid. Ware • Latest status info: NDG Project Management Trac site (http: //proj. badc. rl. ac. uk/ndg/) GO-ESSP June 2006

DEWS Delivering Environmental Web Services Department of Trade and Industry funding … - health DEWS Delivering Environmental Web Services Department of Trade and Industry funding … - health stream (new WFS) - Marine stream (new WCS based on GADS) - NDG Security - Prototype for commercial activity GO-ESSP June 2006

Current Status Current Status

Architecture: NDG Metadata Taxonomy CSML NCML+CF MOLES THREDDS (… NMM, SENSORML etc) CLADDIER DIF Architecture: NDG Metadata Taxonomy CSML NCML+CF MOLES THREDDS (… NMM, SENSORML etc) CLADDIER DIF -> ISO 19115 … not one schema, not one solution! GO-ESSP June 2006

Vocab Services Users NDG GUI Interface(s) Architecture: Deployment NDG Core Services GO-ESSP June 2006 Vocab Services Users NDG GUI Interface(s) Architecture: Deployment NDG Core Services GO-ESSP June 2006 Data Providers

Vocab Services NDG GUI Interface(s) Architecture: Deployment NDG Core Services GO-ESSP June 2006 Users Vocab Services NDG GUI Interface(s) Architecture: Deployment NDG Core Services GO-ESSP June 2006 Users

Vocab Services NDG GUI Interface(s) Architecture: Deployment GO-ESSP June 2006 Users Vocab Services NDG GUI Interface(s) Architecture: Deployment GO-ESSP June 2006 Users

Vocab Services Architecture: Deployment GO-ESSP June 2006 Users Vocab Services Architecture: Deployment GO-ESSP June 2006 Users

MOLES: implementation Core linking concept is the deployment of a Data Production Tool at MOLES: implementation Core linking concept is the deployment of a Data Production Tool at an Observation Station on behalf of an Activity that produces a Data Entity Activity Links the metadata records into a structure that can be turned into a navigable structure Data Production Tool Deployment Data Entity GO-ESSP June 2006 Observation Station Each of the main metadata objects has security data attached to it. This means that this can be applied to queries on the metadata

NDG “Pseudo-Demo” EXPLOITING DISCOVERY WEB SERVICE (running interface on my laptop last night) GO-ESSP NDG “Pseudo-Demo” EXPLOITING DISCOVERY WEB SERVICE (running interface on my laptop last night) GO-ESSP June 2006

More Browse Scrolling Down GO-ESSP June 2006 More Browse Scrolling Down GO-ESSP June 2006

MOLES Navigation Actually, this is where we plan to use NMM GO-ESSP June 2006 MOLES Navigation Actually, this is where we plan to use NMM GO-ESSP June 2006

MOLES to Secure Dx GO-ESSP June 2006 MOLES to Secure Dx GO-ESSP June 2006

NDG Authentication Offering up trusted host list … GO-ESSP June 2006 NDG Authentication Offering up trusted host list … GO-ESSP June 2006

Data Extractor GO-ESSP June 2006 Data Extractor GO-ESSP June 2006

Geosplat GO-ESSP June 2006 Geosplat GO-ESSP June 2006

NDG Timeline NDG 2 runs until September 2007: • NDG-Alpha (June 2006) – Not NDG Timeline NDG 2 runs until September 2007: • NDG-Alpha (June 2006) – Not all components in place (particularly delivery broker) – Not many (maybe only DX) products will be deployable by non-NDG participants (too much hard work installing things that haven’t been optimised for installation) – Discovery portal will be (is now) usable, linking to NCAR data etc, but isn’t very user friendly (options not obvious etc). • NDG-Beta (Feb 2007) – Most components should work, but deployment of software may still be difficult by non-participants • NDG-Prod (Jun 2007) – Should be deployable and far more user friendly (spending from Feb-June working on deployment and friendliness, no new functionality) • Last few months working on sustainability etc http: //proj. badc. rl. ac. uk/trac/roadmap GO-ESSP June 2006