Hi Ben (and everyone),
The other day you mentioned* that Shibboleth code for DVN 3.6 is being
written by your colleague at
I'm heads down in Solr/search stuff for Dataverse 4.0 right now but I
was thinking... what if we started building one of those DANS
Shibboleth branches and try deploying the code somewhere (probably in
the cloud) so we can learn from what DANS is doing!
Two questions:
1. Is
the best branch to
build from? It seems to be the most recent.
2. If we were to put the code on a server in the cloud, do you have a
preference for what the server is called? Do you want "dans" in the
hostname?
Thanks!
Phil
*
On Wed, Apr 2, 2014 at 1:50 PM, Philip Durbin <philip_durbin(a)harvard.edu>
wrote:
Hi Ben (and all)!
It was great talking to you, Arnoud, and Eko this morning! I really
appreciate you taking the time to summarize our conversation for the
benefit of everyone on this list, or who may stumble upon the archived
version. (Speaking of the archived version, it seems to be cut off but
I'm hoping that this reply will capture your whole message.)
We don't have a lot of experience with OIOSAML but we're happy to help
you through any problems with Glassfish. You're welcome to continue
pinging us in #dvn on freenode IRC[1] or my opening a ticket by
emailing support(a)thedata.org
DVN has always run on PostgreSQL and I suspect their are requirements
baked into the DVN 3.x code but as we work on the Dataverse 4.0 code
base (which is entirely new), we are trying to be aware of not tying
ourselves to a particular database (i.e.
https://redmine.hmdc.harvard.edu/issues/3729 ). No promises though...
I'm sure we'll continue to run PostgreSQL in development and
production. :)
I doubt that Dataverse will run in Tomcat. It's a Java Enterprise
Edition (Java EE) application so it requires a full container such as
Glassfish. It *should* run on Jboss/Wildfly and I hope we aren't
introducing any hard dependencies on Glassfish but it's certainly
possible we accidentally are since we use Glassfish exclusively in
development. I should mention that TomEE only supports the "web
profile" of Java EE (last I checked) but I'm pretty sure we require
the "full profile". Oh, and I'm not sure if SELinux is supported or
not... definitely worth trying.
With regard to Apache httpd, we have never required it to run DVN 3.x
but it's under consideration as a requirement for Dataverse 4.0. As
you've noted, using Apache as a proxy like this allows the Shibboleth
attributes to be exposed as environment variables. Given the trouble
I've had using OIOSAML (especially with ADFS[2]), I'm interested in
looking into the "Fronting Glassfish with Apache to run Shibboleth SP"
option[3] some more. I have some notes on the Apache option at
https://github.com/dvn/shibpoc/tree/master/java/shibsppoc
Perhaps I should send this to the larger dataverse-community list (
https://groups.google.com/group/dataverse-community ) but can I get a
quick pulse from people who run (or may run) Dataverse if they have
any objection to running Glassfish behind Apache?
Phil
1. Lots of good Shibboleth chatter this week starting at
http://irclog.iq.harvard.edu/dvn/2014-03-31
2.
https://github.com/IQSS/dvn/wiki/configuring-ADFS-relying-party
3. Other options include OIOSAML and OpenAM per this "Dataverse
Shibboleth/SAML Design Document" I continue to update:
https://docs.google.com/document/d/1y2axfd_ScmXVICFlV8AuPDdp5xHwTag54pUpV
efzs5g/edit?usp=sharing
On Wed, Apr 2, 2014 at 12:49 PM, Ben Companjen
<ben.companjen(a)dans.knaw.nl> wrote:
Hi all,
As the future network admin of the Dutch Dataverse Network (DDN), I
[0] am
currently involved with the transition of the service responsibility of
this service from the library of the University of Utrecht to Data
Archiving and Networked Services (an institute of the Royal Netherlands
Academy of Arts and Sciences and the Netherlands Organisation for
Scientific Research). My colleagues Eko Indarto and Arnoud Jippes are
working with me on this, as the developer and sysadmin respectively.
