Personal tools
You are here: Home GRIA Documentation Documentation 5.3 Reference Manuals OGSA-DAI User Guide
 

OGSA-DAI User Guide

Note: Return to reference manual view.

This guide describes how to use the GRIA OGSA-DAI Package for publication of structured data resources (relational, XML and bespoke) for trusted subscribers.

1. Introduction

Introduction to the GRIA OGSA-DAI Service

Overview

The GRIA OGSA-DAI service package is a package built around OGSA-DAI WS-I 2.2. It allows clients using the OGSA-DAI libraries access to data resources through a GRIA service. The OGSA-DAI service can be deployed on its own to provide unmanaged access to databases, or it can be used with the GRIA service provider management package to take advantage of its billing and service level agreement functionality.

The software package comes complete with the necessary components to allow the service to query JDBC databases and create new databases in PostgreSQL and MySQL. By following the service developers' guide it is easy to add in the capability to connect to additional RDBMS or other (non-SQL) database systems.

Added Value

The GRIA OGSA-DAI service's focus is on providing a secure system with low maintenance costs, ideal for business deployments.

 

Easy deployment
The GRIA OGSA-DAI service is provided as a WAR file, ready to be dropped into a standard servlet container such as Tomcat.
Easy configuration
The service provides a web-based configuration and management interface.
GRIA's standard security features
  • Dynamic security policies to control access to databases and database accounts
  • Transport level security using SSL
  • Message level security (WS-Security), providing message authentication and integrity checks
OGSA-DAI session security
The service uses a custom session manager to ensure the security of an OGSA-DAI session.

By also linking the GRIA OGSA-DAI service to the GRIA service provider management package (available separately), additional features are made available:

  • Monitoring of databases
  • Restricting access to databases by way of service level agreements (SLAs)
  • Billing for database access

Components

A GRIA OGSA-DAI service
This is the server component that provides the interfaces for accessing and creating data resources on servers. The service administrator can choose which users are allowed to create and use data resources. The service can be extended to connect to any data resource. Connectors for PostgreSQL and MySQL are provided.

 

A plugin for the graphical GRIA client
This plugin adds functionality to the graphical GRIA client, enabling clients to access and manage their databases without having to write their own Java applications. While this plugin provides a useful way of experimenting with and demonstrating the OGSA-DAI service, real-world applications would make use of one of the programmatical interfaces.
An AXIS plugin for OGSA-DAI clients
Clients wishing to access databases using the OGSA-DAI client library can install this component to make their SOAP calls compatible with the GRIA authentication and access control systems. Using this component allows GRIA OGSA-DAI services to be accessed just like regular OGSA-DAI services, meaning existing database applications require only minor changes to become compatible with GRIA.
A Java Client API
Clients can use this Java interface to access GRIA OGSA-DAI resources from their own applications.

2. Overview

Overview of the GRIA OGSA-DAI Service

2.1. Architecture

Architecture of GRIA OGSA-DAI Service

Overview

The GRIA OGSA-DAI service makes use of three resource types as shown in the diagram below.

Data Resources

The data resource is responsible for storing information about the database that is being accessed. For the default back-ends of MySQL and PostgreSQL this information is in the form of a JDBC URL, such as:

jdbc:mysql://localhost/database

Database resources can be created by either the service provider or users, depending on the access control restrictions that are in place.

Role Resources

A role resource represents the login information for a user in the database (e.g. a username and password combination). In the GRIA OGSA-DAI service different roles can be made visible to different users in order to control who can perform certain operations on the database.

Roles can be created by the service provider and users when connecting an existing database to the OGSA-DAI service. For MySQL and PostgreSQL, when creating a new database the service automatically creates three roles representing RDBMS users with different permissions on that database.

Subscription Resources

Users can open subscriptions to roles which have been made visible to them. Having a subscription allows the user to execute queries on the database.

2.2. Deployment Scenarios

Details the different ways that the GRIA OGSA-DAi Service can be used to manage databases

Deployment Scenarios

Introduction

The GRIA OGSA-DAI service was created with two main use cases in mind:

  1. The service provides users with access to existing data in existing databases.
  2. The service lets users create and access their own databases.

