Monday 24 January 2011

It's nice when it just works

Last week we deployed the full access control infrastructure with our TDS (THREDDS Data Server), part of the Data Node component we are hosting at the BADC as part of the Earth System Grid Federation (ESGF). What's been pleasing is that we have been able to mix independent implementations and yet combine them easily into a working system.

In terms of software implementation the ESGF is predominantly Java based, but within the context of access control there is a parallel Python based 'NDG Security' implementation here. We now have TDS deployed too, hooked up to the same system. This follows on from a previous post on the authorisation infrastructure for ESG in which I showed PyDAP, a Python implementation of OPeNDAP, deployed with our authorisation system. TDS is of course Java based and we run it within Tomcat, fronted with a servlet based authorisation filter. The common interface to the authorisation system is a SAML web service callout from the filter to an Authorisation Service. ESGF has a Java based Authorisation Service implementation, but here we've deployed the Python based one from NDG Security, which shares the same interface. Plugging TDS into this was simply a matter of configuring the connection settings and adding the extra rules needed to the XACML policy.

So below, a user's NetCDF client (it could equally be a browser) can talk to two apps, PyDAP and TDS, to make OPeNDAP queries. PyDAP is deployed with mod_wsgi / Apache. Each service is fronted by an authorisation filter (in practice authentication filters too, but omitted here for simplicity). The respective filters intercept requests and query the Authorisation Service to make an access control decision. The Authorisation Service is itself a Python app, also running under mod_wsgi / Apache.

Within the Authorisation Service, a context handler translates the incoming SAML decision request query to XACML (yes, XACML could have been used instead of SAML between the filters and the Authorisation Service) and feeds the request to the Policy Decision Point. The PDP has an XACML policy fed to it at start-up. When making an access decision it can also ask the context handler to query the Policy Information Point for additional attributes. The PIP can query for federation wide attributes from an Attribute Service at PCMDI; PCMDI have a key role administering access in the federation. The PDP makes its decision and a response is sent via the context handler back to the filter fronting the respective app. One point worth stressing for anyone wiring a filter up to this: the filter should treat anything other than an explicit Permit (a Deny, a NotApplicable because no rule covers the resource, or an error talking to the Authorisation Service) as a refusal, so that a gap in the policy fails closed rather than open.
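To make the flow in the last two paragraphs concrete, here is an added, self-contained Python model of it: a WSGI authorisation filter of the kind that fronts PyDAP, a context handler that turns the filter's SAML-style query into an XACML-style request, a PDP that evaluates a small prefix-matching policy with XACML's first-applicable combining algorithm, and a PIP that looks subject attributes up on demand. This is illustrative code written for this post; it is not NDG Security's code or API, and the class names, the attribute identifier `urn:esg:group:role`, the OpenID-style subject URIs, the attribute values and the resource paths are all constructed for the example.

```python
# Illustrative model of the filter -> context handler -> PDP/PIP flow.
# NOT NDG Security code; every identifier below is invented for this example.
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"  # XACML decisions


@dataclass
class SAMLAuthzDecisionQuery:  # what the filter sends: who, which resource, what action
    subject: str    # user identifier established by the authentication filter
    resource: str   # OPeNDAP URI being requested
    action: str     # HTTP method


@dataclass
class XACMLRequest:
    subject_id: str
    resource_id: str
    action_id: str
    attributes: dict = field(default_factory=dict)  # attribute-id -> values, filled via PIP


@dataclass
class Rule:
    resource_prefix: str   # rule target: resources under this URI prefix
    attribute_id: str      # attribute the subject must hold ...
    attribute_value: str   # ... with this value
    effect: str = PERMIT


class PolicyInformationPoint:
    """Fetches federation-wide subject attributes from an attribute service."""
    def __init__(self, attribute_service):
        self._svc = attribute_service  # constructed stand-in for the real service

    def query(self, subject_id, attribute_id):
        return set(self._svc.get(subject_id, {}).get(attribute_id, ()))


class ContextHandler:
    """Translates SAML -> XACML, brokers PIP lookups for the PDP, returns the decision."""
    def __init__(self, pdp, pip):
        self._pdp, self._pip = pdp, pip

    def saml_to_xacml(self, q):
        return XACMLRequest(q.subject, q.resource, q.action)

    def resolve(self, req, attribute_id):
        if attribute_id not in req.attributes:  # hit the PIP at most once per request
            req.attributes[attribute_id] = self._pip.query(req.subject_id, attribute_id)
        return req.attributes[attribute_id]

    def decide(self, q):
        return self._pdp.evaluate(self.saml_to_xacml(q), self)


class PolicyDecisionPoint:
    """Evaluates rules in order: XACML 'first-applicable' rule combining."""
    def __init__(self, rules):
        self._rules = list(rules)  # policy loaded once at start-up

    def evaluate(self, req, ctx):
        for rule in self._rules:
            if not req.resource_id.startswith(rule.resource_prefix):
                continue  # target does not match, try the next rule
            if rule.attribute_value in ctx.resolve(req, rule.attribute_id):
                return rule.effect
            return DENY  # target matched but the subject lacks the attribute
        return NOT_APPLICABLE  # no rule covers this resource


class AuthorisationFilter:
    """WSGI middleware playing the role of the authorisation filter in front of PyDAP."""
    def __init__(self, app, context_handler):
        self._app, self._ctx = app, context_handler

    def __call__(self, environ, start_response):
        q = SAMLAuthzDecisionQuery(environ.get("REMOTE_USER", ""),  # set by auth filter
                                   environ.get("PATH_INFO", "/"),
                                   environ.get("REQUEST_METHOD", "GET"))
        decision = self._ctx.decide(q)
        if decision != PERMIT:  # fail closed: Deny and NotApplicable both block
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"Access denied ({decision})\n".encode()]
        return self._app(environ, start_response)


# Constructed sample data, not real ESGF attributes or policy.
ATTRIBUTE_SERVICE = {  # subject -> attribute-id -> values
    "https://openid.example.org/alice": {"urn:esg:group:role": {"cmip5_research:user"}},
    "https://openid.example.org/bob": {"urn:esg:group:role": {"other:user"}},
}
POLICY = [
    Rule("/thredds/dodsC/cmip5/", "urn:esg:group:role", "cmip5_research:user"),
    Rule("/dap/cmip5/", "urn:esg:group:role", "cmip5_research:user"),
]


def build_filter(app):
    ctx = ContextHandler(PolicyDecisionPoint(POLICY), PolicyInformationPoint(ATTRIBUTE_SERVICE))
    return AuthorisationFilter(app, ctx)


def data_app(environ, start_response):  # stand-in for PyDAP / TDS
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"netcdf data\n"]


def request(app, user, path, method="GET"):
    """Drive a WSGI app once with a constructed environ; return (status, body)."""
    seen = {}
    body = b"".join(app({"REMOTE_USER": user, "PATH_INFO": path, "REQUEST_METHOD": method},
                        lambda status, headers: seen.setdefault("status", status)))
    return seen["status"], body.decode()


if __name__ == "__main__":
    app = build_filter(data_app)
    for user, path in [("https://openid.example.org/alice", "/dap/cmip5/tas.nc.dods"),
                       ("https://openid.example.org/bob", "/dap/cmip5/tas.nc.dods"),
                       ("https://openid.example.org/alice", "/dap/public/x.nc")]:
        print(user.rsplit("/", 1)[1], path, "->", request(app, user, path)[0])
```

Two design points are worth noting. The context handler caches each attribute on the request object, so a policy with several rules needing the same attribute costs one PIP call rather than one per rule, which matters when the PIP is a remote attribute service. And the filter only lets a request through on an explicit Permit: the third request above, for a path no rule covers, comes back NotApplicable from the PDP and is still refused.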