[Go-essp-tech] PCMDI9 OpenId's trusted at NCAR

Eric Nienhouse ejn at ucar.edu
Fri Aug 3 16:38:38 MDT 2012 

Hi Luca,

Thanks for the details below.  We're getting proper CMIP5 related group 
attributes from the Attribute Service (ATS) at pcmdi9 when asserting the 
CMIP5 related data access attributes as you note.

We need to make a few changes to the Gateway to issue these SAML 
requests in support of end-to-end authorized file downloads from the TDS 
at ESG-NCAR.

The CMIP5 download tests noted below as not requiring CMIP5 registration 
for access were made to the GFDL datanode.  Other nodes tested (e.g. 
pcmdi9, CMCC.it) require CMIP5 registration as expected.

I'll let you know once this is deployed to the production ESG-NCAR 
Gateway and pcmdi9 OpenIDs can successfully download.  A number of folks 
are out on vacation, so it may be a bit until this is ready.

-Eric

On 8/2/2012 12:33 PM, Cinquini, Luca (3880) wrote:
> Hi Nathan:
>
> On Aug 2, 2012, at 9:13 AM, Nathan Hook wrote:
>
>> Hi Karl and Luca,
>>
>> To be clear authentication (authN) is working, the error that you're 
>> both seeing is an authorization (authZ) issue.
>
> yes correct.
>>
>> When we make a request to the saml attribute service at pcmdi9 
>> (https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm) 
>> we always get an attribute response that has a  user's first name, 
>> last name, and email, but no listing of groups to which that user 
>> belongs.
>>
>> We have tried the following openids in the saml attribute request:
>> https://pcmdi9.llnl.gov/esgf-idp/openid/nathanhook
>> https://www.earthsystemgrid.org/myopenid/nhook
>> https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini
>> https://pcmdi3.llnl.gov/esgcet/myopenid/oscar.nienhouse
>> https://pcmdi9.llnl.gov/esgf-idp/openid/taylor13
>>
>> Since we're not getting back any group information from the saml 
>> requests, our system seems to be doing the correct behavior (denying 
>> access) at this time.
>>
>> Is there a different way that we should be authorizing a user's 
>> access to cmip5 data?
>
> Please see below for an example of SAML request to the pcmdi9 
> attribute service, and correspondent HTTP response. Basically, if the 
> client asks for the attributes named "CMIP5 Commercial" and "CMIP5 
> Research", their values will be returned, if found (i.e. the user has 
> obtained CMIP5 membership).
>
>>
>> FYI, I was able to download data directly from 
>> http://pcmdi9.llnl.gov/esgf-web-fe/ with both my pcmdi9 and 
>> www.earthsystemgrid.org <http://www.earthsystemgrid.org> openids 
>> without having to request access to the cmipi5 group.  Has group 
>> registration been turned off or is group registration no longer 
>> required to access cmip5 data?
>
> The security enforcement is really established by the data node, not 
> the web-fe. Which dataset were you trying to download ? I know GFDL 
> provides free access to their data, all other data nodes should 
> require CMIP5 membership. I just verified that, with a new pcmdi9 
> openid, I am asked to register when requesting data from the pcmdi9 
> datanode.
> Also, the old memberships have been transferred to the new system, so 
> your www.earthsystemgrid.org <http://www.earthsystemgrid.org> openid 
> should already be enabled. I can only explain the success of your 
> pcmsi9 openid if:
> a) somehow you had enrolled in CMIP5 at some point
> b) or, you were really downloading free data from GFDL
>
> thanks, Luca
>
>>
>> Thank you for your time.
>>
>> Warm Regards,
>>
>> Nathan H.
>>
>>
>> PS:  We also tried all the above openids against the attribute 
>> service at pcmdi7 
>> (https://pcmdi7.llnl.gov/esgf-security/saml/soap/secure/attributeService.htm). 
>>  All the pcmdi9 openids returned an UnknownPrincipal response, while 
>> the www.earthsystemgrid.org <http://www.earthsystemgrid.org> and 
>> pcmdi3 openids returned appropriate group information.
>
> =====================================================================================================
>
> [DEBUG] esg.security.common.SOAPServiceClient: Querying SOAP endpoint: 
> https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm 
> timeout=10000 milliseconds
> [DEBUG] esg.security.common.SOAPServiceClient: <?xml version="1.0" 
> encoding="UTF-8"?><soap11:Envelope 
> xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
> <soap11:Body>
> <saml2p:AttributeQuery 
> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
> ID="63c0c153-a6dc-42d7-9b50-30801c9f3d57" 
> IssueInstant="2012-08-02T18:21:03.380Z" Version="2.0">
> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">ESGF Authorization 
> Service</saml2:Issuer>
> <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
> <saml2:NameID 
> Format="urn:esg:openid">*https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini*</saml2:NameID>
> </saml2:Subject>
> <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> Name="CMIP5 Commercial" 
> NameFormat="http://www.w3.org/2001/XMLSchema#string"/>
> <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> Name="*CMIP5 Research*" 
> NameFormat="http://www.w3.org/2001/XMLSchema#string"/>
> <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> Name="urn:esg:group:role" 
> NameFormat="http://www.w3.org/2001/XMLSchema#string"/>
> </saml2p:AttributeQuery>
> </soap11:Body>
> </soap11:Envelope>
>
> [DEBUG] esg.security.common.SOAPServiceClient: Response header 
> name=Server value=Apache-Coyote/1.1
> [DEBUG] esg.security.common.SOAPServiceClient: Response header 
> name=Content-Type value=text/xml
> [DEBUG] esg.security.common.SOAPServiceClient: Response header 
> name=Content-Length value=1760
> [DEBUG] esg.security.common.SOAPServiceClient: Response header 
> name=Date value=Thu, 02 Aug 2012 18:21:03 GMT
> [DEBUG] esg.security.common.SOAPServiceClient: <?xml version="1.0" 
> encoding="UTF-8"?><soap11:Envelope 
> xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
> <soap11:Body>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
> ID="543c8eb4-1958-4f90-b763-e00aadc9249d" 
> InResponseTo="63c0c153-a6dc-42d7-9b50-30801c9f3d57" 
> IssueInstant="2012-08-02T18:21:03.528Z" Version="2.0">
> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">ESGF Attribute 
> Service</saml2:Issuer>
> <saml2p:Status>
> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> </saml2p:Status>
> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
> ID="51ca7a30-42a4-4af5-b704-275e4cc5b91d" 
> IssueInstant="2012-08-02T18:21:03.531Z" Version="2.0">
> <saml2:Issuer 
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">ESGF Attribute 
> Service</saml2:Issuer>
> <saml2:Subject>
> <saml2:NameID 
> Format="urn:esg:openid">*https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini*</saml2:NameID>
> </saml2:Subject>
> <saml2:Conditions NotBefore="2012-08-02T18:21:03.531Z" 
> NotOnOrAfter="2012-08-03T18:21:03.531Z"/>
> <saml2:AttributeStatement>
> <saml2:Attribute Name="*CMIP5 Research*" 
> NameFormat="http://www.w3.org/2001/XMLSchema#string">
> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
> xsi:type="xs:string">*user*</saml2:AttributeValue>
> </saml2:Attribute>
> </saml2:AttributeStatement>
> </saml2:Assertion>
> </saml2p:Response>
> </soap11:Body>
> </soap11:Envelope>
>
> =========================================================================================
>>
>>
>>
>> On 8/1/2012 9:36 AM, Karl Taylor wrote:
>>> Hi Nate,
>>>
>>> Even with a pcmdi9 openid, I get this error:
>>>
>>>
>>> so something is not quite right yet.
>>>
>>> thanks,
>>> Karl
>>>
>>>
>>> On 8/1/12 7:52 AM, Cinquini, Luca (3880) wrote:
>>>> Hi Nate,
>>>> thanks, this is a good step forward. I noticed the following though:
>>>>
>>>> o The authorization system on the TDS server still doesn't seem to 
>>>> be compatible with P2P - I got an "Access Denied" when trying to 
>>>> download a file with my CMIP5-enabled pcmdi9 openid.
>>>>
>>>> o Is there any plan to support authentication with any P2P openid, 
>>>> not just pcmdi9 ?
>>>>
>>>> thanks, Luca
>>>>
>>>> On Jul 31, 2012, at 2:16 PM, Nathan Wilhelmi wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> To follow up from the last telco, PCMDI9 OpenID's can now be used 
>>>>> at the
>>>>> NCAR site.
>>>>>
>>>>> Thanks!
>>>>> -Nate
>>>>> _______________________________________________
>>>>> GO-ESSP-TECH mailing list
>>>>> GO-ESSP-TECH at ucar.edu <mailto:GO-ESSP-TECH at ucar.edu>
>>>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>>> _______________________________________________
>>>> GO-ESSP-TECH mailing list
>>>> GO-ESSP-TECH at ucar.edu <mailto:GO-ESSP-TECH at ucar.edu>
>>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>>
>>>
>>>
>>> _______________________________________________
>>> GO-ESSP-TECH mailing list
>>> GO-ESSP-TECH at ucar.edu <mailto:GO-ESSP-TECH at ucar.edu>
>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>
>
>
> _______________________________________________
> GO-ESSP-TECH mailing list
> GO-ESSP-TECH at ucar.edu
> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ucar.edu/pipermail/go-essp-tech/attachments/20120803/045a650b/attachment-0001.html

More information about the GO-ESSP-TECH mailing list