[Go-essp-tech] PCMDI9 OpenId's trusted at NCAR

Eric Nienhouse ejn at ucar.edu
Thu Sep 6 10:33:11 MDT 2012


Hi Karl, Luca,

We've updated the ESG-NCAR Gateway to address the issues noted below.  
Users should now be able to login and successfully download CMIP5 data 
using PCMDI9 OpenIDs.

Thanks,

-Eric


On 8/3/2012 4:38 PM, Eric Nienhouse wrote:
> Hi Luca,
>
> Thanks for the details below.  We're getting proper CMIP5 related 
> group attributes from the Attribute Service (ATS) at pcmdi9 when 
> asserting the CMIP5 related data access attributes as you note.
>
> We need to make a few changes to the Gateway to issue these SAML 
> requests in support of end-to-end authorized file downloads from the 
> TDS at ESG-NCAR.
>
> The CMIP5 download tests noted below as not requiring CMIP5 
> registration for access were made to the GFDL datanode.  Other nodes 
> tested (e.g. pcmdi9, CMCC.it) require CMIP5 registration as expected.
>
> I'll let you know once this is deployed to the production ESG-NCAR 
> Gateway and pcmdi9 OpenIDs can successfully download.  A number of 
> folks are out on vacation, so it may be a bit until this is ready.
>
> -Eric
>
> On 8/2/2012 12:33 PM, Cinquini, Luca (3880) wrote:
>> Hi Nathan:
>>
>> On Aug 2, 2012, at 9:13 AM, Nathan Hook wrote:
>>
>>> Hi Karl and Luca,
>>>
>>> To be clear authentication (authN) is working, the error that you're 
>>> both seeing is an authorization (authZ) issue.
>>
>> yes correct.
>>>
>>> When we make a request to the saml attribute service at pcmdi9 
>>> (https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm) 
>>> we always get an attribute response that has a  user's first name, 
>>> last name, and email, but no listing of groups to which that user 
>>> belongs.
>>>
>>> We have tried the following openids in the saml attribute request:
>>> https://pcmdi9.llnl.gov/esgf-idp/openid/nathanhook
>>> https://www.earthsystemgrid.org/myopenid/nhook
>>> https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini
>>> https://pcmdi3.llnl.gov/esgcet/myopenid/oscar.nienhouse
>>> https://pcmdi9.llnl.gov/esgf-idp/openid/taylor13
>>>
>>> Since we're not getting back any group information from the saml 
>>> requests, our system seems to be doing the correct behavior (denying 
>>> access) at this time.
>>>
>>> Is there a different way that we should be authorizing a user's 
>>> access to cmip5 data?
>>
>> Please see below for an example of SAML request to the pcmdi9 
>> attribute service, and correspondent HTTP response. Basically, if the 
>> client asks for the attributes named "CMIP5 Commercial" and "CMIP5 
>> Research", their values will be returned, if found (i.e. the user has 
>> obtained CMIP5 membership).
>>
>>>
>>> FYI, I was able to download data directly from 
>>> http://pcmdi9.llnl.gov/esgf-web-fe/ with both my pcmdi9 and 
>>> www.earthsystemgrid.org openids without having to request access 
>>> to the cmip5 group.  Has group registration been turned off or is 
>>> group registration no longer required to access cmip5 data?
>>
>> The security enforcement is really established by the data node, not 
>> the web-fe. Which dataset were you trying to download ? I know GFDL 
>> provides free access to their data, all other data nodes should 
>> require CMIP5 membership. I just verified that, with a new pcmdi9 
>> openid, I am asked to register when requesting data from the pcmdi9 
>> datanode.
>> Also, the old memberships have been transferred to the new system, so 
>> your www.earthsystemgrid.org openid should already be enabled. I can 
>> only explain the success of your pcmdi9 openid if:
>> a) somehow you had enrolled in CMIP5 at some point
>> b) or, you were really downloading free data from GFDL
>>
>> thanks, Luca
>>
>>>
>>> Thank you for your time.
>>>
>>> Warm Regards,
>>>
>>> Nathan H.
>>>
>>>
>>> PS:  We also tried all the above openids against the attribute 
>>> service at pcmdi7 
>>> (https://pcmdi7.llnl.gov/esgf-security/saml/soap/secure/attributeService.htm). 
>>>  All the pcmdi9 openids returned an UnknownPrincipal response, while 
>>> the www.earthsystemgrid.org and pcmdi3 openids returned appropriate 
>>> group information.
>>
>> =====================================================================================================
>>
>> [DEBUG] esg.security.common.SOAPServiceClient: Querying SOAP 
>> endpoint: 
>> https://pcmdi9.llnl.gov/esgf-idp/saml/soap/secure/attributeService.htm timeout=10000 
>> milliseconds
>> [DEBUG] esg.security.common.SOAPServiceClient: <?xml version="1.0" 
>> encoding="UTF-8"?><soap11:Envelope 
>> xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
>>    <soap11:Body>
>>       <saml2p:AttributeQuery 
>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
>> ID="63c0c153-a6dc-42d7-9b50-30801c9f3d57" 
>> IssueInstant="2012-08-02T18:21:03.380Z" Version="2.0">
>>          <saml2:Issuer 
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">ESGF 
>> Authorization Service</saml2:Issuer>
>>          <saml2:Subject 
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>>             <saml2:NameID 
>> Format="urn:esg:openid">*https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini*</saml2:NameID>
>>          </saml2:Subject>
>>          <saml2:Attribute 
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="CMIP5 
>> Commercial" NameFormat="http://www.w3.org/2001/XMLSchema#string"/>
>>          <saml2:Attribute 
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="*CMIP5 
>> Research*" NameFormat="http://www.w3.org/2001/XMLSchema#string"/>
>>          <saml2:Attribute 
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
>> Name="urn:esg:group:role" 
>> NameFormat="http://www.w3.org/2001/XMLSchema#string"/>
>>       </saml2p:AttributeQuery>
>>    </soap11:Body>
>> </soap11:Envelope>
>>
>> [DEBUG] esg.security.common.SOAPServiceClient: Response header 
>> name=Server value=Apache-Coyote/1.1
>> [DEBUG] esg.security.common.SOAPServiceClient: Response header 
>> name=Content-Type value=text/xml
>> [DEBUG] esg.security.common.SOAPServiceClient: Response header 
>> name=Content-Length value=1760
>> [DEBUG] esg.security.common.SOAPServiceClient: Response header 
>> name=Date value=Thu, 02 Aug 2012 18:21:03 GMT
>> [DEBUG] esg.security.common.SOAPServiceClient: <?xml version="1.0" 
>> encoding="UTF-8"?><soap11:Envelope 
>> xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
>>    <soap11:Body>
>>       <saml2p:Response 
>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
>> ID="543c8eb4-1958-4f90-b763-e00aadc9249d" 
>> InResponseTo="63c0c153-a6dc-42d7-9b50-30801c9f3d57" 
>> IssueInstant="2012-08-02T18:21:03.528Z" Version="2.0">
>>          <saml2:Issuer 
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">ESGF 
>> Attribute Service</saml2:Issuer>
>>          <saml2p:Status>
>>             <saml2p:StatusCode 
>> Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>>          </saml2p:Status>
>>          <saml2:Assertion 
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
>> ID="51ca7a30-42a4-4af5-b704-275e4cc5b91d" 
>> IssueInstant="2012-08-02T18:21:03.531Z" Version="2.0">
>>             <saml2:Issuer 
>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">ESGF 
>> Attribute Service</saml2:Issuer>
>>             <saml2:Subject>
>>                <saml2:NameID 
>> Format="urn:esg:openid">*https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini*</saml2:NameID>
>>             </saml2:Subject>
>>             <saml2:Conditions NotBefore="2012-08-02T18:21:03.531Z" 
>> NotOnOrAfter="2012-08-03T18:21:03.531Z"/>
>>             <saml2:AttributeStatement>
>>                <saml2:Attribute Name="*CMIP5 Research*" 
>> NameFormat="http://www.w3.org/2001/XMLSchema#string">
>>                   <saml2:AttributeValue 
>> xmlns:xs="http://www.w3.org/2001/XMLSchema" 
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
>> xsi:type="xs:string">*user*</saml2:AttributeValue>
>>                </saml2:Attribute>
>>             </saml2:AttributeStatement>
>>          </saml2:Assertion>
>>       </saml2p:Response>
>>    </soap11:Body>
>> </soap11:Envelope>
>>
>> =========================================================================================
>>>
>>>
>>>
>>> On 8/1/2012 9:36 AM, Karl Taylor wrote:
>>>> Hi Nate,
>>>>
>>>> Even with a pcmdi9 openid, I get this error:
>>>>
>>>>
>>>> so something is not quite right yet.
>>>>
>>>> thanks,
>>>> Karl
>>>>
>>>>
>>>> On 8/1/12 7:52 AM, Cinquini, Luca (3880) wrote:
>>>>> Hi Nate,
>>>>> thanks, this is a good step forward. I noticed the following though:
>>>>>
>>>>> o The authorization system on the TDS server still doesn't seem to 
>>>>> be compatible with P2P - I got an "Access Denied" when trying to 
>>>>> download a file with my CMIP5-enabled pcmdi9 openid.
>>>>>
>>>>> o Is there any plan to support authentication with any P2P openid, 
>>>>> not just pcmdi9 ?
>>>>>
>>>>> thanks, Luca
>>>>>
>>>>> On Jul 31, 2012, at 2:16 PM, Nathan Wilhelmi wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> To follow up from the last telco, PCMDI9 OpenID's can now be used 
>>>>>> at the
>>>>>> NCAR site.
>>>>>>
>>>>>> Thanks!
>>>>>> -Nate
>>>>>> _______________________________________________
>>>>>> GO-ESSP-TECH mailing list
>>>>>> GO-ESSP-TECH at ucar.edu <mailto:GO-ESSP-TECH at ucar.edu>
>>>>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>>
>>
>>
>
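The exchange Luca quotes above, as an added example that is not code from this thread or from the ESGF project: it builds an AttributeQuery that names "CMIP5 Commercial" and "CMIP5 Research" explicitly (rather than only `urn:esg:group:role`, which returned no groups), then evaluates the saml2p:Response with a default-deny rule, accepting only a Success that answers our query ID, names the same OpenID, is inside its Conditions window, and carries a CMIP5 attribute with a value. The sample response is constructed from the one quoted above; its IDs and the `now_iso` argument are assumptions.

```python
import uuid, datetime as dt, xml.etree.ElementTree as ET
P, A = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"p": P, "a": A}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CMIP5_ATTRS = ("CMIP5 Research", "CMIP5 Commercial")  # names the pcmdi9 ATS answers to

def build_attribute_query(openid, attr_names=CMIP5_ATTRS):
    """Return (query_id, xml): an AttributeQuery naming the CMIP5 attributes explicitly."""
    qid = str(uuid.uuid4())
    q = ET.Element(f"{{{P}}}AttributeQuery", ID=qid, Version="2.0",
                   IssueInstant=dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ"))
    ET.SubElement(q, f"{{{A}}}Issuer").text = "ESGF Authorization Service"
    subj = ET.SubElement(q, f"{{{A}}}Subject")
    ET.SubElement(subj, f"{{{A}}}NameID", Format="urn:esg:openid").text = openid
    for name in attr_names:
        ET.SubElement(q, f"{{{A}}}Attribute", Name=name,
                      NameFormat="http://www.w3.org/2001/XMLSchema#string")
    return qid, ET.tostring(q, encoding="unicode")

def _t(s):  # SAML timestamps as in the thread, e.g. 2012-08-02T18:21:03.531Z
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def cmip5_authorized(response_xml, query_id, openid, now_iso):
    """Default-deny check: return the granting attribute name, else None."""
    r, now = ET.fromstring(response_xml), _t(now_iso)
    code = r.find("p:Status/p:StatusCode", NS)
    if r.get("InResponseTo") != query_id or code is None or code.get("Value") != SUCCESS:
        return None  # not an answer to our query, or not a Success
    for asr in r.findall("a:Assertion", NS):
        if asr.findtext("a:Subject/a:NameID", namespaces=NS) != openid:
            continue  # assertion is about a different subject
        c = asr.find("a:Conditions", NS)
        if c is not None and not _t(c.get("NotBefore")) <= now < _t(c.get("NotOnOrAfter")):
            continue  # outside the validity window
        for attr in asr.findall("a:AttributeStatement/a:Attribute", NS):
            if attr.get("Name") in CMIP5_ATTRS and any(
                    v.text for v in attr.findall("a:AttributeValue", NS)):
                return attr.get("Name")
    return None  # no CMIP5 attribute with a value: deny, as ESG-NCAR did

# Constructed response modelled on the thread's; the IDs are placeholders.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{P}" xmlns:saml2="{A}" ID="resp-1"
 InResponseTo="query-1" Version="2.0">
 <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
 <saml2:Assertion ID="asr-1" Version="2.0">
  <saml2:Subject><saml2:NameID Format="urn:esg:openid">https://pcmdi9.llnl.gov/esgf-idp/openid/lucacinquini</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2012-08-02T18:21:03.531Z" NotOnOrAfter="2012-08-03T18:21:03.531Z"/>
  <saml2:AttributeStatement><saml2:Attribute Name="CMIP5 Research">
   <saml2:AttributeValue>user</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
 </saml2:Assertion></saml2p:Response>"""
```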
