Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester

Slide 1: Grid Access Control Language
Andrew McNab, University of Manchester, mcnab@hep.man.ac.uk

Slide 2: Current GACL's
- When building GridSite, SlashGrid and the EDG Storage Element, we needed a simple ACL format to use for prototyping.
- Wanted to support multiple credential types:
  - individuals (X.509/GSI identities)
  - groups from VO-LDAP list-publishing services
  - groups/roles from VOMS attribute certificate services
- Currently use a per-directory XML ACL in the file .gacl
  - As a file, this can be stored in directories, copied via unmodified https or gsiftp channels, and easily manipulated by scripts and applications.
- We aimed for simplicity since we wanted to use it for fileservers and filesystems, and we care about performance.

Slide 3: GACL example (XML listing; only the DN /O=Grid/CN=Andrew survives in the transcript)

Slide 4: GACL example, annotated (DN shown: /O=Grid/CN=Andrew)
- Credential: AND'd inside this entry if more than one present
- Permissions: deny wins over allow
- Entry: container for credentials and permissions
- If multiple entries, resulting permissions are OR'd

Slide 5: Currently supported credential types
- Any user or authenticated user (cf AFS)
  - or
- Person: full certificate or original issuer of GSI proxy
  - /O=Grid/CN=Mr Grid Person
- VOMS: fully qualified attribute names from VOMS certificate
  - /vo.name/group/subgroup/Role=X
- DN List: text lists of DNs, pulled by something outside GACL
  - https://www.vo.name/dn-lists/group
  - ldap://ldap.vo.name/ou=group,dc=vo,dc=name
  - vomss://vo.name/voms-admin-vo?/group
- DNS: application must supply remote host name of request/user
  - host*.domain.name

Slide 6: GACL library
- XML ACL format not finalised, but several products wanted to use it: GridSite, SlashGrid and the EDG Storage Element.
- ACL will almost certainly change again in the future, and (hopefully) will need to understand XACML policies emerging from GGF.
- Insulate ourselves from this by putting ACL handling functions into a standalone library, and make this understand the current XML.
- Handles read/list/write ACL's in a reasonably general and OO way:
  - packs C structs and linked lists with their contents
  - provides access functions to manipulate the structs as types/objects
- Build up ACL objects and User objects out of credential, permission and entry objects.
- Then compare User to ACL to get user permissions for this context.
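The evaluation rules on slide 4 (credentials AND'd within an entry, entries OR'd, deny wins over allow), the credential types on slide 5 and the "build a User, compare it to the ACL" flow on slide 6 can be shown together in a small evaluator. The following is an added example written for this transcript; it is not the GridSite/GACL C library. The XML element names (gacl, entry, person/dn, voms/fqan, dn-list/url, dns/hostname, any-user, auth-user, allow, deny and the read/list/write/admin permission tags) are assumed to follow the GridSite GACL format and do not come from the slides, and the policy, DN list contents and users are constructed for the example. As the slides say GACL does not fetch DN lists itself, the pre-fetched list is passed in by the caller.

```python
"""Toy evaluator for GACL-style XML policies (added example, not the GACL library)."""
import fnmatch
import xml.etree.ElementTree as ET

PERMISSIONS = ("read", "list", "write", "admin")

# Constructed sample policy; element names are assumed to follow GridSite's
# GACL format and were not taken from the slides.
SAMPLE_ACL = """<gacl>
  <entry>
    <person><dn>/O=Grid/CN=Andrew</dn></person>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
  <entry>
    <voms><fqan>/vo.name/group/subgroup/Role=X</fqan></voms>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <dn-list><url>https://www.vo.name/dn-lists/group</url></dn-list>
    <dns><hostname>host*.domain.name</hostname></dns>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <auth-user/>
    <allow><list/></allow>
  </entry>
  <entry>
    <person><dn>/O=Grid/CN=Blocked</dn></person>
    <deny><read/></deny>
  </entry>
</gacl>"""

# Constructed stand-in for a DN list that something outside GACL has already
# pulled from the URL (GACL itself does not fetch it).
DN_LISTS = {
    "https://www.vo.name/dn-lists/group": ["/O=Grid/CN=Member", "/O=Grid/CN=Blocked"],
}


class User:
    """The credentials presented for one request (hypothetical User object)."""

    def __init__(self, dn=None, fqans=(), hostname=None):
        self.dn = dn                # None for an unauthenticated client
        self.fqans = set(fqans)     # VOMS FQANs pushed by the client
        self.hostname = hostname    # remote host name supplied by the application


def credential_matches(cred, user, dn_lists):
    """Return True if one credential element of an entry matches the user."""
    tag = cred.tag
    if tag == "any-user":
        return True
    if tag == "auth-user":
        return user.dn is not None
    if tag == "person":
        return user.dn is not None and user.dn == cred.findtext("dn")
    if tag == "voms":
        return cred.findtext("fqan") in user.fqans
    if tag == "dn-list":
        members = dn_lists.get(cred.findtext("url"), [])
        return user.dn is not None and user.dn in members
    if tag == "dns":
        pattern = cred.findtext("hostname")
        return user.hostname is not None and fnmatch.fnmatchcase(user.hostname, pattern)
    raise ValueError(f"unknown credential type <{tag}>")


def evaluate(acl_xml, user, dn_lists=None):
    """Compare a User to an ACL and return the resulting set of permissions."""
    dn_lists = dn_lists if dn_lists is not None else {}
    root = ET.fromstring(acl_xml)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        # All credentials inside one entry must match (AND); an entry with no
        # credential matches nobody.
        if not creds or not all(credential_matches(c, user, dn_lists) for c in creds):
            continue
        # Permissions from every matching entry are combined (OR).
        allowed.update(p.tag for p in entry.findall("allow/*"))
        denied.update(p.tag for p in entry.findall("deny/*"))
    # Deny wins over allow, whichever entry the deny came from.
    return frozenset(p for p in PERMISSIONS if p in allowed and p not in denied)


if __name__ == "__main__":
    for who in (User(dn="/O=Grid/CN=Andrew"),
                User(dn="/O=Grid/CN=Blocked", hostname="host1.domain.name"),
                User()):
        print(who.dn, sorted(evaluate(SAMPLE_ACL, who, DN_LISTS)))
```

The third entry illustrates the AND rule: a member of the DN list gets read and list only when the request also comes from a host matching host*.domain.name; from elsewhere the entry does not match and the auth-user entry leaves only list. The blocked DN is in the same DN list, so its allow of read and list from entry three is cut down to list by the deny in the last entry.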

Slide 7: EDG Middleware using GACL
- WP1
  - GACL is used to specify the access policies for data in the Logging and Bookkeeping service.
- WP4 LCAS
  - VOMS plugin compares VOMS attribute assertions against the GACL policy written by the site.
- WP5
  - GACL integrated into the Storage Element for access control of files.
- GridSite (HTTPS) and SlashGrid (filesystems)
  - GACL is the basis of read/write access to files.
  - After 0.9.2, the GACL library became the GridSite library (now with http and x509 utility functions).

Slide 8: GridSite / Apache Architecture (diagram; component labels as they appear)
- mod_ssl: plain HTTPS > env vars
- mod_gridsite: GSI / VOMS OpenSSL callback wrappers
- mod_gridsite: GACL access control + GACL > env vars
- mod_gridsite: .html headers and footers
- .shtml, mod_perl CGI, PHP
- mod_jk: JSP with Tomcat
- HTTP
- grst-admin.cgi: page editing, file upload, ACL editing etc.
- mod_gridsite: file PUT and DELETE

Slide 9: Summary
- GACL provides a simple way of describing resource access policies in XML.
- GACL supports both pull (LDAP/HTTP) and push (VOMS) authorization models.
- The GACL library provides an API for handling Grid ACL's.
- GACL is being used by EDG WP1 (L&B), WP4 (LCAS), WP5 (SE) and WP6 (GridSite).
- Further work on GACL as part of the GridSite library.
- For more information, see:
  - http://www.gridpp.ac.uk/gridsite/ - overview, CVS/LXR
  - http://savannah.cern.ch/projects/gridsite/ - bug tracker, news

