Whither IP Groups?


Stephen Marks

Jun 25, 2014, 12:07:02 PM
to dataverse...@googlegroups.com
Hi all--

So, I was in IRC complaining about the inability to define IP groups using subnet notation, and a little bird told me that the IP Groups functionality may be removed from 4.0. We currently use this feature to restrict access to certain datasets based on the physical location of the user. I don't see this requirement going away soon, so I'm wondering if the team has thought about this use case.

Typically, the rationale for such a restriction will be around licensing/IP concerns more than hardcore restricted use data type stuff, but it does see a decent amount of use in our DVN instance. 

I'm wondering what your vision is for this functionality. Do you see this institutional affiliation authentication use case as being replaced by Shibboleth authentication? I have concerns around this, as we have a number of schools who just straight up don't support Shib at this time. Of the ones that do, there are still categories of users (e.g., walk-in users) who may be authorized users of the data per the license, but who may not have a Shib login.

I can think of a few other cases where this is relevant functionality as well, and I'm just wondering about the state of this feature in 4.0 and whether or not there is further demand for IP group support.

Thanks!

Steve

Condon, Kevin

Jun 25, 2014, 2:19:07 PM
to dataverse...@googlegroups.com

Hi Steve,

It is true we are moving towards authentication that supports Shibboleth, OAuth, and LDAP and that we had considered dropping IP address authentication since it is being dropped by others in favor of single sign on systems. However, we don't want to disrupt partners who may rely on such functionality unnecessarily and are open to hearing reasons for keeping it.

One approach might be to define an end of life for this type of support so folks can plan ahead. Another might be to keep a minimalistic authentication scheme like IP addressing for configurations that are not as complex.

Thanks for bringing up this issue, we'd be interested in what others think about this topic as well.

Regards,

Kevin

Sklar, Annelise

Jun 25, 2014, 3:30:37 PM
to dataverse...@googlegroups.com

At UC San Diego, we’re mainly using Dataverse to store our purchased datasets, so the IP restriction capability is critical to us. In fact, it’s the main reason we implemented a local installation.

 

Thanks for asking for feedback,

Annelise

 

 

Annelise Sklar

Social Sciences Collections Coordinator

Librarian for Political Science, Law & Society, Environmental Policy, International Government Information, and Social Sciences Data

ask...@ucsd.edu | (858) 822-1993

UC San Diego | 9500 Gilman Dr. #0175R | La Jolla, CA 92093-0175

 


--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/8552BDDD3DDE294C995A0182F32F976FB024EA16%40HARVANDMBX02.fasmail.priv.
For more options, visit https://groups.google.com/d/optout.

Jon Crabtree

Jun 25, 2014, 3:35:28 PM
to dataverse...@googlegroups.com
Here at UNC Odum Institute we use these IP restrictions as well. We are excited about the addition of Shibboleth but we will also need IP-based restrictions for some of our customers and datasets.
I would hope we can get a group together to talk about the issues.

Jon Crabtree



Mercè Crosas

Jun 25, 2014, 3:36:09 PM
to dataverse...@googlegroups.com
Many thanks, Annelise. Good to know - we will definitely keep this in mind. It does seem we need to continue supporting IP address authentication (and improve that functionality). But just in case: if Dataverse had another form of authentication for UC San Diego affiliates, for example through a University LDAP or Shibboleth Authentication provider, would you rather use that than the somewhat less reliable IP addresses?

Merce


Mercè Crosas, Ph.D.
Director of Data Science, IQSS
Harvard University


Sklar, Annelise

Jun 25, 2014, 3:45:56 PM
to dataverse...@googlegroups.com

At some point, we’ll probably be more interested in Shibboleth, but right now all of our library databases are IP restricted and I’d rather not be the guinea pig. (We also regularly have issues with various quasi-affiliated researchers, usually legitimately visiting scholars, not being granted by our campus IT the single-sign-on credentials they need to access resources like EBL ebooks.)

 

Thanks,

Annelise

Stephen Marks

Jun 25, 2014, 3:58:41 PM
to dataverse...@googlegroups.com
Thanks for the responsiveness, and it's really interesting to hear that others are using this feature as well. Annelise pretty much summed up our situation better than I did.

I should say that in general, I'm very supportive of a move to authentication based on establishing the identity of an actual person, but I guess I am not convinced our user base can fully support it yet.

If it's a question of compromising the way authentication works, it makes no difference to me whether this is implemented as an actual part of the authentication system, or as a simpler access control on the data. But whatever it is, it should support subnet notation. ;)

Steve



Katherine McNeill

Jun 25, 2014, 9:23:39 PM
to dataverse...@googlegroups.com, Rich Wenger

I will chime in that we too value the IP authentication (for access to library-licensed data) and would need to investigate in more detail how well alternatives (like Shibboleth, which we would value as an addition) would work.  And the case that Steve mentioned

“there are still categories of users (e.g., walk-in users) who may be authorized users of the data per the license, but who may not have a Shib login.”

 

that most certainly applies to us (we have a policy to allow walk-ins who are not MIT affiliated, both members of the general public as well as students/faculty of other area universities w/which we collaborate).  So we could help to discuss this in more detail, but I wanted to at least say an initial reaction.

 

Sincerely,

Kate McNeill

___________________________________

Katherine McNeill

Social Science Data Services and Economics Librarian

Massachusetts Institute of Technology

mcne...@mit.edu | 617-253-0787

Mercè Crosas

Jun 27, 2014, 9:22:42 AM
to dataverse...@googlegroups.com
Great. Thanks for the feedback. We'll follow up with more soon.

Merce


Mercè Crosas, Ph.D.
Director of Data Science, IQSS
Harvard University


Philip Durbin

Jun 30, 2014, 7:54:03 AM
to dataverse...@googlegroups.com
Thanks for the feedback, everyone. For tracking purposes, here's the development ticket we created: https://redmine.hmdc.harvard.edu/issues/4156

I linked back to this helpful thread.

Phil




Joerg Messer

Jul 7, 2014, 7:59:47 PM
to dataverse...@googlegroups.com
Greetings,

I'd also like to weigh in on the side of retaining IP-based authentication. I'm all for introducing more flexible authentication options but the access management world can move quite slowly. At the UBC Library, we manage our DVN instance as a consortial resource and some of our members do not yet fully support Shib. If IP authentication disappeared it may make it impossible for us to migrate to the new version in a timely fashion. I would consider this quite unfortunate.

//Joerg

Philip Durbin

Jul 8, 2014, 7:44:46 AM
to dataverse...@googlegroups.com
Thanks again, everyone, for your input on this. I just wanted to mention quick that IP-based groups are definitely making their way into our design, not that this image is at all final: https://github.com/IQSS/dataverse/blob/master/doc/Architecture/UsersAndGroups.png

Phil



Philip Durbin

Jul 31, 2014, 1:15:35 PM
to dataverse...@googlegroups.com
Me again. I just wanted to mention that you can read about our
proposed support for IP groups in Dataverse 4.0 at
https://github.com/IQSS/dataverse/blob/master/doc/Architecture/auth.md

Phil