1. Introduction

Introduction to the GRIA OGSA-DAI Service

Overview

The GRIA OGSA-DAI service package is a package built around OGSA-DAI WS-I 2.2. It allows clients using the OGSA-DAI libraries access to data resources through a GRIA service. The OGSA-DAI service can be deployed on its own to provide unmanaged access to databases, or it can be used with the GRIA service provider management package to take advantage of its billing and service level agreement functionality.

The software package comes complete with the necessary components to allow the service to query JDBC databases and create new databases in PostgreSQL and MySQL. By following the service developers' guide it is easy to add in the capability to connect to additional RDBMS or other (non-SQL) database systems.

Added Value

The GRIA OGSA-DAI service's focus is on providing a secure system with low maintenance costs, ideal for business deployments.

Easy deployment

The GRIA OGSA-DAI service is provided as a WAR file, ready to be dropped into a standard servlet container such as Tomcat.

Easy configuration

The service provides a web-based configuration and management interface.

GRIA's standard security features

Dynamic security policies to control access to databases and database accounts
Transport level security using SSL
Message level security (WS-Security), providing message authentication and integrity checks

OGSA-DAI session security

The service uses a custom session manager to ensure the security of an OGSA-DAI session.

By also linking the GRIA OGSA-DAI service to the GRIA service provider management package (available separately), additional features are made available:

Monitoring of databases
Restricting access to databases by way of service level agreements (SLAs)
Billing for database access

Components

A GRIA OGSA-DAI service: This is the server component that provides the interfaces for accessing and creating data resources on servers. The service administrator can choose which users are allowed to create and use data resources. The service can be extended to connect to any data resource. Connectors for PostgreSQL and MySQL are provided.
A plugin for the graphical GRIA client: This plugin adds functionality to the graphical GRIA client, enabling clients to access and manage their databases without having to write their own Java applications. While this plugin provides a useful way of experimenting with and demonstrating the OGSA-DAI service, real-world applications would make use of one of the programmatical interfaces.
An AXIS plugin for OGSA-DAI clients: Clients wishing to access databases using the OGSA-DAI client library can install this component to make their SOAP calls compatible with the GRIA authentication and access control systems. Using this component allows GRIA OGSA-DAI services to be accessed just like regular OGSA-DAI services, meaning existing database applications require only minor changes to become compatible with GRIA.
A Java Client API: Clients can use this Java interface to access GRIA OGSA-DAI resources from their own applications.

2. Overview

Overview of the GRIA OGSA-DAI Service

2.1. Architecture

Architecture of GRIA OGSA-DAI Service

Architecture

Overview

The GRIA OGSA-DAI service makes use of three resource types as shown in the diagram below.

Data Resources

The data resource is responsible for storing information about the database that is being accessed. For the default back-ends of MySQL and PostgreSQL this information is in the form of a JDBC URL, such as:

jdbc:mysql://localhost/database

Database resources can be created by either the service provider or users, depending on the access control restrictions that are in place.

Role Resources

A role resource represents the login information for a user in the database (e.g. a username and password combination). In the GRIA OGSA-DAI service different roles can be made visible to different users in order to control who can perform certain operations on the database.

Roles can be created by the service provider and users when connecting an existing database to the OGSA-DAI service. For MySQL and PostgreSQL, when creating a new database the service automatically creates three roles representing RDBMS users with different permissions on that database.

Subscription Resources

Users can open subscriptions to roles which have been made visible to them. Having a subscription allows the user to execute queries on the database.

2.2. Deployment Scenarios

Details the different ways that the GRIA OGSA-DAi Service can be used to manage databases

Deployment Scenarios

Introduction

The GRIA OGSA-DAI service was created with two main use cases in mind:

The service provides users with access to existing data in existing databases.
The service lets users create and access their own databases.

In both these cases, GRIA's access-control and service-level-agreement technologies can be used to create policies controlling which users are allowed access to resources, how many resources they can create/access, and how they will be charged for their use of the service.

The steps taken to implement each of these cases are briefly described below.

Providing Access to Existing Databases

By default, the GRIA OGSA-DAI service can connect to any JDBC database. It is possible to extend the service to connect it to other database back-ends. For further information see the service developers' guide.

The service provider decides which databases he wants to make available. He does this by choosing Connect existing data resource, either in the web-based administration interface or one of the client interfaces, and entering the relevant information (such as a JDBC URL).
The service provider then chooses which existing database usernames and passwords should be exposed in the service. Any number of these database roles can be created to provide different levels of access to different users (e.g. read-only or read-write).
After the roles have been created, the service provider uses GRIA's access control functionality to enter rules which determine who can subscribe to each database role. This is done either in the web-based administration interface or one of the client interfaces.
At this point, users that have been given access to a role will be able to see it in the list of resources returned from the GRIA service. They can use one of the client interfaces to subscribe to the database role and obtain a database subscription.
The user can now run queries on this database subscription using either the GRIA Client using the OGSA-DAI plugin or by using the OGSA-DAI Client API.

Allowing Users to Create Databases

By default, the GRIA OGSA-DAI service can create new databases on MySQL and PostgreSQL. It is possible to extend the service to make it able to create databases on other JDBC resources or other arbitrary database systems. For further information see the service developers' guide.

The service provider uses the web-based administration interface to choose which database server will be used for new databases.
The service provider then uses GRIA's access control tools to specify which users are allowed to create databases. This must also be done using the web-based administration interface.
Users that have been given permission to do so can then create databases using one of the client interfaces. When doing so, the default behaviour is for three database roles to be created automatically for them:
- An administrative role (DAA) that can create and remove tables.
- A read/write role (DAU_RW) that can modify data in existing tables.
- A read only role (DAU_RO) that can only read from existing tables.
The user can now specify which other users can subscribe to his database. If desired, he can give different users access to the different roles above in order to restrict their ability to modify the data in the database.

3. GRIA OGSA-DAI Service

The GRIA OGSA-DAI Service is the server component of the GRIA OGSA-DAI package.

3.1. Overview

Overview of the GRIA OGSA-DAI Service

The GRIA OGSA-DAI Service is the server component of the GRIA OGSA-DAI package. Its purpose is to:

Receive OGSA-DAI perform documents, execute queries on the database and return OGSA-DAI response documents.
Configure and manage resources that are exposed to users. The service provides both a web-service (SOAP) and a web page interface to these operations.

The service is packaged as a web application archive (.WAR file) ready to be deployed to an Apache Tomcat server. The installation instructions explain in detail the procedure for setting up and configuring both Tomcat and the GRIA OGSA-DAI service.

3.2. Installation

Instruction of the installation of the GRIA OGSA-DAI Service

GRIA OGSA-DAI Service Installation

The GRIA OGSA-DAI Service software itself is contained within a single WAR (or "web archive") file gria-ogsadai-service.war, located within the /service directory of this package. Once the pre-requisites have been set-up and the war file has been deployed to Tomcat, the web-based administration interface guides the user through the rest of the installation process.

