community architecture kevin benson tl dave morris brian mcilwrath paul harris

Post on 31-Dec-2015


Community Architecture

Kevin Benson TL

Dave Morris

Brian McIlwrath

Paul Harris

Overview

Architecture
Uniqueness
Policy Service
– Permission Check
– Policy Management
Authentication Process
– Token based

General Architecture

(Diagram: one Portal talks to many (1 - *) Community servers. Each Community holds a SQL-compliant DB, a Policy Manager (administration), a Policy Service, and Authentication (identity), alongside the other components in the community, e.g. myspace, JES, registry.)

Unique Community

Community -> domain style recommended
Account -> user name@community
Group -> group name@community
Resource -> community:resource name

Community: MSSL.ucl.ac.uk

Account: kmb@mssl.ucl.ac.uk

Group: Solar@mssl.ucl.ac.uk

Resource: mssl.ucl.ac.uk:registry

Policy Manager Services

Insert/Remove/View Account
Insert/Remove/View Community
Insert/Remove/View Permission
Insert/Remove/View Resources
Insert/Remove/View Groups
Insert/Remove/View Members
Change Password

Policy Service

Check Permission (Account / Group / Resource / Action)

Check Membership

Authentication

Token Authenticate
Login (account, password)
Create Token (account token, target)
Authenticate Token (account, token, target)
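The three calls above, as an added example that is not AstroGrid's code: Login verifies a password and returns an account token, Create Token derives from it a token that is only good at one target, and Authenticate Token is what the target service runs. The HMAC token format, the PBKDF2 password store, the service key, the TTL and the single account are assumptions made for the illustration.

```python
"""Token-based authentication in the shape of the slide's three calls.
Added illustration, not AstroGrid code: token format, password store,
SERVICE_KEY, TOKEN_TTL and the demo account are assumptions."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SERVICE_KEY = b"example-community-signing-key"   # assumption: per-community secret
TOKEN_TTL = 3600                                 # assumption: one hour
_PBKDF2_ROUNDS = 50_000


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)


# Constructed user store for the example: account -> (salt, password hash).
_DEMO_SALT = b"demo-salt-not-for-production"
USERS = {"kmb@mssl.ucl.ac.uk": (_DEMO_SALT, _hash_pw("correct horse battery", _DEMO_SALT))}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _sign(payload: dict) -> str:
    """Token = base64(JSON payload) '.' base64(HMAC-SHA256 over that payload)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(SERVICE_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def _verify(token: str) -> Optional[dict]:
    """Return the payload if the MAC checks and the token is unexpired, else None."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVICE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(body)          # only MAC-valid bodies are parsed
    if payload.get("exp", 0) <= int(time.time()):
        return None
    return payload


def login(account: str, password: str) -> Optional[str]:
    """Verify the password and issue an account token (bound to no target)."""
    rec = USERS.get(account)
    if rec is None:
        _hash_pw(password, _DEMO_SALT)   # same cost for unknown accounts
        return None
    salt, stored = rec
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return None
    return _sign({"acct": account, "tgt": None, "nonce": secrets.token_hex(8),
                  "exp": int(time.time()) + TOKEN_TTL})


def create_token(account_token: str, target: str) -> Optional[str]:
    """Derive a token usable only at `target` from a valid account token.
    A derived (target-bound) token cannot mint further tokens."""
    payload = _verify(account_token)
    if payload is None or payload.get("tgt") is not None:
        return None
    return _sign({"acct": payload["acct"], "tgt": target,
                  "nonce": secrets.token_hex(8), "exp": payload["exp"]})


def authenticate_token(account: str, token: str, target: str) -> bool:
    """Run by the target service: genuine, unexpired, for this account, for this target."""
    payload = _verify(token)
    if payload is None:
        return False
    acct = str(payload.get("acct", "")).encode()
    return hmac.compare_digest(acct, account.encode()) and payload.get("tgt") == target
```

The point of the target field is that a token captured at one service (say the registry) is useless at another (myspace), and the login token itself is never accepted by a target service, only exchanged for a bound one.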

Policy Process

Portal (holds the user's credentials: KMB@mssl, group Solar@mssl)

Internal: KMB@mssl, group Solar@mssl – Permission "Read" on "mssl:myspace" resource
External 1: KMB@mssl, group Solar@mssl – Permission "Read" on "Edinburg:DataCentre"
External 2: KMB@mssl, group Solar@leicester – Permission "Insert" on "leicester:myspace"
External 3: KMB@mssl, group Astrophysics@leicester – Permission "Write" on "Jodrel:registry"

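The four scenarios above, together with the name@community and community:resource naming scheme from the Unique Community slide, as an added example that is not AstroGrid's code. It assumes a split of authority that the slides imply but do not state: the community that owns a resource holds the permission entries for it, and the community that owns a group vouches for its members. The tables, the identifier grammar, and lower-casing of identifiers (communities are domain names) are assumptions for the illustration.

```python
"""Deny-by-default Check Permission / Check Membership over the Policy
Process scenarios.  Added example, not AstroGrid code: tables, identifier
grammar and the authority split are assumptions."""
import re
from typing import Optional, Tuple

_PRINCIPAL = re.compile(r"^([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+)$")   # name@community
_RESOURCE = re.compile(r"^([A-Za-z0-9.-]+):([A-Za-z0-9._-]+)$")    # community:resource


def parse_principal(ident: str) -> Optional[Tuple[str, str]]:
    """'KMB@mssl' -> ('kmb', 'mssl'); None if malformed."""
    m = _PRINCIPAL.match(ident)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def parse_resource(ident: str) -> Optional[Tuple[str, str]]:
    """'Edinburg:DataCentre' -> ('edinburg', 'datacentre'); None if malformed."""
    m = _RESOURCE.match(ident)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


# Constructed tables. MEMBERS[community][group] is the member list that the
# group's own community vouches for; PERMISSIONS[community] holds the
# (principal, resource, action) grants of the community that owns the resource.
MEMBERS = {
    "mssl": {"solar": {"kmb@mssl"}},
    "leicester": {"solar": {"kmb@mssl"}, "astrophysics": {"kmb@mssl"}},
}
PERMISSIONS = {
    "mssl": {("solar@mssl", "mssl:myspace", "read")},
    "edinburg": {("solar@mssl", "edinburg:datacentre", "read")},
    "leicester": {("solar@leicester", "leicester:myspace", "insert")},
    "jodrel": {("astrophysics@leicester", "jodrel:registry", "write")},
}


def check_membership(account: str, group: str) -> bool:
    """Ask the group's community whether the account is a member."""
    acct, grp = parse_principal(account), parse_principal(group)
    if acct is None or grp is None:
        return False
    members = MEMBERS.get(grp[1], {}).get(grp[0], set())
    return f"{acct[0]}@{acct[1]}" in members


def check_permission(account: str, group: Optional[str], resource: str, action: str) -> bool:
    """Ask the resource's community: is the action granted to the account
    directly, or to the presented group of which the account is a member?"""
    acct, res = parse_principal(account), parse_resource(resource)
    if acct is None or res is None:
        return False
    grants = PERMISSIONS.get(res[0], set())
    res_key, act = f"{res[0]}:{res[1]}", action.strip().lower()
    if (f"{acct[0]}@{acct[1]}", res_key, act) in grants:
        return True
    if group is None:
        return False
    grp = parse_principal(group)
    if grp is None or not check_membership(account, group):
        return False
    return (f"{grp[0]}@{grp[1]}", res_key, act) in grants
```

Two checks a reviewer would look for are present: the group is only honoured after the group's community confirms membership (a portal cannot simply assert "group Solar@mssl"), and an unparseable identifier is a denial rather than an exception path that might be caught and ignored.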

Config file

Flexibility is the key here: this config file can live anywhere on the system because we use JNDI (J2EE spec) to read the config file location from the web.xml. You may also use any web service technology, not just Axis, or any app server, not just Tomcat, by supplying the necessary config parameters.

Community.name – your community name.
Community.host – the actual domain name of your community (may be empty).
Policy.manager.url – admin/manager service URL (may be empty).
Policy.service.url – policy service URL (may be empty).
Authentication.url – authentication web service URL (may be empty).
Community.security – "on"/"off": do we have https/SSL for the community server.
Community.secure.port – "8443"; https secure port for the community server.
Portal.security – "on"/"off": do we have https for the portal.
Portal.secure.port – "8443"; https secure port for the portal.
Astrogrid.admin – administrator's name.
Astrogrid.adminEmail – administrator's e-mail.
*Database.name – name of the database.
*Database.config – config file location for the database.
*Database.mapping – config file location for the JDO mapping with Castor.
*myspace.service.url – URL of the myspace web service.

* Only used on the community server side.

A few other details. Deployment is done by a small release kit that is created through an ant task.

This kit builds the necessary jar files and descriptors for placing on your community server. Other ant tasks have been created to install and deploy the community server, but some admins do not wish to do this: they may prefer to build it on one system and deploy it on another. A Readme.txt file is provided for this.

Security – As you can see from the config file, security can be turned "off", but the default is "on". This can be set for the portal side and/or the community server side. When it is "on", the portal redirects to an https connection for anything dealing with passwords, which covers "login", "Insert Account" and "Change Password". On the community side, if it is turned on, the community sends its web service calls through the https URL.

The only other external web service calls are for "Insert Account" and "Remove Account", where we must notify the myspace server of any account changes.
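The config keys and the security behaviour described above, as an added example that is not the project's code. It reads a properties-style file, treats anything other than a literal "off" as "on" (so a typo cannot silently disable TLS), picks out which portal operations must be redirected to https, and rewrites a community service URL to https on the configured secure port. The properties syntax, the sample values and the helper names are assumptions.

```python
"""Transport decisions derived from the community/portal config.
Added example, not AstroGrid code: syntax, sample values and helper names
are assumptions."""
from urllib.parse import urlsplit, urlunsplit

# Portal operations that handle a password and therefore go over https.
PASSWORD_OPERATIONS = {"login", "insert account", "change password"}

# Constructed sample config using the keys listed on the slide.
SAMPLE_CONFIG = """\
Community.name = mssl.ucl.ac.uk
Community.host = mssl.ucl.ac.uk
Policy.manager.url = http://mssl.ucl.ac.uk:8080/axis/services/PolicyManager
Policy.service.url = http://mssl.ucl.ac.uk:8080/axis/services/PolicyService
Authentication.url = http://mssl.ucl.ac.uk:8080/axis/services/Authentication
Community.security = on
Community.secure.port = 8443
Portal.security = on
Portal.secure.port = 8443
"""


def parse_config(text: str) -> dict:
    """key = value lines; blank lines and # comments ignored; malformed lines rejected."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed config line: {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def _security_on(cfg: dict, key: str) -> bool:
    """Default is on; only the literal 'off' disables TLS, anything else is an error."""
    value = cfg.get(key, "on").strip().lower()
    if value not in ("on", "off"):
        raise ValueError(f"{key} must be 'on' or 'off', got {value!r}")
    return value == "on"


def needs_https_redirect(cfg: dict, operation: str) -> bool:
    """Portal side: password-handling operations are forced onto https."""
    return _security_on(cfg, "Portal.security") and operation.strip().lower() in PASSWORD_OPERATIONS


def secure_service_url(cfg: dict, url: str) -> str:
    """Community side: send the web service call through the https URL on
    Community.secure.port when Community.security is on."""
    if not url:
        raise ValueError("service URL not configured")
    if not _security_on(cfg, "Community.security"):
        return url
    port = cfg.get("Community.secure.port") or "8443"
    if not port.isdigit():
        raise ValueError(f"bad Community.secure.port: {port!r}")
    parts = urlsplit(url)
    host = parts.hostname or cfg.get("Community.host")
    if not host:
        raise ValueError("cannot determine community host")
    return urlunsplit(("https", f"{host}:{port}", parts.path, parts.query, parts.fragment))
```

Note the "may be empty" URLs from the slide: an empty service URL is rejected here rather than being turned into a plain http call, and a non-numeric port is rejected before it can produce a URL that silently fails to connect.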
