180 likes | 322 Views
SE cur E access to GEO spatial services. OGC-OGF Collaboration workshop Open Grid Forum 22 (OGF22) February, 2007 Chris Higgins (EDINA, University of Edinburgh) chris.higgins@ed.ac.uk. EDINA National Data Centre.
E N D
SEcurE access to GEOspatial services OGC-OGF Collaboration workshop Open Grid Forum 22 (OGF22) February, 2007 Chris Higgins (EDINA, University of Edinburgh) chris.higgins@ed.ac.uk
EDINA National Data Centre • A National Data Centre for Tertiary Education since 1995, based at the University of Edinburgh • Our mission... • to enhance the productivity of research, learning and teaching in UK higher and further education • Focus is on services but also undertake r&D • turn projects services • Substantial experience in handling geospatial data
Why interested in Grid? • Lots of users, eg, ~30000 students registered for our Ordnance Survey service. • Need to be able to scale: • SOA comprised mainly of OGC Web Services for use in the academic sector: an academic Spatial Data Infrastructure • high load; dont want to restrict services and cant afford to buy endless hardware (that sits unused most of the time) • Supporting eResearch. Grid characteristics and goals (Technical Strategy OGF 2007-2010): • infrastructure virtualisation • resource pooling and sharing • self monitoring/improvement • dynamic resource provisioning • highest Quality of Service
Grid OGC Collision Programme • JISC (Joint Information Systems Committee) Programme • Funded by the UK HFE funding councils • Supports teaching, learning, research and administration • Provides strategic guidance to UK HFE on use of ICT • Grid OGC Collision in context of wider UK e-infrastructure • “…embraces networks, grids, data centres and collaborative environments, and can include supporting operations centres, service registries, single-sign on, certificate authorities, training and help-desk services. Most importantly, it is the integration of these that defines e-Infrastructure.”
SEcurE access to GEOspatial services • Aiming to demonstrate how access to GI on Grid may be achieved: • Shibboleth • WS-Security • GSI • OGC Web Services • Partners: EDINA, NeSC, NCeSS, MIMAS • Main deliverables are a report and a number of demonstrators: • National datacentre • e-Social Science • Orchestration • Would welcome your input on next demonstrator
#1 Ordnance Survey MasterMap • UK National Topographic Database • 400+ million features • Encoded in Geography Markup Language (GML) • EDINA uses Web Feature Servers (WFS) within our architecture – service launched Sept 2007 • We want to make WFS directly available
Consumer Broker Manager Deliveryman End-User OWS-4 GeoDRM Architecture Reference: GeoDRM Engineering Viewpoint Elfers, Wagner OGC meeting San Diego, GeoDRM WG 2006-12-13 Identity Provider Authentication Service conditions OWS Client Gatekeeper (Enforcement) OWS Service OWS Client GeoDRM Client Authorization Service (Decision) License Broker License Manager (Administration)
Gatekeeper is transparent; extension for OGC W*S • Adds GeoDRM functionality and information (e.g. capabilities) • Accepts identity and/or license tokens with the W*S payload • Authentication Service • Provides identity tokens for in-band authentication • Authentication Service could be used as central service in a federation • Authentication and retrieval of user information • Single-Sign-On and Single-Log-Out • Support different authentication methodologies (harmonization) • Authorization Service is responsible for all authorization and validity checks • Integrity, authenticity and origin of messages, signatures, etc. • Authorization based on local rights (classical access control) as well as on-the-fly resolved rights from licenses
License Broker negotiates Licenses with the Client • Different types of Offerings; those define the further negotiation-workflows • On agreement: Broker stores License in License Manager, Client receives a Reference Token • License Manager manages Licenses (surprise!) • License are fetched by the AuthZ-Service using the reference • Manager could be used as central service in a federation • Storage in Federation • Global “License Revoke” (similar to single-log-out)
AuthN: Shibboleth 1. User attempts to access a Shibboleth-protected resource on the SP site. 2.,3. User is redirected to the WAYF in order to select home organisation (IdP). 4. IdP ensures that user is authenticated, by whatever means IdP deems appropriate. 5. After successful authentication, a one-time handle (session identifier) is generated for this user session. 6. SP uses the handle to request attribute information from the IdP for this user. 7. IdP allows or denies attribute information to be made available to this SP using the Attribute Release policy. 8. Based on the attribute information made available, SP allows or denies the user access to the resource. User 3 1 8 4 Where are you from (WAYF) 2 Identity Provider (IdP) Service Provider (SP) 5 6 7
UK National Grid Service • Mission: provide coherent electronic access for UK researchers to all computational and data based resources and facilities required to carry out their research, independent of resource or researcher location • Largest National Grid Initiative outside US • Claims to have the largest grid PKI infrastructure • Approx 500 registered users (April 2007) • Predominantly focussed on compute and storage at present • “Content” = Services; data, computation, ...NGS will only grow if the content grows • Limited data sets available • Exploring use of their facilities for hosting MasterMap
#2 the SEE-GEO eSocSci exemplar Refactored as Web Processing Service
OGSA-DAI WPS implementation • OGSA-DAI activities, a simple pipeline, eg, GDAS getData, GLS geoLink, WFS getFeature • Additional GLS implementations simplified if activities already exist (multiple different ways to implement GLS) • We can now do the following with relatively little extra work: • Choose different framework datasets dynamically • Merge GDAS XML directly into an RDBMS dataset • Implement filters, eg, bbox, currently must use geolinkage field values (geolinkids) • Transfer data using GridFTP • Protect using Grid Security Infrastructure (GSI) • Feature based data processing and OGSA-DAI as a toolkit for building additional WPS.
Security at the moment Authenticate here IP restrict services to OGSA-DAI server IP restrict WPS to application server
Some security options/considerations • Workflow Use Cases vital • Different service, different licence • Requirement for secondary authentication • Other possible security options include: • Use GSI • Web services as in #1 • Must avoid solutions that do not scale easily • Need consensus • Need to be closer to production services and not research
#3 Distributed Federations • European Persistent Geospatial Testbed for Research and Education • Collaboration AGILE, EuroSDR and OGC • Aims: • research test-bed for collaborative European research in geospatial interoperability • aid the assessment of the current standards for geospatial interoperability in terms of research compatibility, completeness, consistency and ease of use and extensibilit • an environment for teaching standards and techniques for geospatial interoperability • a resource to AGILE/EuroSDR/OGC for the coordination of research requirements as well as definition, testing, validation and development of open standards
End Questions? Chris Higgins (EDINA, University of Edinburgh) chris.higgins@ed.ac.uk