[Go-essp-tech] TDS access control for OpenDAP requests
    John Caron 
    caron at unidata.ucar.edu
       
    Tue May 17 09:53:40 MDT 2011
    
    
  
On 5/17/2011 8:05 AM, Cinquini, Luca (3880) wrote:
> Hi John:
>
> On May 16, 2011, at 7:25 PM, John Caron wrote:
>
>> On 5/16/2011 11:01 AM, Cinquini, Luca (3880) wrote:
>>> Hi John,
>>> 	how's going ? I have a follow-up question to our brief conversation at GO-ESSP last week. Could you confirm that theoretically the TDS access control model should be able to secure access to http requests ending in .dods, besides those ending in .nc ?
>>>
>>> The reason I am asking is because looking at the log files it seems otherwise. The ESG filters establish whether or not a URL is secure by calling DatasetHandler.findResourceControl(uri). Up to now, we have changed every URL of the form XYZ.nc.dods to XYZ.nc, and fed this last uri to the DatasetHandler, but this approach does not work for aggregations.
>>>
>>> For example, this is what I see in the logs when making an opendap request on a single file:
>>>
>>> 2011-05-16T09:50:28.655 -0700 [     53640][      14] DEBUG - esg.orp.app.tds.TDSPolicyService - URI=/esg_dataroot/obs4cmip5/observations/atmos/hus/mon/grid/NASA-JPL/AQUA/AIRS/r1i1p1/hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc.dods resource control=null
>>> 2011-05-16T09:50:28.656 -0700 [     53641][      14] DEBUG - esg.orp.app.tds.TDSPolicyService - Uri changed.
>>> 2011-05-16T09:50:28.656 -0700 [     53641][      14] DEBUG - esg.orp.app.tds.TDSPolicyService - URI=/esg_dataroot/obs4cmip5/observations/atmos/hus/mon/grid/NASA-JPL/AQUA/AIRS/r1i1p1/hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc resource control=esg-user is secure=true
>>> 2011-05-16T09:50:28.656 -0700 [     53641][      14] DEBUG - esg.orp.app.AuthenticationFilter - URL=http://test-datanode.jpl.nasa.gov/thredds/dodsC/esg_dataroot/obs4cmip5/observations/atmos/hus/mon/grid/NASA-JPL/AQUA/AIRS/r1i1p1/hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc.dods?hus[0:1:0][0:1:0][0:1:0][0:1:0] is secure
>>>
>>> You'll notice that the original URI */hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc.dods is NOT secure, but after dropping the last extension, the URI hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc IS secure.
>>>
>>> Off course I might be doing something wrong here, but before digging any further I wanted to make sure that you think dods requests are treated just like normal file requests as far as security is concerned. FYI the catalog I am using to test is:
>>>
>>> http://test-datanode.jpl.nasa.gov/thredds/esgcet/1/obs4cmip5.NASA-JPL.AQUA.AIRS.mon.v1.xml
>>>
>>> thanks a lot, it was great seeing you at the workshop,
>>> Luca
>> ok, now that im testing this, im convincing myself that this does work
>> correctly.
>>
>> when one makes a request for<opendap>.dods, TDS has to open the file
>> <opendap>, and so DatasetHandler.findResourceControl(<opendap>) will be
>> correctly restricted, even though
>> DatasetHandler.findResourceControl(<opendap>.dods)will not.  SO i think
>> your test has a false positive.
>>
>> of course, if you can actually access a restricted dataset (eg with
>> .dods or any prefix) then I would be wrong.
> I did some checking... if you use the TDS TomcatAuthorizer this indeed works, because it relies on the request being redirected to the URL<opendap>  to establish access control.
> In our case though we use a different implementation of the Authorizer interface, which relies on the method DatasetHandler.findResourceControl(url) to return the access control attribute associated with that dataset, wether it's a request for<opendap>  or for<opendap>.dods.
>
> Would it be difficult to change the TDS so that DatasetHandler.findResourceControl() can be queried with URLs of any kind ? Otherwise, we could modify our Authorizer to also rely on the eventual redirection to the straight netcdf file - I am not quite sure how difficult this last thing would be.
>
> thanks, Luca
Im not sure i understand. The TDS cant satisfy the request 
<opendap>.dods without opening <opendap>. So Im not sure how one could 
get a response to <opendap>.dods without getting authorization for 
<opendap> ??
    
    
More information about the GO-ESSP-TECH
mailing list