r14 - 15 May 2006 - 14:47:03 - DanieleTuri

Metadata Security and Authentication (work in progress)

  • Implemented basic authentication for KAVE, the web service wrapper for the metadata store.

Scenario

  • One metadata database for an entire (virtual?) organization (e.g. a lab)
  • Password to database only known to system administrator
  • Access to metadata based on roles
  • The provenance browser is the entry point and requires authentication
    • functionality determined by role

Architecture

[Figure: architecture.png]

  • User sends LSID ref and credentials to the Access Point
  • Access Point returns data and metadata or denies access as follows:
    1. the credentials are passed to a User Directory
    2. the User Directory passes the corresponding user to the Authorization Authority
    3. the Authorization Authority returns the user attributes in the form of a (possibly signed) SAML assertion
    4. this assertion, together with the LSID and its corresponding metadata, is passed to the Policy Enforcement Point (PEP)
    5. the PEP uses these three inputs to form an XACML request that is passed to a Policy Decision Point (PDP) that is preloaded with an XACML Policy Set.
    6. the PDP evaluates the request against its policy set and returns an XACML response to the PEP
    7. the PEP decodes the response and either allows data/metadata to be returned to the user or denies access.
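The seven steps above, worked through as an added Python example (not myGrid or KAVE code). It uses a simplified, XACML-style request and response built with ElementTree and a deny-by-default policy set: the PEP releases data only on an explicit Permit, so Deny, NotApplicable and anything unparseable all end in denial. The users, passwords, roles, LSIDs, the "visibility" metadata attribute and the policy rules are all constructed for the example, and the SAML-like assertion is unsigned.

```python
"""Added example: the access-point decision flow for an LSID, steps 1-7.
Everything below (users, roles, LSIDs, policy rules) is constructed."""
import xml.etree.ElementTree as ET

# Step 1 source: constructed user directory (plaintext passwords only for illustration)
USER_DIRECTORY = {("alice", "s3cret"): "alice", ("bob", "hunter2"): "bob", ("carol", "pw"): "carol"}
# Step 3 source: constructed authorization authority, user -> role attributes
ROLE_ATTRIBUTES = {"alice": ["lab-member", "provenance-reader"], "bob": ["guest"], "carol": ["lab-member"]}
# Constructed metadata store: lsid -> (data, metadata); "visibility" drives the policy
METADATA_STORE = {
    "urn:lsid:example.org:workflow:1": ("data-1", {"visibility": "lab"}),
    "urn:lsid:example.org:workflow:2": ("data-2", {"visibility": "private"}),
}
# Constructed policy set: the role a rule requires, the visibility it
# applies to (None = any), and its effect. Anything unmatched is NotApplicable.
POLICY_SET = [
    {"role": "provenance-reader", "visibility": None, "effect": "Permit"},
    {"role": "lab-member", "visibility": "lab", "effect": "Permit"},
]

def user_directory(username, password):
    """Steps 1-2: map credentials to a user id, or None if unknown."""
    return USER_DIRECTORY.get((username, password))

def authorization_authority(user):
    """Step 3: return the user's attributes as a SAML-like assertion (unsigned here)."""
    assertion = ET.Element("Assertion", Subject=user)
    for role in ROLE_ATTRIBUTES.get(user, []):
        ET.SubElement(assertion, "Attribute", Name="role").text = role
    return ET.tostring(assertion, encoding="unicode")

def build_xacml_request(assertion_xml, lsid, metadata, action="read"):
    """Steps 4-5 (PEP side): fold assertion, LSID and metadata into one request."""
    roles = [a.text for a in ET.fromstring(assertion_xml).findall("Attribute[@Name='role']")]
    req = ET.Element("Request")
    subject = ET.SubElement(req, "Subject")
    for role in roles:
        ET.SubElement(subject, "Attribute", AttributeId="role").text = role
    resource = ET.SubElement(req, "Resource")
    ET.SubElement(resource, "Attribute", AttributeId="resource-id").text = lsid
    ET.SubElement(resource, "Attribute", AttributeId="visibility").text = metadata.get("visibility", "private")
    ET.SubElement(ET.SubElement(req, "Action"), "Attribute", AttributeId="action-id").text = action
    return ET.tostring(req, encoding="unicode")

def pdp_evaluate(request_xml):
    """Step 6: evaluate the request against POLICY_SET with deny-overrides."""
    req = ET.fromstring(request_xml)
    roles = {a.text for a in req.findall("Subject/Attribute[@AttributeId='role']")}
    visibility = req.findtext("Resource/Attribute[@AttributeId='visibility']")
    decision = "NotApplicable"
    for rule in POLICY_SET:
        if rule["role"] in roles and rule["visibility"] in (None, visibility):
            decision = rule["effect"]
            if decision == "Deny":   # a matching Deny wins over any Permit
                break
    resp = ET.Element("Response")
    ET.SubElement(ET.SubElement(resp, "Result"), "Decision").text = decision
    return ET.tostring(resp, encoding="unicode")

def access_point(username, password, lsid):
    """Steps 1-7 end to end: (data, metadata) on Permit, None on any other outcome."""
    user = user_directory(username, password)
    if user is None or lsid not in METADATA_STORE:
        return None                      # unknown credentials or LSID: deny
    data, metadata = METADATA_STORE[lsid]
    assertion = authorization_authority(user)
    request = build_xacml_request(assertion, lsid, metadata)
    response = pdp_evaluate(request)
    decision = ET.fromstring(response).findtext("Result/Decision")
    # Step 7: only an explicit Permit releases data; Deny, NotApplicable
    # and Indeterminate all fall through to denial.
    return (data, metadata) if decision == "Permit" else None

if __name__ == "__main__":
    print(access_point("alice", "s3cret", "urn:lsid:example.org:workflow:2"))  # provenance-reader: permitted
    print(access_point("carol", "pw", "urn:lsid:example.org:workflow:2"))      # lab-member on private data: None
    print(access_point("bob", "hunter2", "urn:lsid:example.org:workflow:1"))   # guest: None
```

The point to carry over to the real PEP is the last line of access_point: the enforcement side treats every decision other than Permit identically, so a policy set that happens not to cover a resource fails closed rather than open.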

Required Changes

  • Define XACML (XtensibleAccessControlMarkupLanguage) policies, a PDP, and a PEP (done)
  • Access metadata repository via KAVE rather than directly via JDBC
    • ProvenanceGenerator can still use JDBC provided it is granted write but not read access
  • Queries
    • Remove generic queries from KAVE
      • only allow canned queries
      • before submitting a query, verify that the user has the right to perform that query at all
    • Alternative:
      • operate at LSID level using LSIDCredentials
        • similarly for the assigning authority: use the Properties argument of assignLSID() to vary the type of LSID assigned
  • Single sign-on
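The "canned queries only" change above, as an added Python example (not KAVE code): callers name a registered query and bind its parameters, never supply SQL text, and each registered query carries the role that may run it, checked before anything reaches the database. The in-memory SQLite table, its rows, the query names and the roles are constructed for the example.

```python
"""Added example: a KAVE-style query endpoint restricted to canned,
parameterised queries with a per-query role check. All names, rows
and roles are constructed."""
import sqlite3

# Registry of canned queries: name -> (required role, parameterised SQL).
# Callers never supply SQL text, only a name and values to bind to '?'.
CANNED_QUERIES = {
    "workflow_by_lsid": ("lab-member", "SELECT lsid, title FROM metadata WHERE lsid = ?"),
    "all_workflows":    ("provenance-reader", "SELECT lsid, title FROM metadata ORDER BY lsid"),
}

class QueryDenied(Exception):
    """Raised before execution when the query is unknown, unauthorised or malformed."""

def open_store():
    """Constructed in-memory metadata store standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE metadata (lsid TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO metadata VALUES (?, ?)", [
        ("urn:lsid:example.org:workflow:1", "QTL analysis"),
        ("urn:lsid:example.org:workflow:2", "Microarray normalisation"),
    ])
    return conn

def query_allowed(user_roles, name):
    """True only for a registered query whose required role the caller holds."""
    if name not in CANNED_QUERIES:
        return False                      # generic / unregistered SQL is never accepted
    required_role, _ = CANNED_QUERIES[name]
    return required_role in user_roles

def run_canned_query(conn, user_roles, name, params=()):
    """Check the caller's right to run `name`, then execute it with bound parameters."""
    if not query_allowed(user_roles, name):
        raise QueryDenied(f"query {name!r} not permitted for roles {sorted(user_roles)}")
    _, sql = CANNED_QUERIES[name]
    if sql.count("?") != len(params):      # reject a wrong arity rather than let the driver guess
        raise QueryDenied(f"{name!r} expects {sql.count('?')} parameter(s), got {len(params)}")
    return conn.execute(sql, tuple(params)).fetchall()

if __name__ == "__main__":
    conn = open_store()
    print(run_canned_query(conn, {"lab-member"}, "workflow_by_lsid", ("urn:lsid:example.org:workflow:1",)))
    try:
        run_canned_query(conn, {"guest"}, "all_workflows")
    except QueryDenied as e:
        print("denied:", e)
```

Because the SQL text lives in the registry and parameters are bound by the driver, a caller cannot turn "workflow_by_lsid" into a different query by crafting its argument; the role check runs first so that a denied caller never causes any database work.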

To-Do

All of the above plus:
  • Link to my People LSID authority
  • Encryption - HTTPS

See Also

References

Topic attachments
  • omii-security.png (45.7 K, 24 Jul 2006 - 09:41, StianSoiland): OMII security