BADC, BODC, CCLRC, PML and SOC

NDG Security: Distributed Governance, Distributed Access Control, Distributed Data.

Bryan Lawrence (on behalf of a big team)

Slide transcript.


GO-ESSP June 2006

http://ndg.nerc.ac.uk

British Atmospheric Data Centre

British Oceanographic Data Centre

Complexity + Volume + Remote Access = Grid Challenge

NCAR


NDG Assumptions

1. No one would change their data storage systems!
2. Need to support a wide range of “metadata-maturity”!
3. No NDG-wide user management system possible.
   • It is illegal to share user information without each and every user agreeing …
   • … implies no way of having one virtual organisation with common user management!
   • With a large enough group it is impossible to agree on common roles that could be associated with access control.
   • … but we want single sign-on … and trust relationships between data providers …


Authentication and Authorisation

Clean separation between concepts:

• Authentication
  – Identity: who you are
  – Users are identified between data providers and services by means of Proxy Certificates
  – Proxy Certificates issued by MyProxy services
  – Users are identified between sessions at the same browser by means of a cookie which points to the location of a proxy certificate.
• Authorisation
  – For a user: what you can do, e.g. what data they can access
  – For a data provider: how you determine what a user can and can’t do
  – NDG Attribute Certificates determine access
  – Attribute Certificates issued by Attribute Authorities.


Controlling Access to Data

• NDG Attribute Certificate
  – Issued to a user by an ATTRIBUTE AUTHORITY
  – Contains roles: these determine what the user is authorised to do
    • An attribute authority determines, on behalf of a data provider, what roles a user has, from the list of roles known to that data provider
    • e.g. badc has the coapec role which allows access to the coapec data set. If a badc user has a badc-issued Attribute Certificate containing coapec then badc will grant access.
  – XML based
  – Issued by the Attribute Authorities on receipt of a valid user Proxy Certificate
  – Digitally signed by the Attribute Authority issuer
  – Contains the user’s identity expressed as a Distinguished Name, as derived from the user’s Proxy Certificate
  – Has a time-bound validity


Key Concepts thus far

• All data providers deploy, or have access to, a myproxy database capable of delivering proxy certificates on request.
• All data providers deploy, or have access to, a Session Manager instance.
  – No requirement for the myproxy to be visible outside a firewall; access can be mediated by a Session Manager.
• All data providers secure resources by coupling resources to roles.
  – There is no assumption that data providers share the same role names or role definitions.
• All data providers deploy, or have access to, Attribute Authorities that grant NDG Attribute Certificates to users based on their “rights”.


Example MapConfig

    <?xml version="1.0" encoding="utf-8"?>
    <AAmap>
      <thisHost name="BADC">
        <wsdl>badcAttAuthorityURI</wsdl>
        <loginURI>badcLoginPageURI</loginURI>
      </thisHost>
      <trusted name="BODC">
        <wsdl>bodcAttAuthorityURI</wsdl>
        <loginURI>bodcLoginPageURI</loginURI>
        <role remote="aBODCrole" local="aLocalRole"/>
      </trusted>
      <trusted name="escience">
        <wsdl>eScienceAttAuthorityURI</wsdl>
        <role remote="anEScienceRole" local="anotherLocalRole"/>
      </trusted>
    </AAmap>

Callouts on the slide: the <wsdl> address HANDLES AUTHORISATION, the <loginURI> HANDLES AUTHENTICATION, and the <trusted> entries are the LIST OF REMOTE ADDRESSES FOR GETTING AUTHORISATION CREDENTIALS, i.e. they express TRUST.

Trust between data providers is established by making BILATERAL agreements on role mapping!
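The checks a data provider makes on an NDG-style Attribute Certificate (issuer, signature, holder DN, validity window, roles) and the role mapping through the MapConfig above, written out as an added example; this is not NDG's own code. The AC element names (attributeCertificate, acInfo, issuer, holder, validity, roles, signature), the DNs and the AA keys are assumptions. NDG signs ACs with XML Signature; the per-issuer HMAC here is a stand-in that keeps the example on the standard library, so it shows the binding of the claims to an issuer but needs a shared secret rather than the AA's public key. The MapConfig is the slide's, with BADC as thisHost, and PML is given a key only so that an AC from an AA outside the map can be exercised.

```python
"""Added example: checking an NDG-style Attribute Certificate and mapping its
roles through a MapConfig.  Not NDG code; element names and keys are assumed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# The slide's MapConfig, used unchanged as this host's (BADC's) trust map.
AAMAP_XML = """<?xml version="1.0" encoding="utf-8"?>
<AAmap>
  <thisHost name="BADC"><wsdl>badcAttAuthorityURI</wsdl><loginURI>badcLoginPageURI</loginURI></thisHost>
  <trusted name="BODC"><wsdl>bodcAttAuthorityURI</wsdl><loginURI>bodcLoginPageURI</loginURI>
    <role remote="aBODCrole" local="aLocalRole"/></trusted>
  <trusted name="escience"><wsdl>eScienceAttAuthorityURI</wsdl>
    <role remote="anEScienceRole" local="anotherLocalRole"/></trusted>
</AAmap>"""

# Stand-in for each Attribute Authority's signing key (constructed).  NDG signs
# ACs with XML Signature; an HMAC per issuer keeps this runnable on the standard
# library alone, at the price of a shared secret instead of a public key.
AA_KEYS = {"BADC": b"badc-key", "BODC": b"bodc-key", "escience": b"esc-key", "PML": b"pml-key"}


def load_aamap(xml_text):
    """Return (this_host, {issuer: {remote_role: local_role} or None})."""
    root = ET.fromstring(xml_text)
    this_host = root.find("thisHost").get("name")
    mapping = {this_host: None}  # None: a local AC, its roles are already local
    for t in root.findall("trusted"):
        mapping[t.get("name")] = {r.get("remote"): r.get("local") for r in t.findall("role")}
    return this_host, mapping


def canonical(elem):
    """Canonical XML (C14N) of the signed part, so whitespace cannot break the tag."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issue_attcert(issuer, holder_dn, roles, not_before, not_after):
    """What an AA does on receipt of a valid proxy certificate: bind the holder
    DN, a validity window and the roles it knows, then sign."""
    ac = ET.Element("attributeCertificate")       # hypothetical element names
    info = ET.SubElement(ac, "acInfo")
    ET.SubElement(info, "issuer").text = issuer
    ET.SubElement(info, "holder").text = holder_dn
    ET.SubElement(info, "validity", notBefore=not_before, notAfter=not_after)
    rs = ET.SubElement(info, "roles")
    for role in roles:
        ET.SubElement(rs, "role").text = role
    tag = hmac.new(AA_KEYS[issuer], canonical(info).encode(), hashlib.sha256).hexdigest()
    ET.SubElement(ac, "signature").text = tag
    return ET.tostring(ac, encoding="unicode")


def authorise(ac_xml, proxy_dn, required_role, aamap, now):
    """Data-provider side: does this AC grant `required_role` here?
    Returns (granted, reason); every rejection names the failed check."""
    this_host, mapping = aamap
    ac = ET.fromstring(ac_xml)
    info = ac.find("acInfo")
    issuer = info.findtext("issuer")
    # 1. Only AAs named in the MapConfig are trusted.  The issuer name is read
    #    unverified here purely to pick the key; nothing else is used yet.
    if issuer not in mapping:
        return False, "untrusted issuer: %s" % issuer
    # 2. Check the tag before believing holder, validity or roles.
    want = hmac.new(AA_KEYS[issuer], canonical(info).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, ac.findtext("signature") or ""):
        return False, "bad signature"
    # 3. The holder DN must be the DN of the proxy certificate presented.
    if info.findtext("holder") != proxy_dn:
        return False, "holder mismatch"
    # 4. Time-bound validity.
    v = info.find("validity")
    if not parse_ts(v.get("notBefore")) <= now <= parse_ts(v.get("notAfter")):
        return False, "outside validity period"
    # 5. Remote roles count only through the bilateral mapping; unmapped ones
    #    are dropped rather than taken at face value.
    roles = [r.text for r in info.find("roles").findall("role")]
    remote = mapping[issuer]
    local = set(roles) if remote is None else {remote[r] for r in roles if r in remote}
    if required_role in local:
        return True, "granted via %s" % issuer
    return False, "no mapped role grants %s (have %s)" % (required_role, sorted(local))


if __name__ == "__main__":
    AAMAP = load_aamap(AAMAP_XML)
    NOW = parse_ts("2006-06-19T12:00:00Z")
    AC = issue_attcert("BODC", "/O=NDG/OU=BODC/CN=alice", ["aBODCrole"],
                       "2006-06-19T09:00:00Z", "2006-06-19T17:00:00Z")
    print(authorise(AC, "/O=NDG/OU=BODC/CN=alice", "aLocalRole", AAMAP, NOW))
```

The order of the checks is the point: the issuer name is read only to select the key, the tag is verified before the holder, validity or roles are believed, and a role from a trusted AA that has no entry in the bilateral mapping simply does not exist locally, which is what lets BADC and BODC keep different role vocabularies. Rejections come back as reasons so the data provider can log why access was refused without leaking the decision logic to the client.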


Browser User Authentication

Authenticate when trying to access a secured resource (which has role, AAwsdl).

1. Poll AAwsdl for trusted host list (including self)
2. Choose a login
   1. Application should redirect to a loginURL
   2. Login …
      1. Login Service establishes an NDG Session Manager, and populates it with proxy certificate
      2. LoginURL sets a cookie and redirects back to originator with cookie details in URL (if not local)
         (All redirections done with https)
3. Originator sets cookie with session manager details
4. Originator establishes local session manager session that knows about remote session manager via cookie contents.
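The hand-off in the steps above, with both sides of the redirect, as an added example rather than NDG's code. Hostnames, paths, the query parameter names requestURL, sessionID and smWSDL, and the cookie layout are assumptions (sessionID and smWSDL are the cookie contents named on the User Authorisation slide). Two checks go beyond what the slide states and are the ones a practitioner would add, since the session ID travels in a URL: the login service hands session details back only to originators it knows, and the originator accepts an smWSDL only if it belongs to a host on its trusted list.

```python
"""Added example: the browser login hand-off of the slide above between an
originator and a remote login service.  Not NDG code; every URL is constructed."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Trusted host list as an originator would obtain it from its AAwsdl (step 1).
# The slide's MapConfig holds placeholders; these hostnames are invented.
TRUSTED_HOSTS = {
    "BADC": "https://badc.example/login",
    "BODC": "https://bodc.example/login",
}
# Originators a login service will hand session details back to.  The slide
# does not say how this is limited; the check below is the one a practitioner
# adds, since an unrestricted return URL turns the login page into a relay for
# the session ID.
KNOWN_ORIGINATORS = {"badc.example", "bodc.example"}


def require_https(url):
    """Slide: all redirections are done with https.  Enforce it on both legs."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("redirect must be https: %s" % url)
    return parts


def login_redirect(trusted_hosts, choice, request_url):
    """Step 2.1, originator side: send the browser to the chosen login service,
    carrying the request URL so the service can come back."""
    require_https(request_url)
    parts = require_https(trusted_hosts[choice])   # KeyError: not a trusted host
    return urlunsplit(parts._replace(query=urlencode({"requestURL": request_url})))


def return_redirect(login_url, session_id, sm_wsdl, known_originators):
    """Step 2.2, login-service side: once the proxy certificate sits in the
    Session Manager, redirect back with the cookie details (sessionID, smWSDL)
    in the URL.  Only known originators get them."""
    request_url = parse_qs(urlsplit(login_url).query)["requestURL"][0]
    parts = require_https(request_url)
    if parts.hostname not in known_originators:
        raise ValueError("refusing to return session details to %s" % parts.hostname)
    extra = urlencode({"sessionID": session_id, "smWSDL": sm_wsdl})
    query = parts.query + "&" + extra if parts.query else extra
    return urlunsplit(parts._replace(query=query))


def trusted_hostnames(trusted_hosts):
    """Hostnames of the trusted host list, for the smWSDL check below."""
    return {urlsplit(u).hostname for u in trusted_hosts.values()}


def cookie_from_return(url, trusted_sm_hosts):
    """Step 3, originator side: read sessionID and smWSDL back out of the URL
    and build the cookie pointing at the remote Session Manager.  The smWSDL
    is checked against the trusted hosts before the local session is set up."""
    q = parse_qs(urlsplit(url).query)
    sm_wsdl = q["smWSDL"][0]
    if require_https(sm_wsdl).hostname not in trusted_sm_hosts:
        raise ValueError("session manager %s is not a trusted host" % sm_wsdl)
    return {"sessionID": q["sessionID"][0], "smWSDL": sm_wsdl}


if __name__ == "__main__":
    start = "https://badc.example/data/coapec?file=x.nc"
    to_login = login_redirect(TRUSTED_HOSTS, "BODC", start)
    back = return_redirect(to_login, "s-123", "https://bodc.example/sessionmgr", KNOWN_ORIGINATORS)
    print(cookie_from_return(back, trusted_hostnames(TRUSTED_HOSTS)))
```

The originator's original query string survives the round trip, so the user lands back on the resource they asked for, and every leg refuses a non-https target before building the redirect rather than after.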


User Authorisation

[Diagram: a Client Application calls the installable smClient library (holding a UserSession and a CredWallet) and exploits its reqAuthorisation method. The smClient talks across the FIREWALL to the SessionManager WS (which likewise holds a UserSession and a CredWallet), passing sessionID and smWSDL together with the reqRole and AAwsdl. The SessionManager presents AAProxyCert with reqAttCert to the Attribute Authority and gets an AttCert back. The returned Proxy Cert. is kept in the CredWallet of the user’s UserSession instance.]

Local smClient talks to local SessionManager which may or may not talk to remote SessionManagers.

Credential Wallet is populated with attribute certificates as needed.


How to Deploy a system

• What’s needed to represent ID?
  – [User DataBase of some sort]
  – [PKI/Proxy Certificates]
  – [MyProxy Server]
  – [Session Manager]
• What’s needed to grant access rights to a user?
  – [Attribute Authority]
  – [Session Manager]
  – Some “database” binding resources to roles and AA

[Indicate that a minimally configured data provider can use remote resources to provide these services]


Python Browser Application

    class YourClass:
        ''' Dummy class encapsulating key ndg security concepts from a browser
        application developer's perspective '''

        def __init__(self, stuff):
            ...
            self.cookie = ...   # set cookie
            self.config = ...   # read from config file, includes local smWSDL
            ...
            self.makeGateway()
            ...

        def makeGateway(self, cookie=None):
            ''' Make connection to NDG security and load what is necessary for
            an NDG cookie to be written '''
            # - the requestURL so that a redirect can come back, and to pass
            #   any URL components which have come back from one ...
            # - your local smWSDL address, and your cookie ...
            self.ndgGate = securityGateway(self.requestURL, self.cookie, self.config)

        def goforit(self):
            ''' your actions ... trying to access a URI for which you may have
            constraints '''
            ...
            if constraints.exist:
                result = self.ndgGate.check((role, AAwsdl))
                if result == 'AccessGranted':
                    access = 1
                else:
                    access = 0


NDG Security Current Status

• NDG started Phase 2 in 2006 with Alpha Stage milestone this week:
  – Target secure data resource with NDG security
  – Done (both for A and B metadata)
  – Engineered NDG security into BBFTP …
• Working prototype implemented in Python:
  – Deployed at partner sites: British Oceanographic Data Centre, National Oceanography Centre Southampton, Plymouth Marine Lab and Centre for Ecology and Hydrology
  – Supports single sign-on
  – Uses XML Signature and XML encryption but not WS-Security compliant (yet)
  – Uses WSDL
  – Open Source


Security Next Steps

• WS interfaces need to be adapted to be compliant to WS-Security
  – Produce Java implementation for DEWS
  – Adapt ZSI Python WS libraries
  – Possibly use LBL libraries: pyGridWare
• Latest status info: NDG Project Management Trac site (http://proj.badc.rl.ac.uk/ndg/)


DEWS: Delivering Environmental Web Services

Department of Trade and Industry funding …
- health stream (new WFS)
- Marine stream (new WCS based on GADS)
- NDG Security
- Prototype for commercial activity


Current Status


Architecture: NDG Metadata Taxonomy

… not one schema, not one solution!

[Diagram of metadata schemas: CSML, NcML + CF, MOLES, THREDDS (… NMM, SensorML etc.), DIF -> ISO 19115, CLADDIER]


Architecture: Deployment

[Diagram: Data Providers, NDG Core Services, Users, NDG GUI Interface(s), Vocab Services]


MOLES: implementation

Core linking concept is the deployment:

[Diagram: a Deployment, on behalf of an Activity, of a Data Production Tool at an Observation Station, that produces a Data Entity]

Each of the main metadata objects has security data attached to it. This means that this can be applied to queries on the metadata.

Links the metadata records into a structure that can be turned into a navigable structure.


NDG “Pseudo-Demo”: exploiting discovery web service

(running interface on my laptop last night)


More Browse

Scrolling Down


MOLES Navigation

Actually, this is where we plan to use NMM


MOLES to Secure Dx


NDG Authentication

Offering up trusted host list …


Data Extractor


Geosplat


NDG Timeline

NDG2 runs until September 2007:
• NDG-Alpha (June 2006)
  – Not all components in place (particularly delivery broker)
  – Not many (maybe only DX) products will be deployable by non-NDG participants (too much hard work installing things that haven’t been optimised for installation)
  – Discovery portal will be (is now) usable, linking to NCAR data etc, but isn’t very user friendly (options not obvious etc).
• NDG-Beta (Feb 2007)
  – Most components should work, but deployment of software may still be difficult by non-participants
• NDG-Prod (Jun 2007)
  – Should be deployable and far more user friendly (spending from Feb-June working on deployment and friendliness, no new functionality)
• Last few months working on sustainability etc

http://proj.badc.rl.ac.uk/trac/roadmap