[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FW: Securing OPeNDAP Question



Hi Philip:

I didnt follow all of the conversation below, but Ill just jump in and you tell 
me what I might be missing, or other info you need:

We do have various security possibilities in the TDS. These apply to any of the 
data services, including opendap. 

1) One could trivially just put anything you want under https using tomcat 
mechanisms. 

2) Luca and I last year worked out a more complicated scheme that does 
authentication with https, then switches back to http for the actual data 
transfer. As a default it uses Tomcat authorization, but you can also plug in 
other software, including your own. We tested it with CAS and CAMS, and Luca 
tested it with his plugin I think. It was a hand-rolled solution and had a few 
problems, but worked at the time.

3) We are Springifying TDS curerntly, and will try to use Spring Security 
(formerly Ageci) for future security implementations, if possible.

I understand that security implementation has changed again for ESG, and Luca 
and I agreed that when things settled down for him in a few months, we would 
take this up again to make sure TDS was a useable component for ESG. One of the 
issues remains browser based authentication vs software agent (eg a visualizer 
like IDV, or a Matlab program). My impression is that different solutions are 
required in ESG.

In short, we have been waiting for ESG to have a clear requirement defined and, 
I assume, an implementation strategy, and then we will incorporate into the TDS

Regards,
John

Kershaw, PJ (Philip) wrote:
> Hi John,
> 
> I wanted to forward to you this discussion about security OPeNDAP and 
> THREDDS.  You may remember we spoke a little about security at GO-ESSP some 
> weeks ago.  I work at the BADC on the security system for the NERC DataGrid.  
> I've been oc-ordinating with Luca and other members of the ESG team on a 
> security solution for IPCC AR5 data access.
> 
> Luca mentions the possibility of configuring security into THREDDS for 
> OPeNDAP requests.  Is this something that is worked out already or is it in 
> future plans for THREDDS?
> 
> Cheers,
> Phil
> ____________________________________________
>  
> Philip Kershaw
> The British Atmospheric Data Centre
> Space Science & Technology Department
> Rutherford Appleton Laboratory
> Chilton, Didcot
> OX11 0QX
> UK
>  
> Tel: +44 (0)1235 446495
> Fax: +44 (0)1235 445848
>  
> www:    http://badc.nerc.ac.uk
>         http://www.sstd.rl.ac.uk/
> e-mail: address@hidden
> ____________________________________________
> 
> 
> 
>> -----Original Message-----
>> From: Kershaw, PJ (Philip) 
>> Sent: 09 October 2008 14:28
>> To: 'Luca Cinquini'
>> Cc: address@hidden; Don Middleton; Stephan Kindermann; 
>> Eric Nienhouse; Roland Schweitzer; Rachana Ananthakrishnan; 
>> Frank Siebenlist; Williams Dean; Lawrence, BN (Bryan)
>> Subject: RE: Securing OPeNDAP Question
>>
>>
>> Thanks Luca.  
>>
>> So my next questions :) ... 
>>
>>>     the basic answer is that we don't know yet how to
>>> secure opendap  
>>> requests with TDS
>> When do you think you will be looking at this for ESG and in 
>> turn how does it impact on AR5 interoperability work?  We 
>> worked out a solution for the browser based profile at the 
>> GO-ESSP security meeting but there is this amongst things to 
>> work out for the non-browser use case.
>>
>> We've already got the work with the Attribute Service and 
>> SAML interfaces scheduled into the new year so I'm guessing 
>> it will be likewise with solutions for example for securing 
>> OPeNDAP and the non-browser based profile?
>>
>>> Just as an idea, another filter implementation could open up
>>> the X509 certificate that the client connects with for opendap  
>>> requests, retrieve the openid identifier, and use that to make an  
>>> authorization call. 
>> Yes, I had some ideas for this looking at how a simple wget 
>> client might work with username/password over SSL using HTTP 
>> Auth for the non-browser based case.  It implies that the 
>> user trusts the resource provider with their password and 
>> there's the Where Are You From? problem for the filter 
>> processing the user's credentials.  The username string could 
>> contain the location of an authN service e.g. 
