Changes between Version 5 and Version 6 of tap

Mar 4, 2015 6:24:53 PM (7 years ago)



  • tap

    v5 (old text)

    1   The [ data services] provided by the [ Santander MetGroup] build on a THREDDS Data Server (TDS) implementing a user authentication and data authorization protocol via a THREDDS Administration Panel ([ TAP]). Thus, registration in the TAP is required to access the different datasets. The authentication scheme is defined in terms of groups (e.g. VALUE, CORDEX, EUPORIAS, SPECS, NACLIM, etc.), each of them providing access to a number of datasets (e.g. ERA-Interim for downscaling, System4, WIFEDI, etc.). All public datasets are included under the PUBLIC group.
    3   The process to be followed to register and request membership in different groups is described below.
    5   == Registration and Group Membership ==
    7   Users can register by filling the required information (including the user, email and password) in Alternatively, we are working on a new option to register using the the user's OpenID (e.g. from ESGF); more information will be available soon.
    9   Dataset authorization is organized in groups, which correspond to different supported projects (EUPORIAS, SPECS and NACLIM) and international initiatives (VALUE, CORDEX-ESD), including also a PUBLIC-DATA group for all public datasets. Therefore, participants in any of these projects/initiatives can request membership in the corresponding groups, which are all moderated with the exception of the PUBLIC group (automatically approved under request). Group membership can be requested after login in the ''My groups'' panel (see figure below). Users are requested to explicitly accept the particular usage terms and conditions upon membership request (scroll down to see the whole license before accepting). Don't forget to click in the ''save'' button (at the bottom of the page once the group(s) selection have been made (see the figure below) so the request is actually sent. After that the selected group(s) should appear under the ''Waiting for approval'' label. Assigned groups appear under the ''Assigned groups'' label.
    11  [[Image(registration0.png)]]
    13  The available datasets are listed in the ''My groups'' panel, which also shows the corresponding data policies. For instance, three public datasets are available in the PUBLIC group: WFDEI (WATCH with  ERA-Interim) gridded observations, NCEP-NCAR reanalysis and CFSv2 seasonal hindcast. VALUE and CORDEX-ESD groups provide access to a subset of predictors from ERA-Interim reanalysis commonly used for statistical downscaling. Finally, the three groups related to the  ECOMS projects (EUPORIAS, SPECS, NACLIM) provide access to different seasonal forecasting products.
    15  == Data Access ==
    17  Users can access the authorized datasets using the standard THREDDS services (e.g. OPeNDAP; see the catalog ). However, some interfaces have been also developed in order to remotely access subsets of the datasets from scientific packages (mainly in R). Examples of these interfaces are included in [ downscaleR] and [ ecoms-udg] R packages.

    v6 (new text)

    1   == What is TAP ==
    3   The aim of the Thredds Admin Portal (TAP) project lies in the idea of solving the huge problem existing in the Unidata Thredds application with the management of users, roles and dataset access. The Thredds user authentication is delegated to Tomcat Basic which gets users and roles from a given Realm. In order to authorize users, Thredds checks whether the dataset is restricted and if so, gets the user roles to make a decision. TAP manages the datasource mentioned to control user access to protected datasets.
    5   == Environment setup ==
    7   This environment consists of:
    8   -       Thredds 4.5.5
    9   -       TAP 2.4
    10  -       Apache derby network
    11  -       Apache Tomcat 7.0.59
    13  Attached is a preconfigured environment instance. You only need to change the ports and paths in server.xml and start the derby instance. If you are not familiar please read on the following instructions.
    15  === Expose our datasource in Tomcat ===
    17  Tomcat gets users and roles from conf/tomcat-users.xml by default. We are going to change this in order to get users and roles from a given database. For this purpose, we need to add a new resource called “jdbc/admin” in GlobalNamingResurces.
    20  <Resource name="jdbc/adminDB" auth="Container" type="javax.sql.DataSource" factory="org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory"
    21      validationQuery="SELECT count(*) FROM users" maxActive="20" maxIdle="10" username="password" password="secret"
    22      driverClassName="org.apache.derby.jdbc.ClientDriver" url="jdbc:derby://localhost:port//derbypath/derbydb" readOnly="false"/>
    25  === Set the realm ===
    26  A Realm is a “database” of usernames and passwords that identify valid users of a web application (or set of web applications), plus an enumeration of the list of roles associated with each valid user. The servlet container will be connected to the database and it also be aware of the username and the corresponding roles. Define this realm inside <Engine> in your server.xml:
    29  <Realm className="org.apache.catalina.realm.DataSourceRealm" digest="MD5" debug="0" dataSourceName="jdbc/adminDB"
    30      userTable="USERS" userNameCol="USERNAME" userCredCol="PASSWORD" userRoleTable="V_USERS_ROLES" roleNameCol="ROLENAME"/>
    33  ===  ===
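Review bot: the DataSourceRealm added at v6 lines 29-30 sets digest="MD5", which on Tomcat 7 stores each password as a single unsalted, un-iterated MD5 hash; anyone who can read the USERS table or the Derby files can reverse those with a precomputed table, and Tomcat 7 offers no salted or iterated digest for DataSourceRealm (that arrived with the CredentialHandler in Tomcat 8), so the text should say how database access is restricted or plan the move to a Tomcat version that supports a proper credential handler. In the same element, debug="0" is not a Realm attribute on Tomcat 7 and only produces a "did not find a matching property" warning at startup; drop it. For the Resource at v6 lines 20-22: the prose at line 17 names the resource "jdbc/admin" while the XML and the Realm use "jdbc/adminDB", so align the prose; the placeholders username="password" password="secret" read as a user literally called "password", and since the Derby credentials sit in cleartext in server.xml the text should call for a dedicated low-privilege Derby account and a server.xml readable only by the Tomcat user; readOnly="false" is not a BasicDataSourceFactory property (the DBCP name is defaultReadOnly) and is silently ignored, and because the realm only reads users and roles, defaultReadOnly="true" is the appropriate setting; validationQuery="SELECT count(*) FROM users" counts the whole table on every validation, and Derby accepts a constant query such as VALUES 1; the url "jdbc:derby://localhost:port//derbypath/derbydb" has a doubled slash in the path placeholder. Since line 3 states that authentication is delegated to Tomcat Basic, the environment setup should also say that Basic sends the password base64-encoded on every request and must sit behind TLS (an HTTPS-only connector, or a CONFIDENTIAL transport-guarantee in the security constraint). Minor: line 10 "Apache derby network" should name the component and version (Apache Derby Network Server x.y like the other entries), line 17 "GlobalNamingResurces" should read GlobalNamingResources, and line 33 "=== ===" is an empty heading. Finally, this revision drops the whole user-facing registration and group-membership description from v5 (old lines 1-17, including the registration0.png figure and the list of datasets per group) and replaces it with deployment notes; if that content moved to another page, link it from here, otherwise data-service users lose the only description of how to obtain access.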