[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
Re: TDS access control for OpenDAP requests
- Subject: Re: TDS access control for OpenDAP requests
- Date: Mon, 16 May 2011 12:06:34 -0700
Hi John,
right now, the JPL server only has a few... but the goal is, for
example, to host on the order of tens of thousands of datasets on the PCMDI
node, when the CMIP5 archive is almost complete.
thanks, Luca
On May 16, 2011, at 12:58 PM, John Caron wrote:
> ok, btw, how many of these datasets (that are protected) are in one
> server? just trying to get a feel for the scale.
>
> On 5/16/2011 12:35 PM, Cinquini, Luca (3880) wrote:
>> Thanks John, could you please let us know when we can download a new TDS
>> version and try again ?
>> thanks a lot,
>> Luca
>>
>> On May 16, 2011, at 12:31 PM, John Caron wrote:
>>
>>> On 5/16/2011 11:01 AM, Cinquini, Luca (3880) wrote:
>>>> Hi John,
>>>> how's going ? I have a follow-up question to our brief conversation at
>>>> GO-ESSP last week. Could you confirm that theoretically the TDS access
>>>> control model should be able to secure access to http requests ending in
>>>> .dods, besides those ending in .nc ?
>>>>
>>>> The reason I am asking is because looking at the log files it seems
>>>> otherwise. The ESG filters establish whether or not a URL is secure by
>>>> calling DatasetHandler.findResourceControl(uri). Up to now, we have
>>>> changed every URL of the form XYZ.nc.dods to XYZ.nc, and fed this last uri
>>>> to the DatasetHandler, but this approach does not work for aggregations.
>>>>
>>>> For example, this is what I see in the logs when making an opendap request
>>>> on a single file:
>>>>
>>>> 2011-05-16T09:50:28.655 -0700 [ 53640][ 14] DEBUG -
>>>> esg.orp.app.tds.TDSPolicyService -
>>>> URI=/esg_dataroot/obs4cmip5/observations/atmos/hus/mon/grid/NASA-JPL/AQUA/AIRS/r1i1p1/hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc.dods
>>>> resource control=null
>>>> 2011-05-16T09:50:28.656 -0700 [ 53641][ 14] DEBUG -
>>>> esg.orp.app.tds.TDSPolicyService - Uri changed.
>>>> 2011-05-16T09:50:28.656 -0700 [ 53641][ 14] DEBUG -
>>>> esg.orp.app.tds.TDSPolicyService -
>>>> URI=/esg_dataroot/obs4cmip5/observations/atmos/hus/mon/grid/NASA-JPL/AQUA/AIRS/r1i1p1/hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc
>>>> resource control=esg-user is secure=true
>>>> 2011-05-16T09:50:28.656 -0700 [ 53641][ 14] DEBUG -
>>>> esg.orp.app.AuthenticationFilter -
>>>> URL=http://test-datanode.jpl.nasa.gov/thredds/dodsC/esg_dataroot/obs4cmip5/observations/atmos/hus/mon/grid/NASA-JPL/AQUA/AIRS/r1i1p1/hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc.dods?hus[0:1:0][0:1:0][0:1:0][0:1:0]
>>>> is secure
>>>>
>>>> You'll notice that the original URI
>>>> */hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc.dods is NOT secure, but
>>>> after dropping the last extension, the URI
>>>> hus_AQUA_AIRS_L3_RetStd-v5_200209-201006.nc IS secure.
>>>>
>>>> Off course I might be doing something wrong here, but before digging any
>>>> further I wanted to make sure that you think dods requests are treated
>>>> just like normal file requests as far as security is concerned. FYI the
>>>> catalog I am using to test is:
>>>>
>>>> http://test-datanode.jpl.nasa.gov/thredds/esgcet/1/obs4cmip5.NASA-JPL.AQUA.AIRS.mon.v1.xml
>>>>
>>>> thanks a lot, it was great seeing you at the workshop,
>>>> Luca
>>> hi luca:
>>>
>>> this is a bug in our code. its looking for exact matches on access paths
>>> . i will get a fix asap. thanks for finding it.
>>>
>>> john
>
