Transcript Ontology Work @ CCRS
Distributed Access Control System
Canada Centre for Remote Sensing - ESS
Brian McLeod
Canada Centre for Remote Sensing
GeoInnovations (technology development program)
WHAT IS DACS?
• Web service: any static or computational resource
  • E.g., a web page, document, CGI/ASP program, servlet, database query, file upload/download, generated image, gazetteer request, DACS operation
WHAT IS DACS?
• “Single Sign-On”
  • User doesn’t need an account on every system and is authenticated just once
• Designed and implemented by DSS as a component of the National Forestry Information System (NFIS), for the NFIS Project Office and the PFC/IRMS group, with support from GeoConnections
FEDERATIONS/JURISDICTIONS
• Deployed as a federation of jurisdictions
• Jurisdiction:
  • An administrative entity providing authentication services for its users, its web services, or both
  • All interaction is through a web server that provides DACS services for the jurisdiction
  • An organization, department, lab, or workstation can be a jurisdiction
  • The set of jurisdictions and their users is open (not static)
• Federation: a set of cooperating jurisdictions (NFIS has 7 jurisdictions in its federation)
AUTHENTICATION
• A jurisdiction authenticates its users using its existing mechanisms (e.g., login name and password)
• If successful, DACS creates encrypted credentials that identify the user and accompany subsequent service requests
• The user presents credentials when making a service request; only DACS can decrypt them
AUTHENTICATION
• Authentication is a DACS service; any authentication method that can be encapsulated by a service request can be supported
• DACS defines the service protocol by which it requests a jurisdiction to authenticate its users
• The goal is to minimize jurisdictions’ implementation effort (common methods have already been implemented)
AUTHENTICATION
• DACS does not manage user accounts on behalf of jurisdictions
• Jurisdictions are isolated from implementation details; DACS provides the “glue”
• DACS can support “cascading” requests (server-to-server service requests)
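The three AUTHENTICATION slides describe a flow in which each jurisdiction keeps its own authentication mechanism, DACS asks the jurisdiction to authenticate through a fixed interface, and on success DACS mints credentials that travel with later requests and that only DACS can validate. The following Python is an added illustration of that flow, not DACS code and not DACS’s real protocol. The jurisdiction names (CCRS, PFC), the user tables, the key and the token format are all constructed for the example. One substitution is deliberate: the slides say the credentials are encrypted, while this example only signs them with an HMAC under a key held by DACS, so the token is tamper-evident and expiring but its contents are readable; a real deployment would use authenticated encryption instead.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Secret held only by the DACS server (constructed for this example; never
# hard-code a real key).
DACS_KEY = b"example-dacs-federation-key-not-for-production"
CREDENTIAL_LIFETIME = 3600  # seconds a credential stays valid

# A jurisdiction's authenticator: given a login name and password it returns
# the user's roles on success or None on failure. What sits behind it (Unix
# passwd, NT, a database) is the jurisdiction's concern; DACS sees only this.
Authenticator = Callable[[str, str], Optional[List[str]]]

def _sha(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

def make_password_authenticator(table: Dict[str, tuple]) -> Authenticator:
    """Build an authenticator from a constructed {user: (pw_hash, roles)} table.
    Plain SHA-256 stands in for whatever the jurisdiction already uses."""
    def authenticate(name: str, password: str) -> Optional[List[str]]:
        entry = table.get(name)
        if entry is None:
            return None
        pw_hash, roles = entry
        if not hmac.compare_digest(_sha(password), pw_hash):
            return None
        return list(roles)
    return authenticate

# Two jurisdictions in the federation, each with its own (constructed) users.
FEDERATION: Dict[str, Authenticator] = {
    "CCRS": make_password_authenticator({"brian": (_sha("pw1"), ["analyst"])}),
    "PFC":  make_password_authenticator({"rick":  (_sha("pw2"), ["admin", "gis"])}),
}

@dataclass
class Credentials:
    jurisdiction: str
    user: str
    roles: List[str]
    expires: int

def _sign(payload: bytes) -> str:
    return hmac.new(DACS_KEY, payload, hashlib.sha256).hexdigest()

def login(jurisdiction: str, name: str, password: str, now: Optional[int] = None) -> Optional[str]:
    """Ask the named jurisdiction to authenticate; on success mint a DACS token."""
    auth = FEDERATION.get(jurisdiction)
    if auth is None:
        return None
    roles = auth(name, password)
    if roles is None:
        return None
    now = int(time.time()) if now is None else now
    payload = json.dumps({"j": jurisdiction, "u": name, "r": roles,
                          "exp": now + CREDENTIAL_LIFETIME}, sort_keys=True).encode()
    # Token = hex(payload) "." MAC(payload); only a holder of DACS_KEY can forge it.
    return payload.hex() + "." + _sign(payload)

def verify(token: str, now: Optional[int] = None) -> Optional[Credentials]:
    """Validate a token presented with a service request: MAC first, then expiry."""
    try:
        hex_payload, sig = token.split(".", 1)
        payload = bytes.fromhex(hex_payload)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    data = json.loads(payload)
    now = int(time.time()) if now is None else now
    if data["exp"] <= now:
        return None
    return Credentials(data["j"], data["u"], data["r"], data["exp"])

if __name__ == "__main__":
    tok = login("CCRS", "brian", "pw1")
    print(verify(tok))
```

Note that `verify` checks the MAC before parsing the payload, so a malformed or forged token is rejected without JSON ever being decoded, and that both comparisons use `hmac.compare_digest` to avoid timing leaks.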
ACCESS CONTROL
• A jurisdiction is totally responsible for specifying access control for its web services
• Access control is performed on a service request (a URL)
• An access control rule specifies:
  • What services the rule applies to (URLs)
  • How the service can be accessed (a predicate)
  • Who the rule applies to (which users)
ACCESS CONTROL
• An access control rule can:
  • refer to elements of the credentials (e.g., the user’s name and jurisdiction) or environment (e.g., the user’s IP address)
  • refer to service request parameters (e.g., “SCALE must be greater than 1000”)
  • specify additional parameters to pass to an invoked program (“constraints”)
  • apply to any member of a defined group of users
  • apply to a DACS service
GROUPS
• During authentication, a jurisdiction can associate the user with roles, defining role-based groups
• A jurisdiction can also define named groups; members are users, role-based groups, or other named groups
• Group definitions are distributed among the jurisdictions and can be referenced in access control rules throughout the federation
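The two ACCESS CONTROL slides and the GROUPS slide together describe a rule model: a rule names the URLs it covers, the users or groups it applies to, a predicate over credentials, environment and request parameters, and optional constraints handed to the invoked program; groups may be role-based (from authentication) or named, and named groups may nest. The Python below is an added example of that model and is not DACS’s rule language or code. Everything in it is constructed: the `%JURISDICTION:name` convention for named groups, the `JURISDICTION:role` and `JURISDICTION:user` principal names, the sample groups, the internal network range, and the rules. It goes slightly beyond the slides in two ways a practitioner would want: it guards against a cycle in nested group definitions, and it treats a missing or malformed request parameter as “rule does not apply” rather than as an error that might be mistaken for a grant.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional, Set

@dataclass
class Credentials:
    """What a jurisdiction asserted at authentication (constructed sample data)."""
    jurisdiction: str
    user: str
    roles: List[str]

    def role_groups(self) -> Set[str]:
        # Role-based groups are qualified by jurisdiction, e.g. "CCRS:analyst".
        return {f"{self.jurisdiction}:{r}" for r in self.roles}

# Named groups, each defined by some jurisdiction. A member is a user
# ("J:user"), a role-based group ("J:role") or another named group ("%J:name").
# The '%' prefix is this example's convention, not DACS syntax.
NAMED_GROUPS: Dict[str, List[str]] = {
    "%PFC:gis-staff": ["PFC:gis", "PFC:rick"],
    "%CCRS:mappers":  ["CCRS:analyst", "%PFC:gis-staff"],
    "%CCRS:everyone": ["%CCRS:mappers", "%CCRS:everyone"],  # self-reference: must not loop
}

def expand_group(name: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Flatten a named group to the users and role-based groups it contains."""
    seen = set() if seen is None else seen
    if name in seen:          # cycle, or already expanded on this path
        return set()
    seen.add(name)
    members: Set[str] = set()
    for m in NAMED_GROUPS.get(name, []):
        if m.startswith("%"):
            members |= expand_group(m, seen)
        else:
            members.add(m)
    return members

def is_member(creds: Credentials, group: str) -> bool:
    """True if the credentials' user or any of their roles falls in `group`."""
    principals = creds.role_groups() | {f"{creds.jurisdiction}:{creds.user}"}
    if group.startswith("%"):
        return bool(principals & expand_group(group))
    return group in principals

@dataclass
class Request:
    url: str
    params: Dict[str, str]
    client_ip: str

@dataclass
class Rule:
    url_patterns: List[str]                               # what services (URLs)
    who: List[str]                                        # which users or groups
    predicate: Callable[[Credentials, Request], bool]     # how it can be accessed
    constraints: Dict[str, str] = field(default_factory=dict)  # passed to the program

@dataclass
class Decision:
    allowed: bool
    constraints: Dict[str, str]

def evaluate(rules: List[Rule], creds: Credentials, req: Request) -> Decision:
    """First rule that matches the URL, covers the user and whose predicate holds
    grants access with its constraints; if none does, the request is denied."""
    for rule in rules:
        if not any(fnmatch(req.url, p) for p in rule.url_patterns):
            continue
        if not any(is_member(creds, w) for w in rule.who):
            continue
        try:
            ok = rule.predicate(creds, req)
        except (KeyError, ValueError):  # missing/malformed parameter: rule does not apply
            ok = False
        if ok:
            return Decision(True, dict(rule.constraints))
    return Decision(False, {})

def scale_over_1000(creds: Credentials, req: Request) -> bool:
    return int(req.params["SCALE"]) > 1000           # "SCALE must be greater than 1000"

def from_internal_net(creds: Credentials, req: Request) -> bool:
    return ipaddress.ip_address(req.client_ip) in ipaddress.ip_network("10.0.0.0/8")

# Constructed rules for a jurisdiction's web services.
RULES = [
    Rule(["/cgi-bin/map*"], ["%CCRS:mappers"], scale_over_1000, {"LAYERS": "public"}),
    Rule(["/admin/*"], ["PFC:admin"], from_internal_net),
]

if __name__ == "__main__":
    brian = Credentials("CCRS", "brian", ["analyst"])
    print(evaluate(RULES, brian, Request("/cgi-bin/map.cgi", {"SCALE": "5000"}, "192.0.2.1")))
```

The default is deny: a request that matches no rule, or matches a rule whose predicate cannot be evaluated, gets `Decision(False, {})`, and the constraints reach the invoked program only on an explicit grant.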
IMPLEMENTATION
• Prototype runs on Linux/Solaris/FreeBSD with Apache (i386 and Sparc architectures)
• Open source, standards-based, proven technologies
• Portable – largely platform independent (ANSI C, POSIX)
• Unix and NT authentication components
• Design and implementation can be examined for security weaknesses; specifications are available
WHY DACS?
• Special requirements:
  • Architectural model (independent/cooperating jurisdictions, heterogeneous, distributed, available)
  • No client-side code, special installation, etc.
  • Support for a wide variety of services
  • Open set of jurisdictions and users, including “guests”
• Needs/requirements not yet well understood
• Standardization still in progress (e.g., SAML, XACML, …)
• Existing solutions? Probably not yet.
ENHANCEMENTS?
• Port to Microsoft/IIS/ASP
• Support for user certificates
• Support for additional authentication components (e.g., PAM, RADIUS, LDAP)
• Integration with Java?
• Invocation by applications?
• Many other possibilities…
ADDITIONAL INFORMATION
National Forestry Information System (overview): http://www.opengis.org/press/?page=ogcuser&view=20030929ogc_user#CFS
DSS – Distributed Systems Software, Inc.
Dr. Barry Brachman, DACS System Architect, [email protected]
http://www.dss.bc.ca
Pacific Forestry Centre, Integrated Resource Management Systems
Rick Morrison, NFIS technical lead, Tel: (250) 363-0772, [email protected]