Kershaw, Philip and Ananthakrishnan, Rachana and Cinquini, Luca and Lawrence, Bryan and Pascoe, Stephen and Siebenlist, Frank (2010) A Flexible Component based Access Control Architecture for OPeNDAP Services. In: European Geosciences Union General Assembly 2010, 2-7 May 2010, Vienna.
|Archive (ZIP) (EGU2010 Presentation on Securing OPeNDAP Services) - Presentation|
Network data access services such as OPeNDAP enable widespread access to data across user communities. However, without ready means to restrict access to data for such services, data providers and data owners are constrained from making their data more widely available. Even with such capability, the range of different security technologies available can make interoperability between services and user client tools a challenge.

OPeNDAP is a key data access service in the infrastructure under development to support CMIP5 (Coupled Model Intercomparison Project Phase 5). The work is being carried out as part of an international collaboration including the US Earth System Grid and Curator projects and the EU-funded IS-ENES and Metafor projects. This infrastructure will bring together petabytes of climate model data and associated metadata from over twenty modelling centres around the world in a federation with a core archive mirrored at three data centres.

A security system is needed to meet the requirements of organisations responsible for model data, including the ability to restrict data access to registered users, keep them up to date with changes to data and services, audit access and protect finite computing resources. Individual organisations have existing tools and services such as OPeNDAP with which users in the climate research community are already familiar. The security system should overlay access control in a way which maintains the usability and ease of access to these services.

The BADC (British Atmospheric Data Centre) has been working in collaboration with the Earth System Grid development team and partner organisations to develop the security architecture. OpenID and MyProxy were selected at an early stage in the ESG project to provide single sign-on capability across the federation of participating organisations. Building on the existing OPeNDAP specification, an architecture based on pluggable server-side components has been developed at the BADC. These components filter requests to the service they protect and apply the required authentication and authorisation schemes. Filters have been developed for OpenID and SSL client based authentication, the latter enabling access with MyProxy-issued credentials. By preserving a clear separation between the security and application functionality, multiple authentication technologies may be supported without the need for modification to the underlying OPeNDAP application.

The software has been developed in the Python programming language, securing the Python-based OPeNDAP implementation, PyDAP. This utilises the Python WSGI (Web Server Gateway Interface) specification to create distinct security filter components. Work is also currently underway to develop a parallel Java-based filter implementation to secure the THREDDS Data Server.

Whilst the ability to apply this flexible approach to the server-side security layer is important, the development of compatible client software is vital to the take-up of these services across a wide user base. To date, PyDAP and wget based clients have been tested, and work is planned to integrate the required security interface into the netCDF API. This forms part of ongoing collaboration with the OPeNDAP user and development community to ensure interoperability.
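The separation between security filters and the application described above can be sketched as WSGI middleware. This is an added example, not the BADC or ESG code: it assumes a TLS front end that exposes mod_ssl-style `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN` variables and a hand-off through `REMOTE_USER`, and `data_app`, `POLICY` and the certificate DN are constructed for illustration.

```python
import posixpath
from wsgiref.util import setup_testing_defaults

def data_app(environ, start_response):
    """Stand-in for the data service; it contains no security logic."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"data"]

def deny(start_response, status):
    start_response(status, [("Content-Type", "text/plain")])
    return [status.encode()]

class SSLClientAuthnFilter:
    """Sets REMOTE_USER from a client certificate verified by the TLS front end."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Assumption: mod_ssl-style variables populated by the web server.
        if environ.get("SSL_CLIENT_VERIFY") == "SUCCESS" and environ.get("SSL_CLIENT_S_DN"):
            environ["REMOTE_USER"] = environ["SSL_CLIENT_S_DN"]
        return self.app(environ, start_response)

class AuthzFilter:
    """Enforces a path-prefix policy using only REMOTE_USER, whatever set it."""
    def __init__(self, app, policy):
        self.app, self.policy = app, policy

    def __call__(self, environ, start_response):
        # Normalise so "/a/../cmip5" and "//cmip5" cannot sidestep the prefix match.
        path = "/" + posixpath.normpath(environ.get("PATH_INFO") or "/").lstrip("/")
        user = environ.get("REMOTE_USER")
        for prefix, allowed in self.policy.items():
            if path == prefix or path.startswith(prefix + "/"):
                if user is None:
                    return deny(start_response, "401 Unauthorized")
                if user not in allowed:
                    return deny(start_response, "403 Forbidden")
        return self.app(environ, start_response)

# Constructed policy and identity; the application object is wrapped, not modified.
POLICY = {"/cmip5": {"/O=Example/CN=alice"}}
secured_app = SSLClientAuthnFilter(AuthzFilter(data_app, POLICY))

def call(app, path, **extra):
    """Drive one request through the stack; returns (status, body)."""
    environ = {"PATH_INFO": path, **extra}
    setup_testing_defaults(environ)
    status = []
    body = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0], body
```

Because the authorisation filter reads only `REMOTE_USER`, a second authentication filter (for example one based on OpenID) could be stacked in front of it without changing either the policy filter or the application.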
|Item Type:||Conference or Workshop Item (Speech)|
|Uncontrolled Keywords:||Security, Access Control, OPeNDAP, Earth System Grid|
|Subjects:||Data and Information|
|Deposited By:||Mr Philip Kershaw|
|Deposited On:||17 May 2010 15:15|
|Last Modified:||17 May 2010 15:15|