In both these cases, GRIA's access-control and service-level-agreement technologies can be used to create policies controlling which users are allowed access to resources, how many resources they can create/access, and how they will be charged for their use of the service.

The steps taken to implement each of these cases are briefly described below.

Providing Access to Existing Databases

By default, the GRIA OGSA-DAI service can connect to any JDBC database. It is possible to extend the service to connect it to other database back-ends. For further information see the service developers' guide.

  1. The service provider decides which databases he wants to make available. He does this by choosing Connect existing data resource, either in the web-based administration interface or one of the client interfaces, and entering the relevant information (such as a JDBC URL).
  2. The service provider then chooses which existing database usernames and passwords should be exposed in the service. Any number of these database roles can be created to provide different levels of access to different users (e.g. read-only or read-write).
  3. After the roles have been created, the service provider uses GRIA's access control functionality to enter rules which determine who can subscribe to each database role. This is done either in the web-based administration interface or one of the client interfaces.
  4. At this point, users that have been given access to a role will be able to see it in the list of resources returned from the GRIA service. They can use one of the client interfaces to subscribe to the database role and obtain a database subscription.
  5. The user can now run queries on this database subscription using either the GRIA Client using the OGSA-DAI plugin or by using the OGSA-DAI Client API.

Allowing Users to Create Databases

By default, the GRIA OGSA-DAI service can create new databases on MySQL and PostgreSQL. It is possible to extend the service to make it able to create databases on other JDBC resources or other arbitrary database systems. For further information see the service developers' guide.

  1. The service provider uses the web-based administration interface to choose which database server will be used for new databases.
  2. The service provider then uses GRIA's access control tools to specify which users are allowed to create databases. This must also be done using the web-based administration interface.
  3. Users that have been given permission to do so can then create databases using one of the client interfaces. When doing so, the default behaviour is for three database roles to be created automatically for them:
    • An administrative role (DAA) that can create and remove tables.
    • A read/write role (DAU_RW) that can modify data in existing tables.
    • A read only role (DAU_RO) that can only read from existing tables.
  4. The user can now specify which other users can subscribe to his database. If desired, he can give different users access to the different roles above in order to restrict their ability to modify the data in the database.

3. GRIA OGSA-DAI Service

The GRIA OGSA-DAI Service is the server component of the GRIA OGSA-DAI package.

3.1. Overview

Overview of the GRIA OGSA-DAI Service

The GRIA OGSA-DAI Service is the server component of the GRIA OGSA-DAI package. Its purpose is to:

  • Receive OGSA-DAI perform documents, execute queries on the database and return OGSA-DAI response documents.
  • Configure and manage resources that are exposed to users. The service provides both a web-service (SOAP) and a web page interface to these operations.

The service is packaged as a web application archive (.WAR file) ready to be deployed into a servlet container (e.g. Tomcat or JBoss). The installation instructions explain in detail the procedure for installing and configuring all GRIA services.

3.2. Installation

Instruction of the installation of the GRIA OGSA-DAI Service

GRIA OGSA-DAI Service Installation

The GRIA OGSA-DAI Service software itself is contained within a single WAR (or "web archive") file gria-ogsadai-service.war, located within the /service directory of this package. Once the pre-requisites have been set-up and the war file has been deployed to Tomcat, the web-based administration interface guides the user through the rest of the installation process.

See the Service Installation Manual for general GRIA installation instructions. Once the initial configuration has been completed see the rest of this manual for OGSA-DAI specific configuration instructions.

3.3. Database Server Configuration

Instructions on setting up MySQL or PostgreSQL for use with the GRIA OGSA-DAI Service

Database Server Configuration

These instructions are of relevance to users who want to use the GRIA OGSA-DAI service with MySQL or PostgreSQL back-ends (and for other RDBMS). If you have a different database back-end, please see the service developers' guide.

Database Drivers

Before configuring your database server(s) on the OGSA-DAI service you must install the correct JDBC driver(s) into the webapp. The JDBC drivers must be placed into library directory of the GRIA OGSA-DAI service webapp:
<path to Tomcat>/webapps/gria-ogsadai-service/WEB-INF/lib
Instructions are provided here for MySQL and PostgreSQL, but other drivers may also be used.

