.. meta::
   :keywords: DataONE, CCIT, 20101201, VTC

DataONE Developer Call - 2010-12-01
===================================

:Attendees: Paul Allen, Roger Dahl, Bob Sandusky, Bruce Wilson, Dave Vieglais, Ryan Scherle, Matt Jones, John Kunze, Mark Servilla, Chad Berkley, Rob Nahf

:New Actions:
  - (Mark): Check on Ken Klingenstein's PPTs from the Fed Sec workshop for SAML examples.
  - (Dave):

Agenda
------

There are two major, somewhat inter-related topics that could benefit from some discussion: security (authn, authz) and search.

0. Preservation meeting in Chicago

   - Agenda coming out soon
   - Work at writing the narrative; technical assessment perhaps later in conjunction with CCIT
   - No real documentation / strategy for preservation has been formally described for DataONE
   - For Jan/Feb need a good story for the review process
   - Ryan may have a microphone that we can borrow (contact on Friday if necessary)

1. General discussion and update on Security: Authentication and Authorization

   * Authentication prototyping plans and status

     - https://repository.dataone.org/software/AuthNPrototype/
     - Branding for CILogon - minimally logo and color

       - Graphics at https://docs.dataone.org/member-area/documents/copy_of_graphics

     - Developing a prototype web service that will accept a CILogon cert for verification and generate a DataONE specific token for passing around between nodes / method calls

       - Evaluate PASTA approach for token content
       - Is SAML overkill, or is there to be a DataONE specific structure?
       - Could also be a library that generates a token locally rather than a service

         - More scalable than relying on a more centralized service

   * Structure of authentication token

     * Principal identity
     * Time stamp
     * Authentication source / provider
     * Groups?

     Example of PASTA Auth Token::

       uid=mservilla,o=LTER,dc=ecoinformatics,dc=org LJ7LKS(#NLS@VS56LK$ ADMINISTRATOR INFORMATION MANAGER CLIMATE STUDY KBS 90384592342

     Need to define Groups in DataONE.
     (One advantage of a login service might be that it could populate a token with group membership information.)

     - May be able to collapse roles and groups into one
     - When are attributes injected into a certificate? At the cert request being sent to CILogon?

       - Sequence diagram: https://repository.dataone.org/software/AuthNPrototype/trunk/CILogonAuthN.png

     - Is CILogon able to inject any additional attributes into the certificate?
     - What does the SAML assertion actually contain? (Ken Klingenstein's presentation at the Fed Sec workshop had some examples)
     - Could also look up group information at the authorization stage - but this increases the number of service calls significantly

   * Authorization

     * Rules to be expressed
     * Serialization of rules

     Matt has been drafting some notes on this: http://mule1.dataone.org/ArchitectureDocs-current/design/Authorization.html

     - Can gain a lot of efficiency in authz checking by controlling at the service method call level

   * Implementation approach

     * Current suggestion of four phases is perhaps too fragmented

2. Search and discovery discussion (Not covered during call - defer to next discussion)

   * Query syntax that should be supported

     * Currently "SOLR"
     * CQL support?

   * Introspection

     * List of fields and their types
     * Distinct terms for a field (and counts)

   * Scaling search with authorization
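To make the token discussion under item 1 concrete, here is an added example (not DataONE's, PASTA's or CILogon's code) of the "library that generates a token locally" option: a token carrying the four fields listed under "Structure of authentication token" (principal, time stamp, authentication source, groups), integrity-protected with an HMAC-SHA256 over a JSON payload using a secret shared between nodes, and checked for authenticity and expiry before any authorization decision. The functions ``issue_token`` / ``verify_token``, the JSON layout, the one-hour lifetime and the secret are all assumptions made for this example; nothing here reflects the actual DataONE token format.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; a real deployment would load it from node configuration.
SHARED_SECRET = b"constructed-example-secret-not-for-production"
TOKEN_LIFETIME_SECONDS = 3600  # assumed one-hour validity window


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(principal, auth_source, groups, issued_at=None, secret=SHARED_SECRET):
    """Build a signed token with the four fields discussed on the call.

    The payload is JSON with sorted keys so the signed byte string is
    deterministic; the tag is HMAC-SHA256 over it with the shared secret.
    Payload and tag are base64url-encoded and joined with a '.'.
    """
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    payload = {
        "principal": principal,      # e.g. an LDAP DN or CILogon subject
        "issued_at": issued_at,      # Unix time stamp
        "auth_source": auth_source,  # which provider authenticated the principal
        "groups": sorted(groups),    # group names (still to be defined for DataONE)
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token, now=None, secret=SHARED_SECRET, lifetime=TOKEN_LIFETIME_SECONDS):
    """Return the payload dict if the token is authentic and within its lifetime, else None.

    The signature is checked before the payload is trusted, and the comparison
    is constant-time so the check does not leak how many tag bytes matched.
    """
    try:
        body_b64, tag_b64 = token.split(".")
        body = _unb64(body_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered token
    payload = json.loads(body)
    now = int(time.time()) if now is None else int(now)
    # Reject both expired tokens and tokens "issued" in the future (clock skew or replay setup).
    if not (payload["issued_at"] <= now < payload["issued_at"] + lifetime):
        return None
    return payload


if __name__ == "__main__":
    tok = issue_token("uid=mservilla,o=LTER,dc=ecoinformatics,dc=org", "CILogon",
                      ["KBS", "CLIMATE STUDY"])
    print(tok)
    print(verify_token(tok))
```

The trade-off this makes visible is the one the call raised: a symmetric shared secret lets every node both mint and verify tokens locally (no round trip to a central service), but it also means any node holding the secret can mint a token for any principal, so group membership and roles embedded this way are only as trustworthy as the least-trusted node. A central issuing service, or a signature verifiable with a public key, shifts that trust back to the issuer at the cost of a service call.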