As Philip Durbin wrote in his email of October 3, 2013 [1], the DVN
(v3.3)
was patched with OIOSAML to support federated login using personal
accounts supplied by Dutch higher educational institutions via
SURFconext.
The patch is available and supports not only login, but account
creation
with basic role assignment on first login based on SAML attributes as
well. It has worked for the current participating (and paying)
institutions, although the patch doesn't do session management very
well.
After logging in for the first time, an account is created, but the
user
needs to quit and restart the browser to be able to login for the first
time. This may also be why logging in when browsing studies takes the
user
back to the homepage instead of the study that the user was looking at.
In this transition, we're upgrading the DVN software to 3.6.2, on a new
RHEL 6 with SELinux server. Next is to reconnect to SURFconext, the
federated login provider for Dutch higher education institutions. By
May
1st the transition must be complete and it looks like we'll make it.
However, the "getting OIOSAML to work with 3.6.2" part has not been
easy,
partly due to lack of experience with Glassfish and OIOSAML.
From a system administration point of view, consolidation of deployment
environments continues to be important to us. Our Java applications are
deployed in Tomcat and use MySQL as DBMS with an Apache proxy in front
of
Tomcat. This has also allowed us to use Shibboleth for federated login
for
one of our other services, the long-term preservation archive EASY
[2]. I
personally don't know the details, but setting up Shibboleth and the
connection to SURFconext has been harder than building software support
for Shibboleth, which I'm told boils down to getting attribute values
from
environment variables. (We did need Shibboleth's lazy session mode
enabled.)
This environment and knowledge made us try patch the patch with
Shibboleth
support. That includes fronting Glassfish with Apache. By the end of
this
week I hope to know whether we succeeded :)
We (Eko, Arnoud and I) had a Skype call with Philip today, to exchange
some of our experiences with SAML and learn that DVN v4 will focus on
Shibboleth (because the demand was highest for Shibboleth). Support for
more generic authentication frameworks had crossed all our minds
before,
but implementing such support is beyond any current plan (as I
understood).
Although more a thought than a design, we suggested a plugin framework
for
DVN to allow e.g. account creation/management as part of the login
procedure. With such a framework in place, we could create a plugin
instead of a patch that chooses a authentication provider, redirects to
the login page and performs the logic of assigning roles to new
accounts
(i.e. authorisation) in between authentication and session start. One
plugin could be created for the Dutch environment, another for the US
environment (with InCommon) and perhaps yet another for Facebook
authentication.
We further asked about known DVN production environments in which DVN
is
deployed in Tomcat and/or uses MySQL, but it appears that DVN relies on
some JavaEE features that Tomcat does not support. Perhaps TomEE might
help here, but Philip has no experience with this product. PostgreSQL
dependencies have been requested to be removed in DVN 4.
It was great to discuss DVN via Skype today, but we understand that
keeping the discussion open generally helps the wider community. We're
learning too, and would love to hear about experiences with
environments
similar to ours, or different.
Regards,
Ben
[0]:
http://dans.knaw.nl/en/content/ben-companjen (bencomp on Freenode,
@bencomp on Twitter)
[1]:
https://lists.iq.harvard.edu/pipermail/dvn-auth/2013-October/000001.html
[2]:
https://easy.dans.knaw.nl/ui/home
Ben Companjen
Information scientist
ben.companjen(a)dans.knaw.nl
+31 6 1334 9717
Data Archiving and Networked Services (DANS)
DANS promotes sustained access to digital research data. See
<http://www.dans.knaw.nl/> for more information and contact details.
DANS
is an institute of KNAW and NWO.
DANS | Anna van Saksenlaan 51 | 2593 HW The Hague | P.O. Box 93067 |
2509
AB The Hague | +31 70 349 44 50 | info(a)dans.knaw.nl |
www.dans.knaw.nl
<http://www.dans.knaw.nl/>
_______________________________________________
dvn-auth mailing list
dvn-auth(a)lists.iq.harvard.edu
To unsubscribe from this list or get other information:
https://lists.iq.harvard.edu/mailman/listinfo/dvn-auth
--
Philip Durbin
Software Developer for
http://thedata.org
http://www.iq.harvard.edu/people/philip-durbin