Changes between Version 9 and Version 10 of T12_Security


Ignore:
Timestamp:
22/11/06 17:22:38 (13 years ago)
Author:
pjkersha
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • T12_Security

    v9 v10  
    1515As of the Alpha version NDG Security installation is a combination of the installation of 3rd party packages, configuration of parameter files and a distutils setup.  This pages looks at the steps to convert the simple NDG security distutils setup script into a modular configuration of separate python eggs [wiki:TI12_Security/EggifyingNDGsecurity] 
    1616 
    17 = Older Material, may be moved = 
    18  
    19  
    20 ==== Original NDG2 Key Integration Milestones ==== 
    21  
    22  1. Initiation Stage (Sept-Dec 2005): Completed. NDG 1 Security is a working prototype installed at BADC and BODC. 
    23  1. Document for data centres outlining pre-requisites for NDG security H/W and infrastructure [20 Dec 2005] 
    24  1. Alpha Development and Testing Stage (Jan-July 2006) : 
    25  1. H/W baseline agreed for all sites - agree pre-requisites for H/W and infrastructure at data centres to run NDG security [20 Jan 2006] 
    26  1. Data Centres publish their user roles to allow establishment of role mappings [31 Jan 2006] 
    27  1. Security Pre-installation – BODC (update to existing), NOCS, PML [28 Feb 2006] 
    28  1. Integration with Data Extractor [1 May 2006] 
    29  1. Role Mappings finalised for all data centres [30 June 2006] 
    30  1. Security Integration: installation of version 1.0 at all sites [31 July 2006] 
    31  1. Beta Development and Testing Stage (Aug-Jan 2007) 
    32  1. Production System Implementation Stage  (Feb-June 2007)  
    33  1. Reporting and Futures Planning (July-Sept 2007) 
    34  
    35  
    36 == Integration Dependencies == 
    37  
    38  1. BADC User database and user roles <-> Attribute Authority  
    39  1. PML User database and user roles <-> Attribute Authority  
    40  1. NOSC User database and user roles <-> Attribute Authority  
    41  1. PERMIS – authorisation system 
    42  1. THREDDS system (external) 
    43  1. NCAR (external) 
    44  1. World Data Centre for Climate (external) 
    45  
    46  
    47 == Internal Development Stages == 
    48  
    49  1. '''Initiation Stage [Sept-Dec 2006]:'''  
    50  1. NDG 1 Security working prototype installed at BADC and BODC [Completed Nov 2005] 
    51  1. '''Document for data centres outlining pre-requisites for NDG security H/W and infrastructure [20 Dec 2005]''' 
    52  1. Prototype Enhancements 1 [20 Dec 2005]: 
    53  1. [DEFINITE] XML Encryption – allow encryption of NDG security message content between web services where required [3 days]. 
    54  1. [DEFINITE] Session Manager request forwarding – allow local Session Manager to forward browser client requests to the Session Manager where the user’s session resides [3 days]. 
    55  1. '''Alpha Development and Testing Stage [Jan-July 2006]:''' 
    56  1. Prototype Enhancements 2 [30 June 2006]: 
    57    1. [DEFINITE] Cross domain cookies – Problem:  NDG must work across the domains of the different participating data centres. However, a given cookie is only visible to the domain in which it was set.  Look into solutions and following analysis, implement the best.  [2 weeks]. 
    58    1. [DEFINITE] Attribute Authority WS has method getTrustedHosts to allow user to see which hosts a data centre trusts to help when they are trying to get authorisation for a given data set [2 days]. 
    59    1. [DEFINITE] Session Manager SimpleCA Web Services - functionality for certificate revocation [1 week]. 
    60  1. '''H/W baseline agreed for all sites - agree pre-requisites for H/W and infrastructure at data centres to run NDG security[20 Jan 2006]''' 
    61  1. '''Data Centres publish their user roles to allow establishment of role mappings [31 Jan 2006]:''' 
    62    1. [DEFINITE] Liaise with data centres (NOCS and PML) to establish user roles (BADC and BODC have roles set up).   
