Grid Security and GridSite
Shiv Kaushal, Andrew McNab
University of Manchester

What is the Grid?

The analogy most commonly used when describing computational Grids is that of an electricity grid. In an electricity grid there are multiple power stations on a “network” of power lines and consumers connect to it through a standard interface (i.e. a plug in a socket) to get electricity. The consumer does not know where the power was generated and neither do they need to - it just works. The principle of computational Grids is exactly the same except that the resource is not electricity but data storage or processing power, and the “power stations” are computer centres connected by the internet. These centres could be located in the same country or on opposite sides of the world and still appear as a single resource providing large amounts of storage space and processing power.

Grid Security

Access to the Grid is dependent on the use of digital certificates - a “single sign-on” which eliminates the need for multiple usernames and passwords to access resources from different sites. A Grid certificate (Figure 1) is an electronic file that uniquely identifies a user using security technologies well established in areas such as online shopping and banking. The uniqueness comes from a string of characters, a Distinguished Name (DN), containing information about the user’s institution, department and their Certificate Authority (the issuer of the certificate). Certificates can be thought of as “digital passports”; as well as being used as a digital ID, they can be digitally signed (similar to getting visa stamps) by organisations to prove that a user is a member of that organisation. A user can then present their certificate as proof that they should have access to the corresponding resources on the Grid.

Figure 3: Third-party file transfer allows direct copying between two locations for faster transport (panels: “Without Third-Party File Transfer” and “With Third-Party File Transfer”)

Access Control Lists

All of the site management features of GridSite, while powerful, are potentially destructive. It is important to ensure that only the correct people are able to read or make changes to the pages and files stored on the web server. Access control is based on ACLs (Access Control Lists), which can be written in either GACL (Grid Access Control Language) or the emerging XACML (eXtensible Access Control Markup Language) standard. Initially only GACL was supported, but XACML support was added in such a way that moving between the two options is simple. Interfaces were also added to the GridSite library to allow other programs to make use of the XACML handling functionality in GridSite. While this is not a full implementation of the XACML specification, enough is implemented to allow conversion between GACL and XACML formats, and it is the only open source implementation not written in Java. Sun Microsystems offer a full Java implementation, which was used to test the XACML output of the GridSite functions.

The equivalent ACLs shown in Figure 4, in GACL and in XACML (the XACML listing is abbreviated on the poster):

GACL:

    <?xml version="1.0"?>
    <gacl version="0.0.1">
      <entry>
        <person>
          <dn>/C=UK/CN=shiv</dn>
        </person>
        <allow><read/><list/></allow>
        <deny><exec/><write/></deny>
      </entry>
    </gacl>

XACML:

    <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy cs-xacml-schema-policy-01.xsd"
            PolicyId="GridSitePolicy"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
      <Target>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/path/to/dir</AttributeValue>
              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>
      <Rule RuleId="Entry1A" Effect="Permit">
        <Target>
          <Subjects>
            <Subject>
              …
              …
    </Policy>

User Services

The ability for a user to upload their own CGI programs (or services) to a GridSite server has many potential applications but also raises some security issues. The programs that users upload could potentially interfere with the files on the server and with each other. A model was produced to “sandbox” (i.e. isolate) these programs from each other as well as from the Apache software itself. This is achieved by mapping a Grid certificate DN to one of a pool of standard Unix accounts on the web server. There are two modes of operation, supported in order to cater for different types of services. In the first, the program is run by a Unix account associated with the DN of the client (the user accessing it). Any subsequent connections from the same client will be mapped to the same account (until the lease on the Unix account expires and the file system space is recycled). This allows a service to maintain any required information across multiple connections from the same client, and information pertaining to different clients cannot conflict. In the second, a Unix account is associated with all of the CGI programs stored in a particular directory and an associated DN. This means that for every connection made to it, the program is run under the same Unix account and is therefore itself responsible for maintaining separation between different clients. Since each such directory is mapped to a dedicated Unix account, the service still cannot interfere with any other service’s files.
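The pool-account sandbox described above, as a constructed Python model (added here; it is not GridSite’s own implementation). Two details the poster leaves open are taken as assumptions: a lease is renewed every time its key is used, and when the pool is exhausted a new key is refused rather than given an account that is still leased to someone else. The keys for the two modes are the connecting client’s DN (first mode) and the service directory together with its owner’s DN (second mode).

```python
import time

# Constructed model of the DN -> pool Unix account mapping; not GridSite code.
# Assumptions: leases are renewed on every use, and an exhausted pool refuses
# a new key rather than sharing a live account (isolation before availability).


class PoolMapper:
    def __init__(self, accounts, lease_seconds, clock=time.time):
        self.free = list(accounts)      # pool accounts not currently leased
        self.leases = {}                # key -> (account, lease expiry time)
        self.lease_seconds = lease_seconds
        self.clock = clock              # injectable so tests can drive time

    def _reap_expired(self):
        """Return expired accounts to the pool (their file space is recycled here)."""
        now = self.clock()
        for key, (account, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[key]
                self.free.append(account)

    def account_for(self, key):
        """Account for key, renewing its lease; None if no account is free."""
        self._reap_expired()
        if key in self.leases:
            account = self.leases[key][0]      # same key -> same account
        elif self.free:
            account = self.free.pop(0)         # fresh account for a new key
        else:
            return None                        # never hand out a live account
        self.leases[key] = (account, self.clock() + self.lease_seconds)
        return account


def account_for_client(mapper, client_dn):
    """First mode: one account per connecting client DN."""
    return mapper.account_for(("client", client_dn))


def account_for_service(mapper, service_dir, owner_dn):
    """Second mode: one account per service directory and owner DN, whoever connects."""
    return mapper.account_for(("service", service_dir, owner_dn))
```

With two pool accounts, the third distinct client is refused until one of the earlier leases lapses, at which point the recycled account is reused for it.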
Why should you care?

One of the first “real” uses of Grid technologies will be for the Large Hadron Collider (LHC) at CERN, due to go online in 2007. The LHC Computing Grid project estimates that the LHC will produce 15 Petabytes of data a year, roughly equivalent to 20 million CDs. Around 15 years of this data (plus backups) will need to be stored by the end of the project. The data will also need to be analysed for any new physics discoveries to be made. These requirements are a significant hurdle for the success of the LHC project. The Grid is an ideal solution to this problem. The distributed nature of the Grid means that no single site would need to house all of the equipment needed to meet the computing requirements, but the combined resources of sites across Europe (and beyond) would be accessible as a single resource. Physics is not the only discipline that can benefit from Grid technologies. There are many other areas that could benefit from the large amount of processing power that Grids can provide. These include data/processing intensive projects such as bio-medical protein folding simulations, astrophysics “virtual observatories” and Earth observation projects.

GridSite

GridSite is an extension that adds support for accepting Grid certificates to the Apache web server, originally developed as a management tool for the GridPP web site. This is a natural extension, given that Grid certificates can be loaded into standard web browsers. It enables users to perform a variety of tasks, using their Grid certificate to determine what level of access they should have. It can be used to define who has access to particular files or pages on a web site, but can also allow users to change the content of the pages, upload new files and create entirely new sections on the web site (Figure 2) while they are browsing the site.

GridSite has also moved beyond this functionality to provide more advanced features. These include a high speed file transfer protocol (GridHTTP), third-party file transfer (Figure 3), and allowing users to create and upload custom CGI programs to provide dynamic site content. GridSite also supports the creation of these CGI services in a variety of programming languages, as opposed to the usual Java-based approach commonly found in Grid projects. This is of great value to communities that want to create and use Grid technologies but have a large investment in other programming languages – as with particle physics and C/C++. Much of this functionality is provided by command line tools as well as in a C/C++ library for use in other Grid applications.

Figure 2: GridSite allows complete site management, using certificates for authentication

Firefox Extensions

Many of the features of GridSite are currently only accessible through command line programs written specifically for the task. In an attempt to make these more accessible, work is underway on an extension to the popular Firefox web browser. The extension aims to allow the use of these features from within the browser, taking advantage of the fact that certificates can be loaded into the browser. The first element to receive this treatment is the GridHTTP protocol (Figure 5), implemented by a simple right-click option. Future plans include support for features such as certificate expiry notification, support for loading certificates with extra group membership information, and a supporting interface to simplify the deployment of user-defined services as described above.

Figure 5: Firefox extensions can make GridSite functionality easily accessible

Figure 4: Editing GACL and XACML access control lists is greatly simplified by GridSite’s ACL editor

GACL and XACML are both XML-based languages and are, as a result, difficult to read, create and edit by hand (more so in the case of XACML).
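To make the GACL semantics concrete, here is a small evaluator in Python for the GACL document shown in Figure 4. It is an added example, not GridSite’s own code or its conversion library. It assumes that only `<person>`/`<dn>` and `<any-user/>` credential elements occur, that the permission elements are read, list, write, exec and admin, and that a `<deny>` in any matching entry overrides an `<allow>` in any other, which is the deny-overrides behaviour the XACML version of the same ACL selects through its RuleCombiningAlgId. It also implements the two guards a GridSite-style ACL editor needs: rejecting an ACL that is malformed or uses an unknown permission, and refusing an edit that would strip the editing administrator’s own admin right. The sample document is constructed from the Figure 4 GACL plus one extra `<any-user/>` entry.

```python
import xml.etree.ElementTree as ET

# Example GACL evaluator; not GridSite's own code. Permission names and the
# <any-user/> element are assumptions made for this example.
PERMISSIONS = ("read", "list", "write", "exec", "admin")

# Constructed sample: the GACL from Figure 4 plus an entry granting everyone read.
SAMPLE_GACL = """<?xml version="1.0"?>
<gacl version="0.0.1">
  <entry>
    <person><dn>/C=UK/CN=shiv</dn></person>
    <allow><read/><list/></allow>
    <deny><exec/><write/></deny>
  </entry>
  <entry>
    <any-user/>
    <allow><read/></allow>
  </entry>
</gacl>
"""


def parse_gacl(text):
    """Parse GACL text into a list of (dns, any_user, allowed, denied) entries.

    Raises ValueError for malformed XML, a non-<gacl> root or an unknown
    permission element: the 'invalid ACL' cases an editor must reject.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if root.tag != "gacl":
        raise ValueError(f"root element is <{root.tag}>, not <gacl>")
    entries = []
    for entry in root.findall("entry"):
        dns = {p.findtext("dn", "").strip() for p in entry.findall("person")}
        any_user = entry.find("any-user") is not None
        allowed = {c.tag for a in entry.findall("allow") for c in a}
        denied = {c.tag for d in entry.findall("deny") for c in d}
        unknown = (allowed | denied) - set(PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown permission(s): {sorted(unknown)}")
        entries.append((dns, any_user, frozenset(allowed), frozenset(denied)))
    return entries


def permissions_for(entries, dn):
    """Effective permissions for a DN: union of allows minus union of denies."""
    allowed, denied = set(), set()
    for dns, any_user, a, d in entries:
        if any_user or dn in dns:
            allowed |= a
            denied |= d
    return frozenset(allowed - denied)   # deny overrides allow (assumed semantics)


def is_permitted(text, dn, permission):
    return permission in permissions_for(parse_gacl(text), dn)


def validate_edit(new_text, editor_dn):
    """(ok, reason) for a proposed ACL: must parse, and must keep the editor's admin right."""
    try:
        entries = parse_gacl(new_text)
    except ValueError as exc:
        return False, str(exc)
    if "admin" not in permissions_for(entries, editor_dn):
        return False, f"{editor_dn} would lose admin access"
    return True, "ok"
```

For the sample, /C=UK/CN=shiv ends up with read and list only (the entry-level deny of write and exec wins), every other DN gets read, and validate_edit rejects the sample for shiv because no entry grants admin at all, which is exactly the self-lockout an editor should refuse to save.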
Figure 4 shows a comparison of equivalent ACLs in GACL and XACML, as well as the web-based ACL editor created to modify them. The editor allows designated administrators to edit and create ACLs on a GridSite server from a web browser without needing to look at any XML. This ensures that administrators cannot create invalid ACLs (i.e. with incorrect syntax) and also that they cannot accidentally deny themselves administrator access.

Figure 1: Grid certificates are “digital passports”, uniquely and securely identifying users

ACKNOWLEDGEMENTS

This work is being carried out with financial support from PPARC.

FURTHER INFORMATION

GridSite: http://www.gridsite.org
LHC Computing Grid: http://lcg.web.cern.ch/LCG
GridPP: http://www.gridpp.ac.uk
XACML Specification: http://www.oasis-open.org