Changes between Version 3 and Version 4 of T12_Security


Ignore:
Timestamp:
05/04/06 17:00:12 (13 years ago)
Author:
pjkersha
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • T12_Security

    v3 v4  
    88To support the information required to show usage of services, and potentially form the basis of charging structures should they be appropriate. 
    99 
    10 Product components 
     10 
     11=== Product components === 
     12 
    1113 1. Underlying library (SecLibrary) 
    1214 1. Software package which deploys an Attribute Authority as a web service. ([wiki:SecAA]) 
     
    1719 1. Logging Web Service (database or file based, with web service interface). (SecLog) 
    1820 
     21 
     22== Key Integration Milestones == 
     23 
     24 1. Initiation Stage (Sept-Dec 2005): Completed. NDG 1 Security is a working prototype installed at BADC and BODC. 
     25 1. Document for data centres outlining pre-requisites for NDG security H/W and infrastructure [20 Dec 2005] 
     26 1. Alpha Development and Testing Stage (Jan-July 2006) : 
     27 1. H/W baseline agreed for all sites - agree pre-requisites for H/W and infrastructure at data centres to run NDG security [20 Jan 2006] 
     28 1. Data Centres publish their user roles to allow establishment of role mappings [31 Jan 2006] 
     29 1. Security Pre-installation – BODC (update to existing), NOCS, PML [28 Feb 2006] 
     30 1. Integration with Data Extractor [1 May 2006] 
     31 1. Role Mappings finalised for all data centres [30 June 2006] 
     32 1. Security Integration: installation of version 1.0 at all sites [31 July 2006] 
     33 1. Beta Development and Testing Stage (Aug-Jan 2007) 
     34 1. Production System Implementation Stage  (Feb-June 2007)  
     35 1. Reporting and Futures Planning (July-Sept 2007) 
     36 
     37 
     38== Integration Dependencies == 
     39 
     40 1. BADC User database and user roles <-> Attribute Authority  
     41 1. PML User database and user roles <-> Attribute Authority  
     42 1. NOSC User database and user roles <-> Attribute Authority  
     43 1. PERMIS – authorisation system 
     44 1. THREDDS system (external) 
     45 1. NCAR (external) 
     46 1. World Data Centre for Climate (external) 
     47 
     48 
     49== Internal Development Stages == 
     50 
     51 1. '''Initiation Stage [Sept-Dec 2006]:'''  
     52 1. NDG 1 Security working prototype installed at BADC and BODC [Completed Nov 2005] 
     53 1. '''Document for data centres outlining pre-requisites for NDG security H/W and infrastructure [20 Dec 2005]''' 
     54 1. Prototype Enhancements 1 [20 Dec 2005]: 
     55 1. [DEFINITE] XML Encryption – allow encryption of NDG security message content between web services where required [3 days]. 
     56 1. [DEFINITE] Session Manager request forwarding – allow local Session Manager to forward browser client requests to the Session Manager where the user’s session resides [3 days]. 
     57 1. '''Alpha Development and Testing Stage [Jan-July 2006]:''' 
     58 1. Prototype Enhancements 2 [30 June 2006]: 
     59   1. [DEFINITE] Cross domain cookies – Problem:  NDG must work across the domains of the different participating data centres. However, a given cookie is only visible to the domain in which it was set.  Look into solutions and following analysis, implement the best.  [2 weeks]. 
     60   1. [DEFINITE] Attribute Authority WS has method getTrustedHosts to allow user to see which hosts a data centre trusts to help when they are trying to get authorisation for a given data set [2 days]. 
     61   1. [DEFINITE] Session Manager SimpleCA Web Services - functionality for certificate revocation [1 week]. 
     62 1. '''H/W baseline agreed for all sites - agree pre-requisites for H/W and infrastructure at data centres to run NDG security[20 Jan 2006]''' 
     63 1. '''Data Centres publish their user roles to allow establishment of role mappings [31 Jan 2006]:''' 
     64   1. [DEFINITE] Liaise with data centres (NOCS and PML) to establish user roles (BADC and BODC have roles set up).   
     65   1. [MAYBE] Meeting with data centres to discuss roles [1 day]  
     66   1. [DEFINITE] Data Centres (NOCS and PML) create list of user roles for their data [1 week each] 
     67 1. Write NOCS and PML roles<–>Attribute Authority interface python plug-ins. [1 week] 
     68 1. Pre-installation preparation [31 January 2006]: 
