SEE-GEO OGF22 PowerPoint Presentation
SEcurE access to
GEOspatial services
OGC-OGF Collaboration workshop
Open Grid Forum 22 (OGF22)
February, 2007
Chris Higgins
(EDINA, University of Edinburgh)
chris.higgins@ed.ac.uk
EDINA National Data Centre
• A National Data Centre for Tertiary Education since 1995, based at the University of Edinburgh
• Our mission: to enhance the productivity of research, learning and teaching in UK higher and further education
• Focus is on services but also undertake R&D
– turn projects into services
• Substantial experience in handling geospatial data
Why interested in Grid?
• Lots of users, e.g., ~30000 students registered for our Ordnance Survey service.
• Need to be able to scale:
– SOA comprised mainly of OGC Web Services for use in the academic sector: an academic Spatial Data Infrastructure
– high load; don't want to restrict services and can't afford to buy endless hardware (that sits unused most of the time)
• Supporting eResearch. Grid characteristics and goals (Technical Strategy OGF 2007-2010):
– infrastructure virtualisation
– resource pooling and sharing
– self monitoring/improvement
– dynamic resource provisioning
– highest Quality of Service
Grid OGC Collision Programme
• JISC (Joint Information Systems Committee) Programme
• Funded by the UK HFE funding councils
• Supports teaching, learning, research and administration
• Provides strategic guidance to UK HFE on use of ICT
• Grid OGC Collision in context of wider UK e-infrastructure
• “…embraces networks, grids, data centres and collaborative environments, and can include supporting operations centres, service registries, single-sign on, certificate authorities, training and help-desk services. Most importantly, it is the integration of these that defines e-Infrastructure.”
SEcurE access to GEOspatial services
• Aiming to demonstrate how access to GI on Grid may be achieved:
– Shibboleth
– WS-Security
– GSI
– OGC Web Services
• Partners: EDINA, NeSC, NCeSS, MIMAS
• Main deliverables are a report and a number of demonstrators:
– National datacentre
– e-Social Science
– Orchestration
• Would welcome your input on next demonstrator
#1 Ordnance Survey MasterMap
• UK National Topographic Database
• 400+ million features
• Encoded in Geography Markup Language (GML)
• EDINA uses Web Feature Servers (WFS) within our architecture – service launched Sept 2007
• We want to make WFS directly available
Reference: GeoDRM Engineering Viewpoint, Elfers, Wagner, OGC meeting San Diego, GeoDRM WG, 2006-12-13
OWS-4 GeoDRM Architecture (diagram): Consumer End-User with an OWS / GeoDRM Client; Deliveryman; Gatekeeper (Enforcement) in front of the OWS Service, applying the licence conditions; Authentication Service (Identity Provider); Authorization Service (Decision); License Broker; License Manager (Administration).
• Gatekeeper is transparent; extension for OGC W*S
– Adds GeoDRM functionality and information (e.g. capabilities)
– Accepts identity and/or license tokens with the W*S payload
• Authentication Service
– Provides identity tokens for in-band authentication
– Authentication Service could be used as central service in a federation
• Authentication and retrieval of user information
• Single-Sign-On and Single-Log-Out
• Support different authentication methodologies (harmonization)
• Authorization Service is responsible for all authorization and validity checks
– Integrity, authenticity and origin of messages, signatures, etc.
– Authorization based on local rights (classical access control) as well as on-the-fly resolved rights from licenses
• License Broker negotiates Licenses with the Client
– Different types of Offerings; those define the further negotiation workflows
– On agreement: Broker stores License in License Manager, Client receives a Reference Token
• License Manager manages Licenses (surprise!)
– Licenses are fetched by the AuthZ-Service using the reference
– Manager could be used as central service in a federation
• Storage in Federation
• Global “License Revoke” (similar to single-log-out)
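The token flow described on this slide, as an added Python illustration that is not SEE-GEO or OWS-4 code: the Authentication Service issues a signed identity token, the License Manager holds the licence the Broker agreed (reached via the client's reference token) and can revoke it globally, and the Authorization Service validates both before the transparent Gatekeeper lets the W*S request through. The shared key, token format and licence fields are assumptions made for this example.

```python
import hashlib, hmac, json, time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Key shared by the Authentication and Authorization Services (assumption).
AUTHN_KEY = b"constructed-authn-service-key"

def issue_identity_token(user, affiliation, ttl=3600, now=None):
    """Authentication Service: HMAC-signed, time-limited identity token."""
    claims = {"sub": user, "aff": affiliation, "exp": (now or time.time()) + ttl}
    body = urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(AUTHN_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def verify_identity_token(token, now=None):
    """AuthZ-side check: signature first, then expiry. Returns claims or None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(AUTHN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(urlsafe_b64decode(body))
    return claims if claims["exp"] > (now or time.time()) else None

class LicenseManager:
    """Holds agreed licences keyed by reference token; supports global revoke."""
    def __init__(self):
        self._licenses = {}
    def store(self, ref, licence):   # Broker stores the licence on agreement
        self._licenses[ref] = licence
    def fetch(self, ref):            # AuthZ-Service fetches it by reference
        return self._licenses.get(ref)
    def revoke(self, ref):           # global "License Revoke"
        self._licenses.pop(ref, None)

def authorize(identity_token, license_ref, request, manager, now=None):
    """Authorization Service: valid identity plus rights resolved from licence."""
    claims = verify_identity_token(identity_token, now)
    licence = manager.fetch(license_ref)
    if claims is None or licence is None:
        return False
    return (licence["licensee"] == claims["sub"]
            and request["service"] == licence["service"]
            and request["operation"] in licence["operations"])

def gatekeeper(identity_token, license_ref, request, manager, ows_handler):
    """Transparent enforcement point: only authorised requests reach the OWS."""
    if not authorize(identity_token, license_ref, request, manager):
        return {"status": 403, "body": "identity or licence check failed"}
    return {"status": 200, "body": ows_handler(request)}
```

A revoked reference fails at the Authorization Service even while the identity token is still valid, which is what makes the central License Manager useful as the federation-wide revoke point.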
AuthN: Shibboleth
(Diagram: User, Where are you from (WAYF), Identity Provider (IdP) and Service Provider (SP), exchanging messages 1–8 as listed below.)
1. User attempts to access a Shibboleth-protected resource on the SP site.
2.,3. User is redirected to the WAYF in order to select home organisation (IdP).
4. IdP ensures that user is authenticated, by whatever means IdP deems appropriate.
5. After successful authentication, a one-time handle (session identifier) is generated for this user session.
6. SP uses the handle to request attribute information from the IdP for this user.
7. IdP allows or denies attribute information to be made available to this SP using the Attribute Release policy.
8. Based on the attribute information made available, SP allows or denies the user access to the resource.
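The eight-step exchange above, as an added Python model that is not SEE-GEO or Shibboleth project code: the IdP authenticates and issues a one-time handle, releases only the attributes its per-SP Attribute Release Policy allows, and the SP decides access from what it received. User records, attribute names and policy contents are constructed for the example.

```python
import secrets

class IdP:
    """Home organisation: authenticates users and applies its Attribute Release Policy."""
    def __init__(self, users, release_policy):
        self.users = users                    # user -> attributes (constructed)
        self.release_policy = release_policy  # SP id -> attributes it may receive
        self._handles = {}                    # one-time handle -> user
    def authenticate(self, user, password):
        """Steps 4-5: local authentication, then a one-time session handle."""
        if self.users.get(user, {}).get("password") != password:
            return None
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = user
        return handle
    def attributes_for(self, handle, sp_id):
        """Steps 6-7: redeem the handle once; release only policy-listed attributes."""
        user = self._handles.pop(handle, None)  # single use: a replayed handle fails
        if user is None:
            return None
        allowed = self.release_policy.get(sp_id, set())
        return {k: v for k, v in self.users[user].items()
                if k in allowed and k != "password"}

class SP:
    """Service Provider: decides access from the attributes the IdP released."""
    def __init__(self, sp_id, required):
        self.sp_id = sp_id
        self.required = required  # attribute -> set of accepted values
    def access(self, idp, handle):
        """Step 8: grant only if every required attribute has an accepted value."""
        attrs = idp.attributes_for(handle, self.sp_id)
        if attrs is None:
            return False
        return all(attrs.get(k) in vals for k, vals in self.required.items())

def wayf(home_orgs, chosen):
    """Steps 2-3: the user picks a home organisation; returns its IdP (or None)."""
    return home_orgs.get(chosen)
```

An SP that the release policy does not list receives no attributes and therefore denies access, so the IdP, not the SP, controls what each service learns about the user.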
UK National Grid Service
• Mission: provide coherent electronic access for UK researchers to all computational and data based resources and facilities required to carry out their research, independent of resource or researcher location
• Largest National Grid Initiative outside US
• Claims to have the largest grid PKI infrastructure
• Approx 500 registered users (April 2007)
• Predominantly focussed on compute and storage at present
• “Content” = Services; data, computation, ... NGS will only grow if the content grows
• Limited data sets available
• Exploring use of their facilities for hosting MasterMap
#2 the SEE-GEO eSocSci exemplar
(Diagram: the eSocSci exemplar refactored as a Web Processing Service.)
OGSA-DAI WPS implementation
• OGSA-DAI activities, a simple pipeline, e.g., GDAS getData, GLS geoLink, WFS getFeature
• Additional GLS implementations simplified if activities already exist (multiple different ways to implement GLS)
• We can now do the following with relatively little extra work:
– Choose different framework datasets dynamically
– Merge GDAS XML directly into an RDBMS dataset
– Implement filters, e.g., bbox; currently must use geolinkage field values (geolinkids)
– Transfer data using GridFTP
– Protect using Grid Security Infrastructure (GSI)
• Feature based data processing and OGSA-DAI as a toolkit for building additional WPS.
Security at the moment
(Diagram labels: “Authenticate here” at the application server; IP restrict services to OGSA-DAI server; IP restrict WPS to application server.)
Some security options/considerations
• Workflow Use Cases vital
• Different service, different licence
• Requirement for secondary authentication
• Other possible security options include:
1. Use GSI
2. Web services as in #1
• Must avoid solutions that do not scale easily
• Need consensus
• Need to be closer to production services and not research
#3 Distributed Federations
• European Persistent Geospatial Testbed for Research and Education
• Collaboration AGILE, EuroSDR and OGC
• Aims:
– research test-bed for collaborative European research in geospatial interoperability
– aid the assessment of the current standards for geospatial interoperability in terms of research compatibility, completeness, consistency and ease of use and extensibility
– an environment for teaching standards and techniques for geospatial interoperability
– a resource to AGILE/EuroSDR/OGC for the coordination of research requirements as well as definition, testing, validation and development of open standards
SARoNGS
End
Questions?
Chris Higgins
(EDINA, University of Edinburgh)
chris.higgins@ed.ac.uk