GridSite status
Andrew McNab, University of Manchester
24 February 2005

Outline
• “Web” status
• “EGEE” features
• Delegation
• GACL / XACML
• Globus/non-Globus SSL
• VOMS AC support
• Next steps
Current “web” status
• GridSite 1.0.4 is the current production release for websites
  • On www.gridpp.ac.uk
  • Used by several GridPP/LCG sites (eg GOCDB)
  • Plus ~half-a-dozen other sites
• Includes
  • libgridsite: Grid ACL access control + HTTP / X.509 / GSI / VOMS utilities
  • gridsite-admin.cgi: user editing of pages, groups etc
  • mod_gridsite: support for GACL / GSI / VOMS in Apache 2.0
  • htcp command line tools (like scp but with GSI/https)
“EGEE” status
• Version 1.1.6 in the EGEE CVS has additional features, relevant to the EGEE/gLite environment
• Aim to support grid/web services on Apache/CGI
• Delegation library functions and standalone delegation service
• libgridsite and libgridsite_globus for binaries built with system OpenSSL or Globus OpenSSL
• Original GACL support still in place (XACML to be added)
• VOMS attributes read from proxy chain if present
Delegation
• Implements the JRA3-agreed delegation portType
• Core functions (GRSTx509MakeProxyRequest() etc) are in libgridsite, and can be used from C/C++
• Standalone gridsite-delegation.cgi also provided as an example
• Proxies are created in the proxycache directory following the JRA3-agreed hash-based names
  • So proxies can be shared between multiple CGIs/Java
  • findproxyfile command line utility provided for scripts
  • But need to agree file ownerships of cached proxies
GACL (... XACML)
• GACL API largely unchanged since EDG
  • gridsite-gacl.h supplied for strict compatibility
• GACL handles credentials, ACL rules and permissions as C “objects” (structs + access methods)
• ACLs are stored in XML, but loaded into structs for evaluation
• Functions are provided to build up ACLs and write them out
• gridsite-admin.cgi provides a GUI for editing ACLs
• Outside of the EGEE CVS, we have basic XACML support
  • Read/write XACML instead of GACL XML
GACL's XACML

GACL:
  <person><dn>/C=UK/CN=shiv</dn></person>

GACL-XACML:
  <Subject>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/C=UK/CN=shiv</AttributeValue>
      <SubjectAttributeDesignator AttributeId="person" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </SubjectMatch>
  </Subject>
Globus vs OpenSSL
• libgridsite uses several OpenSSL functions, especially for handling proxies and certificates
• Original intent was to avoid Globus dependencies
• However, some programs using GridSite need to be linked with Globus
  • Usually this involves linking with Globus's copy of OpenSSL rather than the system copy
• To resolve this, we now provide libgridsite and libgridsite_globus, built with the appropriate headers
• mod_gridsite and gridsite binaries still use the non-Globus version of OpenSSL
VOMS AC support
• One of the casualties of the Globus problems was VOMS AC support in GridSite
• This needs to work in mod_gridsite, inside Apache, but we don't want to relink Apache to use Globus's (out of date) OpenSSL
• But using the VOMS C API would involve a Globus dependency
• Finally resolved this by writing a parser for ASN.1 / X.509 attribute certs / VOMS ACs that only depends on OpenSSL
• This is now in the EGEE CVS (GridSite 1.1.6)
GridSite ASN.1 parsing
• ASN.1 complex objects in X.509 extensions take the form of a tree, containing variable length objects and lists
• Official OpenSSL way is to define callbacks for your special objects (eg VOMS ACs) and then pass ASN.1 data to OpenSSL
• We've used a simpler strategy
  • Due to the X.509 AC (and VOMS) standards, the structure of the tree is constant
  • So we assign a co-ordinate to each node, and search for those each time we parse an extension
GridSite ASN.1 parsing
• Co-ordinates are sibling numbers for each depth in the tree (-1, -1-1, -1-2, -2, -2-1, -2-2, -2-3 etc)
• In this example, if multiple FQANs are present then would need to go through ...-1, ...-2, ...-3 etc

  -1-1-1-1-7-1-2-1-2    324:d=8  hl=2 l=  33 cons: SEQUENCE
  -1-1-1-1-7-1-2-1-2-1  326:d=9  hl=2 l=  31 prim: OCTET STRING :/EGEE/Role=NULL/Capability=NULL
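The co-ordinate scheme of the two slides above, as an added example that is not GridSite's own code: a minimal DER walker that numbers every node by its sibling position at each depth, builds a lookup table, and then steps through ...-1, ...-2, ... to collect all FQANs. The DER blob is constructed inline (a nested SEQUENCE holding two OCTET STRINGs) and only mimics the shape of a VOMS AC fragment; real VOMS co-ordinates are far deeper, as the slide shows.

```python
"""Added example, not GridSite code: DER tree walk with GridSite-style co-ordinates."""
from typing import Dict, List, Optional, Tuple

OCTET_STRING, SEQUENCE = 0x04, 0x30


def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV (short or long-form length), used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bool, int, int]:
    """Return (tag, constructed?, content_start, content_end) for the TLV at pos."""
    tag, constructed = buf[pos], bool(buf[pos] & 0x20)   # bit 6 of the tag = constructed
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, constructed, pos, pos + length


def parse_coords(buf: bytes, start: int = 0, end: Optional[int] = None,
                 prefix: str = "") -> Dict[str, Tuple[int, bytes]]:
    """Map every node under buf[start:end] to its co-ordinate, e.g. "-1-1-2" -> (tag, contents)."""
    table: Dict[str, Tuple[int, bytes]] = {}
    end = len(buf) if end is None else end
    pos, sibling = start, 0
    while pos < end:
        tag, constructed, c_start, c_end = _read_tlv(buf, pos)
        if c_end > end:
            raise ValueError("truncated DER object at offset %d" % pos)
        sibling += 1
        coord = "%s-%d" % (prefix, sibling)
        table[coord] = (tag, buf[c_start:c_end])
        if constructed:                                  # recurse into SEQUENCE/SET children
            table.update(parse_coords(buf, c_start, c_end, coord))
        pos = c_end
    return table


def fqans_at(table: Dict[str, Tuple[int, bytes]], base: str) -> List[str]:
    """Walk base-1, base-2, ... until a co-ordinate is absent, keeping OCTET STRING values."""
    out, i = [], 1
    while "%s-%d" % (base, i) in table:
        tag, content = table["%s-%d" % (base, i)]
        if tag == OCTET_STRING:
            out.append(content.decode("ascii"))
        i += 1
    return out


# Constructed sample: SEQUENCE { SEQUENCE { OCTET STRING fqan1, OCTET STRING fqan2 } }
FQAN1, FQAN2 = b"/EGEE/Role=NULL/Capability=NULL", b"/EGEE/Role=lcgadmin/Capability=NULL"
SAMPLE = der(SEQUENCE, der(SEQUENCE, der(OCTET_STRING, FQAN1) + der(OCTET_STRING, FQAN2)))
```

With the sample above, `fqans_at(parse_coords(SAMPLE), "-1-1")` returns both FQANs, and a third co-ordinate `-1-1-3` is simply absent, which is the termination condition the slide describes.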
ASN.1/VOMS API
• Write VOMS FQANs from an X509 extension into string creds:

  int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen, char *creds,
                           time_t time1_time, time_t time2_time, X509_EXTENSION *ex,
                           char *ucuserdn, char *vomsdir)

• Also functions to parse ASN.1 and make the co-ordinates lookup table; to search for particular objects by co-ordinate; and utility functions for ASN.1 times etc
• For CGI web services running on Apache/mod_gridsite the API is just an env variable with times and FQAN
Next steps
• Documentation for web use of GridSite is reasonably good
• Need to match this with much better API documentation and example config files for web services, delegation, VOMS usage etc
• Need to clarify the API: what should be internal and what exposed to users of the library
• Other things already on the roadmap (suexec, OCSP support, XACML in EGEE version...)