3 May 2006 GridSite Andrew McNabwww.gridsite.org Web Services for Grids in Scripts and C using GridSite Andrew McNab University of Manchester

3 May 2006 GridSite Andrew McNabwww.gridsite.org Outline ● LCG/EGEE/gLite ● GridSite philosophy ● Components ● GridSite/Apache architecture ● Web Service support ● Delegation ● gsexec and GRACE

3 May 2006 GridSite Andrew McNabwww.gridsite.org LCG/EGEE/gLite This is GridSite's main user Developing and deploying grids for Particle Physics – At ~200 farms at university sites – In production with Monte Carlo simulation now – Must go into production with LHC data in 2007 Security based on proxy certificates + X.509/VOMS attribute certificates from application groups All middleware to be Web Services over HTTPS

3 May 2006 GridSite Andrew McNabwww.gridsite.org GridSite philosophy ● Aim to reuse as much as possible from mainstream Web and Web Services worlds – Applies both to software and standards – Reduces work needed and ongoing support overhead – We use Apache, OpenSSL, curl, gSOAP, libxml,... ● Aim for language neutrality on server side – We're coming from the Particle Physics world where C++/Perl/Python/C are the dominant languages – Allow use of Apache's CGI interface, mod_perl, etc

3 May 2006 GridSite Andrew McNabwww.gridsite.org Components ● libgridsite C/C++ toolkit provides utility functions – parse GSI Proxies and VOMS X.509 attribute certs – evaluate GACL and XACML access policies – generate new GSI Proxies ● mod_gridsite adds support for GSI Proxies, VOMS attributes, DN List groups, GACL/XAMCL policies and Onetime Passcodes to Apache – supplemented by gsexec setuid wrapper ● htcp, htls, htproxyput,... provide command line file tools

3 May 2006 GridSite Andrew McNabwww.gridsite.org Module architecture mod_ssl: plain HTTPS > env vars mod_gridsite: GACL access control + GACL > env vars mod_gridsite:.html headers and footers.shtml, mod_perl CGI, PHP CGI Web Services (gsexec) HTTP grst-admin.cgi: page editing, file upload, GACL editing etc. mod_gridsite: PUT, MOVE and DELETE Apache/GridSite mod_gridsite: GSI / VOMS OpenSSL callback wrappers

3 May 2006 GridSite Andrew McNabwww.gridsite.org File access options ● Web browser – View page/files/services on GridSite managed server ● Web browser + User's certificate – Upload/edit/delete of pages/files/scripts/executables ● htcp shell commands – scp/“ssh ls -l” access for Unix-based clients via HTTP(S) ● SlashGrid (“/grid”) – AFS-like access (“/grid/https/ – but requires Linux and local SlashGrid daemon

3 May 2006 GridSite Andrew McNabwww.gridsite.org Web Service support ● Apache “eco-system” already supports Web Services – gSOAP, SOAP-Lite etc ● GridSite adds security context via CGI environment – or systems like mod_perl which simulate CGI since our module has access to Apache internal data “upstream” ● Service authors are provided with users' credentials from proxies and VOMS ACs as environment variables ● Coarse-grained access control from XACML/GACL policy engine

3 May 2006 GridSite Andrew McNabwww.gridsite.org Delegation portType ● We also provide the C/C++ implementation of the GridSite/gLite Proxy Certificate delegation portType – Java implementation by other members of EGEE ● mod_gridsite + delegation CGI used by EGEE WMS – Apache/FastCGI; GridSite (security); gSOAP (WS) ● Delegated credentials stored in the filesystem (or SQL DB) ● Allows sharing between different CGI languages ● Unix permissions used to control which sessions / services / application owners can access proxies

3 May 2006 GridSite Andrew McNabwww.gridsite.org suexec and gsexec ● Apache has traditionally provided a wrapper to run CGIs as other Unix users: ● Start as root, process as apache, CGI as joeuser ● We've modified this to run CGI scripts and services as pool Unix users, similar to LCG/EGEE and NGS ● Either per-client: the certificate of the client program determines which pool user ● Or per-directory: all the CGIs in my directory run as the same pool user

3 May 2006 GridSite Andrew McNabwww.gridsite.org suexec / gsexec (2) ● This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege ● Different clients or service owners can't interfere with each other ● Access control is still via GACL/XACML policy files ● X.509, GSI Proxy, VOMS, DN List credentials ● Sites can now offer “third-party” service hosting ● Give a user or VO access to a privileged directory ● They deploy C/C++/Perl/Python CGI services remotely

3 May 2006 GridSite Andrew McNabwww.gridsite.org GRACE ● In adding support for Web Services to GridSite, we're offering non-Java ways of building service-orientated grids ● This provides another way of deploying Web Services – “GRACE” : GRidsite - Apache - CGI – Executables – Allows services to be written in any language – Can be deployed remotely – Deployment rights controlled by GACL/XACML policies – Different VOs/individuals are sandboxed via Unix UIDs

3 May 2006 GridSite Andrew McNabwww.gridsite.org More information ● org is the project website – Open Source (BSD), bug tracker, CVS etc ● Includes the new GridSiteWiki – Derived from MediaWiki but uses X.509 instead of usernames / passwords ● uk is the largest site using GridSite – and includes it's own Wiki, which is pulling in info ● You can also find GridSites at NGS, GOC, CERN, LCG, TCD.IE,... by searching for GridSite with Google

3 May 2006 GridSite Andrew McNabwww.gridsite.org Summary ● GridSite aims to reuse as much of the mainstream Web and Web Service world for grids ● Provides libgridsite Grid security toolkit for C/C++ ● mod_gridsite adds support for GSI Proxies, VOMS, GACL, XAMCL, and HTTP PUT,MOVE,DELETE to Apache ● Can provide the basis of secured Web Services for Grids as CGI programs ● GRACE model goes further, and supports third party service hosting and remote deployment of services