Community Architecture
Kevin Benson TL
Dave Morris
Brian McIlwrath
Paul Harris
Overview
Architecture
Uniqueness
Policy Service
– Permission Check
– Policy Management
Authentication Process
– Token based
General Architecture
Portal (1 - *) Community
DB (SQL compliant)
Policy Manager (Administration)
Policy Service
Authentication (Identity)
Other components in the community, e.g. myspace, JES, registry.
Unique Community
Community -> domain style recommended
Account -> user name@community
Group -> group name@community
Resource -> community:resource name
Community: MSSL.ucl.ac.uk
Account: [email protected]
Group: [email protected]
Resource: mssl.ucl.ac.uk:registry
Policy Manager Services
Insert/Remove/View Account
Insert/Remove/View Community
Insert/Remove/View Permission
Insert/Remove/View Resources
Insert/Remove/View Groups
Insert/Remove/View Members
Change Password
Policy Service
Check Permission – Account / Group / Resource / Action
Check Membership
Authentication
Token Authenticate
Login (account, password)
Create Token (account token, target)
Authenticate Token (account, token, target)
Policy Process
Portal
Credentials
Internal: KMB@mssl, group Solar@mssl, Permission: “Read” on “mssl:myspace” resource
External 1: KMB@mssl, group Solar@mssl, Permission: “Read” on “Edinburg:DataCentre”
External 3: KMB@mssl, group Astrophysics@leicester, Permission: “Write” on “Jodrel:registry”
External 2: KMB@mssl, group Solar@leicester, Permission: “Insert” on “leicester:myspace”
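The Policy Service calls (Check Membership, Check Permission) and the credentials above, as an added example that is not the AstroGrid code: a Python model of the check over the naming scheme from the Unique Community slide, loaded with the KMB@mssl grants shown. Class and function names are assumptions; the membership table is constructed.

```python
import re
from dataclasses import dataclass
# Naming scheme from the "Unique Community" slide: account and group are
# "name@community", a resource is "community:resource name".
_AT_NAME = re.compile(r"^[^@:\s]+@([^@:\s]+)$")    # account or group
_RESOURCE = re.compile(r"^([^@:\s]+):[^@:\s]+$")   # resource

def community_of(identifier: str) -> str:
    """Community that owns an account, group or resource identifier."""
    m = _AT_NAME.match(identifier) or _RESOURCE.match(identifier)
    if not m:
        raise ValueError(f"malformed identifier: {identifier!r}")
    return m.group(1)   # after '@' for names, before ':' for resources

@dataclass(frozen=True)
class Permission:
    group: str      # e.g. "Solar@mssl"
    resource: str   # e.g. "mssl:myspace"
    action: str     # e.g. "Read"

class PolicyService:
    """Model (assumed shape) of Check Membership / Check Permission."""
    def __init__(self, members, grants):
        self.members = members   # group -> set of accounts
        self.grants = grants     # set of Permission

    def check_membership(self, account: str, group: str) -> bool:
        return account in self.members.get(group, set())

    def check_permission(self, account, group, resource, action) -> bool:
        # Deny unless the account is in the group AND that group holds the
        # action on the resource; membership alone, or another action, fails.
        if not self.check_membership(account, group):
            return False
        return Permission(group, resource, action) in self.grants

    def is_external(self, account: str, resource: str) -> bool:
        # "External" on the slide: the resource belongs to another community.
        return community_of(account) != community_of(resource)

def example_service() -> PolicyService:
    # Constructed from the Credentials slide (KMB@mssl in three groups).
    members = {"Solar@mssl": {"KMB@mssl"}, "Solar@leicester": {"KMB@mssl"},
               "Astrophysics@leicester": {"KMB@mssl"}}
    grants = {Permission("Solar@mssl", "mssl:myspace", "Read"),
              Permission("Solar@mssl", "Edinburg:DataCentre", "Read"),
              Permission("Astrophysics@leicester", "Jodrel:registry", "Write"),
              Permission("Solar@leicester", "leicester:myspace", "Insert")}
    return PolicyService(members, grants)
```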
Config file
Flexibility is the key here: this config file can live anywhere on the system because we use JNDI (J2EE spec) to read the config file location from the web.xml. You may also use any web service technology, not just “Axis”, or any app server, not just “tomcat”, by supplying the necessary config parameters.
Community.name – specify your community name.
Community.host – the actual domain name of your community (may be empty)
Policy.manager.url – admin/manager service url (may be empty)
Policy.service.url – service url (may be empty)
Authentication.url – authentication webservice (may be empty)
Community.security – “on”/“off”: do we have https/ssl for the community server.
Community.secure.port – “8443”; https secure port for the community server.
Portal.security – “on”/“off”: do we have https for the portal.
Portal.secure.port – “8443”, https secure port for the portal.
Astrogrid.admin – Administrator's name
Astrogrid.adminEmail – Administrator's e-mail
*Database.name – name of the database
*Database.config – config file location for the database.
*Database.mapping – config file location for JDO mapping with Castor.
*myspace.service.url – url of the myspace webservice
*Only used for the community server side.
A few other details. Deployment is done by a small release kit that is created through an “ant” task.
This kit will build the necessary jar files and descriptors for placing on your community server. Other “ant” tasks have been created to actually install and deploy the community server, but some admins do not wish to do this; they may wish to build it on another system and deploy it themselves. A Readme.txt file is being provided for this.
Security – As you can see from the config file you can turn security “off”, but the default is “on”. This configuration can be set for the portal side and/or the community server side. When they are “on”, the portal will redirect to an “https” secure connection for anything dealing with passwords, which covers “login”, “Insert Account”, and “Change Password”. On the community side, if it is turned on, it will send a secure web service call through the “https” url.
The only other external web service calls are for “Insert Account” and “Remove Account”, where we must notify the myspace server of any account changes.