See the Service Installation Manual for general GRI Ainstallation instructions. Once the initial configuration has been completed see the rest of this manual for OGSA-DAI specific configuration instructions.

3.3. Database Server Configuration

Instructions on setting up MySQL or PostgreSQL for use with the GRIA OGSA-DAI Service

Database Server Configuration

These instructions are of relevance to users who want to use the GRIA OGSA-DAI service with MySQL or PostgreSQL back-ends (and for other RDBMS). If you have a different database back-end, please see the service developers' guide.

Database Drivers

Before configuring your database server(s) on the OGSA-DAI service you must install the correct JDBC driver(s) into the webapp. The JDBC drivers must be placed into library directory of the GRIA OGSA-DAI service webapp:
<path to Tomcat>/webapps/gria-ogsadai-service/WEB-INF/lib
Instructions are provided here for MySQL and PostgreSQL, but other drivers may also be used.

Installing the MySQL driver

Download the MySQL JDBC connecter from the homepage: http://www.mysql.com/products/connector/j/
Extract the .jar file from the downloaded package (eg. mysql-connector-java-3.1.13-bin.jar)
Copy the .jar to the webapp lib directory.

Installing the PostgreSQL driver

Download the PostgreSQL JDBC driver from the homepage: http://jdbc.postgresql.org
Copy the downloaded .jar to the webapp lib directory.

Note that users of PostgreSQL need to follow special instructions when creating new tables in databases created by the OGSA-DAI service.

The Configuration Tool

After installing the GRIA OGSA-DAI service and performing the initial service configuration, you will be asked to perform the database configuration. This involves giving details of the database server on which you want new databases and users to be created.

The database configuration tool is accessed by clicking the "OGSA-DAI Service" link on the service webpage, located at http://<servername>:8080/gria-ogsadai-service.

A screenshot of the form used to enter the database details is shown below:

Database Details

The Database type and Database URL fields provide the type and address of the database server. The server specified here is used when a user requests the creation of a new database.

The Database URL field should contain the JDBC URL of the database server. This JDBC URL should not contain a database name, and should be of the following format:

jdbc:mysql://host[:port]/
jdbc:postgresql://host[:port]/

The System database field specifies which database on the RDBMS to connect to when adding/removing databases and users.

The Database credentials fields should give the username and password of a database user who has permission to create and drop databases and users.

Username Details

If the GRIA OGSA-DAI service is used to create new databases it will also create three database users with appropriate permissions. The "Username prefix" field give you the opportunity to customise the naming scheme used for these automatically generated users.

Usernames are assembled as follows:
<prefix><unique number><suffix>

The suffix is defined elsewhere.

3.4. Access Control

Setting access control to your server using the web interface

Overview

The GRIA OGSA-DAI service uses PBAC (Process Based Access Control) to protect calls to its methods. The three important points of access control are:

Access to the connectDataResrouce method (and the legacy connectDatabase method).
Access to the createDataResource method (and the legacy createDatabase method).
Permission to subscribe to individual database roles.

The first two points can be controlled under the "Permissions" heading on the web-based administration tool. Access to individual database roles can be set up either by clicking the "Permissions" link in the "Databases" section of the web interface, or by using the graphical GRIA client.

Controlling who can connect and create databases

In order to be able to call the connectDataResource / connectDatabase or createDataResource / createDatabase methods on the web service, a user must match the connect-dataresource or create-dataresource PBAC roles respectively. A user matches a PBAC role if he matches at least one Sufficient rule and no Deny rules. Rules are added and removed by using the web-based administration interface, under the "Permissions" heading.

Figure 1: Existing databases can only be connected by a user with the certificate pineau.it-innovation.soton.ac.uk. Nobody can create new databases.

Figure 2: All users can create new databases. Nobody can connect existing databases.

Note that users of the web-based administration interface can perform both these operations regardless of PBAC rules. So in the situation depicted by Figure 2 above, only the service provider can connect existing databases.

Controlling who can subscribe to database roles

By default, when a database role is created only the owner can see and subscribe to it. To allow others to subscribe to a database role the owner can either use the web-based administration interface if he is the service provider, or the graphical GRIA client.

Using the web-based interface

Click the "Permissions" button beside the role you wish to modify.

Figure 3: The permissions button beside a database role

This will open the PBAC administration page for that resource in a new window.

Figure 4: The PBAC administration page for a role resource

Rules can now be added to the access control list for the resource. Users are able to see and subscribe to a database role if they match the client role on the access control list. In the example in Figure 4 above, we have added a rule such that everyone can see and subscribe to this database role.

Using the graphical GRIA client

Left click the role you wish to modify and select "Load Access Control Rules".

Figure 5: Opening the access control list for a role resource

This will open a window displaying the current rules on the resource.

Figure 6: Adding a new rule to a resource

Rules can now be added to the access control list for the resource. Users are able to see and subscribe to a database role if they match the client role on the access control list. In the example in Figure 6 above, we are about to add a rule such that everyone can see and subscribe to this database role.

3.5. Managing Database Resources

The web-based administration interface allows the service provider to view and modify all the databases, roles and subscriptions currently existing in the service.

3.5.1. Connecting Existing Data Resources

Manage an existing data resource with the GRIA OGSA-DAI Service

This feature allows the service provider to expose existing data resources containing existing data to users of the GRIA OGSA-DAI service.

Connecting an existing data resource

Click the "Connect existing data resource" button.
Enter the JDBC URL of the data resource you wish to connect to. You can also enter a description.
Click the "Save changes" button to apply the changes.

Adding Roles

You will now need to add one or more data resource roles to your data resource. Roles allow you to specify which username and password combinations to use on the data resource backend.

Adding a role to a data resource

Click the "Add role" button beside the data resource you wish to modify.
Enter the username and password details of the user you are adding.
Entering a Metric URI allows you to create Service Level Agreements (SLAs) that constrain on specific data resource roles. See the Metrics and SLAs section for more details.
Repeat steps 1 and 2 if you need to add more than one role.
Click the "Save changes" button to apply the changes.

The role has now been created.

Setting Permissions on Resources

See the Access Control section to learn how you can control which users have permission to subscribe to your new resources.

3.5.2. Creating New Data Resources

Instructions on how to create new data resources from the web interface

Creating New Databases

This feature allows the service provider to create a new data resources that users can subscribe to and fill with data.

Creating a new data resource

Click the "Create new data resource" button.
Enter a description for the new data resource.
You can optionally enter a Metric URI, a modified version of which will be assigned to the three automatically generated roles. Doing this allows you to create Service Level Agreements (SLAs) that constrain on specific data resource roles. See the Metrics and SLAs section for more details.
Click the "Save changes" button to apply the changes.

The new data resource has now been created. You will notice the OGSA-DAI service has automatically generated three data resource roles. These have the following permissions:

Administrative role: can view data, modifiy data, and create and delete tables.
Read/write role: can view and modify data in existing tables.
Read only role: can view data in existing tables.

