GridSite status Andrew McNab University of Manchester.

24 February 2005, GridSite status

Outline
● “Web” status
● “EGEE” features
● Delegation
● GACL / XACML
● Globus/non-Globus SSL
● VOMS AC support
● Next steps

Current “web” status
● GridSite is current production release for websites
● On
● Used by several GridPP/LCG sites (eg GOCDB)
● Plus ~half-a-dozen other sites
● Includes
  ● libgridsite: Grid ACL access control + HTTP / X.509 / GSI / VOMS utilities
  ● gridsite-admin.cgi: user editing of pages, groups etc
  ● mod_gridsite: support for GACL / GSI / VOMS in Apache 2.0
  ● htcp command line tools (like scp but with GSI/https)

“EGEE” status
● Version in the EGEE CVS has additional features, relevant to the EGEE/gLite environment
● Aim to support grid/web services on Apache/CGI
● Delegation library functions and standalone delegation service
● libgridsite and libgridsite_globus for binaries built with system OpenSSL or Globus OpenSSL
● Original GACL support still in place (XACML to be added)
● VOMS attributes read from proxy chain if present

Delegation
● Implements JRA3-agreed delegation portType
● Core functions (GRSTx509MakeProxyRequest() etc) are in libgridsite, and can be used by C/C++
● Standalone gridsite-delegation.cgi also provided as example
● Proxies are created in proxycache directory following JRA3-agreed hash-based names
  ● So can share proxies between multiple CGIs/Java
  ● findproxyfile command line utility provided for scripts
  ● But need to agree file ownerships of cached proxies

GACL (... XACML)
● GACL API largely unchanged since EDG
  ● gridsite-gacl.h supplied for strict compatibility
● GACL handles credentials, ACL rules and permissions as C “objects” (structs + access methods)
● ACLs are stored in XML, but loaded into structs for evaluation
● Functions are provided to build up ACLs and write them out
● gridsite-admin.cgi provides GUI for editing ACLs
● Outside of the EGEE CVS, we have basic XACML support
  ● Read/write XACML instead of GACL XML

GACL's XACML

GACL: /C=UK/CN=shiv

GACL-XACML: /C=UK/CN=shiv <SubjectAttributeDesignator AttributeId="person" DataType="
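The two GACL slides above describe ACLs as XML that is loaded into C structs (credentials, entries, permissions) with access methods to build them up, evaluate them and write them out. The following is an added illustration written for this page, not code from GridSite or libgridsite: a small struct-based ACL model with a builder, an evaluator and a GACL-style XML writer. The element names (gacl, entry, any-user, person/dn, voms/fqan, allow, deny, read/exec/list/write/admin) follow GACL; the evaluation rule used here (every credential named in an entry must be held, and deny overrides allow) is this example's assumption, not a statement of libgridsite's exact semantics. The sample ACL and the DN/FQAN values are constructed.

```c
/* Added example (not GridSite's own code): GACL-style ACLs as C structs.
 * Evaluation rule (assumption): all creds in an entry must match; deny
 * overrides allow.  XML element names follow GACL. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum { GACL_NONE = 0, GACL_READ = 1, GACL_EXEC = 2, GACL_LIST = 4,
       GACL_WRITE = 8, GACL_ADMIN = 16 };
typedef enum { CRED_ANY_USER, CRED_PERSON, CRED_VOMS } cred_type;
typedef struct { cred_type type; const char *value; } gacl_cred;

#define MAX_CREDS 4
#define MAX_ENTRIES 8
typedef struct { gacl_cred creds[MAX_CREDS]; int ncreds; unsigned allow, deny; } gacl_entry;
typedef struct { gacl_entry entries[MAX_ENTRIES]; int nentries; } gacl_acl;

/* "Access methods" for building an ACL up in code; return index or -1. */
int gacl_add_entry(gacl_acl *acl, unsigned allow, unsigned deny)
{
    if (acl->nentries >= MAX_ENTRIES) return -1;
    gacl_entry *e = &acl->entries[acl->nentries];
    memset(e, 0, sizeof *e);
    e->allow = allow; e->deny = deny;
    return acl->nentries++;
}
int gacl_entry_add_cred(gacl_acl *acl, int idx, cred_type t, const char *value)
{
    gacl_entry *e = &acl->entries[idx];
    if (e->ncreds >= MAX_CREDS) return -1;
    e->creds[e->ncreds].type = t; e->creds[e->ncreds].value = value;
    return e->ncreds++;
}

/* An entry applies when every credential it names is held by the user. */
static int entry_applies(const gacl_entry *e, const gacl_cred *user, int nuser)
{
    for (int i = 0; i < e->ncreds; i++) {
        const gacl_cred *req = &e->creds[i];
        int found = (req->type == CRED_ANY_USER);      /* any-user always matches */
        for (int j = 0; j < nuser && !found; j++)
            found = req->type == user[j].type && req->value && user[j].value &&
                    strcmp(req->value, user[j].value) == 0;
        if (!found) return 0;
    }
    return 1;
}

/* Union of allows from applicable entries, minus union of denies. */
unsigned gacl_test_user(const gacl_acl *acl, const gacl_cred *user, int nuser)
{
    unsigned allowed = 0, denied = 0;
    for (int i = 0; i < acl->nentries; i++)
        if (entry_applies(&acl->entries[i], user, nuser)) {
            allowed |= acl->entries[i].allow;
            denied  |= acl->entries[i].deny;
        }
    return allowed & ~denied;
}

/* Bounded append; *n tracks the would-be length even when truncated. */
static void app(char *buf, int sz, int *n, const char *fmt, ...)
{
    va_list ap; va_start(ap, fmt);
    int room = sz - *n;
    int w = vsnprintf(room > 0 ? buf + *n : NULL, room > 0 ? (size_t)room : 0, fmt, ap);
    va_end(ap);
    if (w > 0) *n += w;
}
static void write_perms(char *buf, int sz, int *n, const char *tag, unsigned p)
{
    static const char *names[] = { "read", "exec", "list", "write", "admin" };
    app(buf, sz, n, "<%s>", tag);
    for (int b = 0; b < 5; b++) if (p & (1u << b)) app(buf, sz, n, "<%s/>", names[b]);
    app(buf, sz, n, "</%s>", tag);
}

/* Serialise to GACL-style XML; returns the length, or -1 if buf is too small. */
int gacl_write(const gacl_acl *acl, char *buf, int sz)
{
    int n = 0;
    app(buf, sz, &n, "<gacl>");
    for (int i = 0; i < acl->nentries; i++) {
        const gacl_entry *e = &acl->entries[i];
        app(buf, sz, &n, "<entry>");
        for (int c = 0; c < e->ncreds; c++) {
            const gacl_cred *k = &e->creds[c];
            if (k->type == CRED_ANY_USER)    app(buf, sz, &n, "<any-user/>");
            else if (k->type == CRED_PERSON) app(buf, sz, &n, "<person><dn>%s</dn></person>", k->value);
            else                             app(buf, sz, &n, "<voms><fqan>%s</fqan></voms>", k->value);
        }
        if (e->allow) write_perms(buf, sz, &n, "allow", e->allow);
        if (e->deny)  write_perms(buf, sz, &n, "deny", e->deny);
        app(buf, sz, &n, "</entry>");
    }
    app(buf, sz, &n, "</gacl>");
    return n < sz ? n : -1;
}

/* Constructed sample: everyone may read and list, holders of the /EGEE FQAN
 * may also write, but /C=UK/CN=shiv is explicitly denied write. */
gacl_acl sample_acl(void)
{
    gacl_acl a; memset(&a, 0, sizeof a);
    int e = gacl_add_entry(&a, GACL_READ | GACL_LIST, GACL_NONE);
    gacl_entry_add_cred(&a, e, CRED_ANY_USER, NULL);
    e = gacl_add_entry(&a, GACL_WRITE, GACL_NONE);
    gacl_entry_add_cred(&a, e, CRED_VOMS, "/EGEE/Role=NULL/Capability=NULL");
    e = gacl_add_entry(&a, GACL_NONE, GACL_WRITE);
    gacl_entry_add_cred(&a, e, CRED_PERSON, "/C=UK/CN=shiv");
    return a;
}

int main(void)
{
    gacl_acl a = sample_acl();
    char xml[512];
    if (gacl_write(&a, xml, sizeof xml) > 0) puts(xml);
    gacl_cred shiv[] = { { CRED_PERSON, "/C=UK/CN=shiv" } };
    printf("permissions for /C=UK/CN=shiv = %u\n", gacl_test_user(&a, shiv, 1));
    return 0;
}
```

The design point is the one the slide makes: evaluation never touches the XML, only the structs, so the same in-memory ACL can be built from a file, edited by a GUI such as gridsite-admin.cgi, or assembled in code, and written back out identically.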

Globus vs OpenSSL
● libgridsite uses several OpenSSL functions, especially for handling proxies and certificates
● Original intent was to avoid Globus dependencies
● However, some programs using GridSite need to be linked with Globus
  ● Usually this involves linking with Globus's copy of OpenSSL rather than the system copy
● To resolve this, we now provide libgridsite and libgridsite_globus, built with the appropriate headers
● mod_gridsite and gridsite binaries still use non-Globus version of OpenSSL

VOMS AC support
● One of the casualties of the Globus problems was VOMS AC support in GridSite
● This needs to work in mod_gridsite, inside Apache, but we don't want to relink Apache to use Globus's (out of date) OpenSSL
● But using the VOMS C API would involve a Globus dependency
● Finally resolved this by writing a parser for ASN.1 / X.509 attribute certs / VOMS ACs that only depends on OpenSSL
● This is now in EGEE CVS (GridSite 1.1.6)

GridSite ASN.1 parsing
● ASN.1 complex objects in X.509 extensions take the form of a tree, containing variable length objects and lists
● Official OpenSSL way is to define callbacks for your special objects (eg VOMS ACs) and then pass ASN.1 data to OpenSSL
● We've used a simpler strategy
● Due to the X.509 AC (and VOMS) standards, the structure of the tree is constant
● So we assign a co-ordinate to each node, and search for those each time we parse an extension

GridSite ASN.1 parsing (continued)

Co-ordinates are sibling numbers for each depth in the tree (-1, -1-1, -1-2, -2, -2-1, -2-2, -2-3 etc)

In this example, if multiple FQANs are present then would need to go through ...-1, ...-2, ...-3 etc:

    :d=8 hl=2 l= 33 cons: SEQUENCE
    :d=9 hl=2 l= 31 prim: OCTET STRING :/EGEE/Role=NULL/Capability=NULL

ASN.1/VOMS API

Write VOMS FQANs from X509 extension into string creds:

    int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen,
                             char *creds, time_t time1_time, time_t time2_time,
                             X509_EXTENSION *ex, char *ucuserdn, char *vomsdir)

● Also functions to parse ASN.1 and make a co-ordinates lookup table; to search for particular objects by co-ordinate; and utility functions for ASN.1 times etc
● For CGI web services running on Apache/mod_gridsite the API is just an env variable with times and FQAN
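The three ASN.1 slides above describe the co-ordinate scheme: each DER node gets a sibling number at every depth ("-1-1-1" for the first child of the first child of the first node), and because the X.509 AC / VOMS layout is fixed, a known co-ordinate can be searched for on every parse. The walker below is an added illustration written for this page, not GridSite's parser and not its lookup-table API: it descends a DER buffer, assigns GridSite-style co-ordinates and retrieves one node by co-ordinate, rejecting malformed lengths along the way. It is pure C with no OpenSSL dependency, and the input is a constructed SEQUENCE { SEQUENCE { OCTET STRING }, INTEGER } whose inner part has the same shape and lengths (33 and 31 bytes) as the asn1parse lines on the slide; it is not a real VOMS AC.

```c
/* Added example, written for this page rather than taken from GridSite:
 * a minimal DER tree walker that assigns GridSite-style co-ordinates
 * ("-1-2-1" = sibling number at each depth, counting from 1) to every
 * node and retrieves a node by co-ordinate.  Pure C, no OpenSSL. */
#include <stdio.h>
#include <string.h>

/* Decode one DER length field (short or long form).  Returns the number of
 * bytes the length field occupies, or 0 for indefinite/oversized lengths. */
static size_t der_length(const unsigned char *p, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }
    size_t n = p[0] & 0x7f;
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return 0;
    size_t l = 0;
    for (size_t i = 0; i < n; i++) l = (l << 8) | p[1 + i];
    *len = l;
    return 1 + n;
}

/* Walk the DER nodes in [p, p+avail).  'coord' is the parent's co-ordinate
 * prefix ("" at the top).  When a node's co-ordinate equals 'want', its
 * contents are copied to 'out' and the content length is returned.
 * Returns -1 if not found, -2 on malformed DER, -3 if 'out' is too small. */
long der_find_coord(const unsigned char *p, size_t avail, const char *coord,
                    const char *want, int depth,
                    unsigned char *out, size_t outsz)
{
    if (depth > 32) return -2;                 /* refuse absurdly deep trees */
    size_t off = 0;
    int sibling = 0;
    while (off < avail) {
        unsigned char tag = p[off];
        if ((tag & 0x1f) == 0x1f) return -2;   /* multi-byte tags: unsupported */
        size_t len;
        size_t lenbytes = der_length(p + off + 1, avail - off - 1, &len);
        if (lenbytes == 0) return -2;
        size_t hdr = 1 + lenbytes;
        if (len > avail - off - hdr) return -2; /* length runs past the buffer */
        sibling++;
        char here[128];
        snprintf(here, sizeof here, "%s-%d", coord, sibling);
        const unsigned char *content = p + off + hdr;
        if (strcmp(here, want) == 0) {
            if (len > outsz) return -3;
            memcpy(out, content, len);
            return (long)len;
        }
        if (tag & 0x20) {                      /* constructed: descend */
            long r = der_find_coord(content, len, here, want, depth + 1, out, outsz);
            if (r != -1) return r;             /* found, or an error */
        }
        off += hdr + len;
    }
    return -1;
}

/* Constructed sample (not a real VOMS AC, just the shape on the slide):
 * SEQUENCE { SEQUENCE { OCTET STRING fqan }, INTEGER 5 }, 40 bytes. */
static size_t build_sample(unsigned char *buf, size_t bufsz)
{
    const char *fqan = "/EGEE/Role=NULL/Capability=NULL";
    size_t flen = strlen(fqan);                 /* 31 */
    size_t inner = 2 + flen;                    /* 33: the OCTET STRING TLV */
    size_t total = 2 + (2 + inner) + 3;         /* 40 */
    if (bufsz < total) return 0;
    unsigned char *q = buf;
    *q++ = 0x30; *q++ = (unsigned char)(2 + inner + 3); /* outer SEQUENCE, len 38 */
    *q++ = 0x30; *q++ = (unsigned char)inner;           /* inner SEQUENCE, len 33 */
    *q++ = 0x04; *q++ = (unsigned char)flen;            /* OCTET STRING, len 31 */
    memcpy(q, fqan, flen); q += flen;
    *q++ = 0x02; *q++ = 0x01; *q++ = 0x05;              /* INTEGER 5 */
    return (size_t)(q - buf);
}

/* Look one co-ordinate up in the sample; NUL-terminates 'out' on success. */
long sample_lookup(const char *coord, char *out, size_t outsz)
{
    unsigned char der[64];
    size_t n = build_sample(der, sizeof der);
    if (n == 0 || outsz == 0) return -2;
    long r = der_find_coord(der, n, "", coord, 0, (unsigned char *)out, outsz - 1);
    if (r >= 0) out[r] = '\0';
    return r;
}

int main(void)
{
    char fqan[64];
    long n = sample_lookup("-1-1-1", fqan, sizeof fqan);
    if (n >= 0) printf("co-ordinate -1-1-1: %s (%ld bytes)\n", fqan, n);
    return n >= 0 ? 0 : 1;
}
```

Looking up "-1-1-1" yields the FQAN, "-1-1" the 33-byte inner SEQUENCE, "-1-2" the INTEGER, and any co-ordinate that is not present returns -1; a second FQAN would simply appear as "-1-1-2", which is the "...-1, ...-2, ...-3" iteration the slide describes. The length check against the enclosing buffer is the part worth keeping in mind for a parser that runs inside Apache on attacker-supplied certificates.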

Next steps
● Documentation for web use of GridSite is reasonably good
● Need to match this with much better API and example config files for web services, delegation, VOMS usage etc
● Need to clarify API: what should be internal and what exposed to users of the library
● Other things already on the roadmap (suexec, OCSP support, XACML in EGEE version...)