canada centre for remote sensing - ess distributed access control system brian mcleod...
Post on 27-Mar-2015
217 Views
Preview:
TRANSCRIPT
Canada Centre for Remote Sensing - ESS
Distributed Access Control SystemDistributed Access Control System
Brian McLeodmcleod@ccrs.nrcan.gc.caCanada Centre for Remote
Sensing
Canada Centre for Remote Sensing - ESS
GeoInnovations (technology development program)
Canada Centre for Remote Sensing - ESS
WHAT IS DACS?WHAT IS DACS?
• An authentication and access control framework that facilitates secure sharing of http-based web services
• Web service: any static or computational resource available through a web server using HTTP (HTTPS):• E.g., a web page, document, CGI/ASP program, servlet,
database query, file upload/download, generated image, gazetteer request, DACS operation
Canada Centre for Remote Sensing - ESS
WHAT IS DACS?WHAT IS DACS?
• “Single Sign-On”• User doesn’t need an account on every system, is
authenticated just once
• Implemented by a customized web server and a set of CGI programs
• Designed and implemented by DSS as a component of NFIS with participation of the National Forest Information System (NFIS) Project Office and the PFC/IRMS group, with support from GeoConnections
Canada Centre for Remote Sensing - ESS
FEDERATIONS/JURISDICTIONSFEDERATIONS/JURISDICTIONS
• Deployed as a federation of jurisdictions• Jurisdiction:
• An administrative entity providing authentication services for its users, web services, or both
• All interaction is through a web server that provides DACS services for the jurisdiction
• An organization, department, lab, or workstation can be a jurisdiction
• The set of jurisdictions and their users is open (not static)
• Federation: a set of cooperating jurisdictions (NFIS has 7 jurisdictions in the federation)
Canada Centre for Remote Sensing - ESS
AUTHENTICATIONAUTHENTICATION
• A jurisdiction authenticates its users using its existing mechanisms (e.g., login name and password)
• If successful, DACS creates encrypted credentials that identify the user and accompany subsequent service requests
• User presents credentials when making a service request; only DACS can decrypt them
Canada Centre for Remote Sensing - ESS
AUTHENTICATIONAUTHENTICATION
• Authentication is a DACS service; any authentication method that can be encapsulated by a service request can be supported
• DACS defines the service protocol by which it requests a jurisdiction to authenticate its users
• Goal is to minimize jurisdictions’ implementation effort (common methods have already been implemented)
Canada Centre for Remote Sensing - ESS
AUTHENTICATIONAUTHENTICATION
• DACS does not manage user accounts on behalf of jurisdictions
• Jurisdictions are isolated from implementation details; DACS provides the “glue”
• DACS can support “cascading” requests (server-server service requests)
Canada Centre for Remote Sensing - ESS
ACCESS CONTROLACCESS CONTROL
• A jurisdiction is totally responsible for specifying access control for its web services
• Access control is performed on a service request (a URL)
• An access control rule specifies:• What services the rule applies to (URLs)• How the service can be accessed (a
predicate)• Who the rule applies to (which users)
Canada Centre for Remote Sensing - ESS
ACCESS CONTROLACCESS CONTROL
• An access control rule can:• refer to elements of the credentials (e.g.,
user’s name and jurisdiction) or environment (e.g., the user’s IP address)
• refer to service request parameters (e.g., “SCALE must be greater than 1000”)
• specify additional parameters to pass to an invoked program (“constraints”)
• apply to any member of a defined group of users
• apply to a DACS service
Canada Centre for Remote Sensing - ESS
GROUPSGROUPS
• During authentication, a jurisdiction can associate the user with roles, defining role-based groups
• A jurisdiction can also define named groups; members are users, role-based groups, or other named groups
• Group definitions are distributed among the jurisdictions and can be referenced in access control rules throughout the federation
Canada Centre for Remote Sensing - ESS
IMPLEMENTATIONIMPLEMENTATION
• Prototype runs on Linux/Solaris/FreeBSD with Apache (i386 and Sparc architectures)
• Open source, standards-based, proven technologies
• Portable – largely platform independent (ANSI C, POSIX)
• Unix and NT authentication components• Design and implementation can be examined
for security weaknesses; specifications are available
Canada Centre for Remote Sensing - ESS
WHY DACS?WHY DACS?
• Special requirements:• Architectural model (independent/cooperating
jurisdictions, heterogeneous, distributed, available)• No client-side code, special installation, etc.• Support for a wide variety of services• Open set of jurisdictions and users, including “guests”• Needs/requirements not yet well understood
• Standardization still in progress• (e.g., SAML, XACML, …)
• Existing solutions? Probably not yet.
Canada Centre for Remote Sensing - ESS
ENHANCEMENTS?ENHANCEMENTS?
• Port to Microsoft/IIS/ASP• Support for user certificates• Support for additional authentication
components (e.g., PAM, RADIUS, LDAP)• Integration with Java?• Invocation by applications?• Many other possibilities…
Canada Centre for Remote Sensing - ESS
ADDITIONAL INFORMATIONADDITIONAL INFORMATION
National Foresty Information System (overview)
http://www.opengis.org/press/?page=ogcuser&view=20030929ogc_user#CFS
DSS – Distributed Systems Software, Inc.
Dr. Barry Brachman, DACS System Architectbrachman@dss.bc.ca
http://www.dss.bc.ca
Pacific Forestry Centre, Integrated Resource Management Systems
Rick Morrison, NFIS technical leadTel: (250) 363-0772rmorriso@pfc.forestry.ca
top related