Security Middleware Andrew McNab University of Manchester

14 September 2004 Security Middleware

Outline
● “Summer” work
● Delegation
● SOAP in GridSite
● GridPP Website
● Publicity!
● EGEE collaboration
  – Security toolkit
  – Web services
  – Setuid

Current Status
● GridSite is the current production release
  – On … plus ~half-a-dozen other sites
● Includes:
  – libgridsite: Grid ACL access control + HTTP / X.509 / GSI / VOMS utilities
  – gridsite-admin.cgi: user editing of pages, groups etc
  – mod_gridsite: support for GACL / GSI / VOMS in Apache 2.0
  – htcp command line tools (like scp but with GSI/https)

Delegation
● It was relatively straightforward for us to add GSI proxy support to HTTPS servers
  – but delegation is still missing
● During EDG we produced a delegation-over-HTTPS extension to GridSite
  – (protocol implemented for Java Security by WP2)
● However, EGEE JRA3 has agreed to support delegation via a web services Delegation PortType
  – We produced a prototype, for the non-Java world
  – Our WSDL has been adopted as the EGEE “standard”

SOAP in GridSite
● Delegation is currently a standalone CGI “service”
● If services want to have their own instance of the delegation portType, they need to accept those messages and use our library functions
● Would be easier if delegation was implemented “higher up” the chain
● With this in mind, we're experimenting with adding some SOAP handling within the mod_gridsite module inside Apache
● May also offer SOAP XML to CGI “name=value” mapping: easier to write very simple Web Services
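The SOAP-to-CGI “name=value” mapping idea on this slide, as an added example (not GridSite code; written for this page). The operation name `greet`, the namespace http://example.org/hello and the request envelope are constructed. A request whose body is one operation element with flat child parameters becomes a CGI QUERY_STRING; the script's “name=value” output lines are wrapped back into a SOAP response. Two checks matter for security and are where a naive mapping goes wrong: the operation name is matched against an allow-list before it selects anything, and output names are validated as XML names before being written into the reply.

```python
"""Flat SOAP <-> CGI "name=value" mapping (added example, not GridSite code)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
HELLO_NS = "http://example.org/hello"   # constructed service namespace
XML_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")
ET.register_namespace("soap", SOAP_ENV)

# Constructed request envelope (not captured from a real service).
SAMPLE_REQUEST = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_ENV}" xmlns:h="{HELLO_NS}">
  <soap:Body>
    <h:greet>
      <h:name>Andrew &amp; co</h:name>
      <h:lang>en</h:lang>
    </h:greet>
  </soap:Body>
</soap:Envelope>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def soap_to_cgi(envelope, allowed_ops):
    """Return (operation, QUERY_STRING) for a flat SOAP request."""
    body = ET.fromstring(envelope).find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("expected exactly one operation element in soap:Body")
    op = body[0]
    op_name = _local(op.tag)
    if op_name not in allowed_ops:            # allow-list before any dispatch
        raise PermissionError(f"operation {op_name!r} is not exposed")
    params = []
    for child in op:
        if len(child):
            raise ValueError(f"parameter {_local(child.tag)!r} is nested; flat mapping only")
        params.append((_local(child.tag), (child.text or "").strip()))
    return op_name, urlencode(params)        # urlencode escapes '&', '=', spaces


def cgi_to_soap(op_name, ns, cgi_output):
    """Wrap "name=value" lines from a CGI script into a SOAP response."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    resp = ET.SubElement(body, f"{{{ns}}}{op_name}Response")
    for line in cgi_output.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition("=")
        if not sep or not XML_NAME.match(name):   # never emit an unchecked tag name
            raise ValueError(f"bad output line {line!r}")
        ET.SubElement(resp, f"{{{ns}}}{name}").text = value  # ET escapes the value
    return ET.tostring(env, encoding="unicode")


def greet_cgi(query_string):
    """Stand-in for a trivial CGI script that reads QUERY_STRING and prints name=value."""
    args = dict(parse_qsl(query_string))
    return f"greeting=Hello, {args.get('name', 'stranger')} ({args.get('lang', 'en')})\n"


ALLOWED_OPS = {"greet": greet_cgi}   # operation name -> script


def handle(envelope):
    """Full round trip: SOAP request -> CGI call -> SOAP response."""
    op_name, qs = soap_to_cgi(envelope, ALLOWED_OPS)
    return cgi_to_soap(op_name, HELLO_NS, ALLOWED_OPS[op_name](qs))


def response_values(envelope_out):
    """Parse a response envelope back into {name: value}."""
    body = ET.fromstring(envelope_out).find(f"{{{SOAP_ENV}}}Body")
    return {_local(e.tag): e.text for e in body[0]}


if __name__ == "__main__":
    print(handle(SAMPLE_REQUEST))
```

Only flat parameter lists survive this mapping; a nested element is rejected rather than silently flattened, which keeps the CGI script's view of its input unambiguous.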

GridPP Website
● Effort for this is still part of the security middleware activity
● Some changes to the layout from Sarah and QMUL had to be integrated
● This involved conjuring up various bits of HTML “black magic” to get it working across browsers
● And changes to the dynamic content scripts (news, member list etc) to deal with the new layout
● Resulting “GridPP 2” website won Gold Award at AHM
● We've also got a new news weblog engine in C, and this is being integrated into the GridPP system

Publicity!
● GridSite is about Security (a hot topic since the events of September 2001 and the emergence of viruses/worms that now make headlines)
● GridSite is probably the most understandable part of our Grid work if all you're familiar with is a web server
● We're getting more external attention partly due to the above reasons
  – eg article in DTI edition of Public Service Review will be reprinted in Home Office edition of PSR
● Some of this (eg Physics World) also due to the events of 3rd June

EGEE: Security Toolkit
● We provided the GACL/GridSite library to EDG
● This has been inherited by LCG/EGEE
● We've agreed to continue supporting it for C/C++, and to add scripting language modules (Perl/Python/???)
● All “reusable” functions are being done as library functions:
  – Delegation operations
  – Security credential parsing/creation (GSI, VOMS...)
  – Low level HTTP/HTTPS
  – Parsing of GACL and XACML access policy languages
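The GACL access-control evaluation that libgridsite provides (named on both the Current Status slide and this toolkit slide), as an added example written for this page rather than GridSite's own code. The policy, DNs, VOMS FQANs and dn-list URL are constructed. The rule implemented is the one GridSite documents for GACL: an entry applies when the requester matches every credential in it, allows from all applicable entries are unioned, and a deny from any applicable entry removes that permission, so deny overrides allow. VOMS FQAN matching is simplified here to an exact string comparison (an assumption; GridSite has richer matching), and dn-list documents are looked up in an inline dictionary instead of being fetched over HTTPS.

```python
"""Minimal GACL evaluator (added example, not libgridsite code)."""
import xml.etree.ElementTree as ET

PERMS = ("read", "list", "write", "admin")

# Constructed sample .gacl policy (not a real site's file).
SAMPLE_GACL = """<?xml version="1.0"?>
<gacl version="0.0.1">
  <entry><any-user/><allow><read/><list/></allow></entry>
  <entry>
    <voms><fqan>/myvo/Role=production</fqan></voms>
    <allow><write/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/O=Example/OU=HEP/CN=site admin</dn></person>
    <allow><admin/></allow>
  </entry>
  <entry>
    <dn-list><url>https://example.org/banned.dnlist</url></dn-list>
    <deny><read/><list/><write/></deny>
  </entry>
</gacl>
"""

# GridSite fetches dn-list documents over HTTP(S); resolved from a constructed
# dictionary here so the example runs offline.
DN_LISTS = {
    "https://example.org/banned.dnlist": {"/C=UK/O=Example/OU=HEP/CN=banned"},
}


def requester(dn=None, fqans=()):
    """Credentials the client presented: DN (None if anonymous) and VOMS FQANs."""
    return {"dn": dn, "fqans": set(fqans)}


def _cred_matches(cred, who, dn_lists):
    """Does one credential element of an <entry> match the requester?"""
    tag = cred.tag
    if tag == "any-user":
        return True
    if tag == "auth-user":
        return who["dn"] is not None
    if tag == "person":
        return who["dn"] is not None and who["dn"] == (cred.findtext("dn") or "").strip()
    if tag == "voms":
        return (cred.findtext("fqan") or "").strip() in who["fqans"]   # exact match (simplified)
    if tag == "dn-list":
        url = (cred.findtext("url") or "").strip()
        return who["dn"] is not None and who["dn"] in dn_lists.get(url, set())
    return False  # unknown credential type never matches: fail closed


def permissions(policy_xml, who, dn_lists=DN_LISTS):
    """Return the set of permissions `who` holds under the policy."""
    root = ET.fromstring(policy_xml)
    if root.tag != "gacl":
        raise ValueError("not a GACL document")
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        # An entry with no credential matches nobody; all credentials must match.
        if not creds or not all(_cred_matches(c, who, dn_lists) for c in creds):
            continue
        for block in entry.findall("allow"):
            allowed.update(p.tag for p in block if p.tag in PERMS)
        for block in entry.findall("deny"):
            denied.update(p.tag for p in block if p.tag in PERMS)
    return allowed - denied   # deny overrides allow


if __name__ == "__main__":
    cases = [
        ("anonymous", requester()),
        ("production", requester("/C=UK/O=Example/OU=HEP/CN=alice", ["/myvo/Role=production"])),
        ("admin", requester("/C=UK/O=Example/OU=HEP/CN=site admin")),
        ("banned", requester("/C=UK/O=Example/OU=HEP/CN=banned")),
    ]
    for label, who in cases:
        print(label, sorted(permissions(SAMPLE_GACL, who)))
```

The banned DN is the instructive case: the `<any-user/>` entry still grants it read and list, but the dn-list deny strips them again, which is why a deny anywhere in the file is the right place to put a revocation.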

EGEE: Web Services
● Already mentioned delegation portType.
● Grid security context needed for Java WSs being done by EGEE JRA3
● We've undertaken hosting of WS in other languages, which rely directly on Apache (either as CGI, or via mod_perl, mod_python etc)
● Will provide Grid security credential parsing in language neutral way
● This is especially important in HEP due to our large investment in code and people familiar with C/C++/Scripts rather than Java.

EGEE: Setuid
● Both Apache and Java WS need a way of “becoming” a local Unix UID
● Currently, this is done by Globus gatekeeper
● Apache already has a suEXEC mechanism which almost does this
● We've undertaken to add grid-mapfile/LCMAPS support to this, in a way that can be reused for Java WS too
● This will allow services to be run either as the pool account of the client; or as the service owner.
● By using Unix UIDs to do this, can run semi-trusted binaries in a controlled way.
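The grid-mapfile lookup and pool-account allocation that a grid-aware suEXEC has to do before it switches UID, as an added example written for this page (not GridSite, LCMAPS or suEXEC code). The DNs, the pool name `myvo` and the grid-mapfile lines are constructed; the leading-dot convention for pools and the gridmapdir scheme (one empty file per pool account, a lease being a hard link to it named after the URL-encoded DN) are the EDG/LCG conventions, assumed here rather than taken from the slide. The example stops at the mapping; the actual setuid()/setgid() remains the suexec helper's job.

```python
"""grid-mapfile + gridmapdir pool leasing (added example, not GridSite/LCMAPS code)."""
import os
import re
import tempfile
import urllib.parse

# Constructed grid-mapfile: a leading "." marks a pool rather than a fixed account.
SAMPLE_GRIDMAP = '''# DN                                        account
"/C=UK/O=Example/OU=HEP/CN=site admin"      gridadmin
"/C=UK/O=Example/OU=HEP/CN=alice"           .myvo
"/C=UK/O=Example/OU=HEP/CN=bob"             .myvo
"/C=UK/O=Example/OU=HEP/CN=carol"           .myvo
'''
LINE_RE = re.compile(r'^"([^"]+)"\s+(\S+)$')


def parse_gridmap(text):
    """Map quoted DN -> account (first of a comma-separated list)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping[m.group(1)] = m.group(2).split(",")[0]
    return mapping


def make_gridmapdir(path, pool, size):
    """Create the empty per-account files myvo001.. that leases link to."""
    for i in range(1, size + 1):
        open(os.path.join(path, f"{pool}{i:03d}"), "w").close()


def _encode_dn(dn):
    return urllib.parse.quote(dn, safe="").lower()


def lease_pool_account(gridmapdir, pool, dn):
    """Return the pool account leased to dn, allocating one if needed."""
    pool_re = re.compile(rf"^{re.escape(pool)}\d+$")
    lease = os.path.join(gridmapdir, _encode_dn(dn))
    if os.path.exists(lease):
        # Existing lease: the pool file sharing its inode is the account.
        ino = os.stat(lease).st_ino
        for name in os.listdir(gridmapdir):
            if pool_re.match(name) and os.stat(os.path.join(gridmapdir, name)).st_ino == ino:
                return name
        raise RuntimeError("lease points at no pool account")
    for name in sorted(os.listdir(gridmapdir)):
        path = os.path.join(gridmapdir, name)
        if not pool_re.match(name) or os.stat(path).st_nlink != 1:
            continue  # not in this pool, or already leased to someone
        try:
            os.link(path, lease)        # atomic: fails if this DN was leased meanwhile
        except FileExistsError:
            return lease_pool_account(gridmapdir, pool, dn)
        if os.stat(path).st_nlink != 2:  # two DNs linked the same account at once
            os.unlink(lease)
            continue
        return name
    raise RuntimeError(f"pool {pool!r} exhausted")


def map_user(gridmap, gridmapdir, dn):
    """Account a request with this DN should run as, or an exception if none."""
    account = gridmap.get(dn)
    if account is None:
        raise PermissionError(f"{dn} is not in the grid-mapfile")
    if account.startswith("."):
        return lease_pool_account(gridmapdir, account[1:], dn)
    return account


def run_demo():
    """Exercise the mapping in a throwaway gridmapdir with a two-account pool."""
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    base = "/C=UK/O=Example/OU=HEP/CN="
    out = {}
    with tempfile.TemporaryDirectory() as d:
        make_gridmapdir(d, "myvo", 2)
        out["admin"] = map_user(gridmap, d, base + "site admin")
        out["alice"] = map_user(gridmap, d, base + "alice")
        out["alice_again"] = map_user(gridmap, d, base + "alice")  # same lease
        out["bob"] = map_user(gridmap, d, base + "bob")
        for who in ("carol", "mallory"):   # pool exhausted / not in mapfile
            try:
                out[who] = map_user(gridmap, d, base + who)
            except (RuntimeError, PermissionError) as e:
                out[who] = type(e).__name__
    return out


if __name__ == "__main__":
    print(run_demo())
```

The link count is what makes this safe to run from many Apache children at once: a pool file with `st_nlink == 1` is free, the `os.link()` either succeeds or fails atomically, and the `st_nlink == 2` check after linking catches two DNs that grabbed the same account in the same instant.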

Summary
● Various pieces of work going on since tail end of GridPP1/EDG
  – Some of immediate application (website)
  – Some of medium term need (EGEE delegation)
  – Some longer term (SOAP in GridSite)
● We've achieved a certain amount of positive publicity for GridPP.
● We've agreed areas of collaboration with EGEE, based on the above foundation.