Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

how to use this extension #39

Open
amritpal16071988 opened this issue Mar 13, 2017 · 16 comments
Open

how to use this extension #39

amritpal16071988 opened this issue Mar 13, 2017 · 16 comments

Comments

@amritpal16071988
Copy link

I have installed this extension as steps mentioned here but i am not able to find a way out to use it. My current requirement is that is approx 20k datasets which i need to mark as public or private according to the respective users. My data is coming from the context broker.

So now i have two questions:-

  1. Is this the correct solution which i am following ?
  2. If this solution is correct how should i go about it.

Any help regarding this issue will be much appreciated.
@aitormagan
Copy link
Contributor

Using the extension is easy. Once installed and configured, you can enter one dataset and edit its properties. You will see a "Visibility" combobox which will allow you to choose if the dataset is public or private.

BTW, If you data is coming from the context broker, the data will be still publicly available even if you import it into CKAN and mark the dataset as private. @fdelavega can provide you with more information about privatizing/monetizing context broker entities...

@amritpal16071988
Copy link
Author

hi @aitormagan ,

Thanks for the quick response .
@fdelavega could you please help me with more understanding of privatizing/monetizing context broker entities with the use of CKAN.

Thanks for the help in advance .

@fdelavega
Copy link
Contributor

Hi,

There are several options for privatizing context broker stuff. Are you planning to monetize it or just restrict the access?

If you want to monetize it, the easiest way is using our Accounting proxy (https://github.com/FIWARE-TMForum/Accounting-Proxy) which validates that users has acquired the services (or a particular context broker query) before allowing the access. The point is that you need a BAE (https://github.com/FIWARE-TMForum/Business-API-Ecosystem) instance running where the different offering has to be created, etc.

If you just need to control the access, you can use a FIWARE PEP proxy (https://github.com/telefonicaid/fiware-pep-steelskin) for user authentication and a FIWARE PDP (https://github.com/telefonicaid/fiware-keypass) for policy enforcement. With option it is also possible to monetize since the BAE is integrated with this architecture.

In addition, next month we are starting a task to integrate this CKAN plugin with the backend security stuff so managing the access in CKAN (public, private, authorized users, etc) will actually update the security policies in the backend easing the management. Nevertheless, this new feature wont be available a least until may

@jqnatividad
Copy link

Hi @fdelavega ,

In addition, next month we are starting a task to integrate this CKAN plugin with the backend security stuff so managing the access in CKAN (public, private, authorized users, etc) will actually update the security policies in the backend easing the management. Nevertheless, this new feature wont be available a least until may

Just wondering where you are on integrating this plugin" to the backend security stuff".

Thanks in advance!

@fdelavega
Copy link
Contributor

Hi @jqnatividad

We are actually securing the access to the context broker using the FIWARE security framework and in particular a new component called API Umbrella (https://apiumbrella.io/) which is replacing the PEP proxy. The approach is that we are securing the context broker in the typical way and the plugins that allow the publication of context broker queries as dataset resources are injecting the user access token in the request. This way only if the user is authorized also in the backend he will be able to access to the data

@ansh1221
Copy link

Hi, while configuring the plugin for "Securing the Notification Callback", I am unable to do so, as I am not clear with the steps mentioned. if someone can help me in it, have been working on it for a while and not able to make it work for securing the notification callback.

One of the doubts was:

<Location /api/action/dataset_acquired>
       SSLCACertificateFile    <PATH_TO_THE_CA_FILE_CREATED_PREVIOUSLY>
       SSLVerifyClient         require
   </Location>
  • SSLCaCertificateFile is it similar to openssl.cnf
    When i place the path of "openssl.cnf" it throws an error that your library does
    n,t have support for CA kind of it.

Would request if anyone can help me in it.?

Thanks !

@ansh1221
Copy link

Hi @fdelavega @aitormagan @jqnatividad if you guys can please help in any way?

@fdelavega
Copy link
Contributor

fdelavega commented Mar 20, 2019
edited
Loading

SSLCACertificateFile should point the CA certificate that is used by the client in order to sign the request. Basicaly you are configuring SSL client verification in this particular request

@ansh1221
Copy link

While providing the same location /etc/ca-certificates.conf file location it throws me an error:

Your SSL library does not have support for per-directory CA
Action 'configtest' failed.

@fdelavega
Copy link
Contributor

But you don't have to point to a conf file, but to the actual CA digital certificate, probably with .crt or .pem extension in the same way as it is provided in SSL configuration of a site.

@ansh1221
Copy link

ansh1221 commented Mar 20, 2019
edited
Loading

Hi Sir, one more thing that how can I verify the completeness for securing the notification callback?I mean after uploading my certificate, should I access /api/action/dataset_acquired ??
And sir, after generating a certificate.pem using openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem, I still get the same error. can you please help?

@ansh1221
Copy link

Hi @fdelavega sir can you please guide me through this?

@aitormagan
Copy link
Contributor

aitormagan commented Mar 22, 2019 via email

@ansh1221
Copy link

ansh1221 commented Mar 22, 2019
edited
Loading

Hi @aitormagan sir, while working on securing the notification callback https://github.com/conwetlab/ckanext-privatedatasets#securing-the-notification-callback , after executing the steps mentioned. I was unable to do so the same.
Can you please guide me through this process or steps. Have been working on it since long and not able to finish it.??

@ansh1221
Copy link

I am following this URL for generating the certificates: https://www.slashroot.in/how-does-ssltls-chain-certificates-and-its-validation-work

@ansh1221
Copy link

Hi @fdelavega @aitormagan , just one thing please, I have installed all the certificates and when I access /api/action/dataset_acquired it shows , no action dataset_acquired known. Just help me in this issue please.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jqnatividad @aitormagan @fdelavega @amritpal16071988 @ansh1221