wiki:MashMyData

MashMyData

These pages are concerned with the security model for  MashMyData.

Requirements

Users can access a Portal which enables them to upload their own data and combine it with other datasets pulled from data services at other sites. MashMyData will make use of the software infrastructure deployed at CEDA which has been developed for Earth System Grid / CMIP5 (Coupled Model Intercompariosn Project, Phase 5). This has it's own security model which uses OpenID and PKI based authentication and single sign on, and OpenID AX and SAML for attribute management and SAML for authorisation interfaces.

User authentication to the Portal is expected to OpenID based. The Portal's ability to access datasets from other sites on the user's behalf implies delegation: the portal and others services are delegated the authority from the user to act on their behalf.

Use Cases

User logs into Portal and requests CEDA's OGC WPS (Web Processing Service), perform some operation on multiple datasets. The WPS itself will access another CEDA OPeNDAP service and perhaps other OPeNDAP services in the federation. Each service has access control in place to secure access to datasets.

Solutions for Access Control with Delegation

  1. Static PKI based: No delegation, services authenticate with other services based on their static PKI based credentials.
    • Pros: simple, will work with the current ESG security infrastructure
    • Cons: no concept of delegation, a given service A accessed by another B has no idea who the user is who service A is acting on behalf of. It only knows the identity of A. Consequently authorisation policy can only be coarse grained.
  2.  Proxy certificates: There are different ways of implementing this:
    1. MyProxy Based: use  MyProxy as a credential store. The portal uploads a user credential to (a) MyProxy server(s) which services can access on the users behalf and use to obtain delegated user credentials in order to access other secured services. - Service A, is trusted by the MyProxy server C. Before accessing service B, it requests a delegated user credential from C. It uses the user credential to access service B.
    2. Without MyProxy: the principle of services obtaining delegated credentials remains the same but there is no MyProxy server to acts as a broker of user credentials. The  IVOA Credential Delegation Model provides an elegant RESTful interface for brokering proxy credentials between services in a workflow.
    • Pros:
      1. Well tried and tested solution in the Grid community, enables integration with other Grids e.g. Climate-G.
      2. ESG Security already supports PKI based authentication and hosts MyProxy based services, but ...
    • Cons:
      1. Currently no ESG Java implementation to support authentication using proxy certificates. A filter would need to be implemented. CEDA's Python implementation does already support proxy certificates.
      2. An additional sign in step may be required at the portal in order to obtain a credential from a MyProxy server. Non-ESG Federation users would need to register with a MyProxy server.
      3. For the !Myproxy based solution, there is a service discovery problem: how does the Portal know which MyProxy server to upload credentials to and how do delegates know which MyProxy server to callout to to get a delegated credential.
  3.  OAuth:
    • Pros:
      1. No need to re-authenticate as with MyProxy based solution.
      2. No need for custom PKI interfaces to support Proxy certificates.
      3. No service discovery problem. OAuth protocol allows required information to be passed in tokens.
      4. Python and Java libraries available
    • Cons:
      1. untried in this scenario but  OGC OWS-6 testbed demonstrated a RESTful interface with delegation based on OpenID and OAuth.
      2. User approval interface required with perhaps a registry of approved delegates. User approval will need to be out of band of HTTP so some other communication mechanism is required. e-mail, SMS or chat protocol would work but are these secure enough?
  4. OAuth/MyProxy hybrid:  CILogon project will use a hybrid of the two technologies. This or a similar solution could take advantage of the best of both.

In More Depth