Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Middleware in GridPP2 5 Feb 2004 Security Middleware in GridPP2 Current Status – GridSite GridPP2 Themes – libgridsite.

Published byRudolph Griffin Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Middleware in GridPP2 5 Feb 2004 Security Middleware in GridPP2 Current Status – GridSite GridPP2 Themes – libgridsite."— Presentation transcript:

1 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 Security Middleware in GridPP2 Current Status – GridSite GridPP2 Themes – libgridsite toolkit – Lightweight VOs – “Grid Home Directory” – SlashGrid Dissemination and Interoperation – eSecurity Centre, “gridsite.org”, XACML/SAML

2 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 Current Status GridSite 1.0.0 released on 14 December – In production on www.gridpp.ac.uk Includes – libgridsite: Grid ACL access control + HTTP / X.509 / GSI / VOMS utilities – gridsite-admin.cgi: user editing of pages, groups etc – mod_gridsite: support for GACL / GSI / VOMS in Apache 2.0 – (No longer need patched mod_ssl to support GSI) “Toolkit” approach works with other tools (eg PHP)

3 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 New fileserver features One of the aims of the GridSite 1.0.0 modular architecture is better fileserver functionality With mod_gridsite installed, can now – Do HTTP(S) GET/PUT/DELETE and directory listings without a CGI binary – So no context switch from server to CGI – Full support for GACL access control built in htcp command line tool vs globus-url-copy, scp etc – htcp uses HTTP(S) servers and GSI [VOMS etc] – multistream HTTP being added to htcp client

4 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 Current Users Various web/VO sites: – ManHEP, MCC, grid-support.ac.uk, GOC, Grid Ireland – VOs: BaBar plus MICE, CALICE, DESY (experimental) – BaBarGrid experimenting with GridSite and gsub Three pieces of EDG middleware can use the GACL component (not all deployed) – LCAS: GACL control of gatekeeper access – WP1 Logging and Bookkeeping – Storage Element NorduGrid GridFTP server now supports GACL

5 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 GridPP2 Themes GridPP2 bidding process resulted in – 2.5 Middleware posts – 0.5 VO operations – 1.0 LCG co-ordination The Middleware/VO Ops area has 4 main themes – libgridsite toolkit (from GACL C to XACML C, C++, Java,...?) – Lightweight VOs – “Grid Home Directory” – SlashGrid

6 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 libgridsite toolkit Core functions of GridSite pulled out into a library Currently only C and C-to-C++ API – Will provide Java and OO C++ API Part of the rationale for the original libgacl was to insulate us from Policy Language developments XACML from WS community is likely to become endorsed by GGF etc – We aim to provide a smooth transition (no change?) for users of the API More functionality to be added: parallel HTTP etc.

7 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 Lightweight VOs GridSite supports lightweight VO management – eg the groups published from www.gridpp.ac.uk This implements the GACL concept of a “DN List” – A list of certifcate names, identified by an HTTPS, voms-httpd or LDAP URL. “Lightweight” = they're stored as plain text files – Easy to edit, populate from scripts etc – Not meant to compete with VOMS/VOX etc databases – (But we do have a gateway to produce VOMS certs) Aim to support small VOs, individuals, HEP groups etc

8 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 “Grid Home Directory” This is more a concept than a specific technology BaBarGrid requirements suggests people will want access to filespace they own during running jobs Various ways of doing this: – GridFTP server – AFS + gsiklog – htcp or browser + GridSite server But getting things to interoperate is largely a security problem Provide glue code + recipes for tying these together

9 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 SlashGrid Have now got funding to move this beyond prototype and demonstration stage! Aim to provide a way of making “things” available via the filesystem – Remote files, via standard HTTP(S), GridFTP etc – Dynamic filesystem areas (Logical to physical names; sandboxes; on-demand environments) Do this through a daemon to kernel connector – Loopback NFS for portability/kernel independence Also want to interoperate with NFSv4 + GSI

10 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 Dissemination GridSite and Security Middleware are readily applicable to other projects – All projects need a website – All projects need security (write access control if nothing else) We're talking to other projects which are interested in using GridPP security middleware – In particular, the existing PPARC/MRC distributed cancer analysis project at Dundee/Manchester. Other possibilities in the pipeline...

