Open amritpal16071988 opened 7 years ago
Using the extension is easy. Once installed and configured, you can enter one dataset and edit its properties. You will see a "Visibility" combobox which will allow you to choose if the dataset is public or private.
BTW, if your data is coming from the context broker, the data will still be publicly available even if you import it into CKAN and mark the dataset as private. @fdelavega can provide you with more information about privatizing/monetizing context broker entities...
Hi @aitormagan,
Thanks for the quick response. @fdelavega, could you please help me with more understanding of privatizing/monetizing context broker entities with the use of CKAN?
Thanks for the help in advance.
Hi,
There are several options for privatizing context broker stuff. Are you planning to monetize it or just restrict the access?
If you want to monetize it, the easiest way is using our Accounting proxy (https://github.com/FIWARE-TMForum/Accounting-Proxy), which validates that users have acquired the services (or a particular context broker query) before allowing the access. The point is that you need a BAE (https://github.com/FIWARE-TMForum/Business-API-Ecosystem) instance running where the different offerings have to be created, etc.
If you just need to control the access, you can use a FIWARE PEP proxy (https://github.com/telefonicaid/fiware-pep-steelskin) for user authentication and a FIWARE PDP (https://github.com/telefonicaid/fiware-keypass) for policy enforcement. With this option it is also possible to monetize, since the BAE is integrated with this architecture.
In addition, next month we are starting a task to integrate this CKAN plugin with the backend security stuff, so managing the access in CKAN (public, private, authorized users, etc.) will actually update the security policies in the backend, easing the management. Nevertheless, this new feature won't be available at least until May.
Hi @fdelavega,
> In addition, next month we are starting a task to integrate this CKAN plugin with the backend security stuff so managing the access in CKAN (public, private, authorized users, etc) will actually update the security policies in the backend easing the management. Nevertheless, this new feature wont be available a least until may

Just wondering where you are on integrating this plugin to "the backend security stuff".
Thanks in advance!
Hi @jqnatividad,
We are actually securing the access to the context broker using the FIWARE security framework and in particular a new component called API Umbrella (https://apiumbrella.io/), which is replacing the PEP proxy. The approach is that we are securing the context broker in the typical way, and the plugins that allow the publication of context broker queries as dataset resources are injecting the user access token in the request. This way, only if the user is also authorized in the backend will he be able to access the data.
Hi, while configuring the plugin for "Securing the Notification Callback", I am unable to do so, as I am not clear about the steps mentioned. If someone can help me with it: I have been working on it for a while and am not able to make it work for securing the notification callback.
One of the doubts was:
<Location /api/action/dataset_acquired>
SSLCACertificateFile <PATH_TO_THE_CA_FILE_CREATED_PREVIOUSLY>
SSLVerifyClient require
</Location>
I would request if anyone can help me with it?
Thanks!
Hi @fdelavega @aitormagan @jqnatividad, if you guys can please help in any way?
SSLCACertificateFile should point to the CA certificate that is used by the client in order to sign the request. Basically, you are configuring SSL client verification for this particular request.
While providing the /etc/ca-certificates.conf file location, it throws me an error:
Your SSL library does not have support for per-directory CA
Action 'configtest' failed.
But you don't have to point to a conf file, but to the actual CA digital certificate, probably with .crt or .pem extension in the same way as it is provided in SSL configuration of a site.
Hi Sir, one more thing: how can I verify the completeness of securing the notification callback? I mean, after uploading my certificate, should I access /api/action/dataset_acquired? And sir, after generating a certificate.pem using openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem, I still get the same error. Can you please help?
Hi @fdelavega sir, can you please guide me through this?
If you access the URL you indicated without providing a certification signed by the CA specified in the config file, the request will fail. When a valid certification is provided, the request will complete.
Best regards, Aitor
On 22 Mar 2019, at 6:38, ansh1221 notifications@github.com wrote:
> Hi @fdelavega sir can you please guide me through this?
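The pass/fail behaviour described in the reply above can be rehearsed offline before touching Apache. This script is an added example, not part of the thread or of ckanext-privatedatasets: it builds a CA (the certificate SSLCACertificateFile should reference), issues a client certificate from it, and checks that only that certificate chains to the CA. All file and subject names are constructed.

```shell
#!/usr/bin/env bash
# Constructed example: file names and subject names are made up for illustration.
set -eu

# make_ca DIR: private CA key plus self-signed CA certificate.
# This is the same kind of command quoted in the thread; its output is a CA/root
# certificate, which is what the server trusts, not what the client presents.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Callback CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client DIR: client key and CSR, then a certificate signed by the CA.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-store-client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/client.crt" 2>/dev/null
}

# make_selfsigned DIR: an unrelated self-signed certificate, not issued by the CA.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=unrelated-client" \
        -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
}

# chains_to CA CERT: succeeds only if CERT validates against CA.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
make_ca "$dir"
issue_client "$dir"
make_selfsigned "$dir"

chains_to "$dir/ca.crt" "$dir/client.crt" && echo "client.crt: chains to CA"
chains_to "$dir/ca.crt" "$dir/other.crt"  || echo "other.crt: rejected"
```

The client.crt/client.key pair is what the caller presents when requesting /api/action/dataset_acquired; with SSLVerifyClient require in effect, a request carrying other.crt or no certificate should fail. Apache's mod_ssl accepts SSLCACertificateFile only in server config or virtual host context, and the "per-directory CA" error is what it reports when the directive sits inside a <Location> block.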
Hi @aitormagan sir, while working on securing the notification callback https://github.com/conwetlab/ckanext-privatedatasets#securing-the-notification-callback, after executing the steps mentioned, I was unable to do the same. Can you please guide me through this process or steps? I have been working on it for a long time and am not able to finish it.
I am following this URL for generating the certificates: https://www.slashroot.in/how-does-ssltls-chain-certificates-and-its-validation-work
Hi @fdelavega @aitormagan, just one thing please: I have installed all the certificates, and when I access /api/action/dataset_acquired it shows "no action dataset_acquired known". Just help me with this issue please.
I have installed this extension as per the steps mentioned here, but I am not able to find a way to use it. My current requirement is that there are approx 20k datasets which I need to mark as public or private according to the respective users. My data is coming from the context broker.
So now I have two questions:
1) Is this the correct solution which I am following?
2) If this solution is correct, how should I go about it?
Any help regarding this issue will be much appreciated.