Security middleware
Andrew McNab, University of Manchester
6 July 2005

Outline
- GridSite features in gLite 1.2
- Some features in detail
  - HTTP Downgrade
  - Web service support
  - suexec and gsexec
- Secmon boxes
GridSite in gLite 1.2
- Up to date VOMS support
  - Attribute Certificates from gLite/LCG VOMS
- XML access policies written in GACL or XACML
  - File access / scripts / services controlled by X.509, GSI Proxy, VOMS AC, DN List credentials
- HTTP Downgrade
  - Authentication via HTTPS; bulk file copy via HTTP
- gsexec
  - Run scripts/services in Unix user sandboxes
HTTP Downgrade
- This is mostly code from last summer
  - Renewed interest in bulk HTTP, so we're revisiting it
- Idea is to offer similar functionality to GridFTP, but using standard HTTP(S) tools
- HTTPS control channel used for authentication
  - Returns a one-time passcode as a cookie
- HTTP GET or PUT request made with passcode
  - Similar to unencrypted GridFTP data channel
  - But with Apache performance benefits: sendfile() etc
HTTP Downgrade (2)
- Intend to add support for third-party copies
  - Use COPY method from RFC 2518 (WebDAV)
  - Passcode used to authenticate the remote leg of the copy
- Add HTTP header with client's estimate of Round Trip Time
  - Used by server to select correct TCP window size
- Work ongoing with networking (Richard Hughes-Jones etc) to demonstrate performance of HTTP on WANs
- Evangelise about this a bit more...
  - eg GridSite's htcp command now used by EGEE WMS
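The control-channel / data-channel split described on the two HTTP Downgrade slides, as an added example that is not GridSite's code: the HTTPS leg, having authenticated the client certificate, issues a random passcode bound to one method and one path, and the plain-HTTP leg redeems it exactly once before it expires. The class and function names, the cookie name GRIDHTTP_PASSCODE and the sample DN and path are assumptions made for this example; the real passcode format and lifetime are not stated on the slides.

```python
"""Added example (not GridSite's code): a one-time passcode store of the kind
the HTTP Downgrade scheme needs.  Cookie name, helper names and sample values
are assumptions for this example."""
import hashlib
import secrets
import time

COOKIE_NAME = "GRIDHTTP_PASSCODE"   # assumed cookie name


class PasscodeStore:
    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._issued = {}   # sha256(passcode) -> (dn, method, path, expiry)

    @staticmethod
    def _key(passcode):
        # Keep only a digest so a leaked store does not leak live passcodes.
        return hashlib.sha256(passcode.encode()).hexdigest()

    def issue(self, client_dn, method, path, now=None):
        """HTTPS control channel: the client has already authenticated with
        its certificate; bind a fresh random passcode to DN, method and path."""
        now = time.time() if now is None else now
        passcode = secrets.token_urlsafe(32)
        self._issued[self._key(passcode)] = (client_dn, method.upper(), path,
                                             now + self.ttl)
        return passcode

    def redeem(self, passcode, method, path, now=None):
        """HTTP data channel: accept the passcode once, only for the bound
        method and path, only before expiry.  Returns the DN or None.
        A mismatch also burns the passcode, so it cannot be retried."""
        now = time.time() if now is None else now
        entry = self._issued.pop(self._key(passcode), None)   # pop: single use
        if entry is None:
            return None
        dn, bound_method, bound_path, expiry = entry
        if now > expiry or bound_method != method.upper() or bound_path != path:
            return None
        return dn


def control_channel_response(store, client_dn, method, path):
    """Build the Set-Cookie header the HTTPS leg returns after TLS client auth."""
    passcode = store.issue(client_dn, method, path)
    return f"Set-Cookie: {COOKIE_NAME}={passcode}; Path={path}; HttpOnly"


def parse_cookie_header(header):
    """Extract the passcode from a 'Cookie: ...' request header on the HTTP leg."""
    if ":" not in header:
        return None
    for part in header.split(":", 1)[1].split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None


def data_channel_status(store, cookie_header, method, path):
    """Return the HTTP status the plain-HTTP leg answers with."""
    passcode = parse_cookie_header(cookie_header or "")
    if passcode is None:
        return 401
    return 200 if store.redeem(passcode, method, path) else 403


def demo():
    """Both legs of the exchange for one GET; the replay must be refused."""
    store = PasscodeStore(ttl_seconds=60)
    dn = "/C=UK/O=eScience/CN=alice"                       # constructed DN
    set_cookie = control_channel_response(store, dn, "GET", "/data/run42.root")
    # The client copies the cookie value into its plain-HTTP request.
    cookie = "Cookie: " + set_cookie.split(": ", 1)[1].split(";")[0]
    first = data_channel_status(store, cookie, "GET", "/data/run42.root")
    replay = data_channel_status(store, cookie, "GET", "/data/run42.root")
    return first, replay
```

Binding the passcode to the method and path is what stops a passcode minted for a GET being spent on a PUT to another file, and popping it on first use is what makes the unencrypted HTTP leg safe to replay-sniff; a third-party COPY would redeem its passcode on the remote leg in the same way.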
Web Service support
- GridSite architecture can provide security for Web Service tools like gSOAP, with CGI Web Services
- We also provide the C/C++ implementation of the EGEE / JRA3 Delegation portType
  - Java implementation by funded part of JRA3
- mod_gridsite + delegation CGI used by EGEE WMS:
  - Apache/FastCGI; GridSite (security); gSOAP (SOAP/WS)
- Delegated credentials stored in the filesystem
  - Allows sharing between different CGI languages
suexec and gsexec
- Apache has traditionally provided a wrapper to run CGIs as other Unix users:
  - Start as root, process as apache, CGI as joeuser
- We've modified this to run CGI scripts and services as pool Unix users
  - Either per-client: the cert in the browser determines which pool user
  - Or per-directory: all the CGIs in my directory run as the same pool user
suexec / gsexec (2)
- This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
  - Different clients or service owners can't interfere with each other
- Access control is still via GACL/XACML policy files
  - X.509, GSI Proxy, VOMS, DN List credentials
- We can now offer third-party hosting of services
  - Give a user or VO access to a privileged directory
  - They deploy their C/C++/Perl/Python services remotely
GRACE
- In adding support for Web Services to GridSite, we started to offer non-Java ways of building service-orientated grids
- We're now at the point where this is being taken up
- Clearly, this community has a big investment in languages other than Java
  - But many other scientists and admins do too
- So again, want to start evangelising about this model
- GRACE: GRidsite/Apache/CGI-scripts/Executables
SECMON boxes
- Had hoped to have SECMON box prototype ready for this meeting
  - Expect DVD images available in the next week or two
- Aim is to provide a simple-to-install security monitoring box that just sits in the corner of your machine room
- Sites don't need to install anything special on CE etc being monitored
- Remote administration / monitoring done by Tier-2/Tier-1 staff, but site retains root
SECMON design
- Want to keep things as simple as possible
- Unix syslog already provides almost all of what we need
  - Always installed
  - Logs from services/daemons and kernel (port scans etc)
  - Logging interfaces for scripts, C/C++ etc
- One line added to syslog.conf can direct the messages over the network to local SECMON box
- So we need to provide remote config tools and remote access to log files
secmon.conf
- All configuration in one place
  - All local choices can be recovered from this file
  - May want to freeze SECMON hard drive to use as evidence for the Police, so this may be important
- secmon.conf currently defines
  - firewall rules for syslogd, sshd and httpd
  - services to log (globus-gatekeeper etc)
  - X.509 DNs of people with different privilege levels
Implementation
- secmond runs as root
  - monitors secmon.conf for changes
  - updates config files as a result
  - filters syslog messages into log files according to service name (sshd, httpd, globus-gatekeeper etc)
- Admin CGI (secmon-admin.cgi) runs as user apache
  - manages secmon.conf
- RSS CGI (secmon-rss.cgi) runs as user apache
- All remote access controlled by GridSite/GACL policies
RSS Access
- RSS is widely used to allow clients to pull categorised, chronological data (like news headlines) out of webservers, in a programmatic way
- Well matched to transporting syslog-type alert messages
- secmon-rss.cgi queried by service name, severity and/or date range
  - Only pull out the level of detail we need
  - Seeks / bisects / reads log file directly to find messages
- Access control currently via X.509/GSI Proxy only
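The query side of the RSS access slide, as an added example that is not the SECMON code: a secmon-rss.cgi-style handler that takes service name, severity and date range from the query string, bisects a chronological log file to the requested window instead of scanning it all, filters by service and syslog severity, and renders the hits as RSS 2.0 items. The per-service log line layout (ISO timestamp, service, syslog severity, message), the query parameter names and the sample log lines are assumptions constructed for this example; the slides do not state the real file format.

```python
"""Added example (not the SECMON code): filtering a chronological syslog-derived
file by service, severity and date range, and answering as RSS 2.0.  The line
format, query parameter names and sample lines are constructed assumptions."""
from bisect import bisect_left, bisect_right
from datetime import datetime
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

# Syslog severities, most severe first; a threshold of "warning" keeps
# everything at index <= SEVERITIES.index("warning").
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample of what secmond might have written, in time order.
SAMPLE_LOG = """\
2005-07-06T08:59:40 sshd info Accepted publickey for alice from 10.0.0.5
2005-07-06T09:00:12 sshd warning Failed password for invalid user admin from 10.0.0.9
2005-07-06T09:00:15 sshd warning Failed password for invalid user admin from 10.0.0.9
2005-07-06T09:03:01 httpd notice mod_gridsite: GACL denied /C=UK/O=eScience/CN=bob
2005-07-06T09:05:44 globus-gatekeeper err authentication failed: unknown CA
2005-07-06T09:10:00 kernel warning possible SYN flood on port 443
"""


def parse_log(text):
    """Split each line into (timestamp, service, severity, message)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, service, severity, message = line.split(" ", 3)
            records.append((ts, service, severity, message))
    return records


def select_messages(records, service=None, severity=None, since=None, until=None):
    """Bisect to the [since, until] window (the file is chronological and ISO
    timestamps sort lexically), then filter by service and severity ceiling."""
    timestamps = [r[0] for r in records]
    lo = bisect_left(timestamps, since) if since else 0
    hi = bisect_right(timestamps, until) if until else len(records)
    max_level = SEVERITIES.index(severity) if severity else len(SEVERITIES)
    hits = []
    for ts, svc, sev, msg in records[lo:hi]:
        if service and svc != service:
            continue
        level = SEVERITIES.index(sev) if sev in SEVERITIES else len(SEVERITIES)
        if level > max_level:             # unknown severities count as least severe
            continue
        hits.append((ts, svc, sev, msg))
    return hits


def render_rss(records, title):
    """Render the selected records as an RSS 2.0 document string."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    ET.SubElement(channel, "description").text = "syslog alerts pulled from a SECMON box"
    for ts, service, severity, message in records:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = "%s %s" % (service, severity)
        ET.SubElement(item, "description").text = message
        ET.SubElement(item, "category").text = service
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        ET.SubElement(item, "pubDate").text = when.strftime("%a, %d %b %Y %H:%M:%S +0000")
    return ET.tostring(rss, encoding="unicode")


def answer_query(log_text, query_string):
    """What the CGI does with QUERY_STRING: parameters service, severity,
    since and until are assumed names for this example."""
    q = parse_qs(query_string)
    pick = lambda key: q.get(key, [None])[0]
    selected = select_messages(parse_log(log_text), pick("service"),
                               pick("severity"), pick("since"), pick("until"))
    return render_rss(selected, "SECMON alerts")
```

Because the timestamps sort lexically and the file is appended in order, the two bisections reach the requested window without reading the rest of the file, which is what lets the box serve only the detail a remote Tier-1/Tier-2 administrator asked for; building the XML with ElementTree rather than string concatenation keeps log text containing `<` or `&` from breaking the feed.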
Summary
- The current version of GridSite is part of the latest gLite release process
- We're providing a system which is used by other middleware, not just websites
- Non-Web Service tools from GridSite (htcp etc) are starting to be used too
- SECMON box prototype is almost ready