[Opendap-tech] OPeNDAP authentication

Patrick West pwest at opendap.org
Fri Aug 28 08:33:16 PDT 2009 

On Aug 28, 2009, at 11:06 AM, John Caron wrote:

> Patrick West wrote:
>> OPeNDAP/G (Gridded OPeNDAP) currently does not support X509  
>> certificates or authentication. The BES does currently support X509  
>> authentication during connection using SSL. And we are currently  
>> developing modifications in the BES to allow for secure connections  
>> and secure requests to be sent to the BES, allowing clients to pass  
>> along security certificates and store them in the BES to be used on  
>> behalf of the client for authorization purposes. This will be  
>> especially useful in a gridded environment or where the BES is  
>> working in paralellel with other BES processes to handle requests.  
>> A module can be written and dynamically loaded into the BES to  
>> handle authorization. There is no generic authorization in the BES.
>> I personally haven't tried it, but since the front-end of Hyrax is  
>> a tomcat servlet that you can utilize any authentication within  
>> tomcat, as is mentioned in another email.
>> To my knowledge, the only client of the BES that supports SSL  
>> authentication is the bescmdln (BES Command Line) client, which is  
>> mostly a testing client. We are developing a Globus module for the  
>> Earth System Grid project that will use the BES authentication.
>> The CEDAR project at UCAR developed a BES plugin to handle simple  
>> user authentication, as well as additional response types and a  
>> reporting mechanism for data usage tracking.
>> Patrick West
>> Rensselaer Polytechnic Institute
>> Tetherless World Constellation
>> http://tw.rpi.edu
>
> Hi Patrick:
>
> Could you explain the relationship of a "BES client" vs an "OPeNDAP  
> client" ? Is this the same?

An OPeNDAP client, in the typical example, sends a OPeNDAP URL to a  
OPeNDAP server. This is the case with the old Server 3 system (CGI) as  
well as the new Server 4 (Hyrax), where the OLFS acts as the front-end  
of the Hyrax server. A browser is a client of the OLFS, or the Matlab  
client, or idl-client, etc... These clients communicate with the OLFS  
using an OPeNDAP URL. The OLFS takes that URL and builds an XML  
request document that is then passed to the BES for processing. The  
OLFS is a client of the BES, in a sense.

A client of the BES communicates with the BES using a OPeNDAP XML  
request document instead of a OPeNDAP URL.

Patrick

More information about the opendap-tech mailing list