FI-WARE Testbed Access Control temporary solution (PowerPoint PPT presentation)

    Presentation Transcript
    1. FI-WARE Testbed Access Control temporary solution

    2. Introduction
    • We will define a short and a medium term solution to deal with the issues regarding access control to FI-WARE GEs deployed on the FI-WARE Testbed
    • The medium term solution will evolve to incorporate components developed in the FI-WARE Security chapter for the 2nd Release of FI-WARE

    3. Basic ingredients of the solution
    • OAuth v2.0
    • Keystone
    • User Profile Management
    • Multi-tenancy Management and access to FI-WARE GEs
    • Authentication, Authorization and Trust Management
    • Single Sign-On (SSO) among services/apps
    • Web/JavaScript/APIs access
    • Client Apps: Web Apps, Server Apps or Desktop Apps

    4. MEDIUM TERM Solution

    5. Scenarios to be covered
    • Client Apps may run on:
      • Web Servers
      • Web Browsers (user agents)
      • On top of an operating system (native apps)

    6. Client Apps running on Web Servers
    • Three-tier Web applications
    • Clients that invoke FI-WARE GE APIs run on web servers (e.g., servlets)
    • Users authenticate via the IdM web page
    • The IdM maintains the confidentiality (the Client App is a confidential client: its client_secret stays on the web server)

    7. Sequence diagram: Client App (WS backend)
    Participants: FI-WARE Testbed IdM (IdM Web Portal + Keystone), Client App (WS backend), FI-WARE GE Instance (behind Keystone Middleware)
    • Access App
    • Login via FI-WARE (redirect to the IdM Web Portal)
    • Login to Web App via IdM; IdM creates token (Keystone)
    • Send redirect URI with authentication code
    • Access Redirect URL
    • Client App sends authentication code, client_id, client_secret
    • Return access token
    • User logged in; App URL (interaction)
    • FI-WARE GE API request with token
    • Keystone Middleware validates token with Keystone: Ok
    • FI-WARE GE API request served
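The slide-7 exchange, written out as an added example that is not part of the original deck or of FI-WARE's own code: a toy IdM with an in-memory, Keystone-like token store, a web-server backend that redeems the authorization code with its client_secret over the back channel, and a GE that validates the token before serving. Client name, secret, redirect URI, user and organization are constructed sample values. The example also shows what the confidential-client property buys a defender: a leaked code is useless without the secret, and a code can be redeemed only once.

```python
import secrets
import time

# Constructed registration of one confidential client (a web-server backend)
# at the IdM. Client id, secret and redirect URI are assumptions for the example.
CLIENTS = {
    "webapp-backend": {
        "secret": "s3cret-webapp",
        "redirect_uri": "https://app.example/callback",
    }
}


class IdM:
    """Toy IdM Web Portal with a Keystone-like token store (in memory)."""

    def __init__(self):
        self.codes = {}    # code -> (client_id, redirect_uri, user, org, expiry)
        self.tokens = {}   # access token -> (user, org, expiry)

    def authorize(self, client_id, redirect_uri, user, org):
        """The user has logged in on the IdM web page; issue a short-lived,
        single-use authorization code and send the browser back to the app."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user, org, time.time() + 60)
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel exchange: only the web-server backend knows client_secret,
        so the browser never sees it and cannot redeem the code on its own."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)          # pop: the code is single-use
        if entry is None:
            raise PermissionError("invalid or already used code")
        code_client, code_uri, user, org, expiry = entry
        if code_client != client_id or code_uri != redirect_uri or time.time() > expiry:
            raise PermissionError("code not valid for this client")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (user, org, time.time() + 3600)
        return access_token

    def validate(self, access_token):
        """What the GE's Keystone Middleware asks Keystone: is this token valid,
        and for which <user, organization>?"""
        entry = self.tokens.get(access_token)
        if entry is None or time.time() > entry[2]:
            return None
        return {"user": entry[0], "organization": entry[1]}


def ge_api_request(idm, access_token):
    """FI-WARE GE instance behind Keystone Middleware: validate, then serve."""
    identity = idm.validate(access_token)
    if identity is None:
        return 401, "invalid token"
    return 200, f"hello {identity['user']}@{identity['organization']}"


def run_web_server_flow():
    """Walk the slide-7 sequence end to end; returns (status, body, replay_accepted)."""
    idm = IdM()
    uri = "https://app.example/callback"
    # Access App -> Login via FI-WARE -> Login to Web App via IdM -> redirect with code
    redirect = idm.authorize("webapp-backend", uri, "alice", "uc-project-1")
    code = redirect.split("code=")[1]
    # Backend sends code, client_id, client_secret; IdM returns the access token
    access_token = idm.token("webapp-backend", "s3cret-webapp", code, uri)
    # GE API request with token; middleware validates it with Keystone
    status, body = ge_api_request(idm, access_token)
    # Replaying the same code must fail: it was consumed by the first exchange
    try:
        idm.token("webapp-backend", "s3cret-webapp", code, uri)
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    return status, body, replay_accepted


if __name__ == "__main__":
    print(run_web_server_flow())   # (200, 'hello alice@uc-project-1', False)
```

The user-agent flow of slide 9 differs only at the redirect step: the IdM puts the access token itself in the URL fragment and there is no back-channel exchange, which is why the deck says confidentiality is not maintained for that client type.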

    8. User-agent-based Application
    • It is a public Client App
    • Downloadable from Web Servers
    • It runs in a user agent (e.g., JavaScript in a web browser)
    • Users authenticate via the IdM web page
    • Confidentiality is not maintained (the downloaded Client App assumes your identity)

    9. Sequence diagram: Client App (User Agent)
    Participants: FI-WARE Testbed IdM (IdM Web Portal + Keystone), Client App (User Agent), FI-WARE GE Instance (behind Keystone Middleware)
    • Access App
    • Login via FI-WARE
    • Login to Client App via IdM; IdM creates token (Keystone)
    • Send redirect URI with access token
    • Access Redirect URL
    • Client App loads token from fragment
    • FI-WARE GE API requests with token
    • Keystone Middleware validates token with Keystone: Ok
    • FI-WARE GE API request served

    10. Native Application
    • Native apps, scripts, etc.
    • Credentials are sent via the Client App
    • User gives credentials to the Client App
    • Confidentiality is not maintained (the downloaded Client App assumes your identity)

    11. Sequence diagram: Client App (native)
    Participants: FI-WARE Testbed IdM (IdM Web Portal + Keystone), Client App, FI-WARE GE Instance (behind Keystone Middleware)
    • Create Token (Client App sends the user's credentials to the IdM)
    • Return access token
    • Access with token
    • Keystone Middleware validates token with Keystone: Ok
    • Access

    12. SHORT TERM Solution

    13. Short term: Client App (WS backend) with fixed IP a.b.c.d
    Participants: FI-WARE Testbed IdM (IdM Web Portal + Keystone), Client App (WS backend), FI-WARE Testbed Firewall, FI-WARE GE Instance, FI-WARE Testbed Admin
    • Access App
    • Login web page; Login to Client App
    • Validation (1); User Logged In
    • App URL (interaction)
    • Registration of IP a.b.c.d at the FI-WARE Testbed Firewall by the FI-WARE Testbed Admin
    • FI-WARE GE API requests pass through the FI-WARE Testbed Firewall
    (1) Validation via request using Keystone API

    14. Short term: Client App (User Agent) with first (temporary) IP a1.b1.c1.d1
    Participants: FI-WARE Testbed IdM (IdM Web Portal + Keystone), Client App (User Agent), FI-WARE Testbed Firewall, FI-WARE GE Instance
    • Access App
    • Login via FI-WARE; Login to Client App via IdM (1)
    • Validation; IP a1.b1.c1.d1 registered at the FI-WARE Testbed Firewall
    • User Logged In
    • FI-WARE GE API requests from a1.b1.c1.d1 pass through the FI-WARE Testbed Firewall
    (1) Login via request using Keystone API or via the JavaScript library provided by FI-WARE

    15. Short term: Client App (User Agent) after the IP changes
    Participants: FI-WARE Testbed IdM (IdM Web Portal + Keystone), Client App (User Agent), FI-WARE Testbed Firewall, FI-WARE GE Instance
    • First (temporary) IP a1.b1.c1.d1 registered as on slide 14
    • Access App (new IP a2.b2.c2.d2 assigned)
    • Re-login from a2.b2.c2.d2; IP a2.b2.c2.d2 registered at the FI-WARE Testbed Firewall
    • FI-WARE GE API requests from a2.b2.c2.d2 pass through the FI-WARE Testbed Firewall
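The short-term mechanism of slides 13 to 15, modelled as an added example (not code from the deck or from the FI-WARE testbed): the firewall forwards GE API requests only from registered source addresses, the Testbed Admin registers the fixed IP of a web-server backend, and a user agent's current address is registered when its login is validated against Keystone. All IP addresses, user names and passwords are constructed; the toy Keystone is a plain dictionary. The example assumes that a re-login from a new address drops the user's previous temporary entry; slide 15 shows only the new registration.

```python
import ipaddress


class TestbedFirewall:
    """Toy model of the short-term solution: the FI-WARE Testbed Firewall only
    forwards GE API requests whose source IP has been registered."""

    def __init__(self, keystone_users):
        self.keystone_users = keystone_users   # user -> password (toy Keystone, constructed)
        self.fixed_ips = set()                 # registered by the Testbed Admin
        self.temporary_ips = {}                # ip -> user, registered at login

    def admin_register(self, ip):
        """Slide 13: the admin registers the fixed IP a.b.c.d of a WS backend."""
        self.fixed_ips.add(ipaddress.ip_address(ip))

    def login(self, user, password, src_ip):
        """Slide 14: validation via the Keystone API; on success the user
        agent's current address is allowlisted for GE API requests."""
        if self.keystone_users.get(user) != password:
            return False
        # Slide 15 (assumption of this example): a re-login from a new address
        # replaces the user's old temporary entry instead of accumulating them.
        for ip in [ip for ip, u in self.temporary_ips.items() if u == user]:
            del self.temporary_ips[ip]
        self.temporary_ips[ipaddress.ip_address(src_ip)] = user
        return True

    def allows(self, src_ip):
        """Firewall decision for a GE API request arriving from src_ip."""
        ip = ipaddress.ip_address(src_ip)
        return ip in self.fixed_ips or ip in self.temporary_ips


def run_short_term_scenario():
    """Returns (before_ip_change, after_ip_change, bad_login_accepted, bad_login_ip_allowed)."""
    fw = TestbedFirewall({"alice": "alice-pw"})            # constructed credentials
    fw.admin_register("198.51.100.10")                     # WS backend, fixed IP a.b.c.d
    fw.login("alice", "alice-pw", "203.0.113.5")           # user agent, first IP a1.b1.c1.d1
    before = (fw.allows("198.51.100.10"), fw.allows("203.0.113.5"), fw.allows("203.0.113.6"))
    # The user agent is assigned a new address a2.b2.c2.d2: blocked until it re-logs in
    fw.login("alice", "alice-pw", "203.0.113.6")
    after = (fw.allows("203.0.113.5"), fw.allows("203.0.113.6"))
    # A failed Keystone validation registers nothing
    bad_login = fw.login("bob", "wrong-pw", "203.0.113.7")
    return before, after, bad_login, fw.allows("203.0.113.7")


if __name__ == "__main__":
    print(run_short_term_scenario())   # ((True, True, False), (False, True), False, False)
```

What the model makes visible is the limitation that makes this a short-term measure: the firewall decides per source address, so it cannot tell which user or application behind a registered address (for instance behind NAT) sent a given GE API request, and a registration stays valid until the address is replaced. Per-request token validation in the medium-term solution is what closes that gap.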

    16. IdM Web Portal functionality in the short term
    • Every UC project will be associated with an "Organization"
    • Every UC project will have an admin user account
    • Using the IdM Web Portal, admin users will be able to create new user accounts linked to the same Organization

    17. MORE DETAILS

    18. IdM Web Portal
    • Provides Identity Management
    • Provides OAuth 2 modes
    • API with Keystone to manage GE tokens
    • Interface with Keystone to manage tokens and provide them via OAuth

    19. Keystone
    • It provides management of:
      • Users, roles and organizations
      • Only one Keystone admin
      • Credentials: username and password
      • Tuples <user, organization, role>
      • Tokens are associated with <user, organization>
      • Many roles per user and organization
      • GEs establish permissions per role

    20. Keystone
    • Provides management of GEs (Services)
    • Each GE owns a list of endpoint URLs
    • Users access these URLs
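The Keystone data model of slides 19 and 20, as an added example rather than the project's own implementation: username/password credentials, <user, organization, role> tuples, tokens scoped to one <user, organization> pair, a per-GE endpoint list, and a GE-side check that maps the roles in the token's scope to permitted actions. Users, organizations, roles, the GE name and the permission table are constructed; real Keystone stores and validates these differently.

```python
import hashlib
import os
import secrets


class Keystone:
    """Toy Keystone: credentials, <user, organization, role> tuples, tokens
    bound to <user, organization>, and the endpoint list each GE owns."""

    def __init__(self):
        self.credentials = {}     # user -> (salt, pbkdf2 hash)
        self.assignments = set()  # {(user, organization, role)}
        self.tokens = {}          # token -> (user, organization)
        self.services = {}        # GE name -> list of endpoint URLs

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.credentials[user] = (salt, self._hash(password, salt))

    def grant(self, user, organization, role):
        """Many roles per user and organization: one tuple per role."""
        self.assignments.add((user, organization, role))

    def roles(self, user, organization):
        return sorted(r for u, o, r in self.assignments if u == user and o == organization)

    def create_token(self, user, password, organization):
        """Username/password credentials; the token is bound to one organization."""
        stored = self.credentials.get(user)
        if stored is None or not secrets.compare_digest(stored[1], self._hash(password, stored[0])):
            raise PermissionError("bad credentials")
        if not self.roles(user, organization):
            raise PermissionError("user has no role in that organization")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, organization)
        return token

    def validate(self, token):
        """Scope and roles for a token, or None when it is unknown."""
        scope = self.tokens.get(token)
        if scope is None:
            return None
        user, organization = scope
        return {"user": user, "organization": organization,
                "roles": self.roles(user, organization)}

    def register_service(self, ge_name, endpoints):
        """Each GE owns a list of endpoint URLs that users access."""
        self.services[ge_name] = list(endpoints)


# Constructed: how one hypothetical GE maps Keystone roles to permitted actions.
GE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "member": {"read", "write"},
    "viewer": {"read"},
}


def ge_authorize(keystone, token, action):
    """GE-side check: union of the permissions of every role in the token's scope."""
    info = keystone.validate(token)
    if info is None:
        return False
    allowed = set().union(*(GE_PERMISSIONS.get(r, set()) for r in info["roles"]))
    return action in allowed


def run_role_scenario():
    """Returns (member_write, member_delete, admin_delete, unknown_token_read)."""
    ks = Keystone()
    ks.add_user("alice", "alice-pw")                        # constructed credentials
    ks.grant("alice", "uc-project-1", "member")
    ks.grant("alice", "uc-project-1", "viewer")             # two roles in one organization
    ks.grant("alice", "uc-project-2", "admin")
    ks.register_service("ge-example", ["https://ge-example.testbed.example/v1"])
    t1 = ks.create_token("alice", "alice-pw", "uc-project-1")
    t2 = ks.create_token("alice", "alice-pw", "uc-project-2")
    return (
        ge_authorize(ks, t1, "write"),     # member may write
        ge_authorize(ks, t1, "delete"),    # no admin role in uc-project-1's scope
        ge_authorize(ks, t2, "delete"),    # admin in uc-project-2
        ge_authorize(ks, "bogus", "read"), # unknown token
    )


if __name__ == "__main__":
    print(run_role_scenario())   # (True, False, True, False)
```

The point the scenario isolates is the organization scoping: alice holds admin in uc-project-2, but a token created for uc-project-1 carries only the roles of that organization, so the GE's check denies the delete even though the same user is an admin elsewhere.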