Setting Permissions on Resources

See the Access Control section to learn how you can control which users have permission to subscribe to your new resources.

3.5.3. Viewing and Creating Subscriptions

How to view and create subscriptions from the web interface

Viewing Subscriptions

It is possible to create a subscription from the web interface.

Creating a data resource role subscription

Click the subscribe button on a particular role.
Enter description of new subscription.
Click save changes button.

After carrying out these steps you should see something similar to that below.

Click the icon circled in red to view your newly created subscription.

Setting Permissions on Resources

See the Access Control section to learn how you can control which users have permission to use your new subscription.

3.6. Metrics and SLAs

Using the GRIA OGSA-DAI Service with the GRIA SLA Service

3.6.1. Overview

Description of integration between GRIA OGSA-DAI Service and GRIA SLA Service

The GRIA service provider management package contains an SLA service that can be used to limit the number of resources users can create and charge them for those that they use. The OGSA-DAI service defines a number of metrics that the service provider can use when creating SLAs. The service generates usage reports using these metrics whenever a user creates a new resource. The SLA service collects these usage reports and charges the user accordingly.

The service provider may wish to set up different pricing terms for individual databases or roles. For example he may wish to charge for read/write access to a database while making read only access free. In this situation the service provider can specify a custom metric URI for each role, and then set up the SLA to constrain on those.

It would be helpful to read this section in conjunction with the SLA Management Service manual.

3.6.2. Provided Metrics

Usage of the metrics provided with the GRIA OGSA-DAI Service

The OGSA-DAI service provides metrics for each of the resource types:

Resource type	Description	Metric URI
Databases	Generated for users who create a new database or connect an existing database.	http://www.gria.org/sla/metric/activity/ogsadai/db
Database roles	Generated for each database role that is created.	http://www.gria.org/sla/metric/activity/ogsadai/role
Database subscriptions	Generated for the user who subscribes to a database role.	http://www.gria.org/sla/metric/activity/ogsadai/subscription
Database subscribers	Generated for the owner of a database role when somebody subscribes to it.	http://www.gria.org/sla/metric/resource/ogsadai/subscriber

Example

User A has been given permission by the service provider to create databases. He wants to create a new database, create some tables in that database, and then give User B read/write access to those tables.

User A calls createDatabase.

Usage report for User A - Database
http://www.gria.org/sla/metric/activity/ogsadai/db
Total now: 1

Usage report for User A - Administrative Role
http://www.gria.org/sla/metric/activity/ogsadai/role
Total now: 1

Usage report for User A - Read/Write Role
http://www.gria.org/sla/metric/activity/ogsadai/role
Total now: 2

Usage report for User A - Read Only Role
http://www.gria.org/sla/metric/activity/ogsadai/role
Total now: 3
User A calls subscribe on his administrative role so he can create a table.

Usage report for User A - Subscription
http://www.gria.org/sla/metric/activity/ogsadai/subscription
Total now: 1

Usage report for User A - Subscriber
http://www.gria.org/sla/metric/resource/ogsadai/subscriber
Total now: 1
User A calls perform on his subscription, creating a table.
User A gives User B permission to subscribe to his Read/Write role.
User B calls subscribe on the Read/Write role.

Usage report for User B - Subscription
http://www.gria.org/sla/metric/activity/ogsadai/subscription
Total now: 1

Usage report for User A - Subscriber
http://www.gria.org/sla/metric/resource/ogsadai/subscriber
Total now: 2
User B executes some queries on his Read/Write subscription.

At the end of this example, the usage for the two users is as follows:

User A's usage
1 database
3 database roles
1 subscription
2 subscribers

User B's usage
1 subscription

3.6.3. Custom Metric URI

Using custom metrics with the GRIA OGSA-DAI Service

In some situations the service provider may wish to charge or constrain differently for different databases or database roles. For example, he may want to make read-only access to a database free while charging for read/write access.

This can be implemented through the use of custom metric URIs. There are two places where a custom URI can be entered:

When adding a new role.
When creating a new database (the automatically generated roles get assigned metric URIs based on the one provided).

When a user subscribes to a database role that uses custom metric URIs he generates one usage report for the standard subscription metric (http://www.gria.org/sla/metric/activity/ogsadai/subscription) and one for the custom metric. This is different from subscribing to a role without a custom metric URI, where the user would only generate a usage report for the standard subscription metric.

Providing a custom metric URI when creating a new database will assign similar metric URIs to the three automatically generated database roles. These URIs are generated using the same rules as username generation - the three postfixes are appended onto the end of the metric URI for each of the three roles.

For example, supposing you keep the default values for the username postfixes (eg, ".a" for the administrative role and ".r" for the read-only role), and specify a metric URI http://www.test.com/metric/test_database, the following metric URIs would be generated for the three roles:

Administrative role: http://www.test.com/metric/test_database.a
Read/write role: http://www.test.com/metric/test_database.w
Read Only role: http://www.test.com/metric/test_database.r

3.6.4. SLA Templates

How to use SLA templates to constrain metrics

SLA templates can be created to constrain on any of the above metrics. Several example sections of SLA templates are given below. See the GRIA user documentation for information on constructing full SLA template XML documents.

Limiting database creation

When inserted into the <constraints> section of an SLA template, this capacity constaint will limit the user to creating only one database. The user may still subscribe to other databases, and other users may subscribe to his database.

<constraint type='INSTANTANEOUS'>
    <metric type='ACTIVITY'>
        <uri>http://www.gria.org/sla/metric/activity/ogsadai/db</uri>
        <description>
            <description>database</description>

        </description>
        <units type='DECIMAL'>
            <instantaneous>database</instantaneous>
        </units>
    </metric>

    <bound>LE</bound>
    <private>false</private>
    <limit>1.0</limit>
    <contention>1.0</contention>

    <repeating>false</repeating>
</constraint>

Limiting subscriptions

When inserted into the <constraints> section of an SLA template, these capacity constraints will allow the user to subscribe to three database roles, and have one person subscribe to any roles he creates. The user can create an unlimited number of databases.

<constraint type='INSTANTANEOUS'>
    <metric type='ACTIVITY'>
        <uri>http://www.gria.org/sla/metric/activity/ogsadai/subscription</uri>
        <description>
            <description>subscription</description>

        </description>
        <units type='DECIMAL'>
        <instantaneous>subscription</instantaneous>
    </units>
    </metric>

    <bound>LE</bound>
    <private>false</private>
    <limit>3.0</limit>
    <contention>1.0</contention>

    <repeating>false</repeating>
</constraint>

<constraint type='INSTANTANEOUS'>
    <metric type='RESOURCE'>
        <uri>http://www.gria.org/sla/metric/resource/ogsadai/subscriber</uri>

        <description>
            <description>subscriber</description>
        </description>
        <units type='DECIMAL'>
            <instantaneous>subscriber</instantaneous>

        </units>
    </metric>
    <bound>LE</bound>
    <private>false</private>
    <limit>1.0</limit>

    <contention>1.0</contention>
    <repeating>false</repeating>
</constraint>

4. GRIA Graphical Client Plugin

GRIA OGSA-DAI ships with a plug in for the GRIA client that allows you to manage your data-resources and perform basic functions on them

4.1. Installation

Installing the GRIA OGSA-DAI client plugin

Installing the GRIA client package

The GRIA client package can be downloaded from www.gria.org.

