ipfw and QTSS


The other day I mentioned loading 498 PBS videos on our QuickTime streaming server—work that’s part of a VIVA (Virtual Library of Virginia) project focused on delivering streaming video to students, faculty and staff. A follow-up post today focuses on the challenges of restricting access to authorized users.

At some point in the not-too-distant-future, metadata about these videos will begin showing up in our online catalog. Each record will offer a clickable link to a real-time stream of the video. As you might guess, the most significant technological challenges surround keeping the content away from unauthorized users.

QTSS

QuickTime (H.264) encoding makes a really great looking video. Apple’s QuickTime Streaming Server (QTSS) is a mature and capable product, easy to administer, and free with every copy of OS X Server. You don’t even need Apple hardware—check out the open-source version called Darwin Streaming Server (DSS) which runs on Linux and Windows as well as Macs. Is there a downside? Oh yeah. With QTSS you can restrict content to particular users but they must have an account on the server running QTSS. We’re looking at a potential user population around 30,000 so obviously this sort of “toy” authentication won’t work. Regrettably (and in 2007, inexplicably), QTSS is oblivious to LDAP.

An aside: There is reason to believe/hope this will improve during Fall 2007 when the next release of the QTSS software introduces Open Directory support.

I finally realized sometime last Friday that for now I should just implement a firewall on a QTSS server—restricting its interaction to machines on Mason’s network. That way I wouldn’t have to worry about who the user might be. If they’re on our network, they’re OK.

ipfw 

A bit of reading led me straight to ipfw (a utility that, along with ipchains, I’ve managed to avoid understanding for years).

A couple of hours into it, I was beginning to get the hang of that special reverse logic that seems to govern firewall configuration when I found a post referring to the easy-to-use GUI that Apple provides to ipfw in the ServerAdmin utility. Doh! Ten minutes later I was ready to start testing.

Basically I defined a group (mason) and said all machines in this group have an IP address that begins 129.174.xxx.xxx. Built on FreeBSD, OS X expects that to be written as: 129.174.0.0/16

Then under services I blocked access to all QTSS/RTSP ports for “any” network users and then enabled them for users belonging to my “mason” group.
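To make the "reverse logic" concrete, here is an added example (not from the original post or from Apple's tools) that emulates ipfw's first-match evaluation over a small ruleset modelled on the one described: the mason group is 129.174.0.0/16, and the QTSS/RTSP ports are assumed to be 554 (RTSP's default, used by the rtsp:// links) and 7070 (the port in the http:// links). The rule syntax imitates ipfw but the evaluator is a constructed simplification, so it says nothing about UDP RTP ports or the kernel's compiled-in default rule.

```python
import ipaddress
import re

# Simplified ipfw-style rule: "<number> <allow|deny> <tcp|udp|ip> from <src> to any [ports]".
RULE_RE = re.compile(
    r"^(\d+)\s+(allow|deny)\s+(tcp|udp|ip)\s+from\s+(\S+)\s+to\s+any(?:\s+([\d,]+))?")

def parse_rules(text):
    """Parse constructed ipfw-like rules and return them sorted by rule number,
    which is the order ipfw actually evaluates them in."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        num, action, proto, src, ports = m.groups()
        src_net = None if src == "any" else ipaddress.ip_network(src, strict=False)
        port_set = {int(p) for p in ports.split(",")} if ports else None
        rules.append((int(num), action, proto, src_net, port_set))
    return sorted(rules, key=lambda r: r[0])

def evaluate(rules, src_ip, dst_port, proto="tcp"):
    """First matching rule wins. Returns (action, rule_number)."""
    ip = ipaddress.ip_address(src_ip)
    for num, action, rproto, src_net, ports in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if src_net is not None and ip not in src_net:
            continue
        if ports is not None and dst_port not in ports:
            continue
        return action, num
    return "deny", None  # nothing matched (constructed fallback)

# Intended ruleset: the campus allow rule is numbered *before* the deny,
# so 129.174.x.x reaches QTSS and everyone else hits the deny.
GOOD_RULES = """
01000 allow tcp from 129.174.0.0/16 to any 554,7070
01010 deny tcp from any to any 554,7070
65535 allow ip from any to any
"""

# Same two rules with their numbers swapped: the deny matches first and
# blocks the QTSS ports for campus machines too. This is the ordering trap.
BAD_RULES = """
01000 deny tcp from any to any 554,7070
01010 allow tcp from 129.174.0.0/16 to any 554,7070
65535 allow ip from any to any
"""
```

Checking a campus address and an off-campus address against both rulesets, on port 554 and on an unrelated port such as 80, is a quick way to confirm that the GUI produced the rule order you intended.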

We now have a server which can provide these PBS videos to any computer on campus. For off campus users, we’re still working on a Shibboleth-based authentication scheme that will be hosted by UVa. That is going to have a longer implementation schedule so perhaps we’ll find that the Leopard release of QTSS with LDAP support will obviate the need for this more complex infrastructure.

If you’re on Mason’s network, you should be able to view these sample PBS videos (American Experience – Douglas MacArthur, parts 1 and 2). If you’re not on Mason’s network, your browser or QuickTime will time out waiting to establish a connection.

View in browser:

http://phobos.gmu.edu:7070/PBS/800/pbs_amx025-1_800k.mp4

http://phobos.gmu.edu:7070/PBS/800/pbs_amx025-2_800k.mp4

View with QuickTime Player:

rtsp://phobos.gmu.edu/PBS/800/pbs_amx025-1_800k.mp4

rtsp://phobos.gmu.edu/PBS/800/pbs_amx025-2_800k.mp4