Скачать презентацию Authentication and Authorization in Sakai Charles Severance Sakai
e81ebf7036c46c0831f0b4ef47bb29ce.ppt
- Количество слайдов: 27
Authentication and Authorization in Sakai Charles Severance Sakai Chief Architect www. dr-chuck. com/talks. php
Outline • Sakai’s Authorization and Authentication Requirements • Sakai’s Internal Authorization and Authentication Structures • Integrating Enterprise Authorization and Authentication information into Sakai Some slides were adapted from John Leasia’s Configuration presentation from the Sakai User Meeting.
Web. Dav Client Browser Web. ISO, Form-based Web Services Client Http/Basic ID/PW Sakai Portal - WSRP Consumer ID/PW and others ID/PW, proxy, trust and others Internal Accounts Enterprise information, User Directory, Course Information, Roster Information, Role Information
• Sakai is intended to be an enterprise application - centrally deployed as the campus-wide or state-wide deployments • Sakai is intended to both solve the “wellknown” collaborative and learning requirements as well as enable significant innovation in collaboration and learning. What is Sakai?
Ideal Model For Campus Security Team mod_xyz App 1 …. mod_xyz App N Web. ISO XYZ System Real Credentials Firewall
Sakai Requirements • Web. ISO is not sufficient • Must be able to validate against “real credentials” - Usually ID/PW • Must handle “guest” accounts - not officially affiliated with the university – Guest lecturers – Colleagues
Web. Dav Client Browser Web. ISO, Form-based Web Services Client Http/Basic ID/PW Sakai Portal - WSRP Consumer ID/PW and others ID/PW, proxy, trust and others Internal Accounts Enterprise information, User Directory, Course Information, Roster Information, Role Information
Sakai Team: We need ID/PW for some cool feature (Web. DAV, Web Services, desktop authoring tool or whatever) Security Team: Use Web. ISO - it is our policy Sakai Team: Web. Dav is not a browser it is a web service client - it cannot handle redirects Security Team: Use Web. ISO - it is our policy Sakai Team: That would require Microsoft and Apple to alter their operating systems because Web. DAV is part of those operating systems Security Team: Too bad - talk to Microsoft about that - Use Web. ISO - it is our policy Security Team (To Faculty): Sorry we cannot support Web. DAV (other cool feature) because of security policies Faculty to CIO: Blah blah we need cool feature… CIO to Security Team: The faculty need the cool feature Security Team: Use Web. ISO - it is our policy CIO: Could you clarify exactly who made that policy? A Conversation about Web. ISO
Web. Dav Client Browser Web. ISO, Form-based Web Services Client Http/Basic ID/PW Sakai Portal - WSRP Consumer ID/PW and others ID/PW, proxy, trust and others Internal Accounts Enterprise information, User Directory, Course Information, Roster Information, Role Information
Sakai’s Internal Security Model • Internally, use fine-grained function based security – Can “this user” perform “this function” on “this object” (in this context) – Can Chuck perform chat. delete on the “office hours chat” (in course EE 100) ? • Roles used to give “easy to use” fine grain security sets handles • The roles and role to fine-grain mapping is flexible on a site by site and user by user basis
Permissions (Functions) and Roles
Site: EE 100 (Course) Instructor: chat. read chat. delete, chat. post Student: chat. read, chat. post Chuck: Instructor Glenn: Student Daphne: Student Sites and Permissions Site: Sakai-Dev (Project) Committer: chat. read chat. delete, chat. post Contributor: chat. read, chat. post Observer: chat. read Daphne: Committer Chuck: Observer Site: HCI 100 (Course) Instructor: chat. read chat. post, chat. delete Student: chat. read Daphne: Instructor Chuck: Student
Site: Type=Course Instructor: chat. read chat. delete, chat. post Student: chat. read, chat. post Site Templates Site: Type=Project Committer: chat. read chat. delete, chat. post Contributor: chat. read, chat. post Observer: chat. read Site: Type=Club President: chat. read chat. post, chat. delete Secretary: chat. delete Member: chat. read, chat. post
