Security Middleware
Andrew McNab, University of Manchester

Outline (14 September 2004)
● "Summer" work
● Delegation
● SOAP in GridSite
● www.gridpp.ac.uk
● Publicity!
● EGEE collaboration
● Security toolkit
● Web services
● Setuid

Current Status
● GridSite 1.0.0 is the current production release
  – on www.gridpp.ac.uk
  – plus about half a dozen other sites
● Includes:
  – libgridsite: Grid ACL (GACL) access control, plus HTTP / X.509 / GSI / VOMS utilities
  – gridsite-admin.cgi: user editing of pages, groups etc.
  – mod_gridsite: support for GACL / GSI / VOMS in Apache 2.0
  – htcp command line tools (like scp, but over GSI/HTTPS)

Delegation
● It was relatively straightforward for us to add GSI proxy support to HTTPS servers, but delegation (the client handing the service a short-lived proxy credential so that it can act on the client's behalf) is still missing
● During EDG we produced a delegation-over-HTTPS extension to GridSite
  – (protocol implemented for Java Security by WP2)
● However, EGEE JRA3 has agreed to support delegation via a web services Delegation PortType
  – We produced a prototype for the non-Java world
  – Our WSDL has been adopted as the EGEE "standard"

SOAP in GridSite
● Delegation is currently a standalone CGI "service"
● If services want to have their own instance of the delegation portType, they need to accept those messages and use our library functions
● It would be easier if delegation were implemented "higher up" the chain
● With this in mind, we're experimenting with adding some SOAP handling within the mod_gridsite module inside Apache
● May also offer SOAP XML to CGI "name=value" mapping: easier to write very simple web services

GridPP Website
● Effort for this is still part of the security middleware activity
● Some changes to the layout from Sarah and QMUL had to be integrated
● This involved conjuring up various bits of HTML "black magic" to get it working across browsers
● And changes to the dynamic content scripts (news, member list etc.) to deal with the new layout
● The resulting "GridPP 2" website won a Gold Award at AHM
● We've also got a new news weblog engine in C, and this is being integrated into the GridPP system

Publicity!
● GridSite is about security (a hot topic since the events of September 2001 and the emergence of viruses/worms that now make headlines)
● GridSite is probably the most understandable part of our Grid work if all you're familiar with is a web server
● We're getting more external attention, partly for the above reasons
● e.g. an article in the DTI edition of Public Service Review will be reprinted in the Home Office edition of PSR
● Some of this (e.g. Physics World) is also due to the events of 3rd June 2004...

EGEE: Security Toolkit
● We provided the GACL/GridSite library to EDG
● This has been inherited by LCG/EGEE
● We've agreed to continue supporting it for C/C++, and to add scripting language modules (Perl/Python/???)
● All "reusable" functions are being done as library functions:
  – Delegation operations
  – Security credential parsing/creation (GSI, VOMS, ...)
  – Low-level HTTP/HTTPS
  – Parsing of GACL and XACML access policy languages
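The GACL access control mentioned under Current Status (libgridsite, mod_gridsite) and again here as a toolkit library function is an XML ACL format: each <entry> names one or more credentials (any-user, auth-user, a person's DN, a VOMS FQAN, a DNS host pattern) and an <allow> and/or <deny> block of permissions. The following is an added example, not libgridsite's own code or API: a small Python re-implementation of the GACL evaluation model (an entry applies only when every credential in it matches the client; the result is the union of matching <allow> permissions minus the union of matching <deny> permissions, so deny wins). The policy, DNs and VOMS group in it are constructed for illustration.

```python
"""Added example: a minimal evaluator for GACL (Grid Access Control Language)
policies, the XML ACL format used by libgridsite and mod_gridsite.

Illustrative Python, not libgridsite's code or API.  An <entry> applies to a
client when every credential element in it matches; the client's permissions
are the union of the <allow> blocks of matching entries minus the union of
their <deny> blocks (deny wins).  Unknown credential types never match, so a
typo in a policy fails closed rather than granting access.
"""
import fnmatch
import xml.etree.ElementTree as ET

# GACL permission names, in increasing order of power.
PERMS = ("read", "exec", "list", "write", "admin")


def credential_matches(cred, client):
    """Return True if one GACL credential element matches the client.

    `client` describes the authenticated request: optional keys "dn"
    (certificate subject, absent for anonymous), "fqans" (list of VOMS
    attributes) and "hostname" (reverse-resolved client host).
    """
    tag = cred.tag
    if tag == "any-user":
        return True
    if tag == "auth-user":                  # any client that presented a certificate
        return client.get("dn") is not None
    if tag == "person":
        return client.get("dn") == (cred.findtext("dn") or "").strip()
    if tag == "voms":
        return (cred.findtext("fqan") or "").strip() in client.get("fqans", ())
    if tag == "dns":
        host = client.get("hostname")
        return host is not None and fnmatch.fnmatch(host, (cred.text or "").strip())
    return False                            # unknown credential type: fail closed


def evaluate_gacl(gacl_xml, client):
    """Return the set of permissions the policy grants to `client`."""
    root = ET.fromstring(gacl_xml)
    if root.tag != "gacl":
        raise ValueError("not a GACL document")
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        # An entry with no credentials grants nothing; all listed credentials must match.
        if not creds or not all(credential_matches(c, client) for c in creds):
            continue
        for block in entry.findall("allow"):
            allowed.update(p.tag for p in block if p.tag in PERMS)
        for block in entry.findall("deny"):
            denied.update(p.tag for p in block if p.tag in PERMS)
    return allowed - denied


# Constructed sample policy with hypothetical DNs and VOMS group (not a real site's .gacl).
EDITOR_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=example editor"
BANNED_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=example banned"
PRODUCTION_FQAN = "/gridpp/Role=production"

SAMPLE_GACL = f"""<gacl version="0.0.1">
  <entry><any-user/><allow><read/></allow></entry>
  <entry><auth-user/><allow><read/><list/></allow></entry>
  <entry><person><dn>{EDITOR_DN}</dn></person><allow><write/><admin/></allow></entry>
  <entry><voms><fqan>{PRODUCTION_FQAN}</fqan></voms><allow><write/></allow></entry>
  <entry><person><dn>{BANNED_DN}</dn></person><deny><write/><admin/></deny></entry>
</gacl>"""


if __name__ == "__main__":
    for label, client in [
        ("anonymous", {}),
        ("editor", {"dn": EDITOR_DN}),
        ("VO production member", {"dn": "/C=UK/O=eScience/CN=someone", "fqans": [PRODUCTION_FQAN]}),
        ("banned production member", {"dn": BANNED_DN, "fqans": [PRODUCTION_FQAN]}),
    ]:
        print(f"{label:26s} -> {sorted(evaluate_gacl(SAMPLE_GACL, client))}")
```

The last sample client shows why deny must be applied after the union: the banned person still holds the production FQAN, so the VOMS entry grants write, but the per-person deny removes it again, leaving only read and list.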

EGEE: Web Services
● Already mentioned the delegation portType
● The Grid security context needed for Java web services is being done by EGEE JRA3
● We've undertaken hosting of web services in other languages, which rely directly on Apache (either as CGI, or via mod_perl, mod_python etc.)
● Will provide Grid security credential parsing in a language-neutral way
● This is especially important in HEP due to our large investment in code and people familiar with C/C++/scripts rather than Java

EGEE: Setuid
● Both Apache and Java web services need a way of "becoming" a local Unix UID
● Currently, this is done by the Globus gatekeeper
● Apache already has a suEXEC mechanism which almost does this
● We've undertaken to add grid-mapfile/LCMAPS support to this, in a way that can be reused for Java web services too
● This will allow services to be run either as the pool account of the client, or as the service owner
● By using Unix UIDs to do this, semi-trusted binaries can be run in a controlled way
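The grid-mapfile step that a suEXEC-style wrapper would need is the mapping from the client's certificate DN to a local account, including the pool-account convention where an account name beginning with "." names a pool of numbered accounts and a DN keeps the pool account it is first given. The following is an added example in Python, not Globus, LCMAPS or GridSite code: it parses a constructed grid-mapfile, resolves DNs (first matching line wins), leases pool accounts sticky per DN with an in-memory table standing in for the gridmapdir of hard links, and refuses unmapped DNs rather than falling back to the web server's own UID. The DNs and pool names are hypothetical.

```python
"""Added example: resolve a client certificate DN to a local Unix account the
way a grid-mapfile driven gatekeeper or suEXEC wrapper would.

Illustrative Python, not Globus, LCMAPS or GridSite code.  The grid-mapfile
syntax (quoted DN, then a comma-separated account list, "#" comments) and the
".pool" convention are the real ones; the lease bookkeeping is an in-memory
stand-in for the gridmapdir directory that LCMAPS/gridmapdir uses.
"""
import shlex


class MappingError(Exception):
    """Raised when a DN cannot be mapped; the caller must refuse service."""


def parse_gridmapfile(text):
    """Parse grid-mapfile text into an ordered list of (dn, [accounts])."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)           # handles the quoted, space-containing DN
        if len(parts) != 2:
            raise MappingError(f"grid-mapfile line {lineno}: expected quoted DN then accounts")
        dn, accounts = parts
        entries.append((dn, accounts.split(",")))
    return entries


class PoolAccounts:
    """In-memory lease table standing in for a gridmapdir."""

    def __init__(self, pools):
        # pools: {"gridpp": ["gridpp001", "gridpp002", ...]}
        self.free = {name: list(accounts) for name, accounts in pools.items()}
        self.leases = {}                    # (pool, dn) -> account

    def lease(self, pool, dn):
        key = (pool, dn)
        if key in self.leases:              # the same DN always gets the same account back
            return self.leases[key]
        if not self.free.get(pool):
            raise MappingError(f"pool {pool!r} is exhausted")
        account = self.free[pool].pop(0)
        self.leases[key] = account
        return account


def map_dn(entries, pools, dn):
    """Return the Unix account for `dn`; the first matching line wins."""
    for entry_dn, accounts in entries:
        if entry_dn == dn:
            first = accounts[0]             # first listed account is the default mapping
            if first.startswith("."):
                return pools.lease(first[1:], dn)
            return first
    # No entry: fail closed.  Never fall back to the web server's own UID.
    raise MappingError(f"no grid-mapfile entry for {dn}")


# Constructed sample grid-mapfile with hypothetical DNs (not a real site's file).
SAMPLE_GRIDMAPFILE = """\
# constructed example grid-mapfile
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=example admin" gridadm
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=example user one" .gridpp
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=example user two" .gridpp,gridpp-extra
"""
SAMPLE_POOLS = {"gridpp": ["gridpp001", "gridpp002"]}

ADMIN_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=example admin"
USER1_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=example user one"
USER2_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=example user two"


if __name__ == "__main__":
    entries = parse_gridmapfile(SAMPLE_GRIDMAPFILE)
    pools = PoolAccounts(SAMPLE_POOLS)
    for dn in (ADMIN_DN, USER1_DN, USER1_DN, USER2_DN):
        print(dn, "->", map_dn(entries, pools, dn))
    try:
        map_dn(entries, pools, "/C=UK/O=eScience/CN=stranger")
    except MappingError as err:
        print("refused:", err)
```

Running the mapping twice for the same DN returns the same pool account, which is what lets files written under a pool account stay attributable to one client; an exhausted pool or an unknown DN raises, so a wrapper built on this would refuse to exec rather than run the request as the server's UID.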

Summary
● Various pieces of work going on since the tail end of GridPP1/EDG
● Some of immediate application (website)
● Some of medium-term need (EGEE delegation)
● Some longer term (SOAP in GridSite)
● We've achieved a certain amount of positive publicity for GridPP
● We've agreed areas of collaboration with EGEE, based on the above foundation