Hyrax - Managed Access (Authorization)

From OPeNDAP Documentation
Revision as of 00:34, 21 November 2014 by Ndp

Overview

The authentication and authorization mechanisms in both the Apache Web Server (httpd) and the Tomcat Servlet container are well documented and widely used.

We hope to address the following perceived shortcomings of the Apache product's authorization components:

  1. It is difficult to specify fine-grained access control policies for complex, heterogeneous service stacks.
  2. There is no option to centralize the PDP so that multiple services can be controlled from a single policy profile.

A simple policy decision point (SimplPDP) was coded that can accommodate many different types of policies. A simple regex policy was implemented that uses regex matching to whitelist users, resources, HTTP verbs, and queries.
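To make the regex-policy idea concrete, here is an added, self-contained example (not SimplPDP's or Hyrax's own code, and not its policy file format) of a deny-by-default PDP that whitelists users, resources, HTTP verbs, and query strings with anchored regexes, plus a small enforcement function playing the PEP role described in the Terms section below. The policy list, user names, and resource paths are constructed sample values.

```python
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample policy (assumption: an in-memory list stands in for the
# policy store, the PRP role). Every field is a regex that must match the whole
# attribute value. An empty "queries" pattern means "no query string allowed".
SAMPLE_POLICY = [
    {"users": r"alice|bob", "resources": r"/opendap/data/public/.*",
     "verbs": r"GET|HEAD", "queries": r".*"},
    {"users": r"admin_[a-z]+", "resources": r"/opendap/data/.*",
     "verbs": r"GET|HEAD|POST", "queries": r".*"},
    {"users": r"carol", "resources": r"/opendap/data/restricted/[^/]+\.nc",
     "verbs": r"GET", "queries": r""},
]


@dataclass(frozen=True)
class AccessRequest:
    """Attributes gathered by the PEP (the PIP role) for one request."""
    uid: str        # identity established by the authentication step
    resource: str   # normalized request path
    verb: str       # HTTP method, upper-cased
    query: str      # query string, "" when absent


@dataclass
class RegexRule:
    users: re.Pattern
    resources: re.Pattern
    verbs: re.Pattern
    queries: re.Pattern

    @classmethod
    def from_dict(cls, rule):
        return cls(*(re.compile(rule[k]) for k in ("users", "resources", "verbs", "queries")))

    def matches(self, req: AccessRequest) -> bool:
        # fullmatch anchors the pattern at both ends: "bob" must not match "bobby",
        # and a resource pattern cannot be satisfied by a substring of the path.
        return (self.users.fullmatch(req.uid) is not None
                and self.resources.fullmatch(req.resource) is not None
                and self.verbs.fullmatch(req.verb) is not None
                and self.queries.fullmatch(req.query) is not None)


class SimpleRegexPDP:
    """PDP role: a request is permitted only if some rule matches every attribute."""

    def __init__(self, policy):
        self.rules = [RegexRule.from_dict(r) for r in policy]

    def decide(self, req: AccessRequest) -> bool:
        return any(rule.matches(req) for rule in self.rules)


def normalize_path(raw_path: str) -> str:
    # Decode percent-encoding, then collapse "." and ".." segments before the
    # regexes see the path, so "/public/../restricted/x" is judged as "/restricted/x".
    return posixpath.normpath(unquote(raw_path))


def enforce(pdp: SimpleRegexPDP, uid, raw_path: str, verb: str, query: str = ""):
    """PEP role: build the request from the authenticated uid and act on the PDP's answer.

    Returns an (HTTP status, reason) tuple the servlet or handler would send.
    """
    if uid is None:
        return (401, "authentication required")
    req = AccessRequest(uid=uid, resource=normalize_path(raw_path),
                        verb=verb.upper(), query=query)
    return (200, "permit") if pdp.decide(req) else (403, "deny")


if __name__ == "__main__":
    pdp = SimpleRegexPDP(SAMPLE_POLICY)
    for args in [("alice", "/opendap/data/public/sst.nc", "GET", "sst[0:10]"),
                 ("alice", "/opendap/data/public/%2E%2E/restricted/sst.nc", "GET", ""),
                 ("carol", "/opendap/data/restricted/sst.nc", "GET", "sst"),
                 ("bobby", "/opendap/data/public/sst.nc", "GET", "")]:
        print(args, "->", enforce(pdp, *args))
```

Two points matter for any regex-based whitelist of this kind: patterns must be anchored (`fullmatch` rather than `search`, or the user pattern `bob` also admits `bobby`), and the path must be decoded and normalized before matching, or a `..` segment lets a request aimed at a restricted directory satisfy a rule written for a public one.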

The remainder of this document describes how to get, build, install, configure, and run the Hyrax Managed Access prototype.

Terms

Authentication
This is the process of confirming the identity of the user. The end result is a User ID (uid or UID) which may be accessed by the software components via the Apache API (mod_*) and the Java Servlet API (Tomcat servlets) and used to trigger authorization policy chains, or may be logged along with relevant request information.
Authorization
Authorization is the function of specifying access rights to resources. A user may be authorized (some say permitted) to access a resource.
Identity Provider (IdP)
Also known as an Identity Assertion Provider, an Identity Provider (IdP) is a service that provides authentication and identity information services. An IdP is a kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.
Policy Administration Point (PAP)
Point which manages access authorization policies
Policy Decision Point (PDP)
Point which evaluates access requests against authorization policies before issuing access decisions
Policy Enforcement Point (PEP)
Point which intercepts user's access request to a resource, makes a decision request to the PDP to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision
Policy Information Point (PIP)
The system entity that acts as a source of attribute values (i.e. a resource, subject, environment)
Policy Retrieval Point (PRP)
Point where the XACML access authorization policies are stored, typically a database or the filesystem.
Service Provider (SP)
A Service Provider (SP) is a Web Service that utilizes an IdP service to determine the identity of its users. Or, more broadly, a role donned by a system entity where the system entity provides services to principals or other system entities.


See Service Providers, Identity Providers & Security Token Services explained for more.