Security Architecture for the Earth System Grid Federation

This page covers collaboration work carried out by the BADC with the ESGF partner organisations for the ESGF to develop an architecture for federated identity management and access control.

Architectural Overview

The ESG architecture is divided into two top-level components, a Gateway and Data Node. In security terms, the Gateway performs the function of Identity Provider and administrator and controller of authorisation policy. The Data Node in the Service or Resource Provider. It serves data and hosts security components to protect access. It delegates authorisation policy to its associated Gateway. There may be a one to many relationship - Gateway => Data Node(s).



The Earth System Grid security architecture supports OpenID and PKI based authentication for services. For OPeNDAP based services like TDS, the server side is configured with a filter which intercepts requests and applies these authentication schemes. OpenID based authentication is suited to interactive login with a browser, whilst PKI based authentication is more suited to non-user interactive clients such as scripts or other programs. PKI based authentication is supported to enable the use of GridFTP as well as HTTP based data access services.

PKI Based Authentication over HTTP

The diagram below shows the interactions in a sequence. URIs requiring authentication return a redirect response to the client prompting the client to submit a certificate in an SSL handshake with an Authentication Service running under HTTPS. On successful, login a redirect response from the authentication serivce returns the client to the original request URI so that the resource may be accessed or further prior authorisation policy applied:


OpenID Based Authentication

This diagram show how OpenID based authentication can be offered alongside PKI based authentication using the same configuration and endpoints. The server is agnostic to the client's authentication request type. If a certificate is passed in the SSL handshake, then this method is used, if not then the default is OpenID based sign in:



Applications are secured with an authorisation filter, middleware to intercept incoming requests and refer authorisation decisions to an Authorisation Service over a SAML/SOAP interface. This is true of GridFTP and HTTP based services such as TDS. These services are hosted on a Data Node. Any number of Data Nodes can link to a Authorisation Service hosted at a Gateway.

The diagram below shows the configuration for securing a Python based OPeNDAP service, PyDAP along with an Authorisation Service. The service shown uses a XACML based authorisation engine. There is just an example and there is no standard authorisation engine for ESGF, only it must adhere to the SAML interface and support role based access control. The interfaces to the "CEDA Authorisation Service" component constitute the ESGF authorisation interface whilst the contents show the XACML specific implementation written for NDG Security.


The Authorisation Service itself can pull additional attribute information about a given principal (user) to help it make an authorisation decision. PCMDI hosts a key Attribute Service in the federation in that it controls registration for Federation-wide scope CMIP5 access roles. Should a user request attempt access to CMIP5 related data, the PCMDI Attribute Service is queried to check the principal's registration status to the required CMIP5 role.


This page includes a discussion of options to support user delegation for ESGF.