SEcurE access to GEOspatial services OGC-OGF Collaboration workshop Open Grid Forum 22 (OGF22) February, 2007 Chris Higgins (EDINA, University of Edinburgh) [email protected]

Page 1: SEcurE access to GEOspatial services

SEcurE access to GEOspatial services

OGC-OGF Collaboration workshop
Open Grid Forum 22 (OGF22)

February, 2007

Chris Higgins (EDINA, University of Edinburgh)

[email protected]

Page 2: SEcurE access to GEOspatial services

EDINA National Data Centre

• A National Data Centre for Tertiary Education since 1995, based at the University of Edinburgh
• Our mission...
  • to enhance the productivity of research, learning and teaching in UK higher and further education
• Focus is on services but also undertake R&D
  – turn projects into services
• Substantial experience in handling geospatial data

Page 3: SEcurE access to GEOspatial services

Why interested in Grid?

• Lots of users, e.g. ~30000 students registered for our Ordnance Survey service.
• Need to be able to scale:
  – SOA comprised mainly of OGC Web Services for use in the academic sector: an academic Spatial Data Infrastructure
  – high load; don't want to restrict services and can't afford to buy endless hardware (that sits unused most of the time)
• Supporting eResearch. Grid characteristics and goals (Technical Strategy OGF 2007-2010):
  – infrastructure virtualisation
  – resource pooling and sharing
  – self monitoring/improvement
  – dynamic resource provisioning
  – highest Quality of Service

Page 4: SEcurE access to GEOspatial services

Grid OGC Collision Programme

• JISC (Joint Information Systems Committee) Programme
• Funded by the UK HFE funding councils
• Supports teaching, learning, research and administration
• Provides strategic guidance to UK HFE on use of ICT
• Grid OGC Collision in context of wider UK e-infrastructure
• “…embraces networks, grids, data centres and collaborative environments, and can include supporting operations centres, service registries, single-sign on, certificate authorities, training and help-desk services. Most importantly, it is the integration of these that defines e-Infrastructure.”

Page 5: SEcurE access to GEOspatial services

SEcurE access to GEOspatial services

• Aiming to demonstrate how access to GI on Grid may be achieved:
  • Shibboleth
  • WS-Security
  • GSI
  • OGC Web Services
• Partners: EDINA, NeSC, NCeSS, MIMAS
• Main deliverables are a report and a number of demonstrators:
  • National datacentre
  • e-Social Science
  • Orchestration
• Would welcome your input on next demonstrator

Page 6: SEcurE access to GEOspatial services

#1 Ordnance Survey MasterMap

• UK National Topographic Database
• 400+ million features
• Encoded in Geography Markup Language (GML)
• EDINA uses Web Feature Servers (WFS) within our architecture – service launched Sept 2007
• We want to make WFS directly available

Page 7: SEcurE access to GEOspatial services

OWS-4 GeoDRM Architecture

[Figure: OWS-4 GeoDRM Architecture. Component labels: OWS Client, GeoDRM Client, Authentication Service, Identity Provider, Gatekeeper (Enforcement), Authorization Service (Decision), License Broker, License Manager (Administration), OWS Service, conditions. Role labels: End-User, Consumer, Deliveryman, Manager, Broker.]

Reference: GeoDRM Engineering Viewpoint, Elfers, Wagner, OGC meeting San Diego, GeoDRM WG, 2006-12-13

Page 8: SEcurE access to GEOspatial services

• Gatekeeper is transparent; extension for OGC W*S
  – Adds GeoDRM functionality and information (e.g. capabilities)
  – Accepts identity and/or license tokens with the W*S payload
• Authentication Service
  – Provides identity tokens for in-band authentication
  – Authentication Service could be used as central service in a federation
    • Authentication and retrieval of user information
    • Single-Sign-On and Single-Log-Out
    • Support different authentication methodologies (harmonization)
• Authorization Service is responsible for all authorization and validity checks
  – Integrity, authenticity and origin of messages, signatures, etc.
  – Authorization based on local rights (classical access control) as well as on-the-fly resolved rights from licenses

Page 9: SEcurE access to GEOspatial services

• License Broker negotiates Licenses with the Client
  – Different types of Offerings; those define the further negotiation workflows
  – On agreement: Broker stores License in License Manager, Client receives a Reference Token
• License Manager manages Licenses (surprise!)
  – Licenses are fetched by the AuthZ-Service using the reference
  – Manager could be used as central service in a federation
    • Storage in Federation
    • Global “License Revoke” (similar to single-log-out)
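
How the components on the two slides above cooperate, as an added Python example that is not part of the original slides or of the OWS-4 GeoDRM interfaces. The user is passed as an already-authenticated name (identity-token checking is left out), and the method names, license fields and sample offering are assumptions made for illustration.

```python
import secrets

class LicenseManager:
    """Administration: stores licenses, resolves reference tokens, supports revoke."""
    def __init__(self):
        self._licenses = {}                      # reference token -> license
    def store(self, lic):
        ref = secrets.token_urlsafe(16)          # opaque reference handed to the client
        self._licenses[ref] = lic
        return ref
    def fetch(self, ref):
        return self._licenses.get(ref)
    def revoke(self, ref):
        self._licenses.pop(ref, None)            # takes effect at every gatekeeper

class LicenseBroker:
    """Negotiation: on agreement the license is stored and the client gets a reference."""
    def __init__(self, manager, offerings):
        self.manager, self.offerings = manager, offerings
    def agree(self, user, offering_id):
        return self.manager.store({"licensee": user, **self.offerings[offering_id]})

class AuthorizationService:
    """Decision: local rights first, then rights resolved on the fly from a license."""
    def __init__(self, manager, local_rights):
        self.manager, self.local_rights = manager, local_rights
    def decide(self, user, service, operation, license_ref=None):
        if (service, operation) in self.local_rights.get(user, set()):
            return True
        lic = self.manager.fetch(license_ref) if license_ref else None
        return bool(lic and lic["licensee"] == user
                    and lic["service"] == service and operation in lic["operations"])

class Gatekeeper:
    """Enforcement: sits in front of one OGC service and asks the decision point."""
    def __init__(self, authz, service, backend):
        self.authz, self.service, self.backend = authz, service, backend
    def request(self, user, operation, license_ref=None):
        if not self.authz.decide(user, self.service, operation, license_ref):
            return 403, None
        return 200, self.backend(operation)

# Constructed sample deployment (names and offering are assumptions)
MANAGER = LicenseManager()
BROKER = LicenseBroker(MANAGER, {"wfs-read": {"service": "wfs", "operations": {"GetFeature"}}})
AUTHZ = AuthorizationService(MANAGER, {"admin": {("wfs", "Transaction")}})
WFS_GATE = Gatekeeper(AUTHZ, "wfs", lambda op: f"<{op}Response/>")
```

Because the client only ever holds the reference, revoking the license at the manager denies the next request without any change at the gatekeeper or the client.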

Page 10: SEcurE access to GEOspatial services

AuthN: Shibboleth

1. User attempts to access a Shibboleth-protected resource on the SP site.

2., 3. User is redirected to the WAYF in order to select home organisation (IdP).

4. IdP ensures that user is authenticated, by whatever means IdP deems appropriate.

5. After successful authentication, a one-time handle (session identifier) is generated for this user session.

6. SP uses the handle to request attribute information from the IdP for this user.

7. IdP allows or denies attribute information to be made available to this SP using the Attribute Release policy.

8. Based on the attribute information made available, SP allows or denies the user access to the resource.

[Figure: Shibboleth flow between User, Where are you from (WAYF), Identity Provider (IdP) and Service Provider (SP), with arrows numbered 1 to 8.]
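
Steps 4 to 8 above (handle issue, attribute query, attribute release, access decision), modelled as an added Python example that is not part of the original slides. The class names, the 300-second handle lifetime, the SP identifiers and the sample user are assumptions; the WAYF redirect and the signed SAML messages of a real deployment are left out.

```python
import secrets
import time

HANDLE_TTL = 300  # seconds; assumed lifetime of the session handle

class IdentityProvider:
    def __init__(self, users, release_policy):
        self.users = users                    # username -> attributes
        self.release_policy = release_policy  # SP id -> attribute names it may see
        self.handles = {}                     # handle -> (username, SP id, expiry)

    def authenticate(self, username, sp_id, now=None):
        """Steps 4-5: after authentication, mint an opaque handle bound to one SP."""
        if username not in self.users:
            raise PermissionError("authentication failed")
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(16)
        self.handles[handle] = (username, sp_id, now + HANDLE_TTL)
        return handle

    def attribute_query(self, handle, sp_id, now=None):
        """Steps 6-7: resolve the handle, then filter by the attribute release policy."""
        now = time.time() if now is None else now
        entry = self.handles.get(handle)
        if entry is None or entry[1] != sp_id or entry[2] < now:
            return None  # unknown, expired, or presented by a different SP
        allowed = self.release_policy.get(sp_id, set())
        return {k: v for k, v in self.users[entry[0]].items() if k in allowed}

class ServiceProvider:
    def __init__(self, sp_id, idp, required):
        self.sp_id, self.idp, self.required = sp_id, idp, required

    def access(self, handle, now=None):
        """Step 8: allow only if the released attributes satisfy the SP's rule."""
        attrs = self.idp.attribute_query(handle, self.sp_id, now)
        if attrs is None:
            return False
        return all(attrs.get(k) == v for k, v in self.required.items())

# Constructed sample data (user, SP ids and policy are assumptions)
IDP = IdentityProvider(
    users={"alice": {"affiliation": "student", "mail": "alice@example.ac.uk"}},
    release_policy={"wfs-sp": {"affiliation"}, "other-sp": set()},
)
WFS_SP = ServiceProvider("wfs-sp", IDP, {"affiliation": "student"})
OTHER_SP = ServiceProvider("other-sp", IDP, {"affiliation": "student"})
```

The SP never learns the username or mail address: it sees only the opaque handle and the attributes the IdP's release policy permits for that SP.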

Page 11: SEcurE access to GEOspatial services

UK National Grid Service

• Mission: provide coherent electronic access for UK researchers to all computational and data based resources and facilities required to carry out their research, independent of resource or researcher location
• Largest National Grid Initiative outside US
• Claims to have the largest grid PKI infrastructure
• Approx 500 registered users (April 2007)
• Predominantly focussed on compute and storage at present
• “Content” = Services; data, computation, ... NGS will only grow if the content grows
• Limited data sets available
• Exploring use of their facilities for hosting MasterMap

Page 12: SEcurE access to GEOspatial services

#2 the SEE-GEO eSocSci exemplar

Refactored as Web Processing Service

Page 13: SEcurE access to GEOspatial services

OGSA-DAI WPS implementation

• OGSA-DAI activities, a simple pipeline, e.g. GDAS getData, GLS geoLink, WFS getFeature
• Additional GLS implementations simplified if activities already exist (multiple different ways to implement GLS)
• We can now do the following with relatively little extra work:
  • Choose different framework datasets dynamically
  • Merge GDAS XML directly into an RDBMS dataset
  • Implement filters, e.g. bbox, currently must use geolinkage field values (geolinkids)
  • Transfer data using GridFTP
  • Protect using Grid Security Infrastructure (GSI)
• Feature based data processing and OGSA-DAI as a toolkit for building additional WPS.

Page 14: SEcurE access to GEOspatial services

Security at the moment

Authenticate here

IP restrict services to OGSA-DAI server

IP restrict WPS to application server

Page 15: SEcurE access to GEOspatial services

Some security options/considerations

• Workflow Use Cases vital
• Different service, different licence
• Requirement for secondary authentication
• Other possible security options include:
  1. Use GSI
  2. Web services as in #1
• Must avoid solutions that do not scale easily
• Need consensus
• Need to be closer to production services and not research

Page 16: SEcurE access to GEOspatial services

#3 Distributed Federations

• European Persistent Geospatial Testbed for Research and Education
• Collaboration AGILE, EuroSDR and OGC
• Aims:
  • research test-bed for collaborative European research in geospatial interoperability
  • aid the assessment of the current standards for geospatial interoperability in terms of research compatibility, completeness, consistency and ease of use and extensibility
  • an environment for teaching standards and techniques for geospatial interoperability
  • a resource to AGILE/EuroSDR/OGC for the coordination of research requirements as well as definition, testing, validation and development of open standards

Page 17: SEcurE access to GEOspatial services

SARoNGS

Page 18: SEcurE access to GEOspatial services

End

Questions?

Chris Higgins (EDINA, University of Edinburgh)

[email protected]