User Tools

Site Tools


metamod:security_plans

Change of Authentication in Metamod 2.X

Overview of Metamod authorization and authentication before 2.1

Type Access Authentication Password-store
Administration of Metamod http://server/adm BasicAuth-apache .htaccess-file
Administration of Tomcat http://server:XXXX/manager BasicAuth-tomcat tomcat-users-file
Access to upload-environment http://server/upl metamod metamod-file
Access to upload-environment ftp://server passwd PAM-configured
Administration of Metamod-server ssh:server passwd PAM-configured

Wishlist

The current implementation has some drawback, which are addressed by the following wishlist:

  1. one password store should be enough
  2. authentication methods security-level should be industry standard compliant
  3. single sign on

Idea

Password storage

Using a directory server for authentication. The directory server needs to support user, passwords and groups. This can be i.e. any LDAP server.

Industry Standard compliance

  • BasicAuth is industry standard, with moderate to low security (depending on https).
  • ftp is industry standard, with low security.
  • ssh is industry standard, with moderate security.
  • metamod security is not tested. Metamod-application authentication will require lots of testing to become comparable to industry-standard. Simplest to switch to BasicAuth-apache.

Single Sign On

No solution! Evaluated:

  • Using Kerberos, requires kerberos-support from client-side, i.e. http://negotiateauth.mozdev.org/ . Since client-side support usually does not exist, supporting it on the server is useless.
  • Using SAML, that is SSO on application-level. This will be hard to impossible to implement since we don't have control of Thredds, ssh and ftp.
  • Using tomcat within apache (mod_jk, mod_proxy), having same security realm. This would be a good solution for SSO on the http-side (simply having one application), but might require extra care when setting up protection for one data-catalog, which can be seen from apache as up to 3 (eventually more) http-pathes (opendap, http, WCS).

Changes needed

BasicAuth for /upl

  • .htaccess protection for all /upl/* pages
  • Registration and password changes outside /upl
  • Only username known to metamod $_SERVER{REMOTE_USER} after login, not institution/working directory. This information should be stored in another place.

(Optional) upload-area per user

  • each user should have a user-directory, where he can upload files via ftp

~~DISCUSSION~~

metamod/security_plans.txt · Last modified: 2008-11-27 10:16:53 by heikok