The GridSite Security System Andrew McNab and Shiv Kaushal University of Manchester

29 September 2004A.McNab – GridSite Outline ● What is GridSite? ● Components ● Philosophy ● Architecture ● Credential parsing ● GACL access policies ● HTTPS Downgrade ● Delegation ● SOAP/WS in GridSite

29 September 2004A.McNab – GridSite What is GridSite? ● GridSite has evolved from a set of website management tools, used by GridPP in ● It still provides some basic website tools ● Edit or upload files/pages via your web browser ● Create directories, manage access control etc ● However, our emphasis is now on adding grid security support to the industry-standard Apache webserver ● From 2001, GridSite recognised X.509 user certs in web browsers, so this has been a natural progression. ● We do all this in a modular way to help 3 rd parties.

29 September 2004A.McNab – GridSite GridSite Components ● Central component is libgridsite ● Provides reusable C/C++ functions ● Handles X.509/GSI/VOMS credentials ● Parses GACL(/XACML) policy files ● Provides some HTTP/HTML utilities ● mod_gridsite plugs into Apache 2.0 ● Uses libgridsite functions to add GSI/VOMS support ● And to allow fine grained access control with GACL ● grst-admin.cgi provides website management tools ● htcp command provides scp-like copies via HTTP(S)

29 September 2004A.McNab – GridSite Philosophy ● Re-use as much of Apache as possible ● Original gridsite.cgi filter became mod_gridsite ● Use standard config files, Apache internal settings etc ● Less work for us when Apache/OpenSSL vulnerabilities & patches are published ● Support dynamic content in any language ● via standalone CGIs or built-ins like mod_perl ● Keep generally useful machinery in a library ● Can be re-used by other server-side or even client tools ● Think about efficiency ● eg make sure HTTPS connection reuse isn't prevented

29 September 2004A.McNab – GridSite Architecture mod_ssl: plain HTTPS > env vars mod_gridsite: GACL access control + GACL > env vars mod_gridsite:.html headers and footers CGI, PHP,.shtml, mod_perl mod_jk: JSP with Tomcat HTTP Grst-admin.cgi: page editing, file upload, ACL editing etc. mod_gridsite: file PUT and DELETE GridSite 1.0.x mod_gridsite: GSI / VOMS OpenSSL callback wrappers

29 September 2004A.McNab – GridSite Credential Parsing ● Apache mod_ssl provides X.509 parsing and checking natively ● To support jobs or agents with GSI proxies, we need to deal with their “invalid” certificate chain ● This is done by intercepting OpenSSL callbacks ● Functions that understand GSI proxy chains are in libgridsite ● Valid proxies are treated like valid X.509 certs ● Normal mod_ssl environment variables are created ● If VOMS attribute certs are present, variables are exported downstream with their values too.

29 September 2004A.McNab – GridSite GACL access policies ● Apache has a simple access model based on IP number and username / password credentials. ● GridSite adds to this by being able to use GACL access policies for fine grained access control. ● GACL handling is done within libgridsite ● It's used outside Apache by some other LCG/EGEE components ● Read/write/execute/list/admin permissions can be granted according to X.509/GSI DN, VO DN Lists or VOMS attribute certificates. ● grst-admin.cgi provides a GUI editor for GACL files.

29 September 2004A.McNab – GridSite HTTPS Downgrade ● For large files, GridSite has an option to negotiate access via HTTPS and then do the transfer via HTTP. ● This is done using the standard HTTP redirect mechanism. ● Clients can suggest downgrade by making their HTTPS request with an HTTP-Downgrade-Size header ● If the file is bigger than the size given, the server may issue a redirect to an HTTP version of the file. ● HTTP authentication is done using a one-time passcode, returned over HTTPS as an HTTP cookie. ● Like HTTP, this is vulnerable to man-in-the-middle snooping ● But can't be used for replay attacks.

29 September 2004A.McNab – GridSite Delegation During EDG we produced a delegation-over-HTTPS extension to GridSite – (protocol implemented for Java by EDG WP2) EGEE JRA3 has agreed to support delegation via a web services Delegation portType – We've produced a prototype standalone delegation service. – Delegation handling functions being added to libgridsite for other services to use directly. – Will also add delegation support to mod_gridsite, by intercepting SOAP messages upstream.

29 September 2004A.McNab – GridSite SOAP in GridSite ● EGEE intention is to use “SOAP over HTTPS” first. ● Apache/GridSite provides a language-neutral Grid security aware container for C/C++/Perl/etc services. ● We expect many services to continue with transport level security because of large performance benefit of SSL/TLS session reuse. ● However, we also intend to add upstream SOAP parsing capability within mod_gridsite ● Initially to provide delegation support transparently ● As needed, we will add support for SOAP message level security handling within the web server.

29 September 2004A.McNab – GridSite Summary ● GridSite has grown from a set of tools use by a grid collaboration into a piece of grid middleware ● Aims to provide native support for Grid security credentials and policies within Apache web platform. ● And to provide reusable security tools for other systems. ● The architecture is deliberately chosen to simplify the operational aspects of running a GridSite service. ● Current work is focussing on support for Web Services running on Apache/GridSite in languages other than Java.