Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control for NCAR Data Portals A report on work in progress about the future of the NCAR Community Data Portal Luca Cinquini GO-ESSP Workshop, 6-8.

Published byKatherine Parker Modified over 8 years ago

Similar presentations

Presentation on theme: "Access Control for NCAR Data Portals A report on work in progress about the future of the NCAR Community Data Portal Luca Cinquini GO-ESSP Workshop, 6-8."— Presentation transcript:

1 Access Control for NCAR Data Portals A report on work in progress about the future of the NCAR Community Data Portal Luca Cinquini GO-ESSP Workshop, 6-8 June 2006 Acknowledgments: Don Middleton, Rob Markel, Mike Burek

2 Introduction Web-based access to data and services is extremely popular and effective – one of the preferred ways through which scientists and other users find and download their data Several NCAR data portals already exist, are under development or planned: CDP, ESG, GIS, GridBGC, VSTO, EOL, DSS, JOSS,... Necessity to coordinate a unified NCAR strategy for web- based data access  Avoid multiple logins, registration  Present consistent interface and suite of services to users  Avoid duplication of effort

3 Proposal: system of federated NCAR data portals that share technology, data and metadata:  CDP: central gateway to all NCAR data holdings, offers basic services: –Generic search & discovery –Catalogs browsing –Metadata exchange with partner institutions  Multiple discipline-specific portals –Increased discipline-specific functionality –Decentralized management of data holdings and services –Allow “branding” Need common set of services used by all portals to establish access control to shared, distributed resources

4 NCAR Access Control Services GIS EOL Observations CISM Space Weather NACP Carbon Cycle CDP gateway ESG Climate Models VSTO Solar - Terrestrial DATA

5 Access Control Model Objects: users, groups, roles, resources (= data or services) Group: affiliation of a user to a VO (“ccsm”, “vsto”, etc.) Role: level of capability within group (“admin”, “read”, etc) User is assigned one or more privileges: (user, group, role)  (“Johnny”, “ccsm”, “read”) or (“jimmy”, “gis”, “admin”) Resource may be subject to one or more restrictions: (resource, group, role)  (“/disk/data/ccsm”,”ccsm”,”write”)  (“http://host:port/data/ccsm/”,”user”,”read”)  Note: if null, restrictions are inherited from parent resource Authorization: match user privileges to resource restrictions

6 RESOURCEROLE USERGROUP PRIVILEGERESTRICTION

7 Access Control Relational Schema

8 Web-based Registration System

9 Groups Hierarchy

10 Identification of Data Resources Resources must be uniquely identifiable so that restrictions may be set up and looked up By logical id (ex: ucar.cgd.ccsm.b30.004.atm.file1.nc)  Clear distinction between logical resource and physical location  Automatic sharing of restrictions among replicas of a logical resource  Must store logical id - physical location mapping for each replica  Must store restriction on each resource OR restriction on some ancestor and full resources hierarchy By URI (ex: http://host:/data/ccsm.b30.004.atm.file1.nc)  Resources hierarchy is implicit (contained in directory structure)  No separate storage of logical id  Restrictions may be reduced to a minimum (i.e. imposed on directories)  Restrictions must be imposed separately for replicas (and multiple access protocols)

11 Access Control to Data Use Cases 1.Portal-executed authorization Service is embedded within portal Portal contacts Access Control Services to establish authorization before invoking service Service is agnostic to authorization process 2.Service-executed authorization Native client makes request to standalone service via secure protocol (including authentication information) Data service contacts Access Control Services to establish authorization Data service needs to be instrumented as Access Control Services client 3.Portal-delegated authorization Client-service communication is insecure (example: http download) Request is sent first to portal which executes authorization Request is then redirected to service Service validates request

12 Use Case 1: Portal-Executed Authorization

13 Use Case 2: Service-Executed Authorization

14 Use Case 3: Portal-Delegated Authorization

15 Demo restricted http download

16 LAHFS: Lightweight Authorized Http File Server

17 Summary NCAR Community Data Portal is undergoing evolutionary phase: from single portal to gateway of federated, discipline- specific portals Access Control mechanism is a cornerstone of federation model  Some system components already developed and deployed  Software needs to be upgraded and integrated into deployable, production-level package Feedback and suggestions are welcome Progress report at next year GO-ESSP meeting

Download ppt "Access Control for NCAR Data Portals A report on work in progress about the future of the NCAR Community Data Portal Luca Cinquini GO-ESSP Workshop, 6-8."

Similar presentations

Clearinghouse and OGC Web Services Overview Doug Nebert FGDC Secretariat December 4, 2001.

Clearinghouse and OGC Web Services Overview Doug Nebert FGDC Secretariat December 4, 2001.
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
The CA MDB Revised May 16 2006. © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced.

The CA MDB Revised May © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced.
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
The Anatomy of the Grid: An Integrated View of Grid Architecture Carl Kesselman USC/Information Sciences Institute Ian Foster, Steve Tuecke Argonne National.

The Anatomy of the Grid: An Integrated View of Grid Architecture Carl Kesselman USC/Information Sciences Institute Ian Foster, Steve Tuecke Argonne National.
Geospatial One-Stop A Federal Gateway to Federal, State & Local Geographic Data

Geospatial One-Stop A Federal Gateway to Federal, State & Local Geographic Data
Inter-Institutional Registration UNC Cause December 4, 2007.

Inter-Institutional Registration UNC Cause December 4, 2007.
NCAR/SCD/VETS The NCAR Community Data Portal

NCAR/SCD/VETS The NCAR Community Data Portal
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
Software Frameworks for Acquisition and Control European PhD – 2009 Horácio Fernandes.

Software Frameworks for Acquisition and Control European PhD – 2009 Horácio Fernandes.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Metadata Server system software laboratory. Overview metadata service in Grid environment Grid environment Metadata server User query data search information.

Metadata Server system software laboratory. Overview metadata service in Grid environment Grid environment Metadata server User query data search information.
PENN Community Project SUG Presentation April 8, 2002.

PENN Community Project SUG Presentation April 8, 2002.
System Architecture University of Maryland David Henry Office of Information Technology December 6, 2002.

System Architecture University of Maryland David Henry Office of Information Technology December 6, 2002.
The Earth System Grid Discovery and Semantic Web Technologies Line Pouchard Oak Ridge National Laboratory Luca Cinquini, Gary Strand National Center for.

The Earth System Grid Discovery and Semantic Web Technologies Line Pouchard Oak Ridge National Laboratory Luca Cinquini, Gary Strand National Center for.
Authenticating REST/Mobile clients using LDAP and OERealm

Authenticating REST/Mobile clients using LDAP and OERealm
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
Understanding Active Directory

Understanding Active Directory

Similar presentations

Ads by Google