Installation instructions are available in the GRIA user guide.

Installing the GRIA OGSA-DAI plugin

The gria-ogsadai-client-1.1.jar file must be copied into the /conf/plugins directory inside your GRIA client installation.
Remove the gria-client-helpers-1.1.jar file from the /lib directory inside your GRIA client installation.

Note: the gria ogsa-dai-client-5.2 plugin is only compatible with the 5.1 GRIA Client and later.

4.2. Usage

The client plugin extends the GRIA graphical client with the features necessary to manage the resources on a GRIA OGSA-DAI service.

4.2.1. Accessing a GRIA OGSA-DAI Service

Instructions on Accessing a GRIA OGSA-DAI Service from the GRIA Client

Visit the URL of the GRIA OGSA-DAI Service you wish to access and drag the wsdl link from the webpage in to the service view of the client.

Connecting to an OGSA-DAI Service from Client

If you are running the GRIA OGSA-DAI 1.0 client drag the OGSA-DAI Service legacy link, otherwise use the OGSA-DAI Service link. It is most likely that you are using a 5.2 client.

4.2.2. Connecting Existing Data Resources and Adding Roles

Using existing data resources with the GRIA OGSA-DAI Service

This feature allows you to expose existing databases containing existing data to users of the GRIA OGSA-DAI service. To use this feature you need to have been given access to the connect-database PBAC role on the OGSA-DAI service. See the Access Control section for more information.

Before starting you should ensure that the OGSA-DAI service is listed in your client. If it does not exist you can add it by either left clicking on the "Services" menu item and selecting "Add a service", or dragging the service's WSDL link onto the "Services" entry.

Right click on the OGSA-DAI service and select "Connect existing resource".

This will open a dialog box where you can enter the details of the database you wish to connect. You are able to enter the JDBC URL of any type of database here, and also a short description of the database. No checks as to the validity of the JDBC URL are made.

Once you have connected you data resource you are able to add roles. Right click on the connected data resource and select "Connect role".

Enter a description plus the username and password of the role on your database.

After clicking "OK", the role you have created is added to the list.

Setting Permissions on Roles

See the Access Control section to learn how you can control which users have permission to subscribe to your new data resource role.

4.2.3. Creating New Data Resources

Creating data resources from the GRIA Client

Creating New Data Resources

This feature allows you to create new data resources which you can either subscribe to and use yourself, or give permission for others to use. To create new data resource you need to have been given access to the create-dataresource PBAC role on the OGSA-DAI service. See the Access Control section for more information.

Before starting you should ensure that the OGSA-DAI service is listed in your client. If it does not exist you can add it by either left clicking on the "Services" entry and selecting "Add a service", or dragging the service's WSDL link into the client.

Right click on the OGSA-DAI service and select "Create new dataresource".

Enter a description and press ok.

The database and its three roles have now been created.

Setting Permissions on Data Resources

See the Access Control section to learn how you can control which users have permission to subscribe to your new data resources.

4.2.4. Subscribing to a Data Resource

Describes how to subscribe to a Data Resource allowing execution of OgsaDai activities

Getting a subscription to a database role allows you to execute queries (perform documents) on it. By default you are allowed to subscribe to roles created by yourself. To be able to subscribe to roles created by other people, they need to have given you the client PBAC role on their resource. See the Access Control section for more information.

If you have been given access to a role and it does not appear in your client, try right clicking on the OGSA-DAI service and selecting "Discover existing resources".

Before starting you should ensure that the OGSA-DAI service is listed in your client. If it does not exist you can add it by either left clicking on the "Services" menu item and selecting "Add a service", or dragging the service's WSDL link into the client.

Right click on the role you wish to subscribe to and select "Subscribe". You will be asked to enter a short description for the subscription.

The subscription is now listed in your client. You can execute SQL queries on it directly from the client by right clicking on it and selecting one of "Execute query" or "Execute update" entries. Note this only works on SQL Database types of data resources.

4.2.5. Delegating Access to a Subscription

How to delegate access to a subscription that you own so that another user can use but not manage it.

Usage

Delegating access to a Subscription

This feature allows you to permit another user to execute database queries using your subscription. Note that the delegate only gets access to a subset of methods on your subscription:

Action	Owner	Delegate
Executing perform documents	Permitted	Permitted
Running SELECT queries	Permitted	Permitted
Running UPDATE queries	Permitted	Permitted
Viewing and editing access control lists	Permitted	Denied
Destroying the resource	Permitted	Denied
Renaming the resource	Permitted	Denied

Left click on the database subscription that you wish to delegate access to, and select "Access control list".

Now add a new access control rule for the "delegate" role. In the screenshot below we are adding a rule such that everyone is considered a delegate to this subscription, and will be able to run perform documents on it.

4.2.6. Destroying Resources

Destroying resources from the GRIA Client

The GRIA client allows you to destroy any of the resources for which you have the owner PBAC role. To do this simply right click on the resource and select "Destroy".

Destroying Data Resources

When destroying a data resource that was created by the OGSA-DAI service (ie. by using the create new data resource feature), all tables and data in that database will be removed from the RDBMS.

Destroying a data resource that already existed (and was configured using the connect existing database feature) will only remove the link between the OGSA-DAI service and the back-end, and will leave the data intact.

Destroying a database will cause all roles and subscriptions on the database to be destroyed in addition to the database resource itself.

Destroying Role Resources

Destroying a role resource will also destroy any subscriptions that use that role.

Note you cannot destroy roles that were automatically created by the OGSA-DAI service. These roles exist until the database that they belong to is destroyed.

Destroying Subscription Resources

Removing a subscription resource will prevent any further queries from being run using that subscription.

5. Special Notes for PostgreSQL

Some extra steps need to be taken to get PostgreSQL to work with the GRIA OGSA-DAI Service

Creating the plpgsql language

The GRIA OGSA-DAI service makes use of functions written in the plpgsql language. Before using the GRIA OGSA-DAI service, you need to enable this language in the template database.

Login to the database server using the "template1" database.
eg. psql -U postgres -W template1
Execute the following command:
CREATE LANGUAGE plpgsql;

Creating tables

Due to a limitation of PostgreSQL, it is not possible to automatically set the correct permissions on new tables on databases created by the OGSA-DAI service. After executing a CREATE TABLE command, you are required to execute the following function:

SELECT grant_access_to_table(table_name);

For example, to create a table named testtable, you should perform the following SQL queries:

CREATE TABLE testtable (testcolumn TEXT);
SELECT grant_access_to_table('testtable');

Note that this is only necessary on databases created by users of the OGSA-DAI service. It is not needed for existing databases that have been connected to the service.

