Re: [thredds] Proposal for handling authorization credentials in thredds....

To: <mggr@xxxxxxxxx>
Subject: Re: [thredds] Proposal for handling authorization credentials in thredds....
From: <philip.kershaw@xxxxxxxxxx>
Date: Tue, 15 Mar 2011 14:54:59 +0000

Hi Mike,

>Hi Phil (no escaping my mail list lurking!),

Great to hear from you :)

>
>On 14/03/11 19:29, philip.kershaw@xxxxxxxxxx wrote:
>> If for example you had a TDS running, there is standard middleware
>> for ESG that you could front it with to secure it.  If you also had a
>> portal for users to sign in to you would almost certainly have a
>> MyProxy server configured too.  Probably best if I pass on more
>> details off listŠ
>
>Actually, if you have a (reasonably straightforward) howto + caveats, it
>might be rather useful to send it to the list.  I imagine there are a
>lot of people interested in federated logins - we're definitely still
>watching this topic at NEODAAS.

If you want federated login then you could get this with the Earth System
Grid Federation stack.  This has been rolled out at a number of
organisations.  The 'Data Node' includes a TDS configured with security
filters for OpenID and PKI based authentication (accepts credentials from
a MyProxy server).  The 'Gateway' approximates in security terms to an
Identity Provider.  This includes an OpenID Provider and MyProxy server
for OpenID and PKI based single sign on respectively.  If you want to get
involved and try out the code you could join the lists and get in touch:

Gateway: 
http://mailman.earthsystemgrid.org/mailman/listinfo/esg-gateway-dev
Data Node: mailto:majordomo@xxxxxxxxxxxxxx with subscribe
esg-node-dev@xxxxxxxxxxxxxx in the body
GO-ESSP: http://mailman.ucar.edu/mailman/listinfo/go-essp-tech

If you are really after delegation capability - services requesting
resources with privileges delegated from a user then you might be
interested in the MashMyData project.  This builds on ESGF security
infrastructure to enable delegation.  We are chaining a portal to an OGC
Web Processing Service which itself calls ESGF-secured OPeNDAP services.
Delegation is done with GSI - proxy certificates.  The project is
currently underway so it's not at the stage where it's production ready.
I've written up some more info about the security model here:
http://philipkershaw.blogspot.com/2010/12/mash-my-security-for-mashmydata.h
tml

Would be great to hear about any other work going on in this area!

Cheers,
Phil

--
Scanned by iCritical.

2011 messages navigation, sorted by:
1. Thread
2. Subject
3. Author
4. Date
5. ↑ Table Of Contents
Search the thredds archives: