Andrew.McNab@man.ac.uk Security Middleware in GridPP2 5 Feb 2004

Security Middleware in GridPP2
- Current Status: GridSite
- GridPP2 Themes
  – libgridsite toolkit
  – Lightweight VOs
  – “Grid Home Directory”
  – SlashGrid
- Dissemination and Interoperation
  – eSecurity Centre, “gridsite.org”, XACML/SAML
Current Status
- GridSite 1.0.0 released on 14 December
  – In production on www.gridpp.ac.uk
- Includes
  – libgridsite: Grid ACL (GACL) access control + HTTP / X.509 / GSI / VOMS utilities
  – gridsite-admin.cgi: user editing of pages, groups etc
  – mod_gridsite: support for GACL / GSI / VOMS in Apache 2.0
  – (No longer need a patched mod_ssl to support GSI)
- “Toolkit” approach works with other tools (eg PHP)
New fileserver features
- One of the aims of the GridSite 1.0.0 modular architecture is better fileserver functionality
- With mod_gridsite installed, the server can now
  – Handle HTTP(S) GET/PUT/DELETE and directory listings without a CGI binary
  – So no context switch from server to CGI
  – Full support for GACL access control built in
- htcp command line tool vs globus-url-copy, scp etc
  – htcp uses HTTP(S) servers and GSI [VOMS etc]
  – Multistream HTTP being added to the htcp client
Current Users
- Various web/VO sites:
  – ManHEP, MCC, grid-support.ac.uk, GOC, Grid Ireland
  – VOs: BaBar plus MICE, CALICE, DESY (experimental)
  – BaBarGrid experimenting with GridSite and gsub
- Three pieces of EDG middleware can use the GACL component (not all deployed)
  – LCAS: GACL control of gatekeeper access
  – WP1 Logging and Bookkeeping
  – Storage Element
- NorduGrid GridFTP server now supports GACL
GridPP2 Themes
- GridPP2 bidding process resulted in
  – 2.5 Middleware posts
  – 0.5 VO operations
  – 1.0 LCG co-ordination
- The Middleware/VO Ops area has 4 main themes
  – libgridsite toolkit (from GACL C to XACML C, C++, Java, ...?)
  – Lightweight VOs
  – “Grid Home Directory”
  – SlashGrid
libgridsite toolkit
- Core functions of GridSite pulled out into a library
- Currently only C and C-to-C++ API
  – Will provide Java and OO C++ API
- Part of the rationale for the original libgacl was to insulate us from policy language developments
- XACML from the WS community is likely to become endorsed by GGF etc
  – We aim to provide a smooth transition (no change?) for users of the API
- More functionality to be added: parallel HTTP etc.
Lightweight VOs
- GridSite supports lightweight VO management
  – eg the groups published from www.gridpp.ac.uk
- This implements the GACL concept of a “DN List”
  – A list of certificate names, identified by an HTTPS, voms-httpd or LDAP URL
- “Lightweight” = they're stored as plain text files
  – Easy to edit, populate from scripts etc
  – Not meant to compete with VOMS/VOX etc databases
  – (But we do have a gateway to produce VOMS certs)
- Aim to support small VOs, individuals, HEP groups etc
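The Current Status, New fileserver features and Lightweight VOs slides describe GACL access control applied to HTTP(S) requests, with a “DN List” as one credential type. The following is an added worked example, not GridSite's own libgridsite code and not taken from the slides: a small Python evaluator for a GACL policy. The XML element names follow GridSite's published GACL format as I remember it, and the rules that every credential in an entry must match and that deny overrides allow are my assumptions; the sample .gacl, the DN list URL and its contents are constructed, and the GET/list/PUT/DELETE to read/list/write mapping models the fileserver slide rather than quoting mod_gridsite.

```python
"""Toy GACL evaluator for GridSite-style file access control (added example).

Assumptions not on the slides: the GACL XML vocabulary (<gacl>, <entry>,
<person>/<dn>, <dn-list>/<url>, <voms>/<fqan>, <any-user/>, <auth-user/>,
<allow>/<deny> holding <read/>, <list/>, <write/>, <admin/>); all credentials
in an entry must match; deny overrides allow; GET -> read, directory -> list,
PUT/DELETE -> write for the fileserver.
"""
import xml.etree.ElementTree as ET

PERMS = ("read", "list", "write", "admin")

# Constructed sample .gacl (not a real site's policy).
SAMPLE_GACL = """<gacl version="0.0.1">
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=owner</dn></person>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
  <entry>
    <dn-list><url>https://www.gridpp.ac.uk/dn-lists/example-group</url></dn-list>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <voms><fqan>/babar/Role=production</fqan></voms>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <auth-user/>
    <allow><read/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=revoked</dn></person>
    <deny><read/><list/><write/><admin/></deny>
  </entry>
</gacl>"""

# Constructed stand-in for the plain-text DN list files a lightweight VO
# publishes; a real enforcement point would fetch (and cache) the URL instead.
DN_LISTS = {
    "https://www.gridpp.ac.uk/dn-lists/example-group":
        "# one certificate name per line\n"
        "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=member\n"
        "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=revoked\n",
}


def load_dn_list(url):
    """Parse a plain-text DN list into a set of DNs; unknown URL -> empty set."""
    dns = set()
    for line in DN_LISTS.get(url, "").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            dns.add(line)
    return dns


def credential_matches(cred, dn, fqans):
    """True if one credential element matches the caller (dn=None: anonymous)."""
    if cred.tag == "any-user":
        return True
    if cred.tag == "auth-user":
        return dn is not None
    if cred.tag == "person":
        return dn is not None and cred.findtext("dn", "").strip() == dn
    if cred.tag == "dn-list":
        return dn is not None and dn in load_dn_list(cred.findtext("url", "").strip())
    if cred.tag == "voms":
        return cred.findtext("fqan", "").strip() in fqans
    return False  # unknown credential type: fail closed


def permissions(gacl_xml, dn, fqans=()):
    """Permissions the caller ends up with: union of allows minus union of denies."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(gacl_xml).findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not creds or not all(credential_matches(c, dn, fqans) for c in creds):
            continue
        for block, target in (("allow", allowed), ("deny", denied)):
            for b in entry.findall(block):
                target.update(p.tag for p in b if p.tag in PERMS)
    return allowed - denied


def required_permission(method, is_directory=False):
    """GACL permission a fileserver request needs (assumed mapping)."""
    if method in ("PUT", "DELETE"):
        return "write"
    if method in ("GET", "HEAD"):
        return "list" if is_directory else "read"
    raise ValueError("unsupported method: " + method)


def authorized(gacl_xml, dn, fqans, method, is_directory=False):
    """Enforcement point: does the caller hold the permission this request needs?"""
    return required_permission(method, is_directory) in permissions(gacl_xml, dn, fqans)
```

The deny entry is what makes the DN list safe to edit by script: a name that slips into the list (here CN=revoked) still gets nothing, because the per-file deny is subtracted after all allows are collected. An unknown credential element never matches, so a policy written for a newer GACL vocabulary fails closed rather than open.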
“Grid Home Directory”
- This is more a concept than a specific technology
- BaBarGrid requirements suggest people will want access to filespace they own during running jobs
- Various ways of doing this:
  – GridFTP server
  – AFS + gsiklog
  – htcp or browser + GridSite server
- But getting things to interoperate is largely a security problem
- Provide glue code + recipes for tying these together
SlashGrid
- Have now got funding to move this beyond the prototype and demonstration stage!
- Aim to provide a way of making “things” available via the filesystem
  – Remote files, via standard HTTP(S), GridFTP etc
  – Dynamic filesystem areas (logical to physical names; sandboxes; on-demand environments)
- Do this through a daemon-to-kernel connector
  – Loopback NFS for portability/kernel independence
- Also want to interoperate with NFSv4 + GSI
Dissemination
- GridSite and Security Middleware are readily applicable to other projects
  – All projects need a website
  – All projects need security (write access control if nothing else)
- We're talking to other projects which are interested in using GridPP security middleware
  – In particular, the existing PPARC/MRC distributed cancer analysis project at Dundee/Manchester
- Other possibilities in the pipeline...
eSecurity Centre
- Joint project between
  – Manchester HEP
  – Manchester Computer Science
  – e-Science North West
  – Salford Computer Science
  – (Roughly equal to UK GGF Authorization involvement)
- Aim to promote communication and use of standards-based security tools in UK e-Science, LCG/EGEE, JISC-funded academia, NHS etc.
  – Eg aim to add support for Salford's PERMIS to GridSite, alongside existing VOMS support
“gridsite.org”
- Shorthand for making GridSite an Open Source project, with external involvement
- We noticed that most of the users installed the software without first asking for help/support
- We're trying to encourage this:
  – Source and binary distributions
  – User, Admin, Install guides, man pages etc
  – Publicly available CVS + Bugtrack (thanks to EDG and now LCG Savannah)
  – Public announcement and discussion mailing lists
  – Pointers to free/cheap/lightweight X.509 CAs
Interoperation
- Already mentioned PERMIS in parallel with VOMS
  – The attribute certificate formats of these are now converging
- Other protocols are also around
  – SAML for asking external servers questions like “can the user do this?”
  – XACML as a policy language like GACL
- We want to support these for the usual reasons
  – Avoid duplication of effort by using external tools
  – Want other systems to use our stuff
  – Sites don't want to run multiple incompatible services
Authorization Architecture
[Diagram: boxes for Resource, Policy Enforcement Point (libgridsite), Policy Decision Point (PERMIS, LCAS + libgridsite + GACL or XACML), Internal PDP, and User Attribute Authority (VOMS, CAS, PERMIS, GridSite VO); arrows labelled “Request =>” / “<= Results”, “GSI [+ VOMS etc]”, “SAML”, “VOMS etc”, and “HTTPS, voms-httpd, VO LDAP”.]
Summary
- GridPP1 security middleware in (increasing) use
- Funding now available to expand this
  – (subject to final agreement of deliverables)
- Aim to provide reusable components... and documented off-the-shelf implementations
- Most of the GridPP2 deliverables provide missing pieces of the authorization machinery
- Also looking outside GridPP for additional funding to apply HEP security tools to medical use, general academic infrastructure etc.