1 / 20

FI-WARE Testbed Access Control temporary solution

FI-WARE Testbed Access Control temporary solution. Introduction. We will define a short and a medium term solution to deal with the issues regarding access control to FI-WARE GEs deployed on the FI-WARE Testbed

javan
Télécharger la présentation

FI-WARE Testbed Access Control temporary solution

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FI-WARE Testbed Access Control temporary solution

  2. Introduction • We will define a short and a medium term solution to deal with the issues regarding access control to FI-WARE GEs deployed on the FI-WARE Testbed • The medium term solution will evolve as to incorporate components developed in the FI-WARE Security chapter for the 2nd Release of FI-WARE

  3. Oauth v2.0 Keystone User Profile Management Multi-tenancy Management and access to FI-WARE GE Authentication Authorization and Trust Management Single Sign-On (SSO) among services/apps Web/JavaScript/APIs access Client Apps: Web Apps, Server Apps or Desktop Apps. Basic ingredients of the solution

  4. MEDIUM TERM Solution

  5. Scenarios to be covered • Client Apps may run on: • Web Servers • Web Browsers (user agents) • On top of an Operating Systems (Native apps)

  6. Client Apps running on Web Servers • Three-tier Web applications • Clients that invoke FI-WARE GE APIs run on web servers (e.g., servlets) • Users authenticate via IdMweb page • The IdM maintains the confidentiality

  7. FI-WARE TestbedIdM Client App (WS backend) IdM Web Portal Keystone FI-Ware GE Instance Access App Login via Fi-Ware Create Token Login to WebAppvia IdM Send redirect URI with authentication code Access Redirect URL Keystone Middleware Send authentication code, client_id, client_secret Return access token User logged in App URL (interaction) FI-WARE GE API request with token Validate token Ok FI-WARE GE API request

  8. User-agent-based Application • It is a public Client App • Downloadable from Web Servers • It runs in a user-agent (e.g., javascript in a web browser) • Users authenticate via IdM web page • Confidentiality is not maintained (Downloaded Client App assumes your identity)

  9. FI-WARE TestbedIdM Client App (User Agent) IdM Web Portal Keystone FI-Ware GE Instance Access App Login via Fi-WARE Create Token Login to ClientApp via IdM Send redirect URI with access token Keystone Middleware Access Redirect URL Client App loads token from fragment FI-WARE GE API requests with token Validate token Ok FI-WARE GE API request

  10. Native Application • Native apps, scripts, etc. • Credentials are sent via the Client App • User gives credentials to the Client App • Confidentiality is not maintained (Downloaded Client App assumes your identity)

  11. FI-WARE TestbedIdM Client App IdM Web Portal Keystone FI-Ware GE Instance Create Token Return access token Keystone Middleware Access with token Validate token Access Ok

  12. SHORT TERM Solution

  13. Fixed IP: a.b.c.d FI-WARE TestbedIdM Client App (WS backend) IdM Web Portal Keystone FI-Ware GE Instance Access App Login web page Login to ClientApp Validation(1) Validation User Logged In App URL (interaction) FI-WARE Testbed Firewall FI-WARE GE API requests Registration of IP a.b.c.d FI-WARE Testbed Admin (1) Validation via request using Keystone API

  14. first (temporal) IP: a1.b1.c1.d1 FI-WARE TestbedIdM Client App (User Agent) IdM Web Portal Keystone FI-Ware GE Instance Access App Login via Fi-WARE Login to ClientApp via IdM(1) a1.b1.c1.d1 Validation User Logged In FI-WARE Testbed Firewall FI-WARE GE API requests (1) Login via request using Keystone API or via javascript library provided by FI-WARE

  15. first (temporal) IP: a1.b1.c1.d1 FI-WARE TestbedIdM Client App (User Agent) IdM Web Portal Keystone FI-Ware GE Instance Access App (new a2.b2.c2.d2 assigned) (re-login, a2.b2.c2.d2) a2.b2.c2.d2 FI-WARE Testbed Firewall FI-WARE GE API requests

  16. IdM Web Portal functionality in the short term • Every UC project will be associated to an “Organization” • Every UC project will have an admin user account • Using the IdM Web Portal, admin users will be able to create new user accounts linked to the same Organization

  17. MORE DETAILS

  18. IDM Web Portal • ProvidesIdentity Management • ProvidesOAuth 2 modes • API withKeystonetomanage GE tokens • Interface withKeystonetomanagetokens and providethemviaOAuth

  19. Keystone • It provides management of • Users, roles and organizations • Only one Keystone admin • Credentials: username and password • Tuples <user, organization, role> • Tokens associate to <user, organization> • Many roles per user and organization • GEs establish permissions per role

  20. Keystone • Provides management of GE (Services) • Each GE owns a list of endpoint URLs • Users access to these URLs

More Related