    63    1. [MAYBE] Meeting with data centres to discuss roles [1 day]  
    64    1. [DEFINITE] Data Centres (NOCS and PML) create list of user roles for their data [1 week each] 
    65  1. Write NOCS and PML roles<–>Attribute Authority interface python plug-ins. [1 week] 
    66  1. Pre-installation preparation [31 January 2006]: 
    67    1. [MAYBE] Installation script – builds Python libraries from C source code.  This may not be necessary if binary install will work [1 week] 
    68    1. [DEFINITE] Installation Guide Complete [1 week] 
    69  1. '''Security Pre-installation – BODC (update to existing), NOCS, PML [28 Feb 2006]:''' 
    70    1. [DEFINITE] Upgrade BADC system from NDG prototype to latest version [1 week] 
    71    1. [DEFINITE] Upgrade BODC system from NDG prototype to latest version [1 week] 
    72    1. [DEFINITE] Install system at NOCS [1 week] 
    73    1. [DEFINITE] Install system at PML [1 week] 
    74  1. !DataDeliveryService – component for matching user authorisation roles with those of data and handling of data download [30 Apr 2006]. 
    75    1. [DEFINITE] Design and analysis - sequence diagrams and use cases to aid analysis as required [1 week] 
    76    1. [DEFINITE] Implementation [2 weeks] 
    77    1. [DEFINITE] Integration testing with BADC system [1 week] 
    78  1. Logging Web Service (database or file based, with web service interface) [15 Apr 2006 – in time for DX integration]. 
    79    1. [DEFINITE] Requirements Document – gather requirements from whom? – data centres? [1 week] 
    80    1. [DEFINITE] Analysis and design [1 week] 
    81    1. [DEFINITE] Implementation [2 weeks] 
    82  1. '''Integration with Data Extractor [1 May 2006]:''' 
    83    1. [DEFINITE] Help Ag with integration [3 days]  
    84  1. '''Role Mappings finalised for all data centres [30 June 2006]:''' 
    85    1. [MAYBE] Meet with Data Centres to discuss roles and role mappings [1 day] 
    86    1. [DEFINITE] Data Centres establish bilateral role maps between them [2 weeks] 
    87  1. '''Security Integration: installation of version 1.0 at all sites [31 July 2006]:'''  
    88    1. [DEFINITE] BADC [1 week] 
    89    1. [DEFINITE] BODC [1 week] 
    90    1. [DEFINITE] NOCS [1 week] 
    91    1. [DEFINITE] PML [1 week] 
    92  1. '''Beta Development and Testing Stage(Aug-Jan 2007):'''  
    93  1. [DEFINITE] Updates to web front ends to include security infrastructure [Developers/System Administrators at each data centre 31 August 2006, 4 weeks each] 
    94  1. [DEFINITE] system testing [31 August 2006, 4 weeks] 
    95  1. [DEFINITE] bug fixes, changes and updates as required [4 weeks] 
    96  1. '''Production System Implementation Stage (Feb-June 2007):''' 
    97  1. '''Reporting and Futures Planning (July-Sept 2007):''' [The following activities organised under this milestone more by relevance to topic than suiting time constraint.  These tasks could be shifted to earlier in the schedule as required] 
    98  1. Using certificates from other CAs in NDG security: 
    99    1. [MAYBE] Analysis – look into changes that would be needed – !MyProxy behaviour etc. 
    100    1. [MAYBE] Implement 
    101  1. Java clients to Web Service Interfaces: 
    102    1. [MAYBE] Write Java stub code for NDG Security Web Services [3 weeks] 
    103    1. [MAYBE] In light of the above, review the WS interfaces and change as necessary – radical change to Document Literal rather than RPC style needed? [1 week] 
    104    1. [MAYBE ] Aug -  updates to BODC, NOCS and PML NDG Security s/w following possible changes to WS interfaces [2 weeks] 
    105  1. PERMIS: 
    106    1. [MAYBE] Investigate replacement of NDG authorisation system with PERMIS. [1 week] 
    107    1. [MAYBE] Implement as of outcome of the above [7 weeks] 
    108  1. Shibboleth: 
    109    1. [MAYBE] Investigate Shibboleth <-> NDG interoperation [1 week] 
    110    1. [MAYBE] Implement as of outcome of the above [5 weeks] 
    111  1. THREDDS: 
    112    1. [MAYBE] engineer a suitable interface to integrate with THREDDS authorisation [4 weeks] 
    113  1. Look into Java implementation of NDG Security components:  
    114    1. [MAYBE] Attribute Authority  – update Neil Bennett’s existing version [3 weeks] 
    115    1. [MAYBE] Session Manager – [4 weeks] 
    116    1. [MAYBE] SimpleCA – [4 weeks] 
    117    1. [MAYBE] ftpService – [4 weeks] 
    118  
    119 == Issues == 
    120  
    121 trusting external certificates (KNOWN CA’s) 
    122  * can we generate certificates for a session only? 
    123  * How to enable NDG security needs to be an early deliverable 
    124  
     17== Older Material:  Security TID == 
     18[wiki:TI12_Security/TID] 
    12519 
    12620See also [wiki:WGSecurity].