6. Developers' Guide

This section discusses the GRIA Java API for managing OGSA-DAI data resources and subscriptions, how to use the OGSA-DAI API with the GRIA OGSA-DAI service and how to extend the GRIA OGSA-DAI service by writing activities and by integrating additional data resource types.

6.1. Client Developer

Information on how to use the GRIA OGSA-DAI client and how to use the vanilla OGSA-DAI API with the GRIA OGSA-DAI service

6.1.1. Using the GRIA API

The GRIA API is used to create and manage the GRIA resources representing databases, roles and subscriptions. See the AXIS plugin for OGSA-DAI clients document for instructions for using the OGSA-DAI API for OGSA-DAI operations (e.g. "perform").

Please see the JavaDoc for a detailed descrition of the API.

The GRIA API is used to create and manage the GRIA resources representing databases, roles and subscriptions. See the AXIS plugin for OGSA-DAI clients document for instructions for using the OGSA-DAI API for OGSA-DAI operations (e.g. "perform").

Configuring your Classpath

To use the GRIA OGSA-DAI libraries from your own application, ensure that all of the following are in your application's classpath:

All the jars from the standard graphical client's lib directory, except for gria-client-cli-2.jar, which is the default client itself.
The gria-ogsadai-client-5.2.jar and gria-ogsadai-common-5.2.jar file from inside the client directory of this package.
The client-config.wsdd and implementationfactory.properties files from inside gria-client-cli-2.jar.
The WSDD file causes messages to be signed correctly and contains type mappings telling Axis how to serialise various types.
The crypto.properties file from the client's conf directory, which gives details of the keystore to use.

The StateRepository

A StateRepository stores resources (accounts, SLAs, databases, roles and subscriptions) and services. There are two implementations provided with the GRIA library:

FileStateRepository stores them in an XML format file.
MemoryStateRepository only stores them in memory. Quitting the application will cause them to be forgotten.

Creating a StateRepository

To create a new memory repository:

StateRepository repository = new MemoryStateRepository();

To create a new repository that stores its state in a file called client.state (this is what the standard client uses):

StateRepository repository = new FileStateRepository("client.state");

It is probably easiest to use FileStateRepository as you can create objects using the standard client and then use them from your own program.

Adding services to a repository

Just as when using the graphical client interface, services must be added to the repository before they can be used. All the details about an object in a StateRepository are represented as a WS-Addressing EndpointReference. For example, to add a RemoteOgsaDaiService proxy to an OGSA-DAI service:

EndpointReference serviceEPR = new EndpointReference("https://.../services/DataService");

RemoteOgsaDaiService ogsaDaiService = repository.getOrCreateObject(RemoteOgsaDaiService.class, serviceEPR);

The getOrCreateObject method takes an EPR for the object you want, and a Java interface for the resulting object. If the object is already in the respository then it returns it, otherwise it creates a new one, adds it to the repository, and returns that.

Billing Information

For methods which create new resources, the client software will automatically add a SOAP header containing the billing information (i.e. the ID of the SLA managing the resource).

Useful Methods

The following methods will be the most useful when using the OGSA-DAI service. For a full list of classes and methods see the Javadoc.

Methods on RemoteOgsaDaiService (the service)

getResources()

Methods on RemoteOgsaDaiServiceHelpers (the client's service helper class)

createDataResource(String label)
connectDataResource(String label, Map<String, String> attributes)

Methods on OgsaDaiResourceConversationHelpers (the client's helper class for data resources)

connectDataResourceRole(String label, Map<String, String> attributes)

Methods on OgsaDaiRoleConversationHelpers (the client's helper class for data resource roles)

createSubscription(String label)

Methods on OgsaDaiSubscriptionConversationHelpers (the client's helper class for data resource role subscriptions)

Once you have a subscription resource ID, the standard OGSA-DAI API should be used for querying the database. See example code.

Many classes have the following common methods:

destroy()
setLabel(String label)
GetValidRoles()
getAccessControlRules()
addAccessControlRule(MatchRule rule)
removeAccessControlRule(MatchRule rule)

6.1.2. Axis Handlers for the OGSA-DAI API

How to modify existing OGSA-DAI applications to use the GRIA OGSA-DAI service

6.1.2.1. Setting up Message Handlers

Setting up the Axis message handlers for use with programs that use the OGSA-DAI client API

Overview

The SOAP messages that are generated by the OGSA-DAI client-side library require slight modifications to become compatible with the GRIA OGSA-DAI client. These modifications include:

Removing the Data Resource ID from the URL so that all calls go to a single remote service.
Adding the Data Resource ID as a SOAP header inside the message.
Signing the request with the user's certificate, and verifying the signature of the response from the service.
Including user authentication information to ensure that other users cannot access any OGSA-DAI sessions you create.
Adding tokens to assert group membership.

These modifications are performed by an AXIS message handler chain - a collection of Java classes that can change the SOAP message at various stages during its processing. More information about message handlers is available in the Axis documentation.

Bundling JAR files

In order to use the GRIA OGSA-DAI service in an existing OGSA-DAI client application, you must bundle the following additional JAR files with your application:

From the GRIA client distribution:

commons-httpclient-3.0.1.jar
commons-codec-1.3.jar
gria-account-common-2.jar
gria-infra-common-2.jar
gria-sla-common-2.jar
wss4j-1.5.0-itinnov-1.jar
xalan-2.7.0.jar
xmlsec-1.3.0-itinnov-1.jar

From the GRIA OGSA-DAI Client distribution:

gria-ogsadai-clienthandlers-5.2.jar
gria-ogsadai-client-5.2.jar

Configuring the Implementation Factory

GRIA uses an ImplementationFactory class to locate implementations for a given interface. You should add the following line to an implementationfactory.properties in your classpath:

uk.ac.soton.itinnovation.grid.utils.Transport = uk.ac.soton.ecs.iam.grid.comms.client.AxisTransport

Setting the Keystore

The message handlers need to use a certificate to sign all outgoing SOAP messages. Information about which certificate to use is held in a crypto.properties file loaded from the classpath. Your application should prompt the user for a keystore and generate this file automatically.

A sample crypto.properties file is shown below:

org.apache.ws.security.crypto.merlin.file=/home/bob/my-keystore.ks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.keystore.alias=Bob
org.apache.ws.security.crypto.merlin.alias.password=password
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=JKS

The GRIA Client generates a crypto.properties file the first time it is run, saving it in the conf directory relative to the gridcli executable. If you have used the GRIA Client before you can use this file to test your OGSA-DAI application.

