Changes between Version 15 and Version 16 of ESGF


Timestamp:
14/12/10 13:39:41 (9 years ago)
Author:
pjkersha
Comment:

--

  • ESGF

    v15 v16  
    1010 
    1111=== Authentication === 
    12 The Earth System Grid security architecture supports OpenID and PKI based authentication for services.  For OPeNDAP based services like TDS, the server side is configured with a filter which intercepts requests and applies these authentication schemes.  OpenID based authentication is suited to interactive login with a browser, whilst PKI based authentication is more suited to non-user interactive clients such as scripts or other programs.   
     12The Earth System Grid security architecture supports OpenID and PKI based authentication for services.  For OPeNDAP based services like TDS, the server side is configured with a filter which intercepts requests and applies these authentication schemes.  OpenID based authentication is suited to interactive login with a browser, whilst PKI based authentication is more suited to non-user interactive clients such as scripts or other programs.  PKI based authentication is supported to enable the use of GridFTP as well as HTTP based data access services. 
    1313 
    14 ==== PKI Based Authentication ==== 
     14==== PKI Based Authentication over HTTP ==== 
    1515The diagram below shows the interactions in a sequence.  URIs requiring authentication return a redirect response to the client prompting the client to submit a certificate in an SSL handshake with an Authentication Service running under HTTPS.  On successful, login a redirect response from the authentication serivce returns the client to the original request URI so that the resource may be accessed or further prior authorisation policy applied: 
    1616 
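Review bot: renaming the heading to "PKI Based Authentication over HTTP" while adding the sentence that PKI authentication also enables GridFTP data access implies a companion section for the GridFTP case, but this revision adds none; either add that section or keep the generic heading until it exists. The unchanged flow description still reads "authentication serivce" and "On successful, login" (should be "On successful login,"), and it does not say how the authenticated state is carried back across the redirect to the original request URI (a session cookie, for example); that is the security-relevant step of the sequence and deserves one sentence next to the diagram.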
     
    2323 
    2424=== Authorisation === 
     25Applications are secured with an authorisation filter, middleware to intercept incoming requests and refer authorisation decisions to an Authorisation Service over a SAML/SOAP interface.  This is true of GridFTP and HTTP based services such as TDS.  These services are hosted on a Data Node.  Any number of Data Nodes can link to a Authorisation Service hosted at a Gateway. 
     26 
     27The diagram below shows the configuration for securing a Python based OPeNDAP service, PyDAP along with an Authorisation Service.  The service shown uses a XACML based authorisation engine.  There is just an example and there is no standard authorisation engine for ESGF, only it must adhere to the SAML interface and support role based access control.  The interfaces to the box constitute the ESGF authorisation interface whilst the contents show the XACML specific implementation written for NDG Security. 
     28 
    2529[[Image(source:TI12-security/trunk/NDGSecurity/documentation/ESGF/PyDAPAuthorisation.png)]] 
     30 
     31The Authorisation Service itself can pull additional attribute information about a given principal (user) to help it make an authorisation decision.  PCMDI hosts a key Attribute Service in the federation in that it controls registration for Federation-wide scope CMIP5 access roles.  Should a user request attempt access to CMIP5 related data, the PCMDI Attribute Service is queried to check the principal's registration status to the required CMIP5 role.