Security middleware

Andrew McNab, University of Manchester, 6 July 2005

  1. Security middleware
     Andrew McNab, University of Manchester

  2. Outline
     • GridSite features in gLite 1.2
     • Some features in detail
     • HTTP Downgrade
     • Web service support
     • suexec and gsexec
     • Secmon boxes
     6 July 2005, Security middleware

  3. GridSite in gLite 1.2
     • Up to date VOMS support
       • Attribute Certificates from “gLite”/“LCG” VOMS
     • XML access policies written in GACL or XACML
     • File access / scripts / services controlled by X.509, GSI Proxy, VOMS AC, DN List credentials
     • HTTP Downgrade
       • Authentication via HTTPS; bulk file copy via HTTP
     • gsexec
       • Run scripts/services in Unix user “sandboxes”

  4. HTTP Downgrade
     • This is mostly code from last summer
     • Renewed interest in bulk HTTP, so we're revisiting it
     • Idea is to offer similar functionality to GridFTP but using standard HTTP(S) tools
     • HTTPS “control” channel used for authentication
       • Returns a one-time passcode as a cookie
     • HTTP GET or PUT request made with passcode
       • Similar to unencrypted GridFTP data channel
       • But with Apache performance benefits: sendfile() etc.

  5. HTTP Downgrade (2)
     • Intend to add support for third-party copies
       • Use COPY method from RFC 2518 (WebDAV)
       • Passcode used to authenticate the remote leg of the copy
     • Add HTTP header with client's estimate of Round Trip Time
       • Used by server to select correct TCP window size
     • Work ongoing with networking (Richard Hughes-Jones etc.) to demonstrate performance of HTTP on WANs
     • Evangelise about this a bit more...
       • e.g. GridSite's htcp command now used by EGEE WMS
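The control/data split described on slides 4 and 5, as an added example that is not GridSite's own code: a stand-in HTTPS endpoint issues a passcode bound to one method and one path, the plain-HTTP endpoint redeems it exactly once (and discards it even on a failed attempt, since it travelled in the clear), and a COPY request lets the source server do the remote PUT with a passcode the client obtained from the destination. The cookie name, the DN, the paths and the 60 s lifetime are assumptions; the window helper is the bandwidth-delay product, the usual way to size a TCP window from a client's RTT estimate.

```python
"""One-time passcode flow for 'HTTP downgrade' transfers: authenticate over
HTTPS, then move the bytes over plain HTTP.  Constructed example: the two
servers and the network are stand-in Python objects, not GridSite code."""
import secrets
import time

COOKIE_NAME = "GRIDHTTP_PASSCODE"   # cookie name is an assumption of this example


def parse_cookie_header(header):
    """Turn 'a=1; b=2' from a Cookie: header into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def tcp_window_bytes(rtt_ms, link_bps):
    """Bandwidth-delay product: window needed to keep link_bps busy at rtt_ms."""
    return int(link_bps / 8 * rtt_ms / 1000)


class DowngradeServer:
    """HTTPS control channel issues passcodes; HTTP data channel redeems them."""

    def __init__(self, ttl=60, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.files = {}        # path -> bytes
        self.passcodes = {}    # passcode -> (client_dn, method, path, expiry)

    # HTTPS side: the client was authenticated by its X.509 credential on the
    # TLS connection; that identity arrives here as client_dn.
    def https_passcode(self, client_dn, method, path):
        """Set-Cookie value for a passcode bound to one method and one path."""
        if not client_dn:
            return None
        code = secrets.token_hex(16)
        self.passcodes[code] = (client_dn, method, path, self.clock() + self.ttl)
        return f"{COOKIE_NAME}={code}"

    def https_copy(self, client_dn, src_path, dest_server, dest_path, dest_cookie):
        """RFC 2518 COPY: this server performs the remote PUT itself, using the
        passcode the client obtained from the destination server."""
        if not client_dn or src_path not in self.files:
            return 404
        status, _ = dest_server.http_request(
            "PUT", dest_path, {"Cookie": dest_cookie}, self.files[src_path])
        return status

    # Plain HTTP side: the passcode is the only credential and travels in the
    # clear, so it is consumed on first presentation whether or not it works.
    def http_request(self, method, path, headers, body=b""):
        code = parse_cookie_header(headers.get("Cookie", "")).get(COOKIE_NAME)
        entry = self.passcodes.pop(code, None)
        if entry is None:
            return 403, b""
        _dn, bound_method, bound_path, expiry = entry
        if method != bound_method or path != bound_path or self.clock() > expiry:
            return 403, b""
        if method == "GET":
            return (200, self.files[path]) if path in self.files else (404, b"")
        self.files[path] = body
        return 201, b""


def demo():
    """Run the exchange end to end; returns the observations for checking."""
    now = [1000.0]                                   # fake clock for expiry test
    src = DowngradeServer(ttl=60, clock=lambda: now[0])
    dst = DowngradeServer(ttl=60, clock=lambda: now[0])
    src.files["/data/run1.dat"] = b"constructed payload"
    dn = "/C=UK/O=eScience/OU=Manchester/CN=alice"    # constructed DN
    # HTTPS issues a GET passcode; HTTP redeems it once; the replay fails.
    get_cookie = src.https_passcode(dn, "GET", "/data/run1.dat")
    first = src.http_request("GET", "/data/run1.dat", {"Cookie": get_cookie})
    replay = src.http_request("GET", "/data/run1.dat", {"Cookie": get_cookie})
    # A PUT passcode is not good for GET on the same path.
    put_cookie = src.https_passcode(dn, "PUT", "/data/run1.dat")
    wrong_method = src.http_request("GET", "/data/run1.dat", {"Cookie": put_cookie})
    # A passcode presented after its lifetime is refused.
    late_cookie = src.https_passcode(dn, "GET", "/data/run1.dat")
    now[0] += 61
    expired = src.http_request("GET", "/data/run1.dat", {"Cookie": late_cookie})
    # Third-party copy: PUT passcode from dst, COPY request to src.
    dst_cookie = dst.https_passcode(dn, "PUT", "/incoming/run1.dat")
    copy_status = src.https_copy(dn, "/data/run1.dat", dst, "/incoming/run1.dat", dst_cookie)
    return {"first": first, "replay": replay[0], "wrong_method": wrong_method[0],
            "expired": expired[0], "copy": copy_status,
            "copied": dst.files.get("/incoming/run1.dat"),
            "window_1gbit_100ms": tcp_window_bytes(100, 1_000_000_000)}
```

Binding the passcode to a method and a path is what keeps a GET token captured off the wire from being turned into a PUT; popping it from the table before any check is what keeps a mistyped replay from giving an attacker a second try.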

  6. Web Service support
     • GridSite architecture can provide security for Web Service tools like gSOAP, with CGI Web Services
     • We also provide the C/C++ implementation of the EGEE / JRA3 Delegation portType
       • Java implementation by funded part of JRA3
     • mod_gridsite + delegation CGI used by EGEE WMS:
       • Apache/FastCGI; GridSite (security); gSOAP (SOAP/WS)
     • Delegated credentials stored in the filesystem
       • Allows sharing between different CGI languages

  7. suexec and gsexec
     • Apache has traditionally provided a wrapper to run CGIs as other Unix users:
       • Apache starts as root, its worker processes run as apache, and the CGI runs as joeuser
     • We've modified this to run CGI scripts and services as pool Unix users
       • Either per-client: the cert in the browser determines which pool user
       • Or per-directory: all the CGIs in my directory run as the same pool user

  8. suexec / gsexec (2)
     • This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
       • Different clients or service owners can't interfere with each other
     • Access control is still via GACL/XACML policy files
       • X.509, GSI Proxy, VOMS, DN List credentials
     • We can now offer “third-party” hosting of services
       • Give a user or VO access to a privileged directory
       • They deploy their C/C++/Perl/Python services remotely
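What the pool-user mapping and the privilege drop on slides 7 and 8 amount to, as an added example (not gsexec's own code): per-client mode keys the lease on the certificate DN, per-directory mode keys it on the CGI directory, a lease file claimed with O_EXCL keeps each mapping stable across requests and exclusive to one key, and the wrapper refuses any target uid or gid below a minimum before dropping supplementary groups, gid and uid in that order. Pool names, uids, DNs and directories are constructed; the syscall object only records calls instead of changing identity, so the example runs unprivileged.

```python
"""Pool-user selection and privilege drop in the style of suexec/gsexec.
Constructed example: the pool, the lease directory and the syscall object are
stand-ins, and nothing here actually changes uid or gid."""
import os
import tempfile

UID_MIN = 100   # as in suexec: never run a CGI as root or a low system account


class PoolMapper:
    """Map a key (client DN or CGI directory) onto one of a fixed set of
    low-privilege pool accounts.  A lease is a file named after the pool user
    whose content is the key holding it, so the mapping survives restarts and
    two different keys never share an account."""

    def __init__(self, lease_dir, pool):
        self.lease_dir = lease_dir
        self.pool = list(pool)          # [(username, uid, gid), ...]

    def _lease_path(self, user):
        return os.path.join(self.lease_dir, user)

    def lookup(self, key):
        for user, uid, gid in self.pool:
            path = self._lease_path(user)
            if os.path.exists(path):
                with open(path) as f:
                    if f.read() == key:
                        return user, uid, gid
        return None

    def acquire(self, key):
        existing = self.lookup(key)
        if existing:
            return existing
        for user, uid, gid in self.pool:
            try:
                # O_EXCL makes the claim atomic: the first process to create the
                # lease file wins; a concurrent second one gets EEXIST and moves on.
                fd = os.open(self._lease_path(user),
                             os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            except FileExistsError:
                continue
            with os.fdopen(fd, "w") as f:
                f.write(key)
            return user, uid, gid
        raise RuntimeError("pool exhausted")


def choose_pool_user(mapper, mode, client_dn, directory):
    """Per-client: key on the cert DN; per-directory: key on the CGI directory."""
    key = client_dn if mode == "per-client" else directory
    return mapper.acquire(key)


def drop_privileges(sys_calls, uid, gid):
    """The wrapper starts as root and drops to the pool account.  sys_calls
    supplies setgroups/setgid/setuid so the order can be checked unprivileged."""
    if uid < UID_MIN or gid < UID_MIN:
        raise PermissionError("refusing to run CGI below UID_MIN/GID_MIN")
    sys_calls.setgroups([gid])   # supplementary groups first, while still root
    sys_calls.setgid(gid)        # then the primary group
    sys_calls.setuid(uid)        # uid last: after this there is no way back
    return True


class RecordingSyscalls:
    """Stand-in for the real setgroups/setgid/setuid that only records calls."""
    def __init__(self):
        self.calls = []
    def setgroups(self, groups): self.calls.append(("setgroups", tuple(groups)))
    def setgid(self, gid): self.calls.append(("setgid", gid))
    def setuid(self, uid): self.calls.append(("setuid", uid))


def demo():
    """Exercise both mapping modes and the privilege drop; returns observations."""
    pool = [("pool001", 60001, 60001), ("pool002", 60002, 60002)]   # constructed
    alice, bob, carol = ("/C=UK/O=eScience/CN=%s" % n for n in ("alice", "bob", "carol"))
    out = {}
    with tempfile.TemporaryDirectory() as leases:
        m = PoolMapper(leases, pool)
        out["alice"] = choose_pool_user(m, "per-client", alice, "/cgi/alice")[0]
        out["bob"] = choose_pool_user(m, "per-client", bob, "/cgi/bob")[0]
        out["alice_again"] = choose_pool_user(m, "per-client", alice, "/cgi/other")[0]
        try:
            choose_pool_user(m, "per-client", carol, "/cgi/carol")
            out["carol"] = "mapped"
        except RuntimeError:
            out["carol"] = "exhausted"   # pool of two: a third client is refused
    with tempfile.TemporaryDirectory() as leases:
        m = PoolMapper(leases, pool)
        out["dir_alice"] = choose_pool_user(m, "per-directory", alice, "/cgi/vo1")[0]
        out["dir_bob"] = choose_pool_user(m, "per-directory", bob, "/cgi/vo1")[0]
    calls = RecordingSyscalls()
    drop_privileges(calls, 60001, 60001)
    out["drop_order"] = [c[0] for c in calls.calls]
    try:
        drop_privileges(RecordingSyscalls(), 0, 0)
        out["root_refused"] = False
    except PermissionError:
        out["root_refused"] = True
    return out
```

The order in drop_privileges matters: once setuid() has succeeded the process can no longer change groups, so a wrapper that calls setuid first leaves the CGI with root's supplementary groups.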

  9. GRACE
     • In adding support for Web Services to GridSite, we started to offer non-Java ways of building service-orientated grids
     • We're now at the point where this is being taken up
     • Clearly, this community has a big investment in languages other than Java
       • But many other scientists and admins do too
     • So again, want to start evangelising about this model
     • GRACE: GRidsite/Apache/CGI-scripts/Executables

  10. SECMON boxes
     • Had hoped to have SECMON box prototype ready for this meeting
       • Expect DVD images available in the next week or two
     • Aim is to provide a simple-to-install security monitoring box that just sits in the corner of your machine room
     • Sites don't need to install anything special on CE etc. being monitored
     • Remote administration / monitoring done by Tier-2/Tier-1 staff, but site retains root

  11. SECMON design
     • Want to keep things as simple as possible
     • Unix syslog already provides almost all of what we need
       • Always installed
       • Logs from services/daemons and kernel (port scans etc.)
       • Logging interfaces for scripts, C/C++ etc.
     • One line added to syslog.conf can direct the messages over the network to local SECMON box
     • So we need to provide remote config tools and remote access to log files

  12. secmon.conf
     • All configuration in one place
     • All local choices can be recovered from this file
       • May want to freeze SECMON hard drive to use as evidence for the Police, so this may be important
     • secmon.conf currently defines
       • firewall rules for syslogd, sshd and httpd
       • services to log (globus-gatekeeper etc.)
       • X.509 DNs of people with different privilege levels

  13. Implementation
     • secmond runs as root
       • monitors secmon.conf for changes
       • updates config files as a result
       • filters syslog messages into log files according to service name (sshd, httpd, globus-gatekeeper etc.)
     • Admin CGI (secmon-admin.cgi) runs as user apache
       • manages secmon.conf
     • RSS CGI (secmon-rss.cgi) runs as user apache
     • All remote access controlled by GridSite/GACL policies

  14. RSS Access
     • RSS is widely used to allow clients to pull categorised, chronological data (like news headlines) out of webservers, in a programmatic way
     • Well matched to transporting syslog-type alert messages
     • secmon-rss.cgi queried by service name, severity and/or date range
       • Only pull out the level of detail we need
       • Seeks / bisects / reads log file directly to find messages
     • Access control currently via X.509/GSI Proxy only
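Slides 11, 13 and 14 taken together, as an added example in Python rather than secmond or secmon-rss.cgi themselves: forwarded syslog lines (constructed here, carrying the <PRI> prefix that network syslog prepends, which is what lets severity survive the hop) are routed into per-service logs by program name, a query bisects on timestamp and then filters by severity, and the result is emitted as an RSS 2.0 channel. The host name, the DN and the year (BSD syslog timestamps carry none, so one has to be supplied) are assumptions; the syslog.conf line in the comment is the standard remote-forwarding syntax.

```python
"""secmond-style routing of forwarded syslog messages into per-service logs,
and an RSS feed built from them by service, severity and date range.
Constructed example with constructed log lines; not secmond or secmon-rss.cgi."""
import bisect
import re
from datetime import datetime
from xml.etree import ElementTree as ET

# Network syslog lines carry a <PRI> prefix: facility = PRI // 8, severity = PRI % 8.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Constructed input: what a monitored CE forwards once one syslog.conf line,
#   *.*  @secmon.example.org
# points everything at the SECMON box (host name and DN are placeholders).
FORWARDED = """\
<38>Jul  6 09:01:02 ce01 sshd[2211]: Accepted publickey for root from 10.0.0.5 port 40122 ssh2
<38>Jul  6 09:01:07 ce01 sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 51522 ssh2
<86>Jul  6 09:02:10 ce01 globus-gatekeeper[3001]: Authenticated globus user: /C=UK/O=eScience/CN=alice
<83>Jul  6 09:02:11 ce01 globus-gatekeeper[3002]: GSS authentication failure
<4>Jul  6 09:03:00 ce01 kernel: possible SYN flooding on port 2119. Sending cookies.
<134>Jul  6 09:04:30 ce01 httpd[4100]: GET /data/run1.dat 200
"""


def parse_line(line, year=2005):
    """Parse one forwarded line; None for anything that does not match.  The
    year is an assumption: classic syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    stamp = "%d %s" % (year, " ".join(m["ts"].split()))
    return {"ts": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
            "host": m["host"], "prog": m["prog"].strip(),
            "facility": pri // 8, "severity": pri % 8, "msg": m["msg"]}


def route(forwarded):
    """secmond: split the stream into per-service logs keyed on program name.
    Lines that do not parse are kept under 'unparsed' rather than dropped."""
    logs = {}
    for line in forwarded.splitlines():
        rec = parse_line(line)
        if rec is None:
            logs.setdefault("unparsed", []).append(line)
            continue
        logs.setdefault(rec["prog"], []).append(rec)
    return logs


def select(records, since=None, until=None, max_severity=7):
    """secmon-rss query: bisect on timestamp (a syslog file is in arrival
    order, so this is valid) and keep messages at or above a severity.
    Lower numbers are more severe: max_severity=3 means err and worse."""
    times = [r["ts"] for r in records]
    lo = bisect.bisect_left(times, since) if since else 0
    hi = bisect.bisect_right(times, until) if until else len(records)
    return [r for r in records[lo:hi] if r["severity"] <= max_severity]


def rss(service, records):
    """Render selected records as an RSS 2.0 channel (one item per message).
    Timestamps have no zone in syslog, so they are labelled +0000 here."""
    root = ET.Element("rss", version="2.0")
    channel = ET.SubElement(root, "channel")
    ET.SubElement(channel, "title").text = "secmon: %s" % service
    for r in records:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = "%s: %s" % (SEVERITY[r["severity"]], r["msg"])
        ET.SubElement(item, "pubDate").text = r["ts"].strftime("%a, %d %b %Y %H:%M:%S +0000")
        ET.SubElement(item, "category").text = r["host"]
    return ET.tostring(root, encoding="unicode")


def demo():
    """Route the constructed stream and run two queries; returns observations."""
    logs = route(FORWARDED)
    gk_err = select(logs["globus-gatekeeper"], max_severity=3)
    window = select(logs["sshd"], since=datetime(2005, 7, 6, 9, 1, 5),
                    until=datetime(2005, 7, 6, 9, 2, 0))
    return {"services": sorted(logs),
            "gk_err": [r["msg"] for r in gk_err],
            "sshd_window": [r["msg"] for r in window],
            "feed": rss("globus-gatekeeper", gk_err)}
```

Keeping the severity from the PRI field is the reason to capture on the wire rather than copy the CE's own log files: once syslogd has written a line to disk, the facility and severity are gone unless the format was changed to include them.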

  15. Summary
     • The current version of GridSite is part of the latest gLite release process
     • We're providing a system which is used by other middleware, not just websites
     • Non-Web Service tools from GridSite (htcp etc.) are starting to be used too
     • SECMON box prototype is almost ready
