
GridPP Security Middleware


Presentation Transcript


  1. GridPP Security Middleware Andrew McNab, University of Manchester mcnab@hep.man.ac.uk

  2. Overview: Concentrate on GridPP-produced middleware • Pool Accounts • SlashGrid • VO Servers • GridSite 0.3 • GACL • Delegation over HTTPS • GridSite 0.9 • What’s missing?

  3. Pool Accounts • One of the first questions/problems we had with “Testbed 0” in 2000 was account creation/management • grid-mapfile has to be populated with lists of certificate names • 1 cert mapped to 1 static account; or N certs mapped to 1 account • Pool Accounts patch adds a 3rd alternative to Globus grid-mapfile handling: • Each cert mapped to one of a pool of accounts. • Pool accounts leased at request time. • This has considerably simplified site administration • now used by almost all EDG Testbed sites. • Included in EDG Globus and now VDT Globus distributions.
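The leasing step on slide 3, as an added example that is not the GridPP patch itself. It assumes the grid-mapfile syntax `"<DN>" account` for static mappings and `"<DN>" .poolname` (leading dot) for pool mappings, and models the lease store as a directory holding one empty file per pool account, where a lease is a hard link to that file named after the URL-encoded DN; the atomicity of `link()` is what makes concurrent leasing safe. The sample grid-mapfile and DNs are constructed.

```python
import os
import re
import tempfile
import urllib.parse

# "<DN>" <account>   or   "<DN>" .<pool>   (leading dot marks a pool; assumed syntax)
MAPFILE_LINE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_gridmapfile(text):
    """Return a list of (dn, target) pairs; a target beginning with '.' names a pool."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MAPFILE_LINE.match(line)
        if not m:
            raise ValueError("malformed grid-mapfile line: %r" % raw)
        entries.append((m.group(1), m.group(2)))
    return entries


def lease_name(dn):
    """Lease file name for a DN: URL-encoded so '/' and '=' are safe in a filename."""
    return urllib.parse.quote(dn, safe="").lower()


def lease_pool_account(gridmapdir, pool, dn):
    """Return the pool account held by dn, leasing a free one if needed.

    Each account is an empty file; a lease is a hard link to it named after
    the DN, so 'leased' == link count 2, and the kernel makes link() atomic.
    """
    lease = os.path.join(gridmapdir, lease_name(dn))
    if os.path.exists(lease):
        # existing lease: the account file shares the inode with the lease link
        ino = os.stat(lease).st_ino
        for name in os.listdir(gridmapdir):
            if name.startswith(pool) and os.stat(os.path.join(gridmapdir, name)).st_ino == ino:
                return name
        raise RuntimeError("dangling lease for %s" % dn)
    for name in sorted(os.listdir(gridmapdir)):
        account = os.path.join(gridmapdir, name)
        if not name.startswith(pool) or os.stat(account).st_nlink != 1:
            continue  # not in this pool, or already leased to someone
        try:
            os.link(account, lease)
        except FileExistsError:  # another process leased for this same DN first
            return lease_pool_account(gridmapdir, pool, dn)
        if os.stat(account).st_nlink == 2:
            return name
        os.unlink(lease)  # raced with a different DN on the same account; back off
    raise RuntimeError("pool %r exhausted" % pool)


def map_dn(gridmapfile_text, gridmapdir, dn):
    """Resolve a certificate DN to a local account the way a patched gatekeeper would."""
    for entry_dn, target in parse_gridmapfile(gridmapfile_text):
        if entry_dn == dn:
            if target.startswith("."):
                return lease_pool_account(gridmapdir, target[1:], dn)
            return target
    raise PermissionError("no grid-mapfile entry for %s" % dn)


def demo():
    """Constructed scenario: one static mapping and a two-account pool."""
    gridmapdir = tempfile.mkdtemp()
    for i in (1, 2):
        open(os.path.join(gridmapdir, "pool%03d" % i), "w").close()
    mapfile = '''# constructed sample grid-mapfile
"/O=Grid/CN=Andrew" mcnab
"/O=Grid/CN=Alice" .pool
"/O=Grid/CN=Bob" .pool
"/O=Grid/CN=Carol" .pool
'''
    results = {}
    results["andrew"] = map_dn(mapfile, gridmapdir, "/O=Grid/CN=Andrew")
    results["alice"] = map_dn(mapfile, gridmapdir, "/O=Grid/CN=Alice")
    results["alice_again"] = map_dn(mapfile, gridmapdir, "/O=Grid/CN=Alice")  # same lease
    results["bob"] = map_dn(mapfile, gridmapdir, "/O=Grid/CN=Bob")
    try:
        map_dn(mapfile, gridmapdir, "/O=Grid/CN=Carol")
        results["carol"] = "leased"
    except RuntimeError:
        results["carol"] = "exhausted"
    return results


if __name__ == "__main__":
    print(demo())
```

A practical consequence of the link-count design: freeing an account means removing the DN link, and anything the account still owns on disk is then orphaned, which is exactly the problem SlashGrid on the next slide addresses.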

  4. SlashGrid • With pool accounts, files are owned by a specific UID • But UIDs have no long term meaning in Grid context. • SlashGrid allows you to make filesystems where files are controlled/owned by Grid identities not UID. • Grid ACLs used, with cert names, VO groups etc. • certfs filesystem provides robust, fast, local or NFS-shared disk access, with access controlled by Grid ACL. • System also allows you to build other filesystems: • curlfs demonstrates authenticated access to remote HTTP(S) servers: “ls -l /grid/https/www.gridpp.ac.uk/authz/gridsite/”

  5. (Diagram: SlashGrid architecture. A standard Unix user process makes open()/read()/write()/stat() calls on an ordinary directory; under SlashGrid the same calls on /grid/... are served via /var/spool/slashgrid/grid and the /dev/cfs0 kernel device, backed by a real (ext2) disk.)

  6. VO Servers • Pool accounts make it easier to manage local accounts. • VO Server is other half: makes management of grid-mapfile easier. • EDG VO servers use LDAP to publish lists of certificate subject names, per VO or per subgroup of VO. • mkgridmap used to pull lists from VO servers and make grid-mapfile • Original implementations and API from INFN. • To provide management via web, same API used to publish groups managed via GridSite • Used for GridPP Testbed and BaBar VOs.

  7. GridSite • GridSite grew out of www.gridpp.ac.uk management • Added HTTPS authenticated browsing • First for page editing and file upload. • Then management of per-directory ACLs. • Then management of groups (=> VO server) • Currently at 0.3 on GridPP and ETF/Level 2 Grid sites • Up to this point, GridSite is basically a monolithic, website management system, intended for use by humans, maintaining files to be read by humans.

  8. GACL • GridSite and SlashGrid both needed Grid Access Control Lists • Straight forward XML ACL format adopted for this: • <gacl><entry> <person><dn>/O=Grid/CN=Andrew</dn></person> <allow><read/></allow> </entry></gacl> • Can also reference VO groups and subgroups, and other/future credentials (VOMS, CAS etc) • libgacl provide C/C++ API for manipulating ACLs • being used by new SE, as well as SlashGrid and GridSite now.

  9. GACL vs VOMS (vs CAS) • VOMS is EDG’s replacement for LDAP VO servers • issues signed attribute certificates which user includes in GSI proxy extensions • VO must define VO-level policy of what users are allowed what attributes (eg “Monte Carlo generation admin”) • servers parse these extensions and apply them “somehow” • GACL allows sites to define local policy • how VO credentials map on to local resources: disk files, queues etc. • This is in contrast to Globus CAS model, where the VO’s CAS server provides all the policy centrally. • (But we aim to understand CAS credentials in GACL too)
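Evaluating a GACL document against a requester, as an added example covering slides 8 and 9 (not libgacl). It takes the XML shape shown on slide 8 and assumes a `<group><name>` credential for VO groups (the group names are what an LDAP VO server or a VOMS attribute would supply), an `<any-user/>` credential, and `<deny>` blocks where deny overrides allow; those extensions and the precedence rule are assumptions for the example. The sample ACL and DNs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one person entry as on slide 8, plus assumed group/any-user/deny forms
SAMPLE_GACL = """<gacl>
  <entry>
    <person><dn>/O=Grid/CN=Andrew</dn></person>
    <allow><read/><write/><admin/></allow>
  </entry>
  <entry>
    <group><name>/babar/mc</name></group>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <person><dn>/O=Grid/CN=Mallory</dn></person>
    <deny><read/></deny>
  </entry>
  <entry>
    <any-user/>
    <allow><list/></allow>
  </entry>
</gacl>"""

CREDENTIAL_TAGS = ("person", "group", "any-user")


def entry_matches(entry, dn, groups):
    """An entry applies if any credential element in it matches the requester."""
    for cred in entry:
        if cred.tag == "any-user":
            return True
        if cred.tag == "person" and cred.findtext("dn") == dn:
            return True
        if cred.tag == "group" and cred.findtext("name") in groups:
            return True
        if cred.tag not in CREDENTIAL_TAGS + ("allow", "deny"):
            raise ValueError("unknown GACL element <%s>" % cred.tag)
    return False


def perms_in(block):
    """Permission names listed inside an <allow> or <deny> block (empty if absent)."""
    return {child.tag for child in block} if block is not None else set()


def evaluate(gacl_xml, dn, groups=()):
    """Return the set of permissions the requester ends up with.

    Local policy lives here: the site decides how a DN or VO group maps on
    to this directory, independent of what the VO's own policy says.
    """
    root = ET.fromstring(gacl_xml)
    if root.tag != "gacl":
        raise ValueError("not a GACL document")
    groups = set(groups)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        if not entry_matches(entry, dn, groups):
            continue
        allowed |= perms_in(entry.find("allow"))
        denied |= perms_in(entry.find("deny"))
    return allowed - denied  # assumed rule: any matching deny wins


def can(gacl_xml, dn, perm, groups=()):
    """Convenience check used by a server before serving a file or accepting a PUT."""
    return perm in evaluate(gacl_xml, dn, groups)


if __name__ == "__main__":
    print(sorted(evaluate(SAMPLE_GACL, "/O=Grid/CN=Eve", ["/babar/mc"])))
```

The VOMS/CAS contrast on slide 9 shows up in where `groups` comes from: with an LDAP VO server or VOMS the VO asserts membership and this code applies the site's policy to it, whereas in the CAS model the server would receive the permissions themselves and have no local table like this to consult.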

  10. Delegation • Delegation is one of the major things the Grid adds to the Web • essential for the kinds of multicomponent Testbeds (UI->RB->CE->SE) we are running / will need • However, delegation isn’t present in standard HTTPS • eg for GridPP BaBarGrid job submission demo, had to upload GSI proxies to website manually • G-HTTP(S) proposal adds methods/headers to HTTP to allow delegation • webservers can prove user’s identity to 3rd parties: submit jobs, get AFS tokens, do restricted queries, get files and cache them, do 3rd party transfers.

  11. G-HTTP(S) implementation • grst-proxy.cgi has example G-HTTP(S) implementation • GET-PROXY-REQ and PUT-PROXY-CERT for delegation • Delegation-ID header allows you to make use of delegated credentials in other, normal web requests • grst-proxy-put command line tool (~ grid-proxy-init) • COPY between remote HTTPS host and webserver using delegated proxy • with any client that lets you specify methods and headers • real work for the above done by functions in libgridsite, built directly on OpenSSL: C/C++ API to appear. • With this in place HTTPS has the key functionality of GridFTP • multistream HTTP/HTTPS implicitly defined by RFC 2616
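The two-method delegation exchange on slides 10 and 11, as an added model that is not grst-proxy.cgi. The method names GET-PROXY-REQ, PUT-PROXY-CERT and the Delegation-ID header are from the slides; everything else is assumed for the example: certificates are dicts and the server's key pair is a random token (there is no RSA in the standard library), and the checks applied to the uploaded proxy (issuer equals the authenticated user, subject equals issuer plus `/CN=proxy`, key matches the one the server generated, lifetime within the user certificate's) are the legacy GSI proxy rules, which the page does not itself spell out. DNs and URLs are constructed.

```python
import hashlib
import secrets
import time

PROXY_SUFFIX = "/CN=proxy"  # assumed legacy GSI naming: proxy subject = issuer + /CN=proxy


def pubkey_of(private_key):
    """Stand-in for the public half of a key pair (a hash of the secret token)."""
    return hashlib.sha256(private_key.encode()).hexdigest()


def validate_proxy(proxy, user_dn, user_not_after, expected_pubkey, now=None):
    """Checks a server makes before trusting an uploaded proxy (assumed rules)."""
    now = time.time() if now is None else now
    if proxy["issuer"] != user_dn:
        raise PermissionError("proxy not issued by the authenticated user")
    if proxy["subject"] != user_dn + PROXY_SUFFIX:
        raise PermissionError("proxy subject does not extend the issuer DN")
    if proxy["pubkey"] != expected_pubkey:
        raise PermissionError("proxy certifies a key this server did not generate")
    if not now < proxy["not_after"] <= user_not_after:
        raise PermissionError("proxy lifetime invalid or exceeds the user certificate")


class DelegationServer:
    def __init__(self):
        self.pending = {}  # Delegation-ID -> (client dn, private key awaiting its proxy)
        self.proxies = {}  # Delegation-ID -> (client dn, proxy cert, private key)

    def get_proxy_req(self, client_dn):
        """GET-PROXY-REQ: make a key pair; return an ID and a request for the client to sign."""
        delegation_id = secrets.token_hex(8)
        key = secrets.token_hex(16)  # the private key never leaves the server
        self.pending[delegation_id] = (client_dn, key)
        return delegation_id, {"subject": client_dn + PROXY_SUFFIX, "pubkey": pubkey_of(key)}

    def put_proxy_cert(self, delegation_id, client_dn, user_not_after, proxy):
        """PUT-PROXY-CERT: keep the signed proxy only if it is bound to our pending request."""
        if delegation_id not in self.pending or self.pending[delegation_id][0] != client_dn:
            raise PermissionError("Delegation-ID unknown or owned by another client")
        _, key = self.pending.pop(delegation_id)
        validate_proxy(proxy, client_dn, user_not_after, pubkey_of(key))
        self.proxies[delegation_id] = (client_dn, proxy, key)

    def handle(self, method, headers, client_dn):
        """An ordinary request (e.g. COPY) that selects delegated credentials via Delegation-ID."""
        delegation_id = headers.get("Delegation-ID")
        if delegation_id is None:
            return (method, "server-identity")  # no delegation: the server acts as itself
        owner, proxy, _ = self.proxies.get(delegation_id, (None, None, None))
        if owner != client_dn:
            raise PermissionError("Delegation-ID not usable by this client")
        if time.time() >= proxy["not_after"]:
            raise PermissionError("delegated proxy has expired")
        return (method, proxy["subject"])  # the outbound connection would present this proxy


def client_sign_proxy(user_dn, user_not_after, request, lifetime):
    """Client side (cf. grst-proxy-put): certify the server's key with the user's credential."""
    return {"subject": request["subject"], "issuer": user_dn, "pubkey": request["pubkey"],
            "not_after": min(time.time() + lifetime, user_not_after)}


def demo():
    """Constructed run: a good delegation, a stolen ID, and a proxy for the wrong key."""
    user_dn = "/O=Grid/CN=Andrew"
    user_not_after = time.time() + 365 * 86400
    server = DelegationServer()
    did, req = server.get_proxy_req(user_dn)
    server.put_proxy_cert(did, user_dn, user_not_after,
                          client_sign_proxy(user_dn, user_not_after, req, 12 * 3600))
    results = {"copy_as": server.handle(
        "COPY", {"Delegation-ID": did, "Destination": "https://se.example/f"}, user_dn)[1]}
    try:
        server.handle("COPY", {"Delegation-ID": did}, "/O=Grid/CN=Mallory")
        results["stolen_id"] = "accepted"
    except PermissionError:
        results["stolen_id"] = "rejected"
    try:
        did2, req2 = server.get_proxy_req(user_dn)
        bad = client_sign_proxy(user_dn, user_not_after, dict(req2, pubkey="0" * 64), 3600)
        server.put_proxy_cert(did2, user_dn, user_not_after, bad)
        results["wrong_key"] = "accepted"
    except PermissionError:
        results["wrong_key"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes: the server, not the client, generates the key, so the client only ever uploads a certificate, never a private key, and the Delegation-ID ties each later request to a credential the same authenticated user created.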

  12. GridSite 0.3/fileGridSite => GridSite 0.9 • GridSite 0.3 manages access to websites • Users and admins load GSI cert + key into unmodified web browsers • We produced a standalone demonstration of an HTTPS fileserver using GridSite components: fileGridSite • In both, ACLs control read and write access to files and directories • Write access either by HTML forms (interactive) or HTTP PUT / DELETE (programmatic) • GridSite 0.9 merges interactive GridSite 0.3 functionality with programmatic functionality of fileGridSite. • Basic access control, page formatting and PUT/DELETE now done by Apache module: mod_gridsite. • Standalone grst-admin.cgi and grst-proxy.cgi provide site admin and G-HTTP(S) (delegation and 3rd party transfer) support. • Can host websites, fileserving and Grid/Web Services on same server.

  13. GridSite 0.9 architecture (diagram, top to bottom): • grst-admin.cgi: page editing, file upload, ACL editing etc. • grst-proxy.cgi: G-HTTPS, 3rd party COPY, proxy GET + PUT • mod_gridsite: .html headers and footers; .shtml, mod_perl CGI, PHP; mod_jk: JSP with Tomcat • mod_gridsite: PUT, DELETE, MOVE • mod_gridsite: GACL access control + GACL > env vars • mod_ssl: plain HTTPS > env vars; mod_ssl-GSI: HTTPS with GSI+VOMS+CAS > env vars; HTTP

  14. What’s missing in security • Authentication pretty much done (CAs + delegation) • Authorization mapped out (VOMS/CAS + GACL etc) • However, almost nothing has been implemented for Accounting. • Two parts of this: • Accounting of resources used, to enable some kind of real or nominal charging: can be largely retrospective. • Enforcement of quotas, resource limits etc to prevent individuals / jobs running wild: involves the same kind of low level enforcement as authorization. • Many open questions. For example: • Do we need to do “accounting” on a Grid-wide / VO-wide basis? • or can we do it on a bilateral user-site basis?

  15. Summary • GridPP-produced security middleware now a key part of EDG Testbed, BaBarGrid and being taken up elsewhere. • Pool accounts system widely used. • SlashGrid provides Grid-aware filesystems. • GACL ACLs and library provide a general way of specifying fine-grained, local policy. • G-HTTP(S) provides delegation extensions to HTTPS: example implementation exists. • GridSite currently in production for website management • but GridSite 0.9 has many more possible uses due to modular design • can host websites, fileservers and Web/Grid Services • But still major areas (eg accounting) left to be resolved.
