Version 17 (modified by pjkersha, 10 years ago) (diff)


Security / ndg_security


These pages give the details of the Python code base for NDG Security. It uses the ndg_saml, ndg_xacml and MyProxyClient packages. For an overview of NDG Security see wiki:.

NDG Security uses a modular server side architecture based on the Python WSGI. WSGI filters front applications to be protected enforcing access control. Attribute and Authorisation web services, OpenID applications are all built around the WSGI specification. Using PasteDeploy, it is possible to make a flexibile configuration at deployment by arranging the filters and applications by following a simple ini file syntax.


The code base has been tested on a variety of Linux distributions including Ubuntu and SUSE. Python 2.6 is required for the ndg_security version 2.0.0. The 1.5.x branch works with Python 2.5. For server deployment, Apache2 with mod_wsgi are the recommended containers for running applications and filters. Links to installation and configuration details are given below.


Code is maintained in a SubVersion Repository Access the trunk. For the latest stable release, refer to the Releases section below.


Code is released as Python eggs and uploaded to the NERC DataGrid Python distributions repository at Releases once created are copied into the tags SVN directory. Branches are maintained where an earlier release has forked from the main development trunk e.g. the here 1.5.x branch


Includes support for ESGF Group/Role? attribute value type for SAML queries and XACML policy. Also contains fix for clock skew tolerance check in SAML message validation.


Adds integration with XACML 2.0 implementation ndg_xacml, and SAML authorisation service interface.

1.5.x Branch

Maintained for some existing deployments. Uses custom authorisation interface.

See here for SubVersion development branch. See here for release snapshots.


Code can be installed from the NDG distributions repository. To install the eggs e.g.

$ easy_install -f ndg_security

To include the XACML based authorisation (optional):

$ easy_install ndg_xacml

To pick up unit and integration tests:

$ easy_install -f ndg_security_test

tar.gz based distributions will be added soon for  PIP support.

A full set of configuration instructions will follow soon (as of writing 07/01/11).


For server side components, the recommended configuration is with mod_wsgi with Apache2:

Apache2 and mod_wsgi configuration

See wiki:ndg_security/Apache2?.


  1. Install buildout
    $ easy_install zc.buildout
  2. Make a directory for holding the buildout configuration:
    $ mkdir /usr/local/ndg-security
  3. Initialise buildout environment
    $ cd /usr/local/ndg-security
    $ buildout init
    $ buildout bootstrap
  4. Edit the buildout configuration file buildout.cfg and make a part to install a local Python interpreter with the required eggs:
    parts = interpreter
    recipe = zc.recipe.egg
    interpreter = py
    find-links =
    unzip = true
    eggs =  ndg_security_server==2.2.0
    Nb. This assumes connection to a Postgres database (psycopg2 package). Alter to suit your needs. The database package is needed for the Attribute Service and OpenID Provider only.
  5. Run buildout to install the eggs:
    $ ./bin/buildout