wiki:T12_Security

Version 7 (modified by lawrence, 13 years ago)

Security

This page reflects issues and discussions associated with both the NDG and the DEWS projects.

This activity provides a software infrastructure for controlled access to resources, and for logging of such access (in the case of NDG; DEWS uses another infrastructure for logging).

Although it applies in both DEWS and NDG, hereafter we will call the security infrastructure discussed here NDG-security, to distinguish it from other security paradigms and infrastructures.

Current issues (as of August 2006) are being discussed at Security0607.

Older Material, may be moved

Original NDG2 Key Integration Milestones

  1. Initiation Stage (Sept-Dec 2005): Completed. NDG 1 Security is a working prototype installed at BADC and BODC.
  2. Document for data centres outlining pre-requisites for NDG security H/W and infrastructure [20 Dec 2005]
  3. Alpha Development and Testing Stage (Jan-July 2006) :
  4. H/W baseline agreed for all sites - agree pre-requisites for H/W and infrastructure at data centres to run NDG security [20 Jan 2006]
  5. Data Centres publish their user roles to allow establishment of role mappings [31 Jan 2006]
  6. Security Pre-installation – BODC (update to existing), NOCS, PML [28 Feb 2006]
  7. Integration with Data Extractor [1 May 2006]
  8. Role Mappings finalised for all data centres [30 June 2006]
  9. Security Integration: installation of version 1.0 at all sites [31 July 2006]
  10. Beta Development and Testing Stage (Aug-Jan 2007)
  11. Production System Implementation Stage (Feb-June 2007)
  12. Reporting and Futures Planning (July-Sept 2007)

Integration Dependencies

  1. BADC User database and user roles <-> Attribute Authority
  2. PML User database and user roles <-> Attribute Authority
  3. NOCS User database and user roles <-> Attribute Authority
  4. PERMIS – authorisation system
  5. THREDDS system (external)
  6. NCAR (external)
  7. World Data Centre for Climate (external)

Internal Development Stages

  1. Initiation Stage [Sept-Dec 2006]:
  2. NDG 1 Security working prototype installed at BADC and BODC [Completed Nov 2005]
  3. Document for data centres outlining pre-requisites for NDG security H/W and infrastructure [20 Dec 2005]
  4. Prototype Enhancements 1 [20 Dec 2005]:
  5. [DEFINITE] XML Encryption – allow encryption of NDG security message content between web services where required [3 days].
  6. [DEFINITE] Session Manager request forwarding – allow local Session Manager to forward browser client requests to the Session Manager where the user’s session resides [3 days].
  7. Alpha Development and Testing Stage [Jan-July 2006]:
  8. Prototype Enhancements 2 [30 June 2006]:
    1. [DEFINITE] Cross-domain cookies – Problem: NDG must work across the domains of the different participating data centres. However, a given cookie is only visible to the domain in which it was set. Look into solutions and, following analysis, implement the best. [2 weeks].
    2. [DEFINITE] Attribute Authority WS has a method getTrustedHosts to allow a user to see which hosts a data centre trusts, to help when they are trying to get authorisation for a given data set [2 days].
    3. [DEFINITE] Session Manager SimpleCA Web Services - functionality for certificate revocation [1 week].
  9. H/W baseline agreed for all sites - agree pre-requisites for H/W and infrastructure at data centres to run NDG security [20 Jan 2006]
  10. Data Centres publish their user roles to allow establishment of role mappings [31 Jan 2006]:
    1. [DEFINITE] Liaise with data centres (NOCS and PML) to establish user roles (BADC and BODC have roles set up).
    2. [MAYBE] Meeting with data centres to discuss roles [1 day]
    3. [DEFINITE] Data Centres (NOCS and PML) create list of user roles for their data [1 week each]
  11. Write NOCS and PML roles <-> Attribute Authority interface Python plug-ins. [1 week]
  12. Pre-installation preparation [31 January 2006]:
    1. [MAYBE] Installation script – builds Python libraries from C source code. This may not be necessary if a binary install will work [1 week]
    2. [DEFINITE] Installation Guide Complete [1 week]
  13. Security Pre-installation – BODC (update to existing), NOCS, PML [28 Feb 2006]:
    1. [DEFINITE] Upgrade BADC system from NDG prototype to latest version [1 week]
    2. [DEFINITE] Upgrade BODC system from NDG prototype to latest version [1 week]
    3. [DEFINITE] Install system at NOCS [1 week]
    4. [DEFINITE] Install system at PML [1 week]
  14. DataDeliveryService – component for matching user authorisation roles with those of data and handling of data download [30 Apr 2006].
    1. [DEFINITE] Design and analysis - sequence diagrams and use cases to aid analysis as required [1 week]
    2. [DEFINITE] Implementation [2 weeks]
    3. [DEFINITE] Integration testing with BADC system [1 week]
  15. Logging Web Service (database or file based, with web service interface) [15 Apr 2006 – in time for DX integration].
    1. [DEFINITE] Requirements Document – gather requirements from whom? – data centres? [1 week]
    2. [DEFINITE] Analysis and design [1 week]
    3. [DEFINITE] Implementation [2 weeks]
  16. Integration with Data Extractor [1 May 2006]:
    1. [DEFINITE] Help Ag with integration [3 days]
  17. Role Mappings finalised for all data centres [30 June 2006]:
    1. [MAYBE] Meet with Data Centres to discuss roles and role mappings [1 day]
    2. [DEFINITE] Data Centres establish bilateral role maps between them [2 weeks]
  18. Security Integration: installation of version 1.0 at all sites [31 July 2006]:
    1. [DEFINITE] BADC [1 week]
    2. [DEFINITE] BODC [1 week]
    3. [DEFINITE] NOCS [1 week]
    4. [DEFINITE] PML [1 week]
  19. Beta Development and Testing Stage (Aug-Jan 2007):
  20. [DEFINITE] Updates to web front ends to include security infrastructure Administrators at each data centre [31 August 2006, 4 weeks each?]
  21. [DEFINITE] system testing [31 August 2006, 4 weeks]
  22. [DEFINITE] bug fixes, changes and updates as required [4 weeks]
  23. Production System Implementation Stage (Feb-June 2007):
  24. Reporting and Futures Planning (July-Sept 2007): [The following activities are organised under this milestone more by relevance to topic than to suit time constraints. These tasks could be shifted to earlier in the schedule as required]
  25. Using certificates from other CAs in NDG security:
    1. [MAYBE] Analysis – look into changes that would be needed – MyProxy behaviour etc.
    2. [MAYBE] Implement
  26. Java clients to Web Service Interfaces:
    1. [MAYBE] Write Java stub code for NDG Security Web Services [3 weeks]
    2. [MAYBE] In light of the above, review the WS interfaces and change as necessary – radical change to Document Literal rather than RPC style needed? [1 week]
    3. [MAYBE] Aug - updates to BODC, NOCS and PML NDG Security s/w following possible changes to WS interfaces [2 weeks]
  27. PERMIS:
    1. [MAYBE] Investigate replacement of NDG authorisation system with PERMIS. [1 week]
    2. [MAYBE] Implement according to the outcome of the above [7 weeks]
  28. Shibboleth:
    1. [MAYBE] Investigate Shibboleth <-> NDG interoperation [1 week]
    2. [MAYBE] Implement according to the outcome of the above [5 weeks]
  29. THREDDS:
    1. [MAYBE] Engineer a suitable interface to integrate with THREDDS authorisation [4 weeks]
  30. Look into Java implementation of NDG Security components:
    1. [MAYBE] Attribute Authority – update Neil Bennett’s existing version [3 weeks]
    2. [MAYBE] Session Manager – [4 weeks]
    3. [MAYBE] SimpleCA – [4 weeks]
    4. [MAYBE] ftpService – [4 weeks]

Issues

Trusting external certificates (known CAs)

  • Can we generate certificates for a session only?
  • How to enable NDG security needs to be an early deliverable

See also WGSecurity.

See also SecDiagrams