
Canada Centre for Remote Sensing - ESS: Distributed Access Control System. Brian McLeod, Canada Centre for Remote Sensing.


1 Distributed Access Control System
- Brian McLeod, Canada Centre for Remote Sensing

2 GeoInnovations (technology development program)

3 WHAT IS DACS?
- An authentication and access control framework that facilitates secure sharing of HTTP-based web services
- Web service: any static or computational resource available through a web server using HTTP (HTTPS)
- E.g., a web page, document, CGI/ASP program, servlet, database query, file upload/download, generated image, gazetteer request, DACS operation

4 WHAT IS DACS?
- Single Sign-On: the user doesn't need an account on every system and is authenticated just once
- Implemented by a customized web server and a set of CGI programs
- Designed and implemented by DSS as a component of NFIS, with participation of the National Forest Information System (NFIS) Project Office and the PFC/IRMS group, with support from GeoConnections

5 FEDERATIONS/JURISDICTIONS
- Deployed as a federation of jurisdictions
- Jurisdiction: an administrative entity providing authentication services for its users, web services, or both
- All interaction is through a web server that provides DACS services for the jurisdiction
- An organization, department, lab, or workstation can be a jurisdiction
- The set of jurisdictions and their users is open (not static)
- Federation: a set of cooperating jurisdictions (NFIS has 7 jurisdictions in the federation)

6 [Diagram] Two federations: alpha.org and beta.org. Hosts ant.alpha.org, air.alpha.org, bat.beta.org/arrow.alpha.org and boron.beta.org each run a web server with DACS authentication and/or DACS services, connected over SSL/TCP/IP.

7 AUTHENTICATION
- A jurisdiction authenticates its users using its existing mechanisms (e.g., login name and password)
- If successful, DACS creates encrypted credentials that identify the user and accompany subsequent service requests
- The user presents credentials when making a service request; only DACS can decrypt them

8 AUTHENTICATION
- Authentication is a DACS service; any authentication method that can be encapsulated by a service request can be supported
- DACS defines the service protocol by which it requests a jurisdiction to authenticate its users
- Goal is to minimize jurisdictions' implementation effort (common methods have already been implemented)

9 [Diagram] USER AUTHENTICATION: the user contacts the jurisdiction's web server/DACS authentication service over SSL/TCP/IP; the DACS service, driven by the DACS config, calls the jurisdiction's local authentication service and local roles service over HTTP/XML, exchanging authentication info and returning credentials to the user.

10 AUTHENTICATION
- DACS does not manage user accounts on behalf of jurisdictions
- Jurisdictions are isolated from implementation details; DACS provides the glue
- DACS can support cascading requests (server-server service requests)

11 ACCESS CONTROL
- A jurisdiction is totally responsible for specifying access control for its web services
- Access control is performed on a service request (a URL)
- An access control rule specifies:
  - What services the rule applies to (URLs)
  - How the service can be accessed (a predicate)
  - Who the rule applies to (which users)

12 ACCESS CONTROL
- An access control rule can:
  - refer to elements of the credentials (e.g., the user's name and jurisdiction) or environment (e.g., the user's IP address)
  - refer to service request parameters (e.g., SCALE must be greater than 1000)
  - specify additional parameters to pass to an invoked program (constraints)
  - apply to any member of a defined group of users
  - apply to a DACS service

13 SERVICE REQUEST PROCESSING
1. Incoming service request passed to DACS by the web server
2. DACS validates the user's credentials
3. DACS looks for the most specific access control rule that applies to the service request (URL matching)
4. DACS checks if the rule grants permission to this particular user, possibly testing the service request's parameters
5. If permission is granted, the service request is processed normally (DACS exports the identity of the user, etc.)
6. If permission is denied (403 Forbidden), an error handler is invoked

14 GROUPS
- During authentication, a jurisdiction can associate the user with roles, defining role-based groups
- A jurisdiction can also define named groups; members are users, role-based groups, or other named groups
- Group definitions are distributed among the jurisdictions and can be referenced in access control rules throughout the federation
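The following is an added worked example, not DACS code or DACS rule syntax, that walks through the request-processing steps of slides 11 to 14 in one runnable model: credentials are validated, the most specific rule for the URL is selected, the rule's "who" list is resolved through nested role-based and named groups, and the predicate is tested against request parameters and the client address before the identity and constraints are exported or a 403 is returned. Everything here is assumed for illustration: the glob-based rule model, the "most literal characters" tie-break for specificity, the group store, the `DACS_IDENTITY` variable name, and the token format. The page states that credentials are encrypted so that only DACS can read them; this example stands in an HMAC-tagged token with an expiry, which gives integrity and expiry checks but not confidentiality.

```python
"""Constructed example of DACS-style service request processing (slides 11-14).
Not DACS's own rule syntax or code: rule model, group store, token format and
environment variable names are assumptions made for illustration only."""
import fnmatch
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Stand-in for the key only DACS holds. The page says credentials are encrypted;
# here an HMAC tag gives integrity and expiry checking only (a simplification).
SECRET = b"constructed-example-key"


@dataclass
class Credentials:
    jurisdiction: str
    username: str
    roles: List[str]

    @property
    def identity(self) -> str:
        return f"{self.jurisdiction}:{self.username}"


def issue_credentials(creds: Credentials, expires: int) -> str:
    """Produced after a jurisdiction has authenticated the user (slide 7)."""
    body = f"{creds.jurisdiction}|{creds.username}|{','.join(creds.roles)}|{expires}"
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def validate_credentials(token: Optional[str], now: int) -> Optional[Credentials]:
    """Step 2: reject absent, tampered or expired credentials."""
    if not token:
        return None
    try:
        jur, user, roles, expires, tag = token.split("|")
        expires_at = int(expires)
    except ValueError:
        return None
    body = f"{jur}|{user}|{roles}|{expires}"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected) or expires_at <= now:
        return None
    return Credentials(jur, user, roles.split(",") if roles else [])


# Constructed group store (slide 14): members are users ("jurisdiction:user"),
# role-based groups ("role:name") or other named groups ("group:name").
GROUPS: Dict[str, List[str]] = {
    "group:admins": ["alpha.org:root"],
    "group:staff": ["role:analyst", "group:admins"],
}


def is_member(creds: Credentials, who: str, seen: Optional[set] = None) -> bool:
    """Resolve one 'who' entry of a rule against the credentials, following nested groups."""
    if who in ("guest", "any"):            # guest: anyone at all; any: any authenticated user
        return True
    if who.startswith("role:"):
        return who[len("role:"):] in creds.roles
    if who.startswith("group:"):
        seen = set() if seen is None else seen
        if who in seen:                    # cycle guard for self-referencing group definitions
            return False
        seen.add(who)
        return any(is_member(creds, m, seen) for m in GROUPS.get(who, []))
    return who == creds.identity


@dataclass
class Rule:
    url_pattern: str                      # what services the rule applies to (glob over the URL path)
    who: List[str]                        # who the rule applies to
    predicate: Callable[[Dict[str, str], str], bool] = lambda params, ip: True  # how: params, environment
    constraints: Dict[str, str] = field(default_factory=dict)  # extra parameters passed to the program


def select_rule(rules: List[Rule], path: str) -> Optional[Rule]:
    """Step 3: most specific matching rule; assumed tie-break = most literal characters."""
    matching = [r for r in rules if fnmatch.fnmatchcase(path, r.url_pattern)]
    if not matching:
        return None
    return max(matching, key=lambda r: len(r.url_pattern.replace("*", "").replace("?", "")))


def process_request(rules: List[Rule], url: str, token: Optional[str],
                    client_ip: str, now: int) -> Tuple[int, Dict[str, str]]:
    """Steps 1-6: returns (HTTP status, environment exported to the invoked service)."""
    creds = validate_credentials(token, now)
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    rule = select_rule(rules, parts.path)
    if rule is None:                      # no rule covers the service: deny by default
        return 403, {}
    if creds is None:
        allowed = "guest" in rule.who     # unauthenticated requests need an explicit guest rule
    else:
        allowed = any(is_member(creds, w) for w in rule.who)
    if not allowed or not rule.predicate(params, client_ip):
        return 403, {}                    # step 6: the error handler would run here
    env = dict(rule.constraints)          # step 5: export constraints and the user's identity
    if creds is not None:
        env["DACS_IDENTITY"] = creds.identity   # assumed variable name
    return 200, env


# Constructed rules: a guest-readable map service gated on SCALE > 1000, an admin-only
# sub-tree further restricted by client address, and a staff-only report service.
RULES = [
    Rule("/maps/*", ["guest"], lambda p, ip: p.get("SCALE", "").isdigit() and int(p["SCALE"]) > 1000),
    Rule("/maps/admin/*", ["group:admins"], lambda p, ip: ip.startswith("10."), {"LOG_LEVEL": "debug"}),
    Rule("/reports/*", ["group:staff"]),
]

if __name__ == "__main__":
    now = 1000
    ann = issue_credentials(Credentials("alpha.org", "ann", ["analyst"]), expires=2000)
    print(process_request(RULES, "/reports/q1", ann, "192.0.2.7", now))        # granted via role:analyst
    print(process_request(RULES, "/maps/admin/reload", ann, "10.0.0.5", now))  # 403: not in group:admins
```

Two points worth noting in the model: a request for /maps/admin/reload matches both the guest map rule and the admin rule, and it is the more specific admin rule that decides, so a broad permissive rule cannot accidentally cover an administrative sub-tree; and a tampered or expired token is treated the same as no token at all, so it can only reach services that a guest could reach anyway.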

15 IMPLEMENTATION
- Prototype runs on Linux/Solaris/FreeBSD with Apache (i386 and Sparc architectures)
- Open source, standards-based, proven technologies
- Portable: largely platform independent (ANSI C, POSIX)
- Unix and NT authentication components
- Design and implementation can be examined for security weaknesses; specifications are available

16 WHY DACS?
- Special requirements:
  - Architectural model (independent/cooperating jurisdictions, heterogeneous, distributed, available)
  - No client-side code, special installation, etc.
  - Support for a wide variety of services
  - Open set of jurisdictions and users, including guests
- Needs/requirements not yet well understood
- Standardization still in progress (e.g., SAML, XACML, …)
- Existing solutions? Probably not yet.

17 ENHANCEMENTS?
- Port to Microsoft/IIS/ASP
- Support for user certificates
- Support for additional authentication components (e.g., PAM, RADIUS, LDAP)
- Integration with Java?
- Invocation by applications?
- Many other possibilities…

18 ADDITIONAL INFORMATION
- National Forestry Information System (overview)
- DSS – Distributed Systems Software, Inc.
- Dr. Barry Brachman, DACS System Architect
- Pacific Forestry Centre, Integrated Resource Management Systems
- Rick Morrison, NFIS technical lead, Tel: (250)

