The GridSite Security Framework Andrew McNab University of Manchester.


Slide 1: The GridSite Security Framework
Andrew McNab, University of Manchester

Slide 2: Outline (22 Sept 2005, GridSite - www.GridSite.org)
● GridSite components
● mod_gridsite & Apache
● Some features in detail
● GridHTTP
● Web service support
● gsexec and GRACE

Slide 3: Components
● libgridsite C/C++ toolkit provides utility functions
  – based on OpenSSL, libxml2, gSOAP
  – parse GSI Proxies and VOMS X.509 attribute certs
  – evaluate GACL and XACML access policies
  – generate new GSI Proxies
● mod_gridsite adds support for GSI Proxies, VOMS attributes, DN List groups, GACL/XACML policies and Onetime Passcodes to Apache
● htcp, htls, htdelegate, ... provide command line tools
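To make the "evaluate GACL ... access policies" bullet concrete, here is an added example of a small GACL evaluator. It is not libgridsite code and not from the slides; it implements a subset of the GACL XML format (person/dn, voms/fqan, any-user and auth-user credentials with allow and deny blocks) and, as an assumption, applies the rule "all credentials in an entry must match, and denies are subtracted from allows". The policy and DNs are constructed sample data.

```python
"""Minimal GACL policy evaluator (constructed example, not libgridsite).

Subset handled: <person><dn>, <voms><fqan>, <any-user/>, <auth-user/> as
credentials, with <allow> and <deny> blocks holding read/list/write/admin.
Assumed rule: every credential in an entry must match the caller; the
permissions of all matching entries are unioned, then denies are removed.
"""
import xml.etree.ElementTree as ET

PERMS = ("read", "list", "write", "admin")


def _matches(cred, dn, fqans):
    """True if one credential element of a GACL entry matches the caller."""
    tag = cred.tag
    if tag == "any-user":
        return True
    if tag == "auth-user":                      # any caller with a verified DN
        return dn is not None
    if tag == "person":
        return dn is not None and cred.findtext("dn") == dn
    if tag == "voms":                           # VOMS attribute cert FQAN
        return cred.findtext("fqan") in fqans
    return False  # dn-list (URL-backed groups) is not implemented here


def evaluate(gacl_xml, dn=None, fqans=()):
    """Return the set of permissions the caller holds under the policy."""
    root = ET.fromstring(gacl_xml)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        # All credential elements in one entry must match (AND semantics)
        if not creds or not all(_matches(c, dn, fqans) for c in creds):
            continue
        for block, target in (("allow", allowed), ("deny", denied)):
            for b in entry.findall(block):
                target.update(p.tag for p in b if p.tag in PERMS)
    return allowed - denied


# Constructed sample policy: anonymous read/list, a VOMS role may write,
# one named admin, and one named DN explicitly denied even the anonymous rights.
SAMPLE_POLICY = """<gacl version="0.0.1">
  <entry><any-user/><allow><read/><list/></allow></entry>
  <entry><voms><fqan>/atlas/Role=production</fqan></voms>
         <allow><write/></allow></entry>
  <entry><person><dn>/C=UK/O=eScience/CN=carol</dn></person>
         <allow><admin/></allow></entry>
  <entry><person><dn>/C=UK/O=eScience/CN=mallory</dn></person>
         <deny><read/><list/></deny></entry>
</gacl>"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY))
    print(evaluate(SAMPLE_POLICY, dn="/C=UK/O=eScience/CN=carol"))
    print(evaluate(SAMPLE_POLICY, dn="/C=UK/O=eScience/CN=mallory"))
```

The deny entry is the part worth checking in any real deployment: a policy that only ever adds permissions cannot express "everyone except this DN", so an evaluator that ignores deny blocks silently widens access.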

Slide 4: Module architecture (diagram; the components it shows)
● Apache/GridSite, serving HTTP
● mod_ssl: plain HTTPS > env vars
● mod_gridsite: GSI / VOMS OpenSSL callback wrappers
● mod_gridsite: GACL access control + GACL > env vars
● mod_gridsite: PUT, MOVE and DELETE
● mod_gridsite: .html headers and footers
● .shtml, mod_perl CGI, PHP CGI, Web Services (gsexec)
● grst-admin.cgi: page editing, file upload, GACL editing etc.

Slide 5: GridHTTP
● Profile for using HTTP(S) for bulk data transfers
  – eg for 2 GB files across WAN
● HTTPS “control” channel used for authentication
  – X.509, GSI, VOMS credentials and GACL policies
  – Redirects to HTTP, with a one-time passcode cookie
● HTTP GET or PUT request made with passcode
● Similar to unencrypted GridFTP data channel
● But with Apache performance benefits: sendfile() etc
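The GridHTTP exchange above, as an added example that is not from the slides or from mod_gridsite: an HTTPS control channel that authorises the client against a policy and hands out a one-time passcode via a redirect, and a plain-HTTP data channel that accepts that passcode exactly once, only for the path and method it was issued for, and only before it expires. The policy table, DNs, host name and cookie name are constructed placeholders, and the client DN is assumed to arrive already verified by the TLS layer.

```python
"""Simplified GridHTTP control/data channel exchange (constructed example).

Control channel (HTTPS): checks the caller's DN against a per-path policy,
mints a random passcode, stores only its hash with method/path/expiry, and
returns a redirect to the same path over http: with the passcode in a cookie.
Data channel (HTTP): looks the hash up, consumes it on first use, and rejects
replay, expiry, and method/path mismatch.
"""
import hashlib
import secrets
import time

# Constructed policy: path -> {DN -> permissions}. GET needs read, PUT needs write.
POLICY = {
    "/data/run42.tar": {"/C=UK/O=eScience/CN=alice": {"read"}},
}
DATA_HOST = "http://data.example.invalid"       # placeholder data-channel host
COOKIE_NAME = "GRIDHTTP_PASSCODE"               # assumed cookie name


def _digest(passcode):
    # Store hashes only: a leaked store does not yield usable passcodes.
    return hashlib.sha256(passcode.encode()).hexdigest()


class ControlChannel:
    """Stands in for the HTTPS side; dn is assumed to be TLS-verified."""

    def __init__(self, store, ttl=60):
        self.store = store          # shared with DataChannel: digest -> entry
        self.ttl = ttl

    def request_redirect(self, dn, method, path, now=None):
        now = time.time() if now is None else now
        needed = "read" if method == "GET" else "write"
        if needed not in POLICY.get(path, {}).get(dn, set()):
            return None                             # 403 on the control channel
        passcode = secrets.token_urlsafe(32)
        self.store[_digest(passcode)] = {
            "method": method, "path": path, "expires": now + self.ttl,
        }
        return {"location": DATA_HOST + path,
                "cookie": f"{COOKIE_NAME}={passcode}"}


class DataChannel:
    """Stands in for the plain-HTTP side that serves the bulk transfer."""

    def __init__(self, store):
        self.store = store

    def handle(self, method, path, passcode, now=None):
        now = time.time() if now is None else now
        # pop(): the passcode is consumed on first presentation, even if the
        # request is then rejected, so a mismatched attempt also burns it.
        entry = self.store.pop(_digest(passcode), None)
        if entry is None:
            return 403                              # unknown or already used
        if entry["expires"] < now:
            return 403                              # expired
        if entry["method"] != method or entry["path"] != path:
            return 403                              # bound to another request
        return 200                                  # serve the file here


if __name__ == "__main__":
    store = {}
    cc, dc = ControlChannel(store), DataChannel(store)
    r = cc.request_redirect("/C=UK/O=eScience/CN=alice", "GET", "/data/run42.tar")
    pc = r["cookie"].split("=", 1)[1]
    print(dc.handle("GET", "/data/run42.tar", pc))   # first use
    print(dc.handle("GET", "/data/run42.tar", pc))   # replay
```

The single-use and short-TTL properties are what make it acceptable for the data channel to run unencrypted: a passcode observed on the wire is already spent by the time an observer could present it, and one that was never presented dies with the TTL.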

Slide 6: Web Service support
● GridSite architecture can provide security for Web Service tools like gSOAP, with CGI Web Services
● We also provide the C/C++ implementation of the GridSite / EGEE Delegation portType
  – Java implementation by other members of EGEE
● mod_gridsite + delegation CGI used by EGEE WMS
  – Apache/FastCGI; GridSite (security); gSOAP (WS)
● Delegated credentials stored in the filesystem
● Allows sharing between different CGI languages

Slide 7: suexec and gsexec
● Apache has traditionally provided a wrapper to run CGIs as other Unix users:
  – Start as root, process as apache, CGI as joeuser
● We've modified this to run CGI scripts and services as pool Unix users, similar to LCG/EGEE and NGS
  – Either per-client: the cert in the browser determines which pool user
  – Or per-directory: all the CGIs in my directory run as the same pool user

Slide 8: suexec / gsexec (2)
● This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
  – Different clients or service owners can't interfere with each other
● Access control is still via GACL/XACML policy files
  – X.509, GSI Proxy, VOMS, DN List credentials
● We can now offer “third-party” service hosting
  – Give a user or VO access to a privileged directory
  – They deploy their C/C++/Perl/Python services remotely
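The two pool-user modes from slides 7 and 8, as an added example that is not gsexec's own code: per-client mapping leases a pool account to a verified DN and keeps returning the same one, per-directory mapping runs everything under a configured directory as one account, and both go through the same least-privilege check before any UID switch would happen. The pool names, UIDs, minimum-UID threshold and directory paths are constructed; the wrapper's actual privilege drop (setgid/setuid/exec) is left out.

```python
"""Pool-account selection in the style of gsexec (constructed example).

Two modes from the slides:
  for_client(dn)          - the client DN leases a pool account and keeps it
  for_directory(script)   - every CGI under a bound directory shares one account
Both refuse any account that is a system/privileged account, mirroring the
UID-minimum check a suexec-style wrapper performs before switching identity.
"""

UID_MIN = 1000                       # constructed threshold: no system accounts
FORBIDDEN = {"root", "apache"}       # never run a CGI as these, whatever the uid


class PoolMapper:
    def __init__(self, pool):
        # pool: account name -> uid, e.g. {"pool001": 60001}
        self.pool = dict(pool)
        self.leases = {}             # client DN -> leased pool account
        self.free = [name for name in self.pool if self._allowed(name)]
        self.per_dir = {}            # directory -> pool account

    def _allowed(self, account):
        uid = self.pool.get(account)
        return uid is not None and account not in FORBIDDEN and uid >= UID_MIN

    def _check(self, account):
        """Final gate before a real wrapper would setuid(): raise, never fall back."""
        if not self._allowed(account):
            raise PermissionError(f"refusing to switch to {account!r}")
        return account, self.pool[account]

    def for_client(self, dn):
        """Per-client mode: a DN is bound to one pool account for its lifetime."""
        if dn not in self.leases:
            if not self.free:
                raise RuntimeError("pool exhausted")   # fail closed, no sharing
            self.leases[dn] = self.free.pop(0)
        return self._check(self.leases[dn])

    def bind_directory(self, directory, account):
        """Per-directory mode configuration; validated at bind time too."""
        self._check(account)
        self.per_dir[directory.rstrip("/")] = account

    def for_directory(self, script_path):
        """Per-directory mode: longest bound directory prefix wins."""
        matches = [d for d in self.per_dir if script_path.startswith(d + "/")]
        if not matches:
            raise PermissionError("no pool account configured for " + script_path)
        return self._check(self.per_dir[max(matches, key=len)])


if __name__ == "__main__":
    m = PoolMapper({"pool001": 60001, "pool002": 60002, "bin": 2})
    print(m.for_client("/C=UK/O=eScience/CN=alice"))
    print(m.for_client("/C=UK/O=eScience/CN=alice"))   # same account again
    m.bind_directory("/var/www/cgi-bin/atlas", "pool002")
    print(m.for_directory("/var/www/cgi-bin/atlas/svc.cgi"))
```

Exhausting the pool raises rather than reusing an account: reuse would put two unrelated clients behind the same UID and defeat the "can't interfere with each other" property the slide relies on.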

Slide 9: GRACE
● In adding support for Web Services to GridSite, we started to offer non-Java ways of building service-orientated grids
● This provides another way of deploying Web Services
  – “GRACE”: GRidsite - Apache - CGI - Executables
  – Allows services to be written in any language
  – Can be deployed remotely
  – Deployment rights controlled by GACL/XACML policies
  – Different VOs/individuals are sandboxed via Unix UIDs

Slide 10: More information
● www.gridsite.org is the project website
  – Open Source (BSD), bug tracker, CVS etc
● Includes the new GridSiteWiki
  – Derived from MediaWiki but uses X.509 instead of usernames / passwords
● www.gridpp.ac.uk is the largest site using GridSite
  – and includes its own Wiki, which is pulling in info
● You can also find GridSites at NGS, GOC, CERN, LCG, TCD.IE, ... by searching for GridSite with Google!

Slide 11: Summary
● GridSite has now grown way beyond a web content management system
● Provides libgridsite Grid security toolkit for C/C++
● mod_gridsite adds support for GSI Proxies, VOMS, GACL, XACML, and HTTP PUT, MOVE, DELETE to Apache
● We can now build secured Web Services for Grids as CGI programs
● GRACE model goes further, and supports third party service hosting and remote deployment of services

