ESGF_workflow_browser
Stephen Pascoe edited this page Apr 9, 2014
| Wiki Reorganisation |
|---|
| This page has been classified for reorganisation. It has been given the category MOVE. |
| The content of this page will be revised and moved to one or more other pages in the new wiki structure. |
This page describes the complete workflow that takes place when a user uses a web browser to download a restricted data file served by a Thredds Data Server (TDS) that is secured with the ESGF security infrastructure. It is assumed that the user has previously registered with one of the ESGF sites.
- The user uses a browser to browse the TDS dataset hierarchy until they reach the HTTP link for a restricted file download.
- Upon clicking on the HTTP download link, the Authentication Filter in front of the TDS redirects the user to the OpenID Relying Party (ORP), which presents the user with an OpenID entry form.
- Upon entering the OpenID, the user is redirected to the Identity Provider (IdP)
- The user enters the password at the IdP, and is redirected to the ORP. The ORP establishes that the user is authenticated, and encodes this information as a session-scope cookie that is valid for all URLs on that site (so that the user doesn't have to authenticate again when accessing any other restricted URLs on that site).
- The ORP then redirects the user to the original TDS URL, which is intercepted by the Authorization Filter in front of the TDS.
- The Authorization Filter queries the configured Authorization Service to determine whether the user is authorized to access that particular URL.
- The Authorization Filter parses the response from the Authorization Service:
  1. If the user was authorized, the Authorization Filter validates the request and passes it on to the TDS data server.
  2. If the user was not authorized because of insufficient privileges, the request is intercepted by the Registration Filter in front of the TDS, which redirects the user to the ORP registration request page.
- The user's browser requests the ORP group registration page for the given resource.
- Upon receiving a GET request, the ORP registration endpoint invokes the ESGF Policy Service to determine which access control group(s) are required to download the data URL. The Policy Service replies with a list of group names and their corresponding registration endpoints. The ORP displays this list to the user.
- The user clicks on one of the registration links to submit a POST request to the ORP registration endpoint.
- Upon receiving a POST request, the ORP registration endpoint submits a request, on behalf of the user, for registration in the requested group, with the requested role. The ESGF Registration Service processes the request and sends back a result code to the ORP. The ORP displays a page with the registration result to the user.
- Assuming the user registration took effect immediately, the ORP page contains a direct link to the original data URL. The user clicks on the link to download the data.
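The filter chain and the ORP registration endpoints described above, modelled in Python as an added example that is not ESGF's own code (the real filters are Java servlet filters). The ORP base URL, the file path, the group name and the in-memory policy and membership tables are constructed stand-ins for the Policy, Authorization and Registration Services.

```python
from dataclasses import dataclass
from typing import Optional

ORP = "https://orp.example"  # hypothetical OpenID Relying Party base URL

# Constructed stand-in for the ESGF Policy Service: the access-control group(s)
# allowed to download each restricted URL, with their registration endpoints.
POLICY = {
    "/thredds/fileServer/cmip5/tas.nc": [("CMIP5 Research", f"{ORP}/registration")],
}
# Constructed stand-in for the membership store behind the Authorization and
# Registration Services: OpenID -> set of groups the user belongs to.
MEMBERSHIP: dict = {}


@dataclass
class Session:
    """The ORP session-scope cookie; openid is set once the IdP login completes."""
    openid: Optional[str] = None


def handle_download(session: Session, url: str) -> tuple:
    """Filters in front of the TDS: authentication, then authorization, then registration."""
    # Authentication Filter: no authenticated session -> send the browser to the ORP.
    if session.openid is None:
        return ("redirect", f"{ORP}/openid?return={url}")
    required = POLICY.get(url)
    if required is None:
        return ("pass", url)  # no policy entry: this model treats the URL as unrestricted
    # Authorization Filter: compare the required groups with the user's memberships.
    if {group for group, _ in required} & MEMBERSHIP.get(session.openid, set()):
        return ("pass", url)  # authorized: hand the request on to the TDS
    # Registration Filter: insufficient privileges -> ORP registration request page.
    return ("redirect", f"{ORP}/registration?resource={url}")


def registration_page(url: str) -> list:
    """GET on the ORP registration endpoint: groups the Policy Service requires for url."""
    return POLICY.get(url, [])


def register(session: Session, group: str, role: str = "user") -> str:
    """POST on the ORP registration endpoint: enrol the user in group with role."""
    if session.openid is None:
        return "DENIED: not authenticated"
    if not any(group == g for groups in POLICY.values() for g, _ in groups):
        return "DENIED: unknown group"
    MEMBERSHIP.setdefault(session.openid, set()).add(group)
    return f"SUCCESS: {session.openid} registered in {group} as {role}"
```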