Note that your application will need to tell Java to use your keystore before making any calls to OGSA-DAI. This can be done by using the OgsaDaiSSLHelper class once on application startup:

OgsaDaiSSLHelper.setupKeystore();

Configuring the WSSD

Axis loads a client-config.wsdd file from the classpath to retrieve information about the message handler chains you wish to use in your application.

A suitable client-config.wsdd file is shown below. If you already have such a file in your application you will need to adapt it to include the sections shown in this example.

<?xml version='1.0'?>
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
    	    xmlns:grid-acct="http://www.it-innovation.soton.ac.uk/uk/ac/soton/itinnovation/grid/service/types"
    	    xmlns:grid="http://www.it-innovation.soton.ac.uk/2004/grid"
    	    xmlns:service-types="http://www.it-innovation.soton.ac.uk/uk/ac/soton/itinnovation/grid/service/types"
    	    xmlns:grid-types="http://www.it-innovation.soton.ac.uk/uk/ac/soton/itinnovation/grid/types"
	    xmlns:wsa="http://www.w3.org/2005/08/addressing"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">

 <globalConfiguration>
 <parameter name="attachment_encapsulation_format" value="axis.attachment.style.dime"/>
 <parameter name="disablePrettyXML" value="true"/>
 <parameter name="enableNamespacePrefixOptimization" value="false" />

 <parameter name="enableSignatureConfirmation" value="false"/>	 <!-- Needed for .NET compat -->
  <requestFlow>
   
<handler type="java:uk.ac.soton.itinnovation.grid.client.ogsadai.OgsaDaiRequestHandler" />
   
<handler type="java:uk.ac.soton.itinnovation.grid.utils.wss4j.handler.WSOutboundHandler" >
    
<handler type="java:uk.ac.soton.itinnovation.grid.client.ogsadai.OgsaDaiSAMLHandler" >

<parameter name="action" value="Timestamp Signature"/>

    <parameter name="signaturePropFile" value="crypto.properties" />
    <parameter name="signatureKeyIdentifier" value="DirectReference" />
    

<parameter name="signatureParts" value="{}{http://schemas.xmlsoap.org/soap/envelope/}Body;{}{http://it-innovation.soton.ac.uk/2005/grid}ConversationID;{}{http://it-innovation.soton.ac.uk/2005/grid}BillingInformation;{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{}{http://it-innovation.soton.ac.uk/2005/grid}OwnerRule"/>
    

<parameter name="passwordCallbackClass" 
      value="uk.ac.soton.itinnovation.grid.utils.PWCallback"/>
   </handler>
  </requestFlow>

  <responseFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="action" value="Signature"/>
    <parameter name="signaturePropFile" value="crypto.properties" />
   </handler>
  </responseFlow>

 </globalConfiguration>

 <handler name="LocalResponder" type="java:org.apache.axis.transport.local.LocalResponder"/>
 <handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>

 <typeMapping qname="grid-types:X509Certificate"
    languageSpecificType="java:java.security.cert.X509Certificate"
    serializer="uk.ac.soton.itinnovation.grid.types.CertificateSerializerFactory"
    deserializer="uk.ac.soton.itinnovation.grid.types.CertificateDeserializerFactory"
    encodingStyle=""/>

 <typeMapping qname="wsa:EndpointReferenceType"
    languageSpecificType="java:org.apache.axis.message.addressing.EndpointReferenceType"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"    
    encodingStyle=""/>

 <typeMapping qname="wsa:ReferenceParametersType"
    languageSpecificType="java:org.apache.axis.message.addressing.ReferenceParametersType"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"    
    encodingStyle=""/>

 <typeMapping qname="xsd:anyURI"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    languageSpecificType="java:java.net.URL"
    serializer="org.apache.axis.encoding.ser.SimpleSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.SimpleDeserializerFactory"    
    encodingStyle=""/>
    
 <typeMapping qname="service-types:SLATemplate"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.SLATemplate"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"    
    encodingStyle=""/>
 <typeMapping qname="service-types:SLAProposal"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.SLAProposal"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"    
    encodingStyle=""/>

 <typeMapping qname="service-types:Constraint"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.Constraint"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"    
    encodingStyle=""/>

 <typeMapping qname="service-types:Bound"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.Bound"
    serializer="org.apache.axis.encoding.ser.EnumSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.EnumDeserializerFactory"    
    encodingStyle=""/>
    
 <typeMapping qname="service-types:TimePeriod"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.TimePeriod"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"    
    encodingStyle=""/>
    
 <typeMapping qname="service-types:PermittedService"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.PermittedService"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"    
    encodingStyle=""/>

 <typeMapping qname="service-types:Metric"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.Metric"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"    
    encodingStyle=""/>
    
 <typeMapping qname="service-types:PricingTerm"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.PricingTerm"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"    
    encodingStyle=""/>

 <typeMapping qname="grid-acct:StatementEvent"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.StatementEvent"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
    encodingStyle=""/>

 <typeMapping qname="grid-acct:AccountStatement"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.AccountStatement"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
    encodingStyle=""/>

 <typeMapping qname="grid-types:SubjectDescription"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.types.SubjectDescription"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
    encodingStyle=""/>

 <typeMapping qname="grid:IDType"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.types.IDType"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
    encodingStyle=""/>

 <typeMapping qname="grid-acct:account-statementType"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.AccountStatement"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
    encodingStyle=""/>

  <typeMapping qname="grid-types:MatchRule"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.types.MatchRule"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
    encodingStyle=""/>

  <typeMapping qname="service-types:UsageReport"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.UsageReport"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
    encodingStyle=""/>

 <typeMapping qname="service-types:Metric"
    languageSpecificType="java:uk.ac.soton.itinnovation.grid.service.types.Metric"
    serializer="org.apache.axis.encoding.ser.BeanSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.BeanDeserializerFactory"
    encodingStyle=""/>

  <!-- This prevents "Could not convert org.apache.axis.types.URI" errors when sending EndpointReferenceTypes as arguments -->

  <typeMapping qname="wsa:AttributedURI"
    languageSpecificType="java:org.apache.axis.message.addressing.AttributedURI"
    serializer="org.apache.axis.encoding.ser.SimpleSerializerFactory"
    deserializer="org.apache.axis.encoding.ser.SimpleDeserializerFactory"
    encodingStyle=""/>

 <transport name="http" pivot="java:org.apache.axis.transport.http.CommonsHTTPSender"/>
 <transport name="local">
  <responseFlow>
   <handler type="LocalResponder"/>
  </responseFlow>

 </transport>


</deployment>

6.1.2.2. Integration with the GRIA Membership Service

The OgsaDaiSAMLHandler gets SAML tokens from a GRIA Membership Service and includes them with OGSA-DAI client methods.

If access to a data resource subscription is controlled by a membership group (i.e. a SAML token is required to use it) then the token must be included in the OGSA-DAI API calls made to the service. This is done through one of the Axis handlers. The token is retrieved from the same default membership group as used in the normal GRIA client and the configuration is stored in the client.state file.

