
Access Control for NCAR Data Portals A report on work in progress about the future of the NCAR Community Data Portal Luca Cinquini GO-ESSP Workshop, 6-8 June 2006 Acknowledgments: Don Middleton, Rob Markel, Mike Burek

Introduction
- Web-based access to data and services is extremely popular and effective: it is one of the preferred ways through which scientists and other users find and download their data.
- Several NCAR data portals already exist, are under development, or are planned: CDP, ESG, GIS, GridBGC, VSTO, EOL, DSS, JOSS, ...
- There is a need to coordinate a unified NCAR strategy for web-based data access:
  - Avoid multiple logins and registrations
  - Present a consistent interface and suite of services to users
  - Avoid duplication of effort

Proposal: a system of federated NCAR data portals that share technology, data and metadata:
- CDP: central gateway to all NCAR data holdings, offering basic services:
  - Generic search and discovery
  - Catalog browsing
  - Metadata exchange with partner institutions
- Multiple discipline-specific portals:
  - Increased discipline-specific functionality
  - Decentralized management of data holdings and services
  - Allow "branding"
A common set of services, used by all portals, is needed to establish access control to shared, distributed resources.

[Diagram: NCAR Access Control Services, shared by the CDP gateway and the discipline-specific portals (GIS; EOL: Observations; CISM: Space Weather; NACP: Carbon Cycle; ESG: Climate Models; VSTO: Solar-Terrestrial), all sitting on top of the common DATA holdings]

Access Control Model
- Objects: users, groups, roles, resources (= data or services)
- Group: affiliation of a user to a VO ("ccsm", "vsto", etc.)
- Role: level of capability within a group ("admin", "read", etc.)
- A user is assigned one or more privileges: (user, group, role)
  - ("Johnny", "ccsm", "read") or ("jimmy", "gis", "admin")
- A resource may be subject to one or more restrictions: (resource, group, role)
  - ("/disk/data/ccsm", "ccsm", "write")
  - Note: if a resource's restriction is null, the restriction is inherited from the parent resource
- Authorization: match the user's privileges against the resource's restrictions

Access Control Relational Schema

[Entity diagram: USER, GROUP, ROLE and RESOURCE tables; PRIVILEGE associates a user with a group and a role; RESTRICTION associates a resource with a group and a role]

Web-based Registration System

Groups Hierarchy

Identification of Data Resources
Resources must be uniquely identifiable so that restrictions may be set up and looked up.
- By logical id (ex: ucar.cgd.ccsm.b atm.file1.nc)
  - Clear distinction between the logical resource and its physical location
  - Automatic sharing of restrictions among all replicas of a logical resource
  - Must store the logical id to physical location mapping for each replica
  - Must store a restriction on each resource, OR a restriction on some ancestor plus the full resource hierarchy
- By URI
  - The resource hierarchy is implicit (contained in the directory structure)
  - No separate storage of a logical id
  - Restrictions may be reduced to a minimum (i.e. imposed on directories)
  - Restrictions must be imposed separately for each replica (and for each access protocol)
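The model from the Access Control Model slide (privileges as (user, group, role), restrictions as (resource, group, role), null restrictions inherited from the parent) together with the two identification schemes above, as an added worked example in Python. This is not code from the CDP or the NCAR Access Control Services. The role ordering read < write < admin, the rule that satisfying any one restriction is enough, the nearest-ancestor-wins inheritance, the explicit parent map for logical ids, and every resource name other than the slide's own /disk/data/ccsm example and the Johnny/jimmy privileges are assumptions made for the example.

```python
"""Added example, not NCAR/CDP code: the slides' access-control model for both
URI-identified and logical-id-identified resources."""
from posixpath import dirname

# Assumption: roles are ordered capability levels within a group. The slides name
# only "admin" and "read"; "write" and this ordering are illustrative.
ROLE_LEVEL = {"read": 1, "write": 2, "admin": 3}


class AccessControl:
    def __init__(self):
        self.privileges = set()   # {(user, group, role)}
        self.restrictions = {}    # resource -> {(group, role)}
        self.parents = {}         # logical id -> parent logical id (stored hierarchy)
        self.replicas = {}        # logical id -> [physical URI, ...]

    def grant(self, user, group, role):
        self.privileges.add((user, group, role))

    def restrict(self, resource, group, role):
        self.restrictions.setdefault(resource, set()).add((group, role))

    def register(self, logical_id, parent, replicas):
        """Logical-id scheme: both the hierarchy and the replica mapping must be stored."""
        self.parents[logical_id] = parent
        self.replicas[logical_id] = list(replicas)

    def parent(self, resource):
        if resource in self.parents:          # logical id: explicit, stored hierarchy
            return self.parents[resource]
        p = dirname(resource)                 # URI: hierarchy implicit in the path
        return None if p == resource else p   # dirname("/") == "/" -> root reached

    def effective_restrictions(self, resource):
        """Nearest restricted ancestor-or-self. A resource with no restriction of its
        own inherits; assumption: a child's restriction replaces the parent's."""
        node = resource
        while node is not None:
            if node in self.restrictions:
                return node, self.restrictions[node]
            node = self.parent(node)
        return None, set()   # nothing restricted up to the root: treated as public

    def authorize(self, user, resource):
        """Match privileges to restrictions. Assumption: any one (group, role)
        restriction satisfied by a privilege of at least that role in that group grants."""
        _, rules = self.effective_restrictions(resource)
        if not rules:
            return True
        return any(
            u == user and g == group and ROLE_LEVEL[r] >= ROLE_LEVEL[role]
            for (group, role) in rules
            for (u, g, r) in self.privileges
        )

    def authorized_replicas(self, user, logical_id):
        """Logical-id scheme: one restriction on the id covers every replica."""
        if not self.authorize(user, logical_id):
            return []
        return self.replicas.get(logical_id, [])


def demo():
    """Constructed sample data; only the first three entries come from the slides."""
    ac = AccessControl()
    ac.grant("Johnny", "ccsm", "read")
    ac.grant("jimmy", "gis", "admin")
    ac.restrict("/disk/data/ccsm", "ccsm", "write")
    # constructed: an admin user, a read-only public subtree, a GIS tree
    ac.grant("alice", "ccsm", "admin")
    ac.restrict("/disk/data/ccsm/public", "ccsm", "read")
    ac.restrict("/disk/data/gis", "gis", "read")
    # constructed logical ids: the dataset id is restricted once, the file inherits it
    ac.register("ucar.cgd.ccsm", None, [])
    ac.register("ucar.cgd.ccsm.file1.nc", "ucar.cgd.ccsm",
                ["http://portal.example/ccsm/file1.nc",
                 "gsiftp://mirror.example/ccsm/file1.nc"])
    ac.restrict("ucar.cgd.ccsm", "ccsm", "read")
    return ac
```

Two points the slide makes show up directly in the code: for URI resources the lookup walks the path upward and a single restriction on /disk/data/ccsm covers every file under it, but a second replica under another path or protocol needs its own restriction; for logical ids the hierarchy has to be stored explicitly (the parents map), and in return one restriction answers for all replicas. Note also that an unrestricted tree is public here; a deployment that prefers default-deny would return False from the root case instead.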

Access Control to Data: Use Cases
1. Portal-executed authorization
   - The service is embedded within the portal
   - The portal contacts the Access Control Services to establish authorization before invoking the service
   - The service is agnostic to the authorization process
2. Service-executed authorization
   - A native client makes a request to a standalone service via a secure protocol (including authentication information)
   - The data service contacts the Access Control Services to establish authorization
   - The data service needs to be instrumented as an Access Control Services client
3. Portal-delegated authorization
   - Client-service communication is insecure (example: http download)
   - The request is sent first to the portal, which executes authorization
   - The request is then redirected to the service
   - The service validates the request

Use Case 1: Portal-Executed Authorization

Use Case 2: Service-Executed Authorization

Use Case 3: Portal-Delegated Authorization

Demo restricted http download

LAHFS: Lightweight Authorized Http File Server
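Use case 3 (portal-delegated authorization) and the restricted http download demonstrated by LAHFS, as an added example in Python; this is not LAHFS or portal code. The slides only say that the portal authorizes, redirects, and the service validates the request. The mechanism shown here, an HMAC over the path, user and expiry computed with a secret shared between the portal and the file server, is an assumption, as are the host names, the secret and the authorization callback.

```python
"""Added example, not LAHFS code: a portal-issued, signed and expiring download URL
that an http file server can validate without talking to the portal again."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret; in a deployment it would be provisioned out of band to both sides.
SHARED_SECRET = b"constructed-portal-lahfs-secret"


def sign(path, user, expires, secret=SHARED_SECRET):
    """MAC over everything the file server will rely on (path, user, expiry)."""
    msg = f"{path}\n{user}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def portal_redirect(user, path, is_authorized, ttl=300, now=None,
                    base="http://lahfs.example"):
    """Portal side: run authorization first, then redirect to the file server.
    `is_authorized(user, path)` stands in for the Access Control Services call.
    Returns the redirect URL, or None when the portal denies the request."""
    if not is_authorized(user, path):
        return None
    expires = int(now if now is not None else time.time()) + ttl
    query = urlencode({"user": user, "expires": expires,
                       "sig": sign(path, user, expires)})
    return f"{base}{path}?{query}"


def file_server_validate(url, now=None):
    """File-server side: recompute the MAC over the path actually requested,
    reject expired or tampered URLs, and never serve on a missing signature."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        user = query["user"][0]
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    current = int(now if now is not None else time.time())
    if current > expires:
        return False
    expected = sign(parts.path, user, expires)
    return hmac.compare_digest(expected, sig)   # constant-time comparison
```

Over plain http the redirect URL is a bearer token until it expires: anyone who observes it can replay it within the TTL, so keep the TTL short and, where the deployment allows, bind the MAC to more context (client address, a one-time nonce the server records). The file server must also canonicalize the path it serves before checking it against the signed path, so that `..` segments or alternate encodings cannot turn a signature for one file into access to another.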

Summary
- The NCAR Community Data Portal is undergoing an evolutionary phase: from a single portal to a gateway of federated, discipline-specific portals
- The Access Control mechanism is a cornerstone of the federation model
  - Some system components have already been developed and deployed
  - The software needs to be upgraded and integrated into a deployable, production-level package
- Feedback and suggestions are welcome
- Progress report at next year's GO-ESSP meeting