Installing the MySQL driver

  1. Download the MySQL JDBC connecter from the homepage: http://www.mysql.com/products/connector/j/
  2. Extract the .jar file from the downloaded package (eg. mysql-connector-java-3.1.13-bin.jar)
  3. Copy the .jar to the webapp lib directory.

Installing the PostgreSQL driver

  1. Download the PostgreSQL JDBC driver from the homepage: http://jdbc.postgresql.org
  2. Copy the downloaded .jar to the webapp lib directory.

Note that users of PostgreSQL need to follow special instructions when creating new tables in databases created by the OGSA-DAI service.

The Configuration Tool

After installing the GRIA OGSA-DAI service and performing the initial service configuration, you will be asked to perform the database configuration. This involves giving details of the database server on which you want new databases and users to be created.

The database configuration tool is accessed by clicking the "OGSA-DAI Service" link on the service webpage, located at http://<servername>:8080/gria-ogsadai-service.

A screenshot of the form used to enter the database details is shown below:

Database Details

The Database type and Database URL fields provide the type and address of the database server. The server specified here is used when a user requests the creation of a new database.

The Database URL field should contain the JDBC URL of the database server. This JDBC URL should not contain a database name, and should be of the following format:

  • jdbc:mysql://host[:port]/
  • jdbc:postgresql://host[:port]/

The System database field specifies which database on the RDBMS to connect to when adding/removing databases and users.

The Database credentials fields should give the username and password of a database user who has permission to create and drop databases and users.

Username Details

If the GRIA OGSA-DAI service is used to create new databases it will also create three database users with appropriate permissions. The "Username prefix" field give you the opportunity to customise the naming scheme used for these automatically generated users.

Usernames are assembled as follows:
<prefix><unique number><suffix>

The suffix is defined elsewhere.

3.4. Access Control

Setting access control to your server using the web interface

Overview

The GRIA OGSA-DAI service uses PBAC (Process Based Access Control) to protect calls to its methods. The three important points of access control are:

  • Access to the connectDataResource method (and the legacy connectDatabase method).
  • Access to the createDataResource method (and the legacy createDatabase method).
  • Permission to subscribe to individual database roles.

The first two points can be controlled under the "Permissions" heading on the web-based administration tool. Access to individual database roles can be set up either by clicking the "Permissions" link in the "Databases" section of the web interface, or by using the graphical GRIA client.

Controlling who can connect and create databases

In order to be able to call the connectDataResource / connectDatabase or createDataResource / createDatabase methods on the web service, a user must match the connect-dataresource or create-dataresource PBAC roles respectively. A user matches a PBAC role if he matches at least one Sufficient rule and no Deny rules. Rules are added and removed by using the web-based administration interface, under the "Permissions" heading.

Figure 1: Existing databases can only be connected by a user with the certificate pineau.it-innovation.soton.ac.uk. Nobody can create new databases.

Figure 2: All users can create new databases. Nobody can connect existing databases.

Note that users of the web-based administration interface can perform both these operations regardless of PBAC rules. So in the situation depicted by Figure 2 above, only the service provider can connect existing databases.

Controlling who can subscribe to database roles

By default, when a database role is created only the owner can see and subscribe to it. To allow others to subscribe to a database role the owner can either use the web-based administration interface if he is the service provider, or the graphical GRIA client.

Using the web-based interface

Click the "Permissions" button beside the role you wish to modify.

Figure 3: The permissions button beside a database role

This will open the PBAC administration page for that resource in a new window.

Figure 4: The PBAC administration page for a role resource

Rules can now be added to the access control list for the resource. Users are able to see and subscribe to a database role if they match the client role on the access control list. In the example in Figure 4 above, we have added a rule such that everyone can see and subscribe to this database role.

Using the graphical GRIA client

Left click the role you wish to modify and select "Load Access Control Rules".

Figure 5: Opening the access control list for a role resource

This will open a window displaying the current rules on the resource.