Run the GRIA Client as normal, drag the wsdl link from your membership service in to the client. Right click on the group you want to make your default and select "Set as default group"

Client selecting default membership group

Copy the client.state file from the gria client in to the classpath of your application.

It is recommended that you backup the client.state file in your copy of the GRIA Client prior to this process and remove this client.state file from the GRIA client's classpath. This will make a fresh client.state file when you do the above process.

6.1.2.3. Example Code

Example using OGSA-DAI client api with the GRIA OGSA-DAI Service

Overview

Full documentation for creating an OGSA-DAI client is available in the OGSA-DAI documentation. This page aims to provide a simple example to get started with the OGSA-DAI client library.

Before trying this example remember to follow the instructions on Setting up Message Handlers.

import java.sql.ResultSet;


import uk.ac.soton.itinnovation.grid.client.ogsadai.OgsaDaiSSLHelper;
import uk.org.ogsadai.client.toolkit.GenericServiceFetcher;
import uk.org.ogsadai.client.toolkit.ResourceID;
import uk.org.ogsadai.client.toolkit.Response;
import uk.org.ogsadai.client.toolkit.activity.ActivityRequest;
import uk.org.ogsadai.client.toolkit.activity.sql.SQLQuery;

import uk.org.ogsadai.client.toolkit.activity.sql.WebRowSet;
import uk.org.ogsadai.client.toolkit.properties.DAIVersion;
import uk.org.ogsadai.client.toolkit.service.DataService;


public class Test
{
  public static void main(String[] args)
  {
    try

    {
      // Loads the keystore specified in the crypto.properties file
      // This only needs to be done once on application startup.
      OgsaDaiSSLHelper.setupKeystore();

      // This is the URL of the GRIA OGSA-DAI service
      String handle = "https://www.changeme.com:8443/gria-ogsadai-service/services/OgsaDaiServiceI2";
      
      DataService service = GenericServiceFetcher.getInstance().getDataService(handle, null);
      
      // Fetch the OGSA-DAI version
      DAIVersion version = service.getVersion();
      System.out.println("Version: " + version.getMajorVersion() + "." + version.getMinorVersion());
      
      // Get a list of data resources we can access

      // This will return our database subscriptions
      // (those for which we have the "owner" or "client" role)
      ResourceID[] resources = service.getResourceIDs();
      for (int i=0; i<resources.length; i++)
      {
        System.out.println(resources[i].getName());
      }
      
      if (resources.length < 1)
        return;
      
      // In this example we shall perform a query on the first subscription that is returned

      service.setResourceID(resources[0]);
      
      // Create a query to list the tables in the database
      SQLQuery query = new SQLQuery("show tables");
      WebRowSet rowset = new WebRowSet(query.getOutput());
      
      ActivityRequest request = new ActivityRequest();
      request.add(query);
      request.add(rowset);
      
      // Perform the request

      Response response = service.perform(request);
      
      // Get and display the results
      ResultSet result = rowset.getResultSet();
      while (result.next())
      {
        String tableName = result.getString(1);
        System.out.println(tableName);
      }
    }
    catch (Throwable e)
    {
      e.printStackTrace();
    }
  }
}

6.2. Service Developer

Information about how to customise and extend the GRIA OGSA-DAI service

6.2.1. Adding an Additional JDBC Database

How to add additional JDBC databases to be used by the RDBMS data resource type

Overview

The service comes complete with interfaces to MySQL and PostgreSQL. There are minor differences between the required interface for one JDBC database and another. To integrate the GRIA OGSA-DAI service with a different JDBC database, follow the method below.

Method

Implement an additional BackendHelper class. For reference, see the MySQLBackendHelper and PostgreSQLBackendHelper.
Put the new class on the classpath of the webapp.
Don't forget to put the JDBC driver jar for the database in the tomcat classpath.
In the database server configuration tool of the service's web interface, add the class name of the new BackendHelper and save changes.

6.2.2. Integrating Different Data Resource Types

How to integrate a OGSA-DAI Data Resource with the GRIA OGSA-DAI Service

Overview

In order to add a completely different data resource to the service, implementations for several interfaces must be written. The implementations are loaded through the ImplementationFactory and the implementing classes must be defined in the implementationfactory.properties file.

The GRIA OGSA-DAI service makes the distinction between connecting and creating data resources and data resource roles (e.g. databases and database users). The term "connecting" means configuring the service to make use of pre-existing data resources or users. The term "creating" refers to the service instructing the back-end system to create new data resources or users. A new implementation may want to just provide the facility to connect to existing data resources.

Method

Implement a DataResourceManager

The abstract class OgsaDaiDataResourceManager is the OGSA-DAI service's implementation of the DataResourceManager interface. It contains convenience functions useful for handling OGSA-DAI configuration files. It must be extended by a class specific to the back-end system. The only class that extends it so far is the RDBMSDataResourceManager.

One of the functions of the DataResourceManager is to connect an existing data resource. In order to do this, a new OGSA-DAI instance must be created and deployed. The RDBMSDataResourceManager creates the configuration files of the new OGSA-DAI instance by using template files contained within WEB-INF/etc/skeletons in the GRIA OGSA-DAI webapp. The templates are transformed into complete configuration files and written into the defined configuration directory of the GRIA OGSA-DAI service.

Two of the methods of DataResourceManager are createDataResource and connectDataResource

Implement the Presentation Interface

This is used by both the web interface and SOAP clients to provide presentation information about the OgsaDaiDataResourceManager subclass that is being used. The only class that implements it so far is RDBMSPresentation, which through the implementation of the DataResourceManager (see above) also saves the configuration data entered in the web interface. When extending OgsaDaiDataResourceManager another implementation for this class must also be written.

Loaded by the ImplementationFactory
Presentation Javadoc
RDBMSPresentation Javadoc

Implement the OGSA-DAI RoleMapper Interface

The OGSA-DAI RoleMapper provides the OGSA-DAI SQL activities with credentials for data resources they need to access. The interface defined by OGSA-DAI takes a string defining the credentials and a string defining the database to be used and returns an OGSA-DAI Role object containing whatever is required to log in to the database.

For the GRIA OGSA-DAI service RDBMSSubscriptionRoleMapper has been written. It takes a DataResourceSubscription ID for the credentials and a DataResource ID for the database specifier. As the DataResourceSubscription is already in the context of a user on a database, it just uses the DataResourceSubscription to retrieve the username and password from the parent DataResourceRole object and returns them in the OGSA-DAI DatabaseRole object (a standard implementation of Role).

It is suggested that custom OGSA-DAI activities also use the RoleMapper system for obtaining login credentials. If the database login only requires a username and password then the existing implementation (RDBMSSubscriptionRoleMapper) will be sufficient, otherwise another implementation for this class and for the OGSA-DAI Role class must also be written.

Loaded by specifying a class name in the OGSA-DAI configuration files.
RoleMapper Javadoc
Role Javadoc
DatabaseRole Javadoc
RDBMSSubscriptionRoleMapper Javadoc

Supporting Additional Activities

A whitelist of permitted OGSA-DAI activities is specified in the activityConfig.xml file in OGSA-DAI's configuration directory. This file is generated by RDBMSDataResourceManager from a template (WEB-INF/etc/skeletons/activityConfigRelational.xml in the webapp). In order to support new types of activity, a replacement for RDBMSDataResourceManager would have to be created to generate these different configuration files (see above). This new implementation would also need to interface differently with whatever back-end it used (RDBMS has a BackendHelper to do this). It would likely still be able to use OgsaDaiInstance (a protected field inherited from OgsaDaiDataResourceManager) to deploy and undeploy data resources on OGSA-DAI.

Modifying the Client Plug-in

The GRIA OGSA-DAI service client plug-in provides maangement abilities for OGSA-DAI resources. For subscription resources it also has menu options for executing SQL select and update statements. These methods are provided just for convenience and it is not expected that anyone would use them for serious work. It would be possible to write an alternative client plug-in that provided similar convenience methods for whatever operations were useful for the alternative back-end.

OgsaDaiClientPlugin Javadoc

6.2.3. Writing an OGSA-DAI Activity that has Access to the Current User's Identity Details

Instructions on how to access the identity details of the current user as checked by WSS4J.

Overview

In some cases, an Activity executed by the OGSA-DAI service may require the identity details (X.509 distinguished name, additional tokens, etc) of the client that invoked the service. These details are available from the user's SubjectDescription object. This is stored in a HashMap keyed off the unique name of each activity.

Example Code

The following is an example of using the current users SubjectDescription to make a call on another GRIA OGSA-DAI Service. The example is of the processBlock method in an OGSA-DAI activity implementation.

public void processBlock() {
	StateRepository repos = new MemoryStateRepository();
	EndpointReferenceType epr = ConversationID.getEPR("https://bodegas.it-innovation.soton.ac.uk:8443/gria-ogsadai-service/services/OgsaDaiSubscription#ff808181-14fede48-0114-fef342c9-0006");
    	
	OgsaDaiSubscriptionConversation convo = repos.getOrCreateObject(OgsaDaiSubscriptionConversation.class, epr);

	try {		
		//getName() returns a unique string for each activity instance.  
		//The SubjectDescription of the user that made the perform call that initiated the activity
		//Is stored in the OgsaDaiServiceImpl.activityClientMap
		SubjectDescription client = OgsaDaiServiceImpl.activityClientMap.get(getName());

		convo.checkPolicyRule(client,"perform");
	} catch (RemoteException e) {
		setError(e);
	}
}

Example Scenario

One specific example where the client's credentials are required is when the OGSA-DAI service is acting on behalf of many clients, for instance if the OGSA-DAI service is installed as an intermediary between the client and the final GRIA OGSA-DAI service. This situation is represented in a simplified form in the following figure.

A GRIA OGSA-DAI service acting as an intermediary

In the figure, Client A sends a request to Service B (step 1). Service B executes an OGSA-DAI activity that requires access to Service C (for instance, Service B may be in place to rewrite the query in a different query language). For Service B to access Service C (step 3) it must be authorised in the usual way on Service C, but it is a security loop-hole if step 3 is carried out with no further access control checks. In step 2, Service B checks that Client A is permitted to access Service C and only if Client A can access Service C will Service B access Service C on Client A's behalf.

There is no context displayed in the figure, instead the context of each call is listed below:

perform (Client A to Service B)

Identity: Client A's X.509 identity plus additional tokens from membership groups etc
Resource: The query is performed on a data resource subscription from Service B
Parameters:

The query
The endpoint reference for Client A's data resource subscription at Service C

checkPolicyRule (Service B to Service C)

Identity: Service B's X.509 identity
Resource: The endpoint reference for Client A's data resource subscription at Service C
Parameters

Client A's identity (found using the activityClientMap as shown above)
The operation name ("perform")

perform (Service B to Service C)

Identity: Service B's X.509 identity
Resource: The endpoint reference for Client A's data resource subscription at Service C
Parameters

The query Service B wants to execute on Client A's behalf

For this scenario to operate, Client A will have to authorise Service B to use Client A's data resource subscription at Service C (e.g. as a "delegate").

With these steps in place Client A can only access data at Service C that Client A is permitted to see. If step 2 is not used then a different client ("Client Z") who was authorised on Service B but not Service C, could find out the endpoint reference of Client A's subscription at Service C and perform the same query on Service B as above. Service B would then blindly perform a query on Service C and return the results to Client Z, exposing the data.

Sections

Personal tools

OGSA-DAI User Guide

1. Introduction

Overview

Added Value

Components

2. Overview

2.1. Architecture

Overview

Data Resources

Role Resources

Subscription Resources

2.2. Deployment Scenarios

Deployment Scenarios

Introduction

Providing Access to Existing Databases

Allowing Users to Create Databases

3. GRIA OGSA-DAI Service

3.1. Overview

3.2. Installation

GRIA OGSA-DAI Service Installation

3.3. Database Server Configuration

Database Server Configuration

Database Drivers

Installing the MySQL driver

Installing the PostgreSQL driver

The Configuration Tool

Database Details

Username Details

3.4. Access Control

Overview

Controlling who can connect and create databases

Controlling who can subscribe to database roles

Using the web-based interface

Using the graphical GRIA client

3.5. Managing Database Resources

3.5.1. Connecting Existing Data Resources

Adding Roles

Setting Permissions on Resources

3.5.2. Creating New Data Resources

Creating New Databases

Setting Permissions on Resources

3.5.3. Viewing and Creating Subscriptions

Viewing Subscriptions

Setting Permissions on Resources

3.6. Metrics and SLAs

3.6.1. Overview

3.6.2. Provided Metrics

Example

3.6.3. Custom Metric URI

3.6.4. SLA Templates

Limiting database creation

Limiting subscriptions

4. GRIA Graphical Client Plugin

4.1. Installation

Installing the GRIA client package

Installing the GRIA OGSA-DAI plugin

4.2. Usage

4.2.1. Accessing a GRIA OGSA-DAI Service

4.2.2. Connecting Existing Data Resources and Adding Roles

Setting Permissions on Roles

4.2.3. Creating New Data Resources

Creating New Data Resources

Setting Permissions on Data Resources

4.2.4. Subscribing to a Data Resource

4.2.5. Delegating Access to a Subscription

Usage

Delegating access to a Subscription

4.2.6. Destroying Resources

Destroying Data Resources

Destroying Role Resources

Destroying Subscription Resources

5. Special Notes for PostgreSQL

Creating the plpgsql language

Creating tables

6. Developers' Guide

6.1. Client Developer

6.1.1. Using the GRIA API

Configuring your Classpath