Changes between Version 9 and Version 10 of ESGF


Timestamp:
11/10/10 09:27:04 (9 years ago)
Author:
pjkersha
Comment:

--

  • ESGF

    v9 v10  
    11= Security Architecture for the Earth System Grid Federation = 
     2[[PageOutline]] 
    23This page covers collaboration work carried out by the BADC with the ESGF partner organisations for the ESGF to develop an architecture for federated identity management and access control.  
    34 
    45== Architectural Overview == 
     6The ESG architecture is divided into two top-level components, a Gateway and Data Node.  In security terms, the Gateway performs the function of Identity Provider and administrator and controller of authorisation policy.  The Data Node in the Service or ''Resource'' Provider.  It serves data and hosts security components to protect access.  It delegates authorisation policy to its associated Gateway.  There may be a one to many relationship - Gateway => Data Node(s). 
     7 
    58[[Image(source:TI12-security/trunk/NDGSecurity/documentation/ESGF/ESGSecurityOverview.png)]] 
    69 
    710=== Authentication === 
    8 The Earth System Grid security architecture supports OpenID and PKI based authentication for services.  For OPeNDAP based services like TDS, the server side is configured with a filter which intercepts requests and applies these authentication schemes.  OpenID based authentication is suited to interactive login with a browser, whilst PKI based authentication is more suited to non-user interactive clients such as scripts or other programs.  The diagram below shows the interactions in a sequence: 
     11The Earth System Grid security architecture supports OpenID and PKI based authentication for services.  For OPeNDAP based services like TDS, the server side is configured with a filter which intercepts requests and applies these authentication schemes.  OpenID based authentication is suited to interactive login with a browser, whilst PKI based authentication is more suited to non-user interactive clients such as scripts or other programs.  The diagram below shows the interactions in a sequence.  URIs requiring authentication return a redirect response to the client prompting the client to submit a certificate in an SSL handshake with an Authentication Service running under HTTPS.  On successful, login a redirect response from the authentication serivce returns the client to the original request URI so that the resource may be accessed or further prior authorisation policy applied: 
    912 
    1013[[Image(source:TI12-security/trunk/NDGSecurity/documentation/ESGF/OPeNDAPSSLAuthentication.png)]]
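Review bot: Two wording defects in the added text should be fixed before this revision is published. In the new v10 line 11, "authentication serivce" should read "authentication service", and the comma in "On successful, login a redirect response" belongs after "login" ("On successful login, a redirect response from the authentication service returns the client to the original request URI ..."). In the new Architectural Overview paragraph (v10 line 6), "The Data Node in the Service or ''Resource'' Provider" reads as "The Data Node is the Service or ''Resource'' Provider". Separately, the new authentication sentence states that the client is redirected back to the original request URI after the SSL handshake with the Authentication Service, but not how that return URI is carried across the two redirects or bound to the authenticated session; a sentence on that would make the sequence description complete alongside the OPeNDAPSSLAuthentication diagram.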