.. _UC12:

Use Case 12 - User Authentication
=================================

.. index:: Use Case 12, authentication

Goal
----

User Authentication - A user or a service operating on behalf of a user authenticates against an identity provider to establish a certificate that can subsequently be used to identify the user.

Summary
-------

Many operations in the DataONE system require affirmation of user identity to ensure that appropriate access controls can be asserted and other services such as citation and notification operate as expected.

The actual identity and authentication framework may exist outside of DataONE, and the first version of the infrastructure will use the certificate-based services of the `CILogon service`_.

The user obtains a certificate from the CILogon service, then uses that certificate to make API calls against DataONE Services.

Alternatively, a long-lived certificate may be provided by DataONE for systems such as Member Nodes that need to authenticate with components of DataONE.

In each case, the provided certificate contains the subject, alternate subjects, and group memberships of the user. This information is used by services to determine if the caller has access to the requested resource.

Actors
------

User, Member Node, Coordinating Node, Authentication System

Preconditions
-------------

- User is not authenticated in the system

Triggers
--------

- A user logs on to the DataONE system.

- A user needs to access a restricted operation.

Post Conditions
---------------

- A certificate is returned to the user that can be used by DataONE services to identify the user.

- In the event of authentication failure the certificate will not be available.

.. uml::

   @startuml images/12_seq_a.png
   actor User
   participant CILogon
   participant IDP <>
   participant CN <>
   note right of CILogon
     DataONE Authentication Service
     https://cilogon.org/?skin=dataone
   end note
   User -> CILogon: Authenticate
   activate CILogon
   CILogon -> User: auth_using_IDP
   note right of IDP
     User selected Identity Provider
   end note
   User -> IDP: authenticate
   activate IDP
   IDP -> CILogon: user metadata
   deactivate IDP
   CILogon -> CN: getSubjectInfo
   activate CN
   CN -> CILogon: SubjectInfo
   deactivate CN
   CILogon -> CILogon: generate certificate
   CILogon -> User: certificate_download_tool
   User -> CILogon: download certificate
   CILogon -> User: certificate
   deactivate CILogon
   @enduml

**Figure 1.** Obtaining a client-side certificate from the CILogon service.

.. uml::

   @startuml images/12_seq_b.png
   actor User
   participant CA <>
   participant CertProvider
   note right of CA
     DataONE Certificate Authority.
     Requires manual interaction with DataONE administrators to generate certificate.
   end note
   User -> CA: Request certificate
   activate CA
   CA -> CA: Generate certificate
   CA -> User: Certificate retrieval information
   deactivate CA
   User -> CertProvider: download Certificate
   activate CertProvider
   CertProvider -> User: Certificate
   deactivate CertProvider
   @enduml

**Figure 2.** Obtaining a long-lived client-side certificate from DataONE.

.. uml::

   @startuml images/12_seq_c.png
   actor User
   participant MN <>
   note right of MN
     Member Node is shown, however the process is the same for both Member and Coordinating Nodes
   end note
   User -> MN: restricted operation
   activate MN
   MN -> MN: verify credentials
   MN -> User: response
   deactivate MN
   @enduml

**Figure 3.** Authenticated interaction with a service provided by a Member or Coordinating Node.

.. _CILogon service: http://www.cilogon.org/service
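The node-side "verify credentials" step of Figure 3, as an added example in Go that is not part of this document or of the DataONE software. The CA (standing in for the CILogon or DataONE issuer), the user certificate and the group-membership extension (OID 1.3.6.1.4.1.99999.1 holding a SEQUENCE OF string) are constructed for the example: the text says the certificate carries subject, alternate subjects and group memberships but does not specify how groups are encoded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// oidGroups is a constructed private extension for group memberships: the page
// says the certificate carries groups but gives no encoding, so this is assumed.
var oidGroups = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// Credentials is what a node extracts from a verified certificate and then
// compares against the access rules of the requested resource.
type Credentials struct{ Subject string; AltSubjects, Groups []string }

// VerifyCredentials is the "verify credentials" step of Figure 3: the chain must
// validate against the CA the node trusts before any name in it is used, so an
// untrusted, expired or self-issued certificate yields no credentials at all.
func VerifyCredentials(cert, trustedCA *x509.Certificate) (*Credentials, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return nil, err
	}
	c := &Credentials{Subject: cert.Subject.String(), AltSubjects: cert.EmailAddresses}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidGroups) {
			asn1.Unmarshal(ext.Value, &c.Groups) // SEQUENCE OF string
		}
	}
	return c, nil
}

// DemoCerts builds a constructed chain: a CA standing in for the CILogon or DataONE
// issuer, and a user certificate carrying subject, email SAN and the group extension.
func DemoCerts() (user, ca *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true, BasicConstraintsValid: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	groups, _ := asn1.Marshal([]string{"CN=curators,DC=dataone,DC=org"}) // constructed group name
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotAfter: time.Now().Add(time.Hour), Subject: pkix.Name{CommonName: "jane"}, EmailAddresses: []string{"jane@example.org"}, ExtraExtensions: []pkix.Extension{{Id: oidGroups, Value: groups}}}
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, ca, userPub, caKey)
	user, _ = x509.ParseCertificate(userDER)
	return user, ca
}
```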