11 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 eSecurity Centre Joint project between – Manchester HEP – Manchester Computer Science – e-Science North West – Salford Computer Science – (Roughly equal to UK GGF Authorization involvement) Aim to promote communication and use of standards based security tools in UK e-Science, LCG/EGEE, JISC-funded academia, NHS etc. – Eg aim to add support for Salford's PERMIS to GridSite, alongside existing VOMS support

12 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 “gridsite.org” Shorthand for making GridSite an Open Source project, with external involvement We noticed that most of the users installed the software without first asking for help/support We're trying to encourage this: – Source and binary distributions – User, Admin, Install guides, man pages etc – Publically available CVS + Bugtrack (thanks to EDG and now LCG Savannah) – Public announcement and discussion mailing lists – Pointers to free/cheap/lightweight X.509 CAs

13 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 Interoperation Already mentioned PERMIS in parallel with VOMS – Attribute certificate format of these now converging Other protocols are also around – SAML for asking external servers questions like “can the user do this?” – XACML as a policy language like GACL We want to support these for the usual reasons – Avoid duplication of effort by using external tools – Want other systems to use our stuff – Sites don't want to run multiple incompatible services

14 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 Authorization Architecture Policy Enforcement Point (libgridsite) Policy Decision Point (PERMIS, LCAS + libgridsite + GACL or XACML) User Attribute Authority (VOMS, CAS, PERMIS, GridSite VO) Resource Internal PDP Request => <= Results VOMS etc GSI [+ VOMS etc] SAML HTTPS, voms-httpd, VO LDAP

15 Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004 Summary GridPP1 security middleware in (increasing) use Funding now available to expand this – (subject to final agreement of deliverables) Aim to provide reusable components...... and documented off-the-shelf implementations Most of the GridPP2 deliverables provide missing pieces of the authorization machinery Also looking outside GridPP for additional funding to apply HEP security tools to Medical use, general academic infrastructure etc.

Download ppt "Security Middleware in GridPP2 5 Feb 2004 Security Middleware in GridPP2 Current Status – GridSite GridPP2 Themes – libgridsite."

Similar presentations

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.
Security middleware Andrew McNab University of Manchester.

Security middleware Andrew McNab University of Manchester.
DataGrid is a project funded by the European Union CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,

DataGrid is a project funded by the European Union CHEP 2003 – March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
Andrew McNab - Manchester HEP - 17 September 2002 Putting Existing Farms on the Testbed Manchester DZero/Atlas and BaBar farms are available via the Testbed.

Andrew McNab - Manchester HEP - 17 September 2002 Putting Existing Farms on the Testbed Manchester DZero/Atlas and BaBar farms are available via the Testbed.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 24 May 2001 WorkGroup H: Software Support Both middleware and application support Installation tools and expertise Communication.

Andrew McNab - Manchester HEP - 24 May 2001 WorkGroup H: Software Support Both middleware and application support Installation tools and expertise Communication.
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.

Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Plateforme de Calcul pour les Sciences du Vivant SRB & gLite V. Breton.

Plateforme de Calcul pour les Sciences du Vivant SRB & gLite V. Breton.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.

The GridSite Security Framework Andrew McNab University of Manchester.
Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer.

Make Secure Information Sharing (SIS) Easy and an Reality C. Edward Chow, PI Osama Khaleel Bill Kretschmer C. Edward Chow, PI Osama Khaleel Bill Kretschmer.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 6 November 2001 www.gridpp.ac.uk Old version of website was maintained from Unix command line => needed (gsi)ssh access.

Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.
30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK

30-Jan-03D.P.Kelsey, GridPP Security1 Security GridPP6 30 Jan 2003 Coseners House David Kelsey CLRC/RAL, UK
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.

10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.

Similar presentations

Ads by Google