Site: / Sys. Admin: *. * Mary: Sys. Admin Site: Eng (College) Dean: *. * Jane: Dean Site: EE (Dept) Mary: Instructor Site: EE 100 (Course) Instructor: chat. read chat. delete, chat. post Student: chat. read, chat. post Chuck: Instructor Glenn: Student Daphne: Student Site: HCI (Dept) *role*: disallow chat. delete Site: HCI 100 (Course) Instructor: chat. read chat. post, chat. delete Student: chat. read Daphne: Instructor Chuck: Student Site: Sakai-Dev (Project) Committer: chat. read chat. delete, chat. post Contributor: chat. read, chat. post Observer: chat. read Daphne: Committer Chuck: Observer Add Hierarchy (Sakai 2. 1)
Web. Dav Client Browser Web. ISO, Form-based Web Services Client Http/Basic ID/PW Sakai Portal - WSRP Consumer ID/PW and others ID/PW, proxy, trust and others Internal Accounts Enterprise information, User Directory, Course Information, Roster Information, Role Information
Sakai Velocity Support Sakai JSF Support Sakai Velocity Tools Sakai JSF Tools Providers in Sakai Servlet Tools Sakai Application Services Sakai Framework Services Sakai Common Services Role Provider Course/Site Provider Sakai Kernel and Request. Filter Enterprise Data User Provider
User Directory Provider • Very mature - since Sakai 1. 0 • User type is controlled by provider - this controls the user template when the user is created • Can provide fully populated User objects or just answer ID/PW queries • Consulted at log-in • Supports special “properties” known to the provider • Sample providers in release 2. 0: JLDAP, Open. LDAP, Kerberos, and IMS Enterprise in a database
Course Provider • Does not auto-populate courses • Provides the course list when instructor is making a new worksite • Consulted during “New Site” operation • Significant work needed here – Need to make into a Site provider – Need to be able to set site type from provider – Need to come up with auto population mechanism
Where does this list come from?
public List get. Instructor. Courses(String instructor. Id, String term. Year, String term. Term) ID: 2005, FALL, , SMPL, 001 TERMID: FALL 2005 TITLE: Sample Course
Exploding the Course ID AT UM Unit Section 2005, FALL, A, SMPL, 001 Campus Course This is like a GUID - Not the user visible Title. public String get. Course. Name(String course. Id) Are there any semantics on this ID beyond a GUID?
When Multiple Course ID’s are checked… Five Sections Two Sections 2002, 2, A, EDUC, 504, [001, 002, 003, 004, 006]+2002, 2, A, LSA, 101, [002, 003] Two External “Courses”
Exploding the External Provider ID 2002, 2, A, EDUC, 504, [001, 002, 003, 004, 006]+2002, 2, A, LSA, 101, [002, 003] Realm Information comes from these Course ID’s: 2002, 2, A, EDUC, 504, 001 2002, 2, A, EDUC, 504, 002 2002, 2, A, EDUC, 504, 003 2002, 2, A, EDUC, 504, 004 2002, 2, A, EDUC, 504, 006 2002, 2, A, LSA, 101, 002 2002, 2, A, LSA, 101, 003
Realm Provider (Role) • Consulted at login • What are the sites and roles within each site for this user • If the system is using many different roles throughout, this code must feed the proper site the proper role • Sakai internal tables are updated as changes from the provider are noticed.
When Worksite Setup is Done Site: FFEB Type: Course Title: SI 653 001 Realm: /site/FFEB E-Provider: 2002, 2, A, EDUC, 504, [00 1, 002, 003, 004, 006]+ 2002, 2, A, LSA, 101, [002, 003] Student: chat. read Instructor: chat. read, chat. delete Chuck is Maintain Active/Internal 2002, 2, A, EDUC, 504, [001, 002, 003, 004, 006]+2002, 2, A, LSA, 101, [002, 003]
Site: FFEB Type: Course Title: SI 653 001 Realm: /site/FFEB E-Provider: 2002, 2, A, EDUC, 504, [00 1, 002, 003, 004, 006]+ 2002, 2, A, LSA, 101, [002, 003] Student: chat. read Glenn is Student David is Student Zhen is Student Provided roles Instructor: chat. read, chat. delete Chuck Maintain Active/Internal Glenn is Student Active/External David is TA Active/Internal Zhen is Student Inactive/Internal Provider wins Internal wins to protect. Inactive over rides