FI-WARE Testbed Access Control temporary solution.
FI-WARE Testbed Access Control temporary solution
Introduction
We will define a short-term and a medium-term solution to deal with the issues regarding access control to FI-WARE GEs deployed on the FI-WARE Testbed.
The medium-term solution will evolve so as to incorporate components developed in the FI-WARE Security chapter for the 2nd Release of FI-WARE.
Basic ingredients of the solution
OAuth v2.0
Keystone
User Profile Management
Multi-tenancy
Management and access to FI-WARE GE
Authentication
Authorization and Trust Management
Single Sign-On (SSO) among services/apps
Web/JavaScript/APIs access
Client Apps: Web Apps, Server Apps or Desktop Apps.
MEDIUM TERM Solution
Scenarios to be covered
Client Apps may run on:
• Web Servers
• Web Browsers (user agents)
• On top of an Operating System (Native apps)
Client Apps running on Web Servers
Three-tier Web applications
Clients that invoke FI-WARE GE APIs run on web servers (e.g., servlets)
Users authenticate via IdM web page
The IdM maintains the confidentiality
Sequence diagram. Participants: User agent, Client App (WS backend), FI-WARE Testbed IdM (IdM Web Portal and Keystone), FI-WARE GE Instance (Keystone Middleware).
1. User accesses the App URL of the Client App.
2. Client App: Login via FI-WARE (redirect to the IdM Web Portal).
3. User logs in to the Web App via the IdM.
4. IdM sends the redirect URI with the authentication code.
5. User agent accesses the Redirect URL of the Client App.
6. Client App sends the authentication code, client_id and client_secret to the IdM.
7. Keystone creates the token; IdM returns the access token. User logged in.
8. Client App sends the FI-WARE GE API request with the token.
9. Keystone Middleware validates the token: Ok.
10. The FI-WARE GE API request reaches the GE Instance.
User-agent-based Application
It is a public Client App
Downloadable from Web Servers
It runs in a user-agent (e.g., javascript in a web browser)
Users authenticate via IdM web page
Confidentiality is not maintained (Downloaded Client App assumes your identity)
Sequence diagram. Participants: Client App (User Agent), FI-WARE Testbed IdM (IdM Web Portal and Keystone), FI-WARE GE Instance (Keystone Middleware).
1. User accesses the App.
2. Client App: Login via FI-WARE (redirect to the IdM Web Portal).
3. User logs in to the Client App via the IdM.
4. Keystone creates the token.
5. IdM sends the redirect URI with the access token.
6. User agent accesses the Redirect URL; the Client App loads the token from the fragment.
7. Client App sends FI-WARE GE API requests with the token.
8. Keystone Middleware validates the token: Ok.
9. The FI-WARE GE API request reaches the GE Instance.
Native Application
Native apps, scripts, etc.
Credentials are sent via the Client App
User gives credentials to the Client App
Confidentiality is not maintained (Downloaded Client App assumes your identity)
Sequence diagram. Participants: Client App, FI-WARE Testbed IdM (IdM Web Portal and Keystone), FI-WARE GE Instance (Keystone Middleware).
1. User gives credentials to the Client App.
2. Client App sends the credentials to Keystone: Create Token.
3. Keystone returns the access token.
4. Client App accesses the GE with the token.
5. Keystone Middleware validates the token: Ok.
6. Access to the FI-WARE GE Instance.
SHORT TERM Solution
Sequence diagram (Client App on a web server). Participants: Client App (WS backend), FI-WARE Testbed IdM (IdM Web Portal and Keystone), FI-WARE Testbed Firewall, FI-WARE Testbed Admin, FI-WARE GE Instance.
1. Registration of the Client App's fixed IP a.b.c.d with the FI-WARE Testbed Admin, who configures the FI-WARE Testbed Firewall.
2. User accesses the App URL of the Client App.
3. Client App shows its login web page; user logs in to the Client App.
4. Client App validates the credentials against the IdM (1). User logged in.
5. Client App sends FI-WARE GE API requests from fixed IP a.b.c.d through the firewall to the GE Instance.
(1) Validation via request using Keystone API
Sequence diagram (Client App in a user agent). Participants: Client App (User Agent), FI-WARE Testbed IdM (IdM Web Portal and Keystone), FI-WARE Testbed Firewall, FI-WARE GE Instance.
1. User accesses the App.
2. Client App: Login via FI-WARE; user logs in to the Client App via the IdM (1).
3. Validation by the IdM. User logged in.
4. Client App sends FI-WARE GE API requests from its first (temporary) IP a1.b1.c1.d1 through the firewall to the GE Instance.
(1) Login via request using Keystone API or via JavaScript library provided by FI-WARE
Re-login from a new address a2.b2.c2.d2. Participants: Client App (User Agent), FI-WARE Testbed IdM (IdM Web Portal and Keystone), FI-WARE Testbed Firewall, FI-WARE GE Instance.
1. User accesses the App again; the Client App now has a new IP a2.b2.c2.d2 instead of the first (temporary) IP a1.b1.c1.d1.
2. After re-login, the firewall is updated with the newly assigned address a2.b2.c2.d2.
3. Client App sends FI-WARE GE API requests from a2.b2.c2.d2 through the firewall to the GE Instance.
IdM Web Portal functionality in the short term
Every UC project will be associated with an “Organization”.
Every UC project will have an admin user account.
Using the IdM Web Portal, admin users will be able to create new user accounts linked to the same Organization.
MORE DETAILS
IDM Web Portal
Provides Identity Management
Provides OAuth 2 modes
API with Keystone to manage GE tokens
Interface with Keystone to manage tokens and provide them via OAuth
Keystone
It provides management of:
• Users, roles and organizations
• Only one Keystone admin
Credentials: username and password
Tuples <user, organization, role>
Tokens associate to <user, organization>
Many roles per user and organization
GEs establish permissions per role
Keystone
Provides management of GE (Services)
Each GE owns a list of endpoint URLs
Users access these URLs
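A toy model of the token and role scheme the slides describe (tokens bound to <user, organization>, many roles per user and organization, permissions established by each GE per role, and the Keystone Middleware validating the token before the GE sees the request). This is an added illustration, not FI-WARE or Keystone code; all users, organizations, roles and permissions are constructed.

```python
"""Constructed model of Keystone-style tokens and per-role GE permissions.

Not FI-WARE code. Tokens are bound to a <user, organization> pair, roles come
from <user, organization, role> tuples, and the GE maps roles to operations.
"""
import secrets
import time

# Constructed Keystone tuples <user, organization, role>
ROLE_TUPLES = {
    ("alice", "uc-project-1", "admin"),
    ("alice", "uc-project-1", "developer"),
    ("bob", "uc-project-1", "developer"),
    ("bob", "uc-project-2", "viewer"),
}
TOKENS = {}  # token -> (user, organization, expiry timestamp)

# Constructed example of the permissions one GE establishes per role
GE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "developer": {"read", "write"},
    "viewer": {"read"},
}


def create_token(user, organization, ttl=3600):
    """Keystone 'Create Token': issue a token bound to <user, organization>."""
    if not any(u == user and o == organization for u, o, _ in ROLE_TUPLES):
        raise PermissionError("user is not a member of that organization")
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (user, organization, time.time() + ttl)
    return token


def validate_token(token):
    """Keystone Middleware 'Validate token': (user, org, roles) or None."""
    entry = TOKENS.get(token)
    if entry is None or entry[2] < time.time():
        return None  # unknown or expired token
    user, org, _ = entry
    roles = {r for u, o, r in ROLE_TUPLES if u == user and o == org}
    return user, org, roles


def ge_api_request(token, operation):
    """Middleware validates the token, then the GE checks its per-role rules.

    Returns an HTTP-like status: 401 (bad token), 403 (no role allows the
    operation) or 200 (request reaches the GE).
    """
    ctx = validate_token(token)
    if ctx is None:
        return 401
    _, _, roles = ctx
    allowed = set().union(*(GE_PERMISSIONS.get(r, set()) for r in roles))
    return 200 if operation in allowed else 403
```

Because the token carries the organization, the same user gets different effective permissions depending on which organization the token was issued for.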