Slide 1
Andrew McNab - GridPP Security - 24 Feb 2003
GridPP Security Middleware
Andrew McNab, University of Manchester
mcnab@hep.man.ac.uk
Slide 2: Overview (GridPP / EDG / WP6)
Concentrating on GridPP-produced middleware:
* Pool Accounts
* SlashGrid
* VO Servers
* GridSite 0.3
* GACL
* Delegation over HTTPS
* GridSite 0.9
* What's missing?
Slide 3: Pool Accounts
* One of the first questions/problems we had with "Testbed 0" in 2000 was account creation/management:
  - the grid-mapfile has to be populated with lists of certificate names;
  - 1 cert mapped to 1 static account, or N certs mapped to 1 account.
* The Pool Accounts patch adds a third alternative to Globus grid-mapfile handling:
  - each cert is mapped to one of a pool of accounts;
  - pool accounts are leased at request time.
* This has considerably simplified site administration:
  - now used by almost all EDG Testbed sites.
* Included in the EDG Globus and now the VDT Globus distributions.
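The leasing step on this slide, as an added example written for this page rather than the EDG/Globus patch itself. It assumes a mechanism the slide does not spell out: a grid-mapfile entry whose target begins with "." names a pool (`"/O=Grid/CN=Andrew" .babar`), a "gridmapdir" holds one empty file per pool account, and a lease is a hard link to that file named after the URL-encoded DN. The names `gridmapdir`, `lease_name` and the sample accounts `babar001`/`babar002` are constructed for the example.

```python
"""Pool-account leasing (added example, not the EDG/Globus patch).

Assumed mechanism, labelled as such: the grid-mapfile maps a certificate name
either to a static account or, with a leading ".", to a pool:
    "/O=Grid/CN=Andrew" .babar
A gridmapdir holds one empty file per pool account (babar001, babar002, ...).
A lease is a hard link to that file named after the URL-encoded DN, so an
account whose link count is 1 is free; link() is atomic, which is what stops
two gatekeepers handing the same account to two different certificates.
"""
import os
import re
import tempfile
import urllib.parse

MAPLINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<target>\S+)\s*$')

def parse_gridmapfile(text):
    """Return [(dn, target)]; target is an account name or ".pool"."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MAPLINE.match(line)
        if not m:
            raise ValueError("malformed grid-mapfile line: %r" % line)
        entries.append((m.group("dn"), m.group("target")))
    return entries

def lease_name(dn):
    """Lease file name: the DN with every unsafe character %-escaped."""
    return urllib.parse.quote(dn, safe="")

def lease_account(gridmapdir, dn, pool):
    """Return the pool account held by dn, leasing a free one if needed."""
    lease = os.path.join(gridmapdir, lease_name(dn))
    if os.path.exists(lease):
        # Existing lease: the account file is the one sharing its inode.
        ino = os.stat(lease).st_ino
        for name in os.listdir(gridmapdir):
            if name.startswith(pool) and os.stat(os.path.join(gridmapdir, name)).st_ino == ino:
                return name
        raise RuntimeError("dangling lease for %s" % dn)
    for name in sorted(os.listdir(gridmapdir)):
        path = os.path.join(gridmapdir, name)
        if not name.startswith(pool) or os.stat(path).st_nlink != 1:
            continue  # not in this pool, or already leased
        try:
            os.link(path, lease)  # atomic claim; fails cleanly if another gatekeeper won
        except FileExistsError:
            return lease_account(gridmapdir, dn, pool)  # a lease for dn appeared meanwhile
        return name
    return None  # pool exhausted: the request must be refused, never shared

def map_user(gridmap_text, gridmapdir, dn):
    """grid-mapfile lookup with pool accounts as the third mapping style."""
    for entry_dn, target in parse_gridmapfile(gridmap_text):
        if entry_dn == dn:
            if target.startswith("."):
                return lease_account(gridmapdir, dn, target[1:])
            return target  # classic static mapping
    return None  # not in the grid-mapfile: reject

def demo():
    """Constructed scenario: two pool accounts, three certificates wanting them."""
    gridmap = "\n".join([
        "# constructed sample grid-mapfile",
        '"/O=Grid/CN=Andrew" .babar',
        '"/O=Grid/CN=Bob" .babar',
        '"/O=Grid/CN=Carol" .babar',
        '"/O=Grid/CN=Admin" gridadmin',
    ])
    gridmapdir = tempfile.mkdtemp()
    for account in ("babar001", "babar002"):
        open(os.path.join(gridmapdir, account), "w").close()
    dns = ["/O=Grid/CN=Andrew", "/O=Grid/CN=Bob", "/O=Grid/CN=Carol",
           "/O=Grid/CN=Andrew", "/O=Grid/CN=Admin", "/O=Grid/CN=Eve"]
    return [map_user(gridmap, gridmapdir, dn) for dn in dns]

if __name__ == "__main__":
    print(demo())
```

Carol gets `None` rather than a shared account when the pool is exhausted, and Andrew's second request returns the account he already holds; a third mapping that silently doubled up identities on one UID would undo the accountability the pool was introduced for.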
Slide 4: SlashGrid
* With pool accounts, files are owned by a specific UID.
* But UIDs have no long-term meaning in a Grid context.
* SlashGrid allows you to make filesystems where files are controlled/owned by Grid identities, not UIDs.
  - Grid ACLs are used, with cert names, VO groups etc.
* The certfs filesystem provides robust, fast, local or NFS-shared disk access, with access controlled by a Grid ACL.
* The system also allows you to build other filesystems:
  - curlfs demonstrates authenticated access to remote HTTP(S) servers: "ls -l /grid/https/www.gridpp.ac.uk/authz/gridsite/"
Slide 5: SlashGrid architecture (diagram)
Diagram: a standard Unix user process calls open(), read(), write() and stat() on files under /grid/..., which appears as an ordinary directory. The kernel hands open() and stat() on /grid/... to SlashGrid (via /dev/cfs0), which resolves them against a real (ext2) disk under /var/spool/slashgrid/grid; read() and write() then go to that disk.
Slide 6: VO Servers
* Pool accounts make it easier to manage local accounts.
  - The VO Server is the other half: it makes management of the grid-mapfile easier.
* EDG VO servers use LDAP to publish lists of certificate subject names, per VO or per subgroup of a VO.
* mkgridmap is used to pull lists from the VO servers and make the grid-mapfile.
* Original implementations and API from INFN.
* To provide management via the web, the same API is used to publish groups managed via GridSite.
  - Used for the GridPP Testbed and BaBar VOs.
Slide 7: GridSite
* GridSite grew out of www.gridpp.ac.uk management.
* Added HTTPS authenticated browsing:
  - first for page editing and file upload;
  - then management of per-directory ACLs;
  - then management of groups (=> VO server).
* Currently at 0.3 on GridPP and ETF/Level 2 Grid sites.
* Up to this point, GridSite is basically a monolithic website management system, intended for use by humans, maintaining files to be read by humans.
Slide 8: GACL
* GridSite and SlashGrid both needed Grid Access Control Lists.
* A straightforward XML ACL format was adopted for this:
  - e.g. an entry for the certificate name /O=Grid/CN=Andrew
* Can also reference VO groups and subgroups, and other/future credentials (VOMS, CAS etc).
* libgacl provides a C/C++ API for manipulating ACLs:
  - now being used by the new SE, as well as by SlashGrid and GridSite.
Slide 9: GACL vs VOMS (vs CAS)
* VOMS is EDG's replacement for the LDAP VO servers:
  - issues signed attribute certificates which the user includes in GSI proxy extensions;
  - the VO must define a VO-level policy of which users are allowed which attributes (e.g. "Monte Carlo generation admin");
  - servers parse these extensions and apply them "somehow".
* GACL allows sites to define local policy:
  - how VO credentials map on to local resources: disk files, queues etc.
  - This is in contrast to the Globus CAS model, where the VO's CAS server provides all the policy centrally.
  - (But we aim to understand CAS credentials in GACL too.)
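How a site-local GACL turns certificate names and VO group credentials into permissions, serving both the GACL slide and the GACL-vs-VOMS slide above. This is an added example written for this page, not libgacl. The element names follow the GridSite GACL format (`<gacl>`, `<entry>`, `<person><dn>`, `<voms><fqan>`, `<any-user/>`, `<allow>`, `<deny>`, `<read/>`, `<list/>`, `<write/>`, `<admin/>`); the evaluation rule (all credentials in an entry must match, allows from matching entries are OR-ed, any matching deny wins) and the rule that a VO group entry also matches its subgroups are this example's own choices, and the sample ACL is constructed.

```python
"""GACL evaluation (added example, not libgacl code)."""
import xml.etree.ElementTree as ET

PERMS = ("read", "list", "write", "admin")

# Constructed sample ACL: the slide's example DN with full rights, a VO
# subgroup with read/list, a read-only default for everyone, and an explicit
# deny for one revoked identity.
SAMPLE_ACL = """\
<gacl version="0.0.1">
  <entry><person><dn>/O=Grid/CN=Andrew</dn></person>
         <allow><read/><list/><write/><admin/></allow></entry>
  <entry><voms><fqan>/babar/mc</fqan></voms>
         <allow><read/><list/></allow></entry>
  <entry><any-user/><allow><read/></allow></entry>
  <entry><person><dn>/O=Grid/CN=Mallory</dn></person>
         <deny><read/></deny></entry>
</gacl>
"""

def parse_gacl(text):
    """Return [(credentials, allow, deny)]; reject anything not understood."""
    root = ET.fromstring(text)
    if root.tag != "gacl":
        raise ValueError("not a GACL document")
    entries = []
    for entry in root.findall("entry"):
        creds, allow, deny = [], set(), set()
        for child in entry:
            if child.tag in ("allow", "deny"):
                perms = {p.tag for p in child}
                if not perms <= set(PERMS):
                    raise ValueError("unknown permission in <%s>" % child.tag)
                (allow if child.tag == "allow" else deny).update(perms)
            elif child.tag == "any-user":
                creds.append(("any-user", None))
            elif child.tag == "person":
                creds.append(("dn", (child.findtext("dn") or "").strip()))
            elif child.tag == "voms":
                creds.append(("fqan", (child.findtext("fqan") or "").strip()))
            else:
                # Fail closed: an unrecognised credential type (e.g. a future
                # CAS element) must neither silently match nor silently vanish.
                raise ValueError("unknown credential type <%s>" % child.tag)
        if not creds:
            raise ValueError("entry with no credential")
        entries.append((creds, frozenset(allow), frozenset(deny)))
    return entries

def _matches(cred, user_dn, user_fqans):
    kind, value = cred
    if kind == "any-user":
        return True
    if kind == "dn":
        return value == user_dn
    # VO group: exact match, or the user's FQAN lies in a subgroup of it
    # ("/babar/mc" matches "/babar/mc/prod" but not "/babar/mcx").
    prefix = value.rstrip("/") + "/"
    return any(f == value or f.startswith(prefix) for f in user_fqans)

def permissions(entries, user_dn, user_fqans=()):
    """All credentials of an entry must match; allows OR together; deny wins."""
    allowed, denied = set(), set()
    for creds, allow, deny in entries:
        if all(_matches(c, user_dn, user_fqans) for c in creds):
            allowed |= allow
            denied |= deny
    return frozenset(allowed - denied)

def check(user_dn, user_fqans=()):
    """Sorted permission names for one user against SAMPLE_ACL."""
    return sorted(permissions(parse_gacl(SAMPLE_ACL), user_dn, user_fqans))

if __name__ == "__main__":
    for dn, fqans in [("/O=Grid/CN=Andrew", ()),
                      ("/O=Grid/CN=Bob", ("/babar/mc/prod",)),
                      ("/O=Grid/CN=Bob", ("/babar/mcx",)),
                      ("/O=Grid/CN=Mallory", ())]:
        print(dn, fqans, "->", check(dn, fqans))
```

The VOMS attributes arrive with the request (in the proxy's extensions on the real server); the ACL is the site's own file, which is the GACL-versus-CAS point on the slide: the VO says who holds `/babar/mc`, the site says what `/babar/mc` may do to this directory. Mallory's result shows why the deny rule matters: the `<any-user/>` entry still matches her, but the explicit deny removes the read it would have granted.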
Slide 10: Delegation
* Delegation is one of the major things the Grid adds to the Web:
  - essential for the kinds of multi-component Testbeds (UI -> RB -> CE -> SE) we are running / will need.
* However, delegation isn't present in standard HTTPS:
  - e.g. for the GridPP BaBarGrid job submission demo, GSI proxies had to be uploaded to the website manually.
* The G-HTTP(S) proposal adds methods/headers to HTTP to allow delegation:
  - webservers can prove the user's identity to third parties: submit jobs, get AFS tokens, do restricted queries, get files and cache them, do third-party transfers.
Slide 11: G-HTTP(S) implementation
* grst-proxy.cgi has an example G-HTTP(S) implementation:
  - GET-PROXY-REQ and PUT-PROXY-CERT methods for delegation;
  - the Delegation-ID header allows you to make use of the delegated credentials in other, normal web requests;
    - grst-proxy-put command line tool (~ grid-proxy-init);
  - COPY between a remote HTTPS host and the webserver using the delegated proxy;
    - works with any client that lets you specify methods and headers;
  - the real work for the above is done by functions in libgridsite, built directly on OpenSSL: a C/C++ API to appear.
* With this in place HTTPS has the key functionality of GridFTP:
  - multistream HTTP/HTTPS is implicitly defined by RFC 2616 (parallel Range requests).
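The certificate work behind the GET-PROXY-REQ / PUT-PROXY-CERT exchange on the two delegation slides, as an added example written for this page. It is not grst-proxy.cgi or libgridsite code: the same steps are done in-process with the Python `cryptography` package, the HTTP transport is left out, and a dict keyed by Delegation-ID stands in for the server's state. Assumed, not stated on the slides: legacy GSI proxy naming (the user's subject plus CN=proxy), a self-signed stand-in CA and user certificate generated here, and the set of checks the server applies before accepting the returned chain.

```python
"""GET-PROXY-REQ / PUT-PROXY-CERT delegation (added example, not GridSite code).
Assumed: legacy GSI proxy naming (user subject + CN=proxy), stand-in CA and
user certificate made here, Delegation-ID modelled as a dict key."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

ONE_DAY = datetime.timedelta(days=1)

def _name(cn, org="Grid"):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _proxy_name(user_subject):
    # Legacy GSI rule: the proxy's subject is the user's subject plus CN=proxy.
    return x509.Name(list(user_subject) + [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])

def _issue(subject, pubkey, issuer_name, issuer_key, lifetime):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + lifetime).sign(issuer_key, hashes.SHA256()))

def _signed_by(cert, issuer):
    """True if cert's signature verifies under the issuer's RSA public key."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def _load_chain(pem):
    end = b"-----END CERTIFICATE-----"
    return [x509.load_pem_x509_certificate(part + end)
            for part in pem.split(end) if b"BEGIN CERTIFICATE" in part]

class DelegationServer:
    def __init__(self, ca_cert):
        self.ca_cert = ca_cert
        self.pending = {}      # Delegation-ID -> private key awaiting its proxy cert
        self.credentials = {}  # Delegation-ID -> (chain, key): usable in later requests

    def get_proxy_req(self, delegation_id, user_subject):
        """GET-PROXY-REQ: make a key that never leaves the server; return a CSR for it."""
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.pending[delegation_id] = key
        csr = x509.CertificateSigningRequestBuilder().subject_name(
            _proxy_name(user_subject)).sign(key, hashes.SHA256())
        return csr.public_bytes(serialization.Encoding.PEM)

    def put_proxy_cert(self, delegation_id, chain_pem):
        """PUT-PROXY-CERT: accept [proxy, user cert] only if every link checks out."""
        key = self.pending.get(delegation_id)
        certs = _load_chain(chain_pem)
        if key is None or len(certs) < 2:
            return False  # unknown/used Delegation-ID, or no chain to check
        proxy, user = certs[0], certs[1]
        ok = (
            # the proxy carries exactly the public key generated for this ID
            proxy.public_key().public_numbers() == key.public_key().public_numbers()
            # the user certificate was issued by a CA this server trusts
            and user.issuer == self.ca_cert.subject and _signed_by(user, self.ca_cert)
            # the proxy really was signed by that user, and names only that user
            and proxy.issuer == user.subject and _signed_by(proxy, user)
            and proxy.subject == _proxy_name(user.subject)
        )
        if ok:
            self.credentials[delegation_id] = (certs, self.pending.pop(delegation_id))
        return ok

def client_sign_proxy(csr_pem, user_cert, user_key, lifetime=datetime.timedelta(hours=12)):
    """Client half (what grst-proxy-put does): sign the server's CSR with the user's key."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid")
    proxy = _issue(csr.subject, csr.public_key(), user_cert.subject, user_key, lifetime)
    return (proxy.public_bytes(serialization.Encoding.PEM)
            + user_cert.public_bytes(serialization.Encoding.PEM))

def make_stand_ins():
    """Constructed fixtures: a self-signed CA and the user cert it issued."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = _issue(_name("Test CA"), ca_key.public_key(), _name("Test CA"), ca_key, 2 * ONE_DAY)
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user = _issue(_name("Andrew"), user_key.public_key(), ca.subject, ca_key, ONE_DAY)
    return ca, user, user_key

def delegation_roundtrip():
    """Returns (accepted, replayed_under_other_id): expected (True, False)."""
    ca, user, user_key = make_stand_ins()
    server = DelegationServer(ca)
    chain = client_sign_proxy(server.get_proxy_req("1234", user.subject), user, user_key)
    accepted = server.put_proxy_cert("1234", chain)
    server.get_proxy_req("5678", user.subject)  # a different request, different key
    replayed = server.put_proxy_cert("5678", chain)
    return accepted, replayed
```

The property that makes this safe to run over plain HTTPS is visible in `get_proxy_req`: the private key of the proxy is generated on the server and only the CSR crosses the wire, so nothing the client sends can leak the user's long-term key, and the user's signature on the proxy is what the server later presents to third parties (the CE, the SE, the remote host of a COPY). The replayed case shows why the server must tie the returned certificate to the key it generated for that Delegation-ID rather than accept any chain that verifies.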
Slide 12: GridSite 0.3 / fileGