UKOLN: The potential use of Athens by NewsAgent

Athens for NewsAgent?

This report gives a brief (very brief!) introduction to the NISS Athens authentication system and discusses its applicability for the NewsAgent system. It is based on a short discussion with Ed Zedlewski from NISS and on the various materials available on the Web that describe the Athens system.

<URL:http://www.niss.ac.uk/authentication/>
<URL:http://www.niss.ac.uk/authentication/present2/index.htm>

Athens architecture

The NISS Athens system is based on the standard HTTP 'Simple' authentication model where each each browser request for a restricted document on the Web server will only be satisfied if the browser can supply a correct username/password pair. (For an introduction to user athentication using the Apache Web server see Apache Week). Web server requests for authentication from the browser are marked as being within a particular 'realm' so that the client can cache username/password pairs and only prompt the user for them once per realm. All Athens based services will operate within the same realm.

Normally each Web server maintains it's own set of username/password pairs in a local file (typically similar to the standard UNIX /etc/passwd file). The Athens system provides a shared set of many thousands of usernames and passwords that are available over the network and that are maintained using the Sybase database system.

The Athens system can be simply integrated into both the Apache and Netscape Web servers using 'off the shelf' server 'agents'. Other configurations are achievable using Athens specific libraries written in C++.

<URL:http://www.niss.ac.uk/authentication/present2/sld010.htm>

Athens user accounts

The NISS Athens system arranges user accounts in a hierarchical way. For the purposes of this discussion we will consider two sorts of Athens accounts, Access accounts and Personal accounts.

<URL:http://www.niss.ac.uk/authentication/present2/sld017.htm>

Access accounts

Access accounts are similar to the type of accounts currently offered by the BIDS service. They are typically site-wide or departmental accounts. Management of access accounts can be devolved to site or departmental contacts. If enabled, access accounts can be used to create personal accounts, i.e. anyone knowing the username/password pair for an access account can create their own personal account.

Access to resources using an access account is based on both the correct username/password pair and on the client's IP address.

Personal accounts

Personal accounts have in some sense more priveledge that access accounts. In particular, access to resources using personal accounts does not depend on the access being made from a particular client IP address.

Once set up, personal accounts can be modified and deleted by the owner of the account.

<URL:http://www.niss.ac.uk/authentication/present2/sld023.htm>

Document protection

The resources to which access can be controlled using the Athens system can be both static pages, normal HTML pages for example, and dynamically generated pages using CGI scripts. In both cases access rights are determined by looking at Access Control Lists (ACLs) maintained within the Athens system. In the case of CGI scripts, various parameters about the authenticated user are also passed to the script so that it can determine what level of output to generate.

<URL:http://www.niss.ac.uk/authentication/present2/sld024.htm>

Athens Usernames

Athens can support 20 character usernames but the main UK HE data centres will implement usernames with the format 'sssnnnnn', where:

sss: is a fixed site code (alpha)
nnnnn: is the responsibility of the site (alpha-numeric).

All Athens usernames are mapped to lowercase.

<URL:http://www.niss.ac.uk/authentication/present2/sld026.htm>

The User Perspective

From the user's perspective there would be very little difference between a NewsAgent system with authentication based on Athens and one with authentication based on the current internal system. The significant thing would be that instead of typing in a NewsAgent specific username/password pair they would be typing in their Athens username and password. Indeed if they had already visited some other Athens based system in the current browser session they would not be prompted for a username/password pair at all (because all Athens based services operate within the same 'realm').

In order to gain access to the NewsAgent service they would first have to obtain an Athens personal account - but they are likely to need to do that anyway to access other UK HE services like BIDS. They would create their own Athens personal account using their existing site-wide or departmental access account. Having got an Athens personal account they would then need to 'register' with NewsAgent by telling the system the name of the account they are going to use.

The Administrator Perspective

From the administrator point of view there is some effort required to configure NewsAgent to use the Athens system.

Server configuration: Clearly the NewsAgent Web servers will need to be modified to use the Athens system. Without seeing the system for real it is hard to be sure but I would expect this work to amount to little more than recompiling the Apache Web servers used at UKOLN and LITC to build in the Athens 'agent'.
ACLs: We will have to set up ACLs within the Athens system but I would expect this to be relatively trivial. We require resticted access to all of the CGI generated NewsAgent Web pages. I suspect this will amount to one or two entries in the Athens ACL files per NewsAgent server.
Usernames: Finally we will have to map Athens usernames onto the Oracle usernames used internally within NewsAgent in some way. Once set up, the CGI scripts that enable access to the various parts of NewsAgent can pass the Athens username that was used to obtain access to the script to the underlying calls into the Oracle database.
There two ways in which Oracle username (and passwords??? Do the NewsAgent CGI scripts pass a username and password to Oracle or just a username?) can be set up initially. Either we modify the NewsAgent 'registration' pages to prompt the user for an existing Athens username, or we configure the NewsAgent CGI scripts to look for accesses by 'new' users (i.e. using Athens usernames that we haven't seen before) and automatically send those users the registration page.

Timescales

The version of Athens described here (version ???) is still under development. Initial deployment with some of the larger UK HE data services, for example BIDS, is expected during September 1997. Realistically we should not expect to be able to use Athens until after January 1988. Clearly this is outside the timescales for the initial implementation of a NewsAgent service.

In the meantime, if we plan on ultimately basing the NewsAgent service on Athens, we could suggest to users that they obtain an Athens personal account for themselves anyway and then use that username and password within the current NewsAgent system. This will make the transition of NewsAgent to Athens in the future relatively painless for the users.

Conclusions

These notes have considered the applicability of the NISS Athens system to NewsAgent. I have only really considered Web access to the NewsAgent database. Access using Z39.50 clients or the proprietary DALI client has not been considered.

This report does not currently consider the issue of how we handle NewsAgent users who are outside of UK HE and who therefore will not have (or be able to have) Athens accounts.

My guess is that using Athens as the underlying authentication system within a Web based NewsAgent system would be relatively simple to achieve. There would be some benefits in doing this - not least from the user's perspective where they would use the same username/password for NewsAgent as for BIDS and several other services.

Maintained by: Andy Powell
Last updated: 14-Jul-1997