Identity Management at IRIS - April 2022 Update
In a follow-up to our previous newsletter article and our email bulletin regarding Identity Management efforts at IRIS, we want to bring you up to date on where we are with developments and address some specific issues that you in the research community have raised.
Firstly, we are internally testing our user login and registration portal, which is being jointly developed with UNAVCO. The portal is proving functional and should soon be ready for wider evaluation. In anticipation of the upcoming merger to form EarthScope, we have decided to unify our login and user profile databases so that your login information is retained through the organizational transition.
In addition, UNAVCO and IRIS have jointly developed language that clearly articulates our protection of and respect for your privacy as an identified user of our services. We will be posting privacy policies on the IRIS web site. We take the security of your personally identifying information and service usage data seriously and will act in accordance with all applicable privacy laws, both domestic and international.
As a reminder of scope, our initial rollout at IRIS will only focus on authentication for data access, leaving metadata, derivative products, and other services in their current mode of operation. These data access services already possess an authentication endpoint for restricted data access (‘/queryauth’), so the changes to your access behavior should be minimal and familiar to many. We will present announcements in the future when the scope of authenticated access is increased. Our goal is to best understand our user community and patterns of use so that we can make informed decisions on how to improve our accessibility and level of service.
Work is proceeding on the internal authorization mechanisms that will support wide use of authenticated data access. When you log in to IRIS through our website, you will be presented with a profile page from which you can request an access token for your activities. Since IRIS web services use a username and password to authorize your transactions, this token will serve as your password, and your primary email address will be the user name. These credentials can be saved to your local filesystem for automated reuse in your scripts and applications; because the token is password-equivalent, that file should be protected like a password, readable only by your own account. For IRIS web applications, the browser stores your session state automatically, so your data activities should be seamless.
The most common question we have received is ‘how will my application be affected by this change?’ A typical example is a utility that carries out station searches and displays the results on a map, allowing the user to select a station and see an on-screen plot of the waveforms from that station.
Our answer is that there is good news on that front. For ‘casual’ data access and display activities, you will still be able to connect anonymously to our web services via the ‘/query’ endpoint. However, our expectation is that this access is low volume and performance is not at a premium. For high-volume access in large computations and data acquisitions, we will be pointing developers to switch to authenticated access, which is where we will be applying sufficient resources for your big-data needs.
Another user question relates to automated download systems, which operate unattended and are run by staff rather than by any one person. How will IRIS’s identity management system accommodate these systems?
The answer is that we will be offering an alternative form of authentication suitable for non-person, fixed installations of software. IRIS will present a form that will allow an institution to register their application, indicate the site where it will run, and describe what the general purpose of use is. A primary contact email will be required, but it does not have to be a specific person. Once accepted, a special login user and token will be sent to the primary contact email address for use on that system, specifically. An important consideration for ‘institutional’ logins is that access to restricted data will not be possible, at least for the foreseeable future.
A final question we have received relates to federated access to data or access to multiple data centers in the FDSN. Our answer is this: If you are making use of the IRIS Fedcatalog for multiple data center access, the tool will need to access the ‘/queryauth’ endpoint when accessing the IRIS ws-dataselect service. This means you will want your IRIS credentials at the ready when carrying out your federated queries. A library like ObsPy will opt for the ‘/queryauth’ endpoint instead of the ‘/query’ endpoint when a user supplies credentials. The Fedcatalog itself does not prescribe which of these endpoints to call, so the client must make this choice.
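The two points above, saving the email/token pair locally for scripts and letting the client pick ‘/queryauth’ over ‘/query’ whenever credentials are present, look like this in a small Python client. This is an added example, not IRIS, UNAVCO or ObsPy code. It assumes things the article does not state: the base URL is a placeholder for an FDSN dataselect service, the credential file layout (email on the first line, token on the second) is an illustration, and since the article does not say which HTTP authentication scheme ‘/queryauth’ challenges with, both Digest and Basic handlers are registered so the server's 401 response decides. The credential file is created owner-only and refused if any other account can read it, because the token stands in for your password.

```python
"""Endpoint selection and local credential handling for authenticated data access.

Added example, not IRIS, UNAVCO or ObsPy code.  Assumptions not stated in the
article: the base URL below is a placeholder for an FDSN dataselect service, the
credential file format (two lines: email, then token) is an illustration, and
the HTTP authentication scheme that /queryauth challenges with is unknown here,
so both Digest and Basic handlers are registered and the server's 401 decides.
"""
import os
import stat
import urllib.parse
import urllib.request
from pathlib import Path
from typing import Dict, Optional, Tuple

# Placeholder base URL (assumption); the article only names the /query and
# /queryauth endpoints of the ws-dataselect service.
BASE_URL = "https://service.example.org/fdsnws/dataselect/1"

Credentials = Tuple[str, str]  # (primary email as user name, access token as password)


def parse_credentials(text: str) -> Credentials:
    """Parse the two-line credential file body: email on line 1, token on line 2."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) != 2:
        raise ValueError("credential file must hold exactly two non-empty lines: email, token")
    email, token = lines
    if "@" not in email:
        raise ValueError("first line should be the primary email address used as user name")
    return email, token


def is_private_mode(mode: int) -> bool:
    """True when the permission bits grant nothing to group or other (e.g. 0o600)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def save_credentials(path: Path, email: str, token: str) -> None:
    """Create the credential file owner-read/write only; the token is password-equivalent."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(f"{email}\n{token}\n")


def load_credentials(path: Path) -> Optional[Credentials]:
    """Return (email, token) from the file, or None if it does not exist.

    Refuses a file that other accounts can read, so a leaked token is noticed
    rather than silently used.  (POSIX permission semantics are assumed.)
    """
    if not path.exists():
        return None
    mode = path.stat().st_mode
    if not is_private_mode(mode):
        raise PermissionError(
            f"{path} has mode {oct(stat.S_IMODE(mode))}; it holds a password-equivalent token, chmod 600 it"
        )
    return parse_credentials(path.read_text(encoding="utf-8"))


def build_request_url(params: Dict[str, str], credentials: Optional[Credentials],
                      base_url: str = BASE_URL) -> str:
    """Pick the endpoint the way the article describes a client such as ObsPy doing it:
    /queryauth when credentials are supplied, anonymous /query otherwise."""
    endpoint = "queryauth" if credentials else "query"
    return f"{base_url}/{endpoint}?{urllib.parse.urlencode(params)}"


def build_opener(url: str, credentials: Credentials) -> urllib.request.OpenerDirector:
    """Opener that answers the server's 401 challenge with the email/token pair.

    Credentials are not sent pre-emptively; the password manager releases them
    only for this URL, and only after the server has challenged.
    """
    email, token = credentials
    pw = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw.add_password(None, url, email, token)
    return urllib.request.build_opener(
        urllib.request.HTTPDigestAuthHandler(pw),
        urllib.request.HTTPBasicAuthHandler(pw),
    )


def fetch(params: Dict[str, str], credential_path: Path, timeout: float = 60.0) -> bytes:
    """Fetch data, authenticated if a private credential file exists, anonymously otherwise."""
    creds = load_credentials(credential_path)
    url = build_request_url(params, creds)
    opener = build_opener(url, creds) if creds else urllib.request.build_opener()
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        cred_file = Path(tmp) / "iris-credentials"
        # Constructed values standing in for the email and token from the profile page.
        save_credentials(cred_file, "user@example.org", "token-from-profile-page")
        creds = load_credentials(cred_file)
        print(build_request_url({"net": "IU", "sta": "ANMO", "cha": "BHZ"}, creds))
        os.chmod(cred_file, 0o644)  # simulate a careless copy of the file
        try:
            load_credentials(cred_file)
        except PermissionError as exc:
            print("refused:", exc)
```

With no credential file present, `fetch` falls back to the anonymous ‘/query’ endpoint, which matches the behaviour the article describes for casual access; drop the file in place and the same call switches to ‘/queryauth’ without any other change to the script.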
As a final note, we are still on schedule for a June release. In fact, we have a Short Course at the upcoming SAGE/GAGE Workshop on Identity Management, presented by IRIS and UNAVCO jointly. There, we will walk through practical examples of getting registered, logging in, and getting busy with tools and utilities for authenticated data access. We would be thrilled if you can attend in June. [SAGE/GAGE Workshop Home Page].
We will continue to post frequent bulletins to the community through our IRIS Message Center mailing lists, so you are highly encouraged to go there and subscribe to one of these lists to get the latest information and notifications of our release dates.
IRIS General Announcements [iris-announce AT lists.ds.iris.edu]
DMC General Announcements [dmc-announcements AT lists.ds.iris.edu]
DMC Software [software-info AT lists.ds.iris.edu]
Web Services [webservices AT lists.ds.iris.edu]
by Rob Casey (IRIS Data Management Center)