3 May 2006 GridSite - www.gridsite.org - Andrew McNab. Web Services for Grids in Scripts and C using GridSite. Andrew McNab, University of.


1 Web Services for Grids in Scripts and C using GridSite
Andrew McNab, University of Manchester

2 Outline
● LCG/EGEE/gLite
● GridSite philosophy
● Components
● GridSite/Apache architecture
● Web Service support
● Delegation
● gsexec and GRACE

3 LCG/EGEE/gLite
● This is GridSite's main user
● Developing and deploying grids for Particle Physics
  – At ~200 farms at university sites
  – In production with Monte Carlo simulation now
  – Must go into production with LHC data in 2007
● Security based on proxy certificates + X.509/VOMS attribute certificates from application groups
● All middleware to be Web Services over HTTPS

4 GridSite philosophy
● Aim to reuse as much as possible from mainstream Web and Web Services worlds
  – Applies both to software and standards
  – Reduces work needed and ongoing support overhead
  – We use Apache, OpenSSL, curl, gSOAP, libxml,...
● Aim for language neutrality on server side
  – We're coming from the Particle Physics world where C++/Perl/Python/C are the dominant languages
  – Allow use of Apache's CGI interface, mod_perl, etc

5 Components
● libgridsite C/C++ toolkit provides utility functions
  – parse GSI Proxies and VOMS X.509 attribute certs
  – evaluate GACL and XACML access policies
  – generate new GSI Proxies
● mod_gridsite adds support for GSI Proxies, VOMS attributes, DN List groups, GACL/XACML policies and Onetime Passcodes to Apache
  – supplemented by gsexec setuid wrapper
● htcp, htls, htproxyput,... provide command line file tools

6 Module architecture
Diagram labels (Apache/GridSite, HTTP):
● mod_ssl: plain HTTPS > env vars
● mod_gridsite: GACL access control + GACL > env vars
● mod_gridsite: .html headers and footers
● .shtml, mod_perl CGI, PHP CGI Web Services (gsexec)
● grst-admin.cgi: page editing, file upload, GACL editing etc.
● mod_gridsite: PUT, MOVE and DELETE
● mod_gridsite: GSI / VOMS OpenSSL callback wrappers

7 File access options
● Web browser
  – View page/files/services on GridSite managed server
● Web browser + User's certificate
  – Upload/edit/delete of pages/files/scripts/executables
● htcp shell commands
  – scp/“ssh ls -l” access for Unix-based clients via HTTP(S)
● SlashGrid (“/grid”)
  – AFS-like access (“/grid/https/www.gridpp.ac.uk/dir/file.txt”)
  – but requires Linux and local SlashGrid daemon

8 Web Service support
● Apache “eco-system” already supports Web Services
  – gSOAP, SOAP-Lite etc
● GridSite adds security context via CGI environment
  – or systems like mod_perl which simulate CGI since our module has access to Apache internal data “upstream”
● Service authors are provided with users' credentials from proxies and VOMS ACs as environment variables
● Coarse-grained access control from XACML/GACL policy engine

9 Delegation portType
● We also provide the C/C++ implementation of the GridSite/gLite Proxy Certificate delegation portType
  – Java implementation by other members of EGEE
● mod_gridsite + delegation CGI used by EGEE WMS
  – Apache/FastCGI; GridSite (security); gSOAP (WS)
● Delegated credentials stored in the filesystem (or SQL DB)
● Allows sharing between different CGI languages
● Unix permissions used to control which sessions / services / application owners can access proxies

10 suexec and gsexec
● Apache has traditionally provided a wrapper to run CGIs as other Unix users:
● Start as root, process as apache, CGI as joeuser
● We've modified this to run CGI scripts and services as pool Unix users, similar to LCG/EGEE and NGS
● Either per-client: the certificate of the client program determines which pool user
● Or per-directory: all the CGIs in my directory run as the same pool user

11 suexec / gsexec (2)
● This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
● Different clients or service owners can't interfere with each other
● Access control is still via GACL/XACML policy files
● X.509, GSI Proxy, VOMS, DN List credentials
● Sites can now offer “third-party” service hosting
● Give a user or VO access to a privileged directory
● They deploy C/C++/Perl/Python CGI services remotely
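The per-client and per-directory choice of pool user described in the two suexec/gsexec slides, sketched as an added example that is not GridSite's own code. `pool_slot`, `lease_key`, `POOL_SIZE` and the in-memory lease table are hypothetical names; how gsexec actually stores its mappings is not described here.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4   /* assumed number of pool accounts */
#define KEY_MAX 256

enum map_mode { PER_CLIENT, PER_DIRECTORY };

static char leases[POOL_SIZE][KEY_MAX];  /* slot i -> key that holds it */

/* Build the lease key: client certificate DN, or the CGI's directory. */
static int lease_key(enum map_mode mode, const char *dn, const char *cgi,
                     char *key, size_t len) {
    int n;
    if (mode == PER_CLIENT) {
        if (!dn || !*dn) return -1;            /* no client identity: refuse */
        n = snprintf(key, len, "dn:%s", dn);
    } else {
        const char *slash = cgi ? strrchr(cgi, '/') : NULL;
        if (!cgi || cgi[0] != '/' || slash == cgi) return -1; /* absolute dir */
        n = snprintf(key, len, "dir:%.*s", (int)(slash - cgi), cgi);
    }
    /* A truncated key could make two identities share one account: refuse. */
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Return the pool slot for this request, leasing a free slot on first use.
 * -1 means do not run the CGI (bad input or no free pool account). */
int pool_slot(enum map_mode mode, const char *dn, const char *cgi) {
    char key[KEY_MAX];
    int i, free_slot = -1;
    if (lease_key(mode, dn, cgi, key, sizeof key) != 0) return -1;
    for (i = 0; i < POOL_SIZE; i++) {
        if (strcmp(leases[i], key) == 0) return i;       /* existing lease */
        if (free_slot < 0 && leases[i][0] == '\0') free_slot = i;
    }
    if (free_slot >= 0) strcpy(leases[free_slot], key);  /* fits: < KEY_MAX */
    return free_slot;
}

int main(void) {
    /* Constructed sample DNs and paths. */
    const char *alice = "/C=UK/O=Example/CN=alice";
    const char *bob = "/C=UK/O=Example/CN=bob";
    printf("%d\n", pool_slot(PER_CLIENT, alice, "/srv/vo1/a.cgi"));
    printf("%d\n", pool_slot(PER_CLIENT, bob, "/srv/vo1/a.cgi"));
    printf("%d\n", pool_slot(PER_DIRECTORY, alice, "/srv/vo1/a.cgi"));
    printf("%d\n", pool_slot(PER_DIRECTORY, bob, "/srv/vo1/c.cgi"));
    return 0;
}
```

The wrapper fails closed: a request with no client DN, a relative script path, or an exhausted pool gets no account at all instead of falling back to a shared one.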

12 GRACE
● In adding support for Web Services to GridSite, we're offering non-Java ways of building service-orientated grids
● This provides another way of deploying Web Services
  – “GRACE”: GRidsite - Apache - CGI - Executables
  – Allows services to be written in any language
  – Can be deployed remotely
  – Deployment rights controlled by GACL/XACML policies
  – Different VOs/individuals are sandboxed via Unix UIDs

13 More information
● www.gridsite.org is the project website
  – Open Source (BSD), bug tracker, CVS etc
● Includes the new GridSiteWiki
  – Derived from MediaWiki but uses X.509 instead of usernames / passwords
● www.gridpp.ac.uk is the largest site using GridSite
  – and includes its own Wiki, which is pulling in info
● You can also find GridSites at NGS, GOC, CERN, LCG, TCD.IE,... by searching for GridSite with Google

14 Summary
● GridSite aims to reuse as much as possible of the mainstream Web and Web Service world for grids
● Provides libgridsite Grid security toolkit for C/C++
● mod_gridsite adds support for GSI Proxies, VOMS, GACL, XACML, and HTTP PUT, MOVE, DELETE to Apache
● Can provide the basis of secured Web Services for Grids as CGI programs
● GRACE model goes further, and supports third party service hosting and remote deployment of services

