Changes between Version 4 and Version 5 of MashMyData/MyProxy


Timestamp:
12/07/10 13:36:18 (9 years ago)
Author:
pjkersha
Comment:

--

  • MashMyData/MyProxy

    v4 v5  
    11= !MashMyData Delegation with !MyProxy = 
     2[[PageOutline]] 
    23== Sequence == 
     4=== Actors === 
     5 1. User 
     6 1. User's browser 
     7 1. !MashMyData web portal application 
     8 1. Portal Trust Registry: a registry containing a list of trusted services one per user.  These are services which the user has previously agreed to delegate to act on their behalf.  Trust settings could be set with an expiry.  For the purposes of this project, this service could be co-located with the portal.  For production use it would be likley to be associated with the user's IdP (Identity Provider) 
     9 1. CEDA WPS (OGC Web Processing Service): this will execute a job for the portal on behalf of the user.  The job involves pulling data from another service, a TDS (THREDDS Data Server) also hosted at CEDA.  Both services have access control in place. 
     10 1. CEDA TDS 
     11 1. CEDA Token Service: issues OAuth request and access tokens for the WPS and TDS.  There is at least one Token Service per OAuth realm.  IT could be implemented as a filter in front of both the WPS and TDS. 
     12 
     13=== Process === 
     14 1. The user signs in at the portal using OpenID (deliberately shown compressed into a single step for simplicity). 
    315 
    416[[Image(source:TI12-security/trunk/NDGSecurity/documentation/MashMyData/MyProxyWorkflow.png)]] 
    517 
    618== Example == 
    7 This shows how: 
     19This illustrates how delegation can work with proxy certificates and two !MyProxy servers.  One !MyProxy server is used to obtain credentials.  The second is used to upload delegated credentials which another delegate service can use: 
    820 1. Obtain a user credential from a !MyProxy server 
    921 1. Upload it to another !MyProxy server delegating permission for a given service to access it 
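Review bot: the new Actors list (v5 line 8 and line 11) carries two typos that should be fixed before this goes out: "likley" should be "likely", and "IT could be implemented as a filter" should read "It could be implemented as a filter". The new Process section then lists only step 1 (OpenID sign-in at the portal) before handing over to the workflow image; the steps that involve the other actors introduced just above (Portal Trust Registry, CEDA Token Service, WPS and TDS) exist only in the diagram, so either enumerate them in the text or say explicitly that the diagram carries the remaining steps, otherwise a reader without the image sees a one-step process.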
     
    1426$ myproxy-logon -s my.idp.ac.uk -o creds.pem 
    1527}}} 
    16  1. Upload to another !MyProxy server so that CEDA's WPS can obtain a delegated credential from it: 
     28 1. They or some portal or middleware upload it to another !MyProxy server so that a service, CEDA's WPS can obtain a delegated credential from it: 
    1729{{{ 
    18 $ myproxy-init myproxy-init -s myproxy-service.ceda.ac.uk -x -Z "/C=UK/O=CEDA/OU=MashMyData/CN=host/wps.ceda.ac.uk" -d -n 
     30$ myproxy-init -s myproxy-service.ceda.ac.uk -x -Z "/C=UK/O=CEDA/OU=MashMyData/CN=host/wps.ceda.ac.uk" -d -n 
    1931}}} 
    20  1. The CEDA WPS, obtains a delegated credential so that it run a job on the user's behalf: 
     32    A proxy certificate has been uploaded to `myproxy-service.ceda.ac.uk` which only the CEDA WPS is allowed to delegate from. 
     33 1. The CEDA WPS, obtains a delegated credential so that it can run a job on the user's behalf: 
    2134{{{ 
    2235$ myproxy-logon -s myproxy-service.ceda.ac.uk -l "/O=MyIdP/CN=myusername" -n
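Review bot: v5 line 30 correctly drops the duplicated "myproxy-init myproxy-init" from v4, but the prose around it still needs punctuation: "so that a service, CEDA's WPS can obtain" needs a closing comma after "WPS", and "The CEDA WPS, obtains a delegated credential" has a stray comma. The more important gap is in the new line 32: it says the uploaded proxy is one "which only the CEDA WPS is allowed to delegate from", but nothing ties that restriction to the `-Z "/C=UK/O=CEDA/OU=MashMyData/CN=host/wps.ceda.ac.uk"` option in the command above it. State that this is the DN of the WPS host certificate and that `-Z` is what limits retrieval to that identity, and briefly say what `-x`, `-d` and `-n` change about who can retrieve the credential and how, since a reader copying these commands is configuring exactly that access control. It would also help to explain how the `-l "/O=MyIdP/CN=myusername"` value in the retrieval step at line 35 relates to the `-d` option used when uploading.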