Grid Security in a production environment: 4 years of running www.gridpp.ac.uk Andrew McNab University of Manchester.

Presentation transcript:

Grid Security in a production environment: 4 years of running www.gridpp.ac.uk. Andrew McNab, University of Manchester

1 September 2004, Grid Security in a production environment

Outline
● About GridPP
● Using X.509
● Grid ACLs + Groups
● GridSite Philosophy
● Experience => design
● Web services
● Security toolkit

About GridPP
● GridPP is a collaboration of ~100 particle physicists, engineers and computer scientists
● 15 UK sites + CERN
● GridSite software was developed to manage www.gridpp.ac.uk
● Allows users to edit or upload pages etc.
● Security is key to this...

Using X.509
● Every member of GridPP has an X.509 certificate
– Originally from UK HEP CA, now UK e-Science CA
● We've used this to control read and write access
– Don't have to type passwords once cert is loaded
– Works with all credible browsers
– Some areas of the site, eg portals, give access to grid resources based on X.509 themselves
● Users can edit HTML in their browser window
● Can upload HTML, images etc from their browser
● Manage ACLs and groups through a web GUI

Grid ACLs + Groups
● GridSite uses an XML access control language (GACL) to define read, write, list, admin permissions for files, directories and scripts
– policies can use X.509/GSI certs, signed VOMS attribute certs (for Authz Push) or “DN List” groups (for Authz Pull)
– right to edit an ACL can itself be delegated
● DN Lists are identified by a URI and consist of a list of X.509 subjects
– via LDAP(S) / HTTP(S) from Authz servers elsewhere (including from EDG/LCG/EGEE VO-LDAP or VOMS)
– or from locally managed DN Lists
– possibly with administration delegated to a subgroup manager
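Evaluating a GACL-style policy of the kind described above, as an added example rather than GridSite's own code: it uses a simplified GACL-like XML schema (an assumption, not the exact GridSite format), a constructed ACL, and in-memory DN lists standing in for the LDAP(S)/HTTP(S) fetch from an Authz server, and it assumes the VOMS attribute certificate behind any pushed FQAN has already been signature-checked.

```python
import xml.etree.ElementTree as ET

PERMISSIONS = {"read", "list", "write", "admin"}

# Constructed sample ACL in a simplified GACL-like schema (an assumption, not
# GridSite's exact format): one <entry> per credential pattern, each with
# <allow>/<deny> children naming permissions.
SAMPLE_ACL = """<gacl>
  <entry><person><dn>/C=UK/O=eScience/OU=Manchester/CN=site admin</dn></person>
         <allow><read/><list/><write/><admin/></allow></entry>
  <entry><dn-list><url>https://authz.example.org/dnlists/editors</url></dn-list>
         <allow><read/><list/><write/></allow></entry>
  <entry><voms><fqan>/gridpp/Role=NULL</fqan></voms>
         <allow><read/><list/></allow></entry>
  <entry><person><dn>/C=UK/O=eScience/OU=Manchester/CN=former editor</dn></person>
         <deny><write/></deny></entry>
</gacl>"""

# Constructed stand-in for DN lists that GridSite would pull from an authz
# server over HTTP(S) or LDAP(S), keyed by the URI that identifies each list.
DN_LISTS = {
    "https://authz.example.org/dnlists/editors": {
        "/C=UK/O=eScience/OU=Manchester/CN=alice",
        "/C=UK/O=eScience/OU=Manchester/CN=former editor",
    },
}

def _text(elem):
    return (elem.text or "").strip()

def entry_matches(entry, dn, fqans, dn_lists):
    """True if any credential element of this <entry> matches the requester."""
    if any(_text(e) == dn for e in entry.findall("person/dn")):
        return True
    # Pull model: membership is looked up in the list behind the URI.
    if any(dn in dn_lists.get(_text(e), set()) for e in entry.findall("dn-list/url")):
        return True
    # Push model: FQANs come from a VOMS attribute cert that the server is
    # assumed to have signature-checked before this policy code runs.
    return any(_text(e) in fqans for e in entry.findall("voms/fqan"))

def effective_permissions(acl_xml, dn, fqans=(), dn_lists=None):
    """Union of <allow> over matching entries minus union of <deny>, so one
    deny entry overrides every allow of that permission (assumed semantics)."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(acl_xml).findall("entry"):
        if entry_matches(entry, dn, set(fqans), dn_lists or {}):
            allowed |= {p.tag for p in entry.findall("allow/*")} & PERMISSIONS
            denied |= {p.tag for p in entry.findall("deny/*")} & PERMISSIONS
    return allowed - denied
```

The "former editor" case shows why a deny entry matters: the DN is still present in the pulled DN list, yet the local ACL removes write without waiting for the remote list to be updated.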

GridSite Philosophy
● Re-use as much of Apache as possible
– Original gridsite.cgi becomes mod_gridsite
– use standard config files, Apache internal settings etc
– less work for us when Apache/OpenSSL vulnerabilities & patches are published
● Support dynamic content in any language
– via standalone CGIs or built-ins like mod_perl
● Keep generally useful machinery in a library
– can be re-used by other server-side or even client tools
● Think about efficiency
– eg make sure HTTPS connection reuse isn't prevented

Example of experience driving architecture
● GSI proxy support had 3 stages of evolution
● 1: maximal mod_ssl-GSI
– Mike Jones' original patched version of mod_ssl
– Only one file to install
– but patching has to be redone every time mainstream mod_ssl changes
● 2: minimal mod_ssl-GSI/libgridsite
– Move GSI handling into the library
– Simplify patching to mod_ssl (down to a few lines)
● 3: remap SSL callbacks at runtime from mod_gridsite
– mod_ssl not modified: just use vendor (re)releases

Non-Java WS hosting
● Most Web Services attention goes on Java
– However, like many other application areas, Particle Physics has a continued (and growing!) investment in C++ code, applications in the form of native binaries and scripting languages as glue.
● Most of the web is based on the same Apache httpd tradition GridSite builds on
– For CGI binaries, Perl Scripts, PHP pages etc, Apache is the equivalent of a Java servlet container like Tomcat.
● EGEE is starting with SOAP over SSL/TLS
– GridSite's current “GSI/HTTPS” support provides a hosting environment for exactly this kind of architecture...

Libgridsite toolkit
● Core functions of GridSite pulled out into a library
– Currently only C and C-to-C++ API, but adding scripting languages (Perl etc)
● More functionality to be added
– eg library version of parallel HTTP etc from htcp command line tool
– more credential types? CAS? Permis? Passwords?
● Aim to provide a general C/C++ Grid Security toolkit, for both client and server side implementations
● Previous versions already in use by EDG, LHC Computing Grid and EGEE.

For more details...
● See www.gridpp.ac.uk for the website in action
● And www.gridsite.org for more about the GridSite software itself