     69   1. [MAYBE] Installation script – builds Python libraries from C source code.  This may not be necessary if binary install will work [1 week] 
     70   1. [DEFINITE] Installation Guide Complete [1 week] 
     71 1. '''Security Pre-installation – BODC (update to existing), NOCS, PML [28 Feb 2006]:''' 
     72   1. [DEFINITE] Upgrade BADC system from NDG prototype to latest version [1 week] 
     73   1. [DEFINITE] Upgrade BODC system from NDG prototype to latest version [1 week] 
     74   1. [DEFINITE] Install system at NOCS [1 week] 
     75   1. [DEFINITE] Install system at PML [1 week] 
     76 1. DataDeliveryService – component for matching user authorisation roles with those of data and handling of data download [30 Apr 2006]. 
     77   1. [DEFINITE] Design and analysis - sequence diagrams and use cases to aid analysis as required [1 week] 
     78   1. [DEFINITE] Implementation [2 weeks] 
     79   1. [DEFINITE] Integration testing with BADC system [1 week] 
     80 1. Logging Web Service (database or file based, with web service interface) [15 Apr 2006 – in time for DX integration]. 
     81   1. [DEFINITE] Requirements Document – gather requirements from whom? – data centres? [1 week] 
     82   1. [DEFINITE] Analysis and design [1 week] 
     83   1. [DEFINITE] Implementation [2 weeks] 
     84 1. '''Integration with Data Extractor [1 May 2006]:''' 
     85   1. [DEFINITE] Help Ag with integration [3 days]  
     86 1. '''Role Mappings finalised for all data centres [30 June 2006]:''' 
     87   1. [MAYBE] Meet with Data Centres to discuss roles and role mappings [1 day] 
     88   1. [DEFINITE] Data Centres establish bilateral role maps between them [2 weeks] 
     89 1. '''Security Integration: installation of version 1.0 at all sites [31 July 2006]:'''  
     90   1. [DEFINITE] BADC [1 week] 
     91   1. [DEFINITE] BODC [1 week] 
     92   1. [DEFINITE] NOCS [1 week] 
     93   1. [DEFINITE] PML [1 week] 
     94 1. '''Beta Development and Testing Stage(Aug-Jan 2007):'''  
     95 1. [DEFINITE] Updates to web front ends to include security infrastructure [Developers/System Administrators at each data centre 31 August 2006, 4 weeks each] 
     96 1. [DEFINITE] system testing [31 August 2006, 4 weeks] 
     97 1. [DEFINITE] bug fixes, changes and updates as required [4 weeks] 
     98 1. '''Production System Implementation Stage (Feb-June 2007):''' 
     99 1. '''Reporting and Futures Planning (July-Sept 2007):''' [The following activities organised under this milestone more by relevance to topic than suiting time constraint.  These tasks could be shifted to earlier in the schedule as required] 
     100 1. Using certificates from other CAs in NDG security: 
     101   1. [MAYBE] Analysis – look into changes that would be needed – MyProxy behaviour etc. 
     102   1. [MAYBE] Implement 
     103 1. Java clients to Web Service Interfaces: 
     104   1. [MAYBE] Write Java stub code for NDG Security Web Services [3 weeks] 
     105   1. [MAYBE] In light of the above, review the WS interfaces and change as necessary – radical change to Document Literal rather than RPC style needed? [1 week] 
     106   1. [MAYBE ] Aug -  updates to BODC, NOCS and PML NDG Security s/w following possible changes to WS interfaces [2 weeks] 
     107 1. PERMIS: 
     108   1. [MAYBE] Investigate replacement of NDG authorisation system with PERMIS. [1 week] 
     109   1. [MAYBE] Implement as of outcome of the above [7 weeks] 
     110 1. Shibboleth: 
     111   1. [MAYBE] Investigate Shibboleth <-> NDG interoperation [1 week] 
     112   1. [MAYBE] Implement as of outcome of the above [5 weeks] 
     113 1. THREDDS: 
     114   1. [MAYBE] engineer a suitable interface to integrate with THREDDS authorisation [4 weeks] 
     115 1. Look into Java implementation of NDG Security components:  
     116   1. [MAYBE] Attribute Authority  – update Neil Bennett’s existing version [3 weeks] 
     117   1. [MAYBE] Session Manager – [4 weeks] 
     118   1. [MAYBE] SimpleCA – [4 weeks] 
     119   1. [MAYBE] ftpService – [4 weeks] 
     120 
     121== Issues == 
     122 
     123trusting external certificates (KNOWN CA’s) 
     124 * can we generate certificates for a session only? 
     125 * How to enable NDG security needs to be an early deliverable 
     126 
     127 
    19128See also [wiki:WGSecurity]. 
    20129