>> address@hidden to enable the filter to 
>> authenticate.  MyProxy might be the better way to go but the 
>> client needs to have the software installed.  It would be 
>> nice if there was a simple way of integrating security hooks 
>> into ncopen.
>>
>> Cheers,
>> Phil
>>> -----Original Message-----
>>> From: Luca Cinquini [mailto:address@hidden
>>> Sent: 07 October 2008 20:37
>>> To: Kershaw, PJ (Philip)
>>> Cc: address@hidden; Don Middleton; Stephan Kindermann; 
>>> Eric Nienhouse; Roland Schweitzer; Rachana Ananthakrishnan; 
>>> Frank Siebenlist; Williams Dean; Lawrence, BN (Bryan)
>>> Subject: Re: Securing OPeNDAP Question
>>>
>>>
>>> Hi Phil,
>>>     the basic answer is that we don't know yet how to
>>> secure opendap  
>>> requests with TDS, and we didn't talk to John about it.
>>>
>>> The more detailed answer is that in the past we have collaborated
>>> with John in securing other types of TDS requests, namely the full- 
>>> file requests, and we have done so by implementing an Authorizer  
>>> filter in front of the normal TDS processing chain. This 
>> filter can  
>>> do pretty much anything you want: the current 
>> implementation accepts  
>>> a limited lifetime authorization token and validates against the  
>>> server. Just as an idea, another filter implementation 
>> could open up  
>>> the X509 certificate that the client connects with for opendap  
>>> requests, retrieve the openid identifier, and use that to make an  
>>> authorization call. But we obviously have never tried...
>>>
>>> thanks, Luca
>>>
>>> On Oct 7, 2008, at 8:24 AM, Kershaw, PJ (Philip) wrote:
>>>
>>>> Hi Luca,
>>>>
>>>> Thanks for the info.  For ESG then, you have TDSs 
>> deployed as part 
>>>> of data nodes: do you have a means to secure these e.g. some kind
>>>> of set-up whereby they're only exposed to valid ESG Gateways?
>>>>
>>>>> The only effort I know about is from our ESG collegues at
>>> HAO, which
>>>>> are setting up the Hyrax server to use X509 certificates.
>>>> ...Then it's based on SSL client authentication?
>>>>
>>>> I spoke to John Caron a little at the meeting about security 
>>>> solutions and I know Bryan has been in touch with him in the past
>>>> about the security hooks for THREDDS.  We talked about a 
>> mechanism  
>>>> for client requests whereby an initial security step was carried  
>>>> out over SSL followed by data transfer over http in order 
>> to avoid  
>>>> the performance hit with large datasets.  It would be great 
>>> to come
>>>> up with something simple with minimal impact on client apps.
>>>>
>>>> I'll contact John, but is securing OPeNDAP via THREDDS something 
>>>> you've discussed already for the ESG security non-browser based
>>>> profile?
>>>>
>>>> Hope you're not too buried in system integration :)
>>>>
>>>> Cheers,
>>>> Phil
>>>>
>>>>> -----Original Message-----
>>>>> From: Luca Cinquini [mailto:address@hidden
>>>>> Sent: 02 October 2008 15:46
>>>>> To: Kershaw, PJ (Philip)
>>>>> Cc: address@hidden; Don Middleton; Stephan 
>> Kindermann; Eric
>>>>> Nienhouse; Roland Schweitzer; Rachana Ananthakrishnan; Frank 
>>>>> Siebenlist; Williams Dean
>>>>> Subject: Re: Securing OPeNDAP Question
>>>>>
>>>>>
>>>>> Hi Phil,
>>>>>   to my knowledge, security with opendap is still very
>>> preliminary.
>>>>> The only effort I know about is from our ESG collegues at
>>> HAO, which
>>>>> are setting up the Hyrax server to use X509 certificates. 
>>>>> Unfortunately, the most common OpenDAP server we will be 
>> using is 
>>>>> TDS, ot Hyrax, which is not currently setup to accept 
>> X509 certs. 
>>>>> But that being a Tomcat application, it should be 
>> possible to take
>>>>> advantage of Tomcat support for client certificate 
>> authentication,
>>>>> perhaps.
>>>>> Luca
>>>>>
>>>>> On Oct 1, 2008, at 7:14 AM, Kershaw, PJ (Philip) wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> There was some mention of OPeNDAP and security at 
>> GO-ESSP.  I was
>>>>>> wondering if any of you could tell me more about what 
>>> activity there
>>>>>> is in this area.  Are there solutions already
>>>>> available or is
>>>>>> it something still under development?
>>>>>>
>>>>>> Cheers,
>>>>>> Phil
>>>>>
>>>> --
>>>> Scanned by iCritical for STFC.
>>>


NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.