Security Middleware in GridPP2
5 Feb 2004

Security Middleware in GridPP2
- Current Status
  – GridSite
- GridPP2 Themes
  – libgridsite toolkit
  – Lightweight VOs
  – “Grid Home Directory”
  – SlashGrid
- Dissemination and Interoperation
  – eSecurity Centre, “”, XACML/SAML

Current Status
- GridSite released on 14 December
  – In production on
- Includes
  – libgridsite: Grid ACL access control + HTTP / X.509 / GSI / VOMS utilities
  – gridsite-admin.cgi: user editing of pages, groups etc
  – mod_gridsite: support for GACL / GSI / VOMS in Apache 2.0
  – (No longer need patched mod_ssl to support GSI)
- “Toolkit” approach works with other tools (eg PHP)

New fileserver features
- One of the aims of the GridSite modular architecture is better fileserver functionality
- With mod_gridsite installed, can now
  – Do HTTP(S) GET/PUT/DELETE and directory listings without a CGI binary
  – So no context switch from server to CGI
  – Full support for GACL access control built in
- htcp command line tool vs globus-url-copy, scp etc
  – htcp uses HTTP(S) servers and GSI [VOMS etc]
  – multistream HTTP being added to htcp client

Current Users
- Various web/VO sites:
  – ManHEP, MCC, GOC, Grid Ireland
  – VOs: BaBar plus MICE, CALICE, DESY (experimental)
  – BaBarGrid experimenting with GridSite and gsub
- Three pieces of EDG middleware can use the GACL component (not all deployed)
  – LCAS: GACL control of gatekeeper access
  – WP1 Logging and Bookkeeping
  – Storage Element
- NorduGrid GridFTP server now supports GACL

GridPP2 Themes
- GridPP2 bidding process resulted in
  – 2.5 Middleware posts
  – 0.5 VO operations
  – 1.0 LCG co-ordination
- The Middleware/VO Ops area has 4 main themes
  – libgridsite toolkit (from GACL C to XACML C, C++, Java, ...?)
  – Lightweight VOs
  – “Grid Home Directory”
  – SlashGrid

libgridsite toolkit
- Core functions of GridSite pulled out into a library
- Currently only C and C-to-C++ API
  – Will provide Java and OO C++ API
- Part of the rationale for the original libgacl was to insulate us from Policy Language developments
- XACML from the WS community is likely to become endorsed by GGF etc
  – We aim to provide a smooth transition (no change?) for users of the API
- More functionality to be added: parallel HTTP etc.

Lightweight VOs
- GridSite supports lightweight VO management
  – eg the groups published from
- This implements the GACL concept of a “DN List”
  – A list of certificate names, identified by an HTTPS, voms-httpd or LDAP URL.
- “Lightweight” = they're stored as plain text files
  – Easy to edit, populate from scripts etc
  – Not meant to compete with VOMS/VOX etc databases
  – (But we do have a gateway to produce VOMS certs)
- Aim to support small VOs, individuals, HEP groups etc

“Grid Home Directory”
- This is more a concept than a specific technology
- BaBarGrid requirements suggest people will want access to filespace they own during running jobs
- Various ways of doing this:
  – GridFTP server
  – AFS + gsiklog
  – htcp or browser + GridSite server
- But getting things to interoperate is largely a security problem
- Provide glue code + recipes for tying these together

SlashGrid
- Have now got funding to move this beyond prototype and demonstration stage!
- Aim to provide a way of making “things” available via the filesystem
  – Remote files, via standard HTTP(S), GridFTP etc
  – Dynamic filesystem areas (logical to physical names; sandboxes; on-demand environments)
- Do this through a daemon to kernel connector
  – Loopback NFS for portability/kernel independence
- Also want to interoperate with NFSv4 + GSI

Dissemination
- GridSite and Security Middleware are readily applicable to other projects
  – All projects need a website
  – All projects need security (write access control if nothing else)
- We're talking to other projects which are interested in using GridPP security middleware
  – In particular, the existing PPARC/MRC distributed cancer analysis project at Dundee/Manchester.
- Other possibilities in the pipeline...

eSecurity Centre
- Joint project between
  – Manchester HEP
  – Manchester Computer Science
  – e-Science North West
  – Salford Computer Science
  – (Roughly equal to UK GGF Authorization involvement)
- Aim to promote communication and use of standards-based security tools in UK e-Science, LCG/EGEE, JISC-funded academia, NHS etc.
  – Eg aim to add support for Salford's PERMIS to GridSite, alongside existing VOMS support

“”
- Shorthand for making GridSite an Open Source project, with external involvement
- We noticed that most of the users installed the software without first asking for help/support
- We're trying to encourage this:
  – Source and binary distributions
  – User, Admin, Install guides, man pages etc
  – Publicly available CVS + Bugtrack (thanks to EDG and now LCG Savannah)
  – Public announcement and discussion mailing lists
  – Pointers to free/cheap/lightweight X.509 CAs

Interoperation
- Already mentioned PERMIS in parallel with VOMS
  – Attribute certificate format of these now converging
- Other protocols are also around
  – SAML for asking external servers questions like “can the user do this?”
  – XACML as a policy language like GACL
- We want to support these for the usual reasons
  – Avoid duplication of effort by using external tools
  – Want other systems to use our stuff
  – Sites don't want to run multiple incompatible services

Authorization Architecture
[Diagram: the components below and the flows between them]
- Policy Enforcement Point (libgridsite)
- Policy Decision Point (PERMIS, LCAS + libgridsite + GACL or XACML)
- User Attribute Authority (VOMS, CAS, PERMIS, GridSite VO)
- Resource, with an internal PDP
- Flows labelled: Request => / <= Results; VOMS etc; GSI [+ VOMS etc]; SAML; HTTPS, voms-httpd, VO LDAP
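The DN-list credential from the Lightweight VOs slide and the PEP/PDP split on this slide, as an added Python illustration (not GridSite's or libgridsite's own code): a small policy decision point that evaluates a GACL-style ACL whose entries are matched by person DN or by membership of a DN list. The element names follow the GACL convention as assumed here, the "allow entries are unioned, deny overrides" rule is likewise assumed, and the DN-list URL, DNs and ACL are constructed; real libgridsite fetches the list from its HTTPS/LDAP URL, replaced here by an embedded plain-text table.

```python
"""Simplified GACL-style policy decision point (constructed illustration).
Assumed: element names follow the GACL convention (entry, person/dn,
dn-list/url, any-user, allow, deny) and denials override allows. DN lists
are embedded plain text standing in for the HTTPS/LDAP-published files."""
import xml.etree.ElementTree as ET

# Constructed DN lists keyed by the URL that would identify them (one DN per line).
DN_LISTS = {
    "https://vo.example.org/dnlists/mice":
        "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice example\n"
        "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=bob example\n",
}

# Constructed ACL: list members may read/list, alice may also write,
# bob is explicitly denied read (the deny overrides the list's allow).
ACL = """<gacl>
  <entry><dn-list><url>https://vo.example.org/dnlists/mice</url></dn-list>
         <allow><read/><list/></allow></entry>
  <entry><person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice example</dn></person>
         <allow><write/></allow></entry>
  <entry><person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=bob example</dn></person>
         <deny><read/></deny></entry>
</gacl>"""


def dn_in_list(user_dn, url):
    """Exact-match membership test against a plain-text DN list."""
    text = DN_LISTS.get(url, "")  # unknown URL => empty list, never a match
    return user_dn in {line.strip() for line in text.splitlines() if line.strip()}


def entry_matches(entry, user_dn):
    """An entry applies when any of its credential elements matches the caller."""
    if entry.find("any-user") is not None:
        return True
    if any(p.findtext("dn") == user_dn for p in entry.findall("person")):
        return True
    return any(dn_in_list(user_dn, d.findtext("url")) for d in entry.findall("dn-list"))


def decide(acl_xml, user_dn):
    """Return the set of permissions granted to user_dn: union of allows minus denies."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(acl_xml).findall("entry"):
        if not entry_matches(entry, user_dn):
            continue
        allowed.update(p.tag for p in entry.findall("allow/*"))
        denied.update(p.tag for p in entry.findall("deny/*"))
    return allowed - denied
```

A PEP such as mod_gridsite would call decide() with the DN taken from the client certificate and then grant only the HTTP methods that map onto the returned permissions.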

Summary
- GridPP1 security middleware in (increasing) use
- Funding now available to expand this
  – (subject to final agreement of deliverables)
- Aim to provide reusable components and documented off-the-shelf implementations
- Most of the GridPP2 deliverables provide missing pieces of the authorization machinery
- Also looking outside GridPP for additional funding to apply HEP security tools to medical use, general academic infrastructure etc.