Figure 6: Adding a new rule to a resource

Rules can now be added to the access control list for the resource. Users are able to see and subscribe to a database role if they match the client role on the access control list. In the example in Figure 6 above, we are about to add a rule such that everyone can see and subscribe to this database role.

3.5. Managing Database Resources

The web-based administration interface allows the service provider to view and modify all the databases, roles and subscriptions currently existing in the service.

3.5.1. Connecting Existing Data Resources

Manage an existing data resource with the GRIA OGSA-DAI Service

This feature allows the service provider to expose existing data resources containing existing data to users of the GRIA OGSA-DAI service.

Connecting an existing data resource

  1. Click the "Connect existing data resource" button.
  2. Enter the JDBC URL of the data resource you wish to connect to. You can also enter a description.
  3. Click the "Save changes" button to apply the changes.

Adding Roles

You will now need to add one or more data resource roles to your data resource. Roles allow you to specify which username and password combinations to use on the data resource backend.

Adding a role to a data resource

  1. Click the "Add role" button beside the data resource you wish to modify.
  2. Enter the username and password details of the user you are adding.
    Entering a Metric URI allows you to create Service Level Agreements (SLAs) that constrain on specific data resource roles. See the Metrics and SLAs section for more details.
    Repeat steps 1 and 2 if you need to add more than one role.
  3. Click the "Save changes" button to apply the changes.

The role has now been created.

Setting Permissions on Resources

See the Access Control section to learn how you can control which users have permission to subscribe to your new resources.

3.5.2. Creating New Data Resources

Instructions on how to create new data resources from the web interface

Creating New Databases

This feature allows the service provider to create a new data resources that users can subscribe to and fill with data.

Creating a new data resource

  1. Click the "Create new data resource" button.
  2. Enter a description for the new data resource.
    You can optionally enter a Metric URI, a modified version of which will be assigned to the three automatically generated roles. Doing this allows you to create Service Level Agreements (SLAs) that constrain on specific data resource roles. See the Metrics and SLAs section for more details.
  3. Click the "Save changes" button to apply the changes.

The new data resource has now been created. You will notice the OGSA-DAI service has automatically generated three data resource roles. These have the following permissions:

  • Administrative role: can view data, modifiy data, and create and delete tables.
  • Read/write role: can view and modify data in existing tables.
  • Read only role: can view data in existing tables.

Setting Permissions on Resources

See the Access Control section to learn how you can control which users have permission to subscribe to your new resources.

3.5.3. Viewing and Creating Subscriptions

How to view and create subscriptions from the web interface

Viewing Subscriptions

It is possible to create a subscription from the web interface.

Creating a data resource role subscription

  1. Click the subscribe button on a particular role.
  2. Enter description of new subscription.
  3. Click save changes button.

After carrying out these steps you should see something similar to that below.

Click the icon circled in red to view your newly created subscription.

Setting Permissions on Resources

See the Access Control section to learn how you can control which users have permission to use your new subscription.

3.6. Metrics and SLAs

Using the GRIA OGSA-DAI Service with the GRIA SLA Service

3.6.1. Overview

Description of integration between GRIA OGSA-DAI Service and GRIA SLA Service

The GRIA service provider management package contains an SLA service that can be used to limit the number of resources users can create and charge them for those that they use. The OGSA-DAI service defines a number of metrics that the service provider can use when creating SLAs. The service generates usage reports using these metrics whenever a user creates a new resource. The SLA service collects these usage reports and charges the user accordingly.

The service provider may wish to set up different pricing terms for individual databases or roles. For example he may wish to charge for read/write access to a database while making read only access free. In this situation the service provider can specify a custom metric URI for each role, and then set up the SLA to constrain on those.

It would be helpful to read this section in conjunction with the SLA Management Service manual.

3.6.2. Provided Metrics

Usage of the metrics provided with the GRIA OGSA-DAI Service

The OGSA-DAI service provides metrics for each of the resource types:

Resource type Description Metric URI
Databases Generated for users who create a new database or connect an existing database. http://www.gria.org/sla/metric/activity/ogsadai/db
Database roles Generated for each database role that is created. http://www.gria.org/sla/metric/activity/ogsadai/role
Database subscriptions Generated for the user who subscribes to a database role. http://www.gria.org/sla/metric/activity/ogsadai/subscription
Database subscribers Generated for the owner of a database role when somebody subscribes to it. http://www.gria.org/sla/metric/resource/ogsadai/subscriber

Example

User A has been given permission by the service provider to create databases. He wants to create a new database, create some tables in that database, and then give User B read/write access to those tables.

  • User A calls createDatabase.

    Usage report for User A - Database
    http://www.gria.org/sla/metric/activity/ogsadai/db
    Total now: 1
    Usage report for User A - Administrative Role
    http://www.gria.org/sla/metric/activity/ogsadai/role
    Total now: 1
    Usage report for User A - Read/Write Role
    http://www.gria.org/sla/metric/activity/ogsadai/role
    Total now: 2
    Usage report for User A - Read Only Role
    http://www.gria.org/sla/metric/activity/ogsadai/role
    Total now: 3

  • User A calls subscribe on his administrative role so he can create a table.

    Usage report for User A - Subscription
    http://www.gria.org/sla/metric/activity/ogsadai/subscription
    Total now: 1
    Usage report for User A - Subscriber
    http://www.gria.org/sla/metric/resource/ogsadai/subscriber
    Total now: 1

  • User A calls perform on his subscription, creating a table.

  • User A gives User B permission to subscribe to his Read/Write role.

  • User B calls subscribe on the Read/Write role.

    Usage report for User B - Subscription
    http://www.gria.org/sla/metric/activity/ogsadai/subscription
    Total now: 1
    Usage report for User A - Subscriber
    http://www.gria.org/sla/metric/resource/ogsadai/subscriber
    Total now: 2

  • User B executes some queries on his Read/Write subscription.

At the end of this example, the usage for the two users is as follows:

User A's usage
1 database
3 database roles
1 subscription
2 subscribers
User B's usage
1 subscription

3.6.3. Custom Metric URI

Using custom metrics with the GRIA OGSA-DAI Service

In some situations the service provider may wish to charge or constrain differently for different databases or database roles. For example, he may want to make read-only access to a database free while charging for read/write access.

This can be implemented through the use of custom metric URIs. There are two places where a custom URI can be entered:

  • When adding a new role.
  • When creating a new database (the automatically generated roles get assigned metric URIs based on the one provided).

When a user subscribes to a database role that uses custom metric URIs he generates one usage report for the standard subscription metric (http://www.gria.org/sla/metric/activity/ogsadai/subscription) and one for the custom metric. This is different from subscribing to a role without a custom metric URI, where the user would only generate a usage report for the standard subscription metric.

Providing a custom metric URI when creating a new database will assign similar metric URIs to the three automatically generated database roles. These URIs are generated using the same rules as username generation - the three postfixes are appended onto the end of the metric URI for each of the three roles.

For example, supposing you keep the default values for the username postfixes (eg, ".a" for the administrative role and ".r" for the read-only role), and specify a metric URI http://www.test.com/metric/test_database, the following metric URIs would be generated for the three roles:

  • Administrative role: http://www.test.com/metric/test_database.a
  • Read/write role: http://www.test.com/metric/test_database.w
  • Read Only role: http://www.test.com/metric/test_database.r

3.6.4. SLA Templates

How to use SLA templates to constrain metrics

SLA templates can be created to constrain on any of the above metrics. Several example sections of SLA templates are given below. See the GRIA user documentation for information on constructing full SLA template XML documents.

Limiting database creation

When inserted into the <constraints> section of an SLA template, this capacity constaint will limit the user to creating only one database. The user may still subscribe to other databases, and other users may subscribe to his database.

<constraint type='INSTANTANEOUS'>
    <metric type='ACTIVITY'>
        <uri>http://www.gria.org/sla/metric/activity/ogsadai/db</uri>
        <description>
            <description>database</description>

        </description>
        <units type='DECIMAL'>
            <instantaneous>database</instantaneous>
        </units>
    </metric>

    <bound>LE</bound>
    <private>false</private>
    <limit>1.0</limit>
    <contention>1.0</contention>

    <repeating>false</repeating>
</constraint>

Limiting subscriptions

When inserted into the <constraints> section of an SLA template, these capacity constraints will allow the user to subscribe to three database roles, and have one person subscribe to any roles he creates. The user can create an unlimited number of databases.

<constraint type='INSTANTANEOUS'>
    <metric type='ACTIVITY'>
        <uri>http://www.gria.org/sla/metric/activity/ogsadai/subscription</uri>
        <description>
            <description>subscription</description>

        </description>
        <units type='DECIMAL'>
        <instantaneous>subscription</instantaneous>
    </units>
    </metric>

    <bound>LE</bound>
    <private>false</private>
    <limit>3.0</limit>
    <contention>1.0</contention>

    <repeating>false</repeating>
</constraint>

<constraint type='INSTANTANEOUS'>
    <metric type='RESOURCE'>
        <uri>http://www.gria.org/sla/metric/resource/ogsadai/subscriber</uri>

        <description>
            <description>subscriber</description>
        </description>
        <units type='DECIMAL'>
            <instantaneous>subscriber</instantaneous>

        </units>
    </metric>
    <bound>LE</bound>
    <private>false</private>
    <limit>1.0</limit>

    <contention>1.0</contention>
    <repeating>false</repeating>
</constraint>

4. GRIA Graphical Client Plugin

GRIA OGSA-DAI ships with a plug in for the GRIA client that allows you to manage your data-resources and perform basic functions on them

4.1. Installation

Installing the GRIA OGSA-DAI client plugin

Installing the GRIA client package

The GRIA OGSA-DAI plugin comes pre-installed with the GRIA 5.3 client.

4.2. Usage

The client plugin extends the GRIA graphical client with the features necessary to manage the resources on a GRIA OGSA-DAI service.

4.2.1. Accessing a GRIA OGSA-DAI Service

Instructions on Accessing a GRIA OGSA-DAI Service from the GRIA Client

Visit the URL of the GRIA OGSA-DAI Service you wish to access and drag the wsdl link from the webpage in to the service view of the client.

Connecting to an OGSA-DAI Service from Client

Connecting to an OGSA-DAI Service from Client

If you are running the GRIA OGSA-DAI 1.0 client drag the OGSA-DAI Service legacy link, otherwise use the OGSA-DAI Service link. It is most likely that you are using a 5.2 client.

4.2.2. Connecting Existing Data Resources and Adding Roles

Using existing data resources with the GRIA OGSA-DAI Service

This feature allows you to expose existing databases containing existing data to users of the GRIA OGSA-DAI service. To use this feature you need to have been given access to the connect-database PBAC role on the OGSA-DAI service. See the Access Control section for more information.

Before starting you should ensure that the OGSA-DAI service is listed in your client. If it does not exist you can add it by either left clicking on the "Services" menu item and selecting "Add a service", or dragging the service's WSDL link onto the "Services" entry.

Right click on the OGSA-DAI service and select "Connect existing resource".

This will open a dialog box where you can enter the details of the database you wish to connect. You are able to enter the JDBC URL of any type of database here, and also a short description of the database.  No checks as to the validity of the JDBC URL are made.

Once you have connected you data resource you are able to add roles.  Right click on the connected data resource and select "Connect role".

Enter a description plus the username and password of the role on your database.

After clicking "OK", the role you have created is added to the list.

Setting Permissions on Roles

See the Access Control section to learn how you can control which users have permission to subscribe to your new data resource role.

4.2.3. Creating New Data Resources

Creating data resources from the GRIA Client

Creating New Data Resources

This feature allows you to create new data resources which you can either subscribe to and use yourself, or give permission for others to use. To create new data resource you need to have been given access to the create-dataresource PBAC role on the OGSA-DAI service. See the Access Control section for more information.

Before starting you should ensure that the OGSA-DAI service is listed in your client. If it does not exist you can add it by either left clicking on the "Services" entry and selecting "Add a service", or dragging the service's WSDL link into the client.

Right click on the OGSA-DAI service and select "Create new dataresource".

Enter a description and press ok.

The database and its three roles have now been created.

Setting Permissions on Data Resources

See the Access Control section to learn how you can control which users have permission to subscribe to your new data resources.

4.2.4. Subscribing to a Data Resource

Describes how to subscribe to a Data Resource allowing execution of OgsaDai activities

Getting a subscription to a database role allows you to execute queries (perform documents) on it. By default you are allowed to subscribe to roles created by yourself. To be able to subscribe to roles created by other people, they need to have given you the client PBAC role on their resource. See the Access Control section for more information.

If you have been given access to a role and it does not appear in your client, try right clicking on the OGSA-DAI service and selecting "Discover existing resources".

Before starting you should ensure that the OGSA-DAI service is listed in your client. If it does not exist you can add it by either left clicking on the "Services" menu item and selecting "Add a service", or dragging the service's WSDL link into the client.

Right click on the role you wish to subscribe to and select "Subscribe". You will be asked to enter a short description for the subscription.

The subscription is now listed in your client. You can execute SQL queries on it directly from the client by right clicking on it and selecting one of "Execute query" or "Execute update" entries.  Note this only works on SQL Database types of data resources.

4.2.5. Delegating Access to a Subscription

How to delegate access to a subscription that you own so that another user can use but not manage it.

Usage

Delegating access to a Subscription

This feature allows you to permit another user to execute database queries using your subscription. Note that the delegate only gets access to a subset of methods on your subscription:

Action Owner Delegate
Executing perform documents Permitted Permitted
Running SELECT queries Permitted Permitted
Running UPDATE queries Permitted Permitted
Viewing and editing access control lists Permitted Denied
Destroying the resource Permitted Denied
Renaming the resource Permitted Denied

Left click on the database subscription that you wish to delegate access to, and select "Access control list".

Now add a new access control rule for the "delegate" role. In the screenshot below we are adding a rule such that everyone is considered a delegate to this subscription, and will be able to run perform documents on it.

4.2.6. Destroying Resources

Destroying resources from the GRIA Client

The GRIA client allows you to destroy any of the resources for which you have the owner PBAC role. To do this simply right click on the resource and select "Destroy".

Destroying Data Resources

When destroying a data resource that was created by the OGSA-DAI service (ie. by using the create new data resource feature), all tables and data in that database will be removed from the RDBMS.

Destroying a data resource that already existed (and was configured using the connect existing database feature) will only remove the link between the OGSA-DAI service and the back-end, and will leave the data intact.

Destroying a database will cause all roles and subscriptions on the database to be destroyed in addition to the database resource itself.

Destroying Role Resources

Destroying a role resource will also destroy any subscriptions that use that role.

Note you cannot destroy roles that were automatically created by the OGSA-DAI service. These roles exist until the database that they belong to is destroyed.

Destroying Subscription Resources

Removing a subscription resource will prevent any further queries from being run using that subscription.

5. Special Notes for PostgreSQL

Some extra steps need to be taken to get PostgreSQL to work with the GRIA OGSA-DAI Service

Creating the plpgsql language

The GRIA OGSA-DAI service makes use of functions written in the plpgsql language. Before using the GRIA OGSA-DAI service, you need to enable this language in the template database.

  1. Login to the database server using the "template1" database.
    eg. psql -U postgres -W template1
  2. Execute the following command:
    CREATE LANGUAGE plpgsql;

Creating tables

Due to a limitation of PostgreSQL, it is not possible to automatically set the correct permissions on new tables on databases created by the OGSA-DAI service. After executing a CREATE TABLE command, you are required to execute the following function:

SELECT grant_access_to_table(table_name);

For example, to create a table named testtable, you should perform the following SQL queries:

CREATE TABLE testtable (testcolumn TEXT);
SELECT grant_access_to_table('testtable');

Note that this is only necessary on databases created by users of the OGSA-DAI service. It is not needed for existing databases that have been connected to the service.

Destroying resources

When destroying a data resource that was created by the OGSA-DAI service, it is necessary to drop first all the tables that were created in that database using the automatically created role resources. This can be done using a subscription to execute DROP TABLE SQL commands or DROP OWNED (for PostgreSQL >= 8.2).