wiki:TI12_Security/TID

Version 1 (modified by pjkersha, 13 years ago)

Security TID (Now superseded)

Original NDG2 Key Integration Milestones

  1. Initiation Stage (Sept-Dec 2005): Completed. NDG 1 Security is a working prototype installed at BADC and BODC.
  2. Document for data centres outlining pre-requisites for NDG security H/W and infrastructure [20 Dec 2005]
  3. Alpha Development and Testing Stage (Jan-July 2006):
  4. H/W baseline agreed for all sites - agree pre-requisites for H/W and infrastructure at data centres to run NDG security [20 Jan 2006]
  5. Data Centres publish their user roles to allow establishment of role mappings [31 Jan 2006]
  6. Security Pre-installation – BODC (update to existing), NOCS, PML [28 Feb 2006]
  7. Integration with Data Extractor [1 May 2006]
  8. Role Mappings finalised for all data centres [30 June 2006]
  9. Security Integration: installation of version 1.0 at all sites [31 July 2006]
  10. Beta Development and Testing Stage (Aug-Jan 2007)
  11. Production System Implementation Stage (Feb-June 2007)
  12. Reporting and Futures Planning (July-Sept 2007)

Integration Dependencies

  1. BADC User database and user roles <-> Attribute Authority
  2. PML User database and user roles <-> Attribute Authority
  3. NOCS User database and user roles <-> Attribute Authority
  4. PERMIS – authorisation system
  5. THREDDS system (external)
  6. NCAR (external)
  7. World Data Centre for Climate (external)

Internal Development Stages

  1. Initiation Stage [Sept-Dec 2006]:
  2. NDG 1 Security working prototype installed at BADC and BODC [Completed Nov 2005]
  3. Document for data centres outlining pre-requisites for NDG security H/W and infrastructure [20 Dec 2005]
  4. Prototype Enhancements 1 [20 Dec 2005]:
  5. [DEFINITE] XML Encryption – allow encryption of NDG security message content between web services where required [3 days].
  6. [DEFINITE] Session Manager request forwarding – allow local Session Manager to forward browser client requests to the Session Manager where the user’s session resides [3 days].
  7. Alpha Development and Testing Stage [Jan-July 2006]:
  8. Prototype Enhancements 2 [30 June 2006]:
    1. [DEFINITE] Cross-domain cookies – Problem: NDG must work across the domains of the different participating data centres. However, a given cookie is only visible to the domain in which it was set. Look into solutions and, following analysis, implement the best. [2 weeks].
    2. [DEFINITE] Attribute Authority WS has a method, getTrustedHosts, to allow a user to see which hosts a data centre trusts, to help when they are trying to get authorisation for a given data set [2 days].
    3. [DEFINITE] Session Manager SimpleCA Web Services - functionality for certificate revocation [1 week].
  9. H/W baseline agreed for all sites - agree pre-requisites for H/W and infrastructure at data centres to run NDG security [20 Jan 2006]
  10. Data Centres publish their user roles to allow establishment of role mappings [31 Jan 2006]:
    1. [DEFINITE] Liaise with data centres (NOCS and PML) to establish user roles (BADC and BODC have roles set up).
    2. [MAYBE] Meeting with data centres to discuss roles [1 day]
    3. [DEFINITE] Data Centres (NOCS and PML) create list of user roles for their data [1 week each]
  11. Write NOCS and PML roles <-> Attribute Authority interface Python plug-ins. [1 week]
  12. Pre-installation preparation [31 January 2006]:
    1. [MAYBE] Installation script – builds Python libraries from C source code. This may not be necessary if binary install will work [1 week]
    2. [DEFINITE] Installation Guide Complete [1 week]
  13. Security Pre-installation – BODC (update to existing), NOCS, PML [28 Feb 2006]:
    1. [DEFINITE] Upgrade BADC system from NDG prototype to latest version [1 week]
    2. [DEFINITE] Upgrade BODC system from NDG prototype to latest version [1 week]
    3. [DEFINITE] Install system at NOCS [1 week]
    4. [DEFINITE] Install system at PML [1 week]
  14. DataDeliveryService – component for matching user authorisation roles with those of data and handling of data download [30 Apr 2006].
    1. [DEFINITE] Design and analysis - sequence diagrams and use cases to aid analysis as required [1 week]
    2. [DEFINITE] Implementation [2 weeks]
    3. [DEFINITE] Integration testing with BADC system [1 week]
  15. Logging Web Service (database or file based, with web service interface) [15 Apr 2006 – in time for DX integration].
    1. [DEFINITE] Requirements Document – gather requirements from whom? – data centres? [1 week]
    2. [DEFINITE] Analysis and design [1 week]
    3. [DEFINITE] Implementation [2 weeks]
  16. Integration with Data Extractor [1 May 2006]:
    1. [DEFINITE] Help Ag with integration [3 days]
  17. Role Mappings finalised for all data centres [30 June 2006]:
    1. [MAYBE] Meet with Data Centres to discuss roles and role mappings [1 day]
    2. [DEFINITE] Data Centres establish bilateral role maps between them [2 weeks]
  18. Security Integration: installation of version 1.0 at all sites [31 July 2006]:
    1. [DEFINITE] BADC [1 week]
    2. [DEFINITE] BODC [1 week]
    3. [DEFINITE] NOCS [1 week]
    4. [DEFINITE] PML [1 week]
  19. Beta Development and Testing Stage (Aug-Jan 2007):
  20. [DEFINITE] Updates to web front ends to include security infrastructure – Administrators at each data centre [31 August 2006, 4 weeks each?]
  21. [DEFINITE] System testing [31 August 2006, 4 weeks]
  22. [DEFINITE] Bug fixes, changes and updates as required [4 weeks]
  23. Production System Implementation Stage (Feb-June 2007):
  24. Reporting and Futures Planning (July-Sept 2007): [The following activities are organised under this milestone more by relevance to topic than to suit time constraints. These tasks could be shifted to earlier in the schedule as required]
  25. Using certificates from other CAs in NDG security:
    1. [MAYBE] Analysis – look into changes that would be needed – MyProxy behaviour etc.
    2. [MAYBE] Implement
  26. Java clients to Web Service Interfaces:
    1. [MAYBE] Write Java stub code for NDG Security Web Services [3 weeks]
    2. [MAYBE] In light of the above, review the WS interfaces and change as necessary – radical change to Document Literal rather than RPC style needed? [1 week]
    3. [MAYBE] Aug - updates to BODC, NOCS and PML NDG Security s/w following possible changes to WS interfaces [2 weeks]
  27. PERMIS:
    1. [MAYBE] Investigate replacement of NDG authorisation system with PERMIS. [1 week]
    2. [MAYBE] Implement according to the outcome of the above [7 weeks]
  28. Shibboleth:
    1. [MAYBE] Investigate Shibboleth <-> NDG interoperation [1 week]
    2. [MAYBE] Implement according to the outcome of the above [5 weeks]
  29. THREDDS:
    1. [MAYBE] Engineer a suitable interface to integrate with THREDDS authorisation [4 weeks]
  30. Look into Java implementation of NDG Security components:
    1. [MAYBE] Attribute Authority – update Neil Bennett’s existing version [3 weeks]
    2. [MAYBE] Session Manager – [4 weeks]
    3. [MAYBE] SimpleCA – [4 weeks]
    4. [MAYBE] ftpService – [4 weeks]

Issues

Trusting external certificates (known CAs)

  • Can we generate certificates for a session only?
  • How to enable NDG security needs to be an early deliverable