150 likes | 290 Views
GridPP Security Middleware. Andrew McNab, University of Manchester mcnab@hep.man.ac.uk. Overview:. Concentrate on GridPP-produced middleware. Pool Accounts SlashGrid VO Servers GridSite 0.3 GACL Delegation over HTTPS GridSite 0.9 What’s missing?. Pool Accounts.
E N D
GridPP Security Middleware Andrew McNab, University of Manchester mcnab@hep.man.ac.uk
Overview: Concentrate on GridPP-produced middleware • Pool Accounts • SlashGrid • VO Servers • GridSite 0.3 • GACL • Delegation over HTTPS • GridSite 0.9 • What’s missing?
Pool Accounts • One of first questions/problems we had with “Testbed 0” in 2000 was account creation/management • grid-mapfile has to be populated with lists of certificate names • 1 cert mapped to 1 static account; or N certs mapped to 1 account • Pool Accounts patch add 3rd alternative to Globus grid-mapfile handling: • Each cert mapped to one of a pool of accounts. • Pool accounts leased at request time. • This has considerably simplified site administration • now used by almost all EDG Testbed sites. • Included in EDG Globus and now VDT Globus distributions.
SlashGrid • With pool accounts, files are owned by a specific UID • But UID’s have no long term meaning in Grid context. • SlashGrid allows you to make filesystems where files are controlled/owned by Grid identities not UID. • Grid ACL’s used, with cert names, VO groups etc. • certfs filesystem provides robust, fast, local or NFS-shared disk access, with access controlled by Grid ACL. • System also allows you to build other filesystems: • curlfs demonstrates authenticated access to remote HTTP(S) servers: “ls -l /grid/https/www.gridpp.ac.uk/authz/gridsite/”
Standard Unix User process User process ordinary directory /grid/... SlashGrid open() read() write() stat() open() stat() read() write() /var/spool/slashgrid/grid /dev/cfs0 kernel a real (ext2) disk
VO Servers • Pool accounts make it easier to manage local accounts. • VO Server is other half: makes management of grid-mapfile easier. • EDG VO servers use LDAP to publish lists of certificate subject names, per VO or per subgroup of VO. • mkgridmap used to pull lists from VO servers and make grid-mapfile • Original implementations and API from INFN. • To provide management via web, same API used to publish groups managed via GridSite • Used for GridPP Testbed and BaBar VOs.
GridSite • GridSite grew out of www.gridpp.ac.uk management • Added HTTPS authenticated browsing • First for page editing and file upload. • Then management of per-directory ACLs. • Then management of groups (=> VO server) • Currently at 0.3 on GridPP and ETF/Level 2 Grid sites • Up to this point, GridSite is basically a monolithic, website management system, intended for use by humans, maintaining files to be be read by humans.
GACL • GridSite and SlashGrid both needed Grid Access Control Lists • Straight forward XML ACL format adopted for this: • <gacl><entry> <person><dn>/O=Grid/CN=Andrew</dn></person> <allow><read/></allow> </entry></gacl> • Can also reference VO groups and subgroups, and other/future credentials (VOMS, CAS etc) • libgacl provide C/C++ API for manipulating ACLs • being used by new SE, as well as SlashGrid and GridSite now.
GACL vs VOMS (vs CAS) • VOMS is EDG’s replacement for LDAP VO servers • issues signed attribute certificates which user includes in GSI proxy extensions • VO must define VO-level policy of what users are allowed what attributes (eg “Monte Carlo generation admin”) • servers parse these extensions and apply them “somehow” • GACL allows sites to define local policy • how VO credentials map on to local resources: disk files, queues etc. • This is in constrast to Globus CAS model, where the VO’s CAS server provides all the policy centrally. • (But we aim to understand CAS credentials in GACL too)
Delegation • Delegation is one of the major things the Grid adds to the Web • essential for the kinds of multicomponent Testbeds (UI->RB->CE->SE) we are running / will need • However, delegation isn’t present in standard HTTPS • eg for GridPP BaBarGrid job submission demo, had to upload GSI proxies to website manually • G-HTTP(S) proposal adds methods/headers to HTTP to allow delegation • webservers can prove user’s identity to 3rd parties: submit jobs, get AFS tokens, do restricted queries, get files and cache them, do 3rd party transfers.
G-HTTP(S) implementation • grst-proxy.cgi has example G-HTTP(S) implementation • GET-PROXY-REQ and PUT-PROXY-CERT for delegation • Delegation-ID header allows you to make use of delegated credentials in other, normal web requests • grst-proxy-put command line tool (~ grid-proxy-init) • COPY between remote HTTPS host and webserver using delegated proxy • with any client that lets you specify methods and headers • real work for the above done by functions in libgridsite, built directly on OpenSSL: C/C++ API to appear. • With this in place HTTPS has the key functionality of GridFTP • multistream HTTP/HTTPS implicitly defined by RFC2616
GridSite 0.3/fileGridSite => GridSite 0.9 • GridSite 0.3 manages access to websites • Users and admins load GSI cert + key into unmodified web browsers • We produced a standalone demonstration of an HTTPS fileserver using GridSite components: fileGridSite • In both, ACLs control read and write access to files and directories • Write access either by HTML forms (interactive) or HTTP PUT / DELETE (programmatic) • GridSite 0.9 merges interactive GridSite 0.3 functionality with programmatic functionality of fileGridSite. • Basic access control, page formatting and PUT/DELETE now done by Apache module: mod_gridsite. • Standalone grst-admin.cgi and grst-proxy.cgi provide site admin and G-HTTP(S) (delegation and 3rd party transfer) support. • Can host websites, fileserving and Grid/Web Services on same server.
GridSite 0.9 architecture grst-admin.cgi: page editing, file upload, ACL editing etc. grst-proxy.cgi: G-HTTPS, 3rd party COPY, proxy GET + PUT mod_gridsite: .html headers and footers .shtml, mod_perl CGI, PHP mod_jk: JSP with Tomcat mod_gridsite: PUT, DELETE, MOVE mod_gridsite: GACL access control + GACL > env vars HTTP mod_ssl: plain HTTPS > env vars mod_ssl-GSI: HTTPS with GSI+VOMS+CAS> env vars
What’s missing in security • Authentication pretty much done (CA’s + delegation) • Authorization mapped out (VOMS/CAS + GACL etc) • However, almost nothing has been implemented for Accounting. • Two parts of this: • Accounting of resources used, to enable some kind of real or nominal charging: can be largely retrospective. • Enforcement of quotas, resource limits etc to prevent individuals / jobs running wild: involves the same kind of low level enforcement as authorization. • Many open questions. For example: • “Do we need to do “accounting” on Grid-wide / VO-wide basis?” • or can we do it on bilateral user-site basis?
Summary • GridPP-produced security middleware now a key part of EDG Testbed, BaBarGrid and being taken up elsewhere. • Pool accounts system widely used. • SlashGrid provides Grid-aware filesystems. • GACL acls and library provide a general way of specifying fine-grained, local policy. • G-HTTP(S) provides delegation extensions to HTTPS: example implementation exists. • GridSite currently in production for website management • but GridSite 0.9 has many more possible uses due to modular design • can host websites, fileservers and Web/Grid Services • But still major areas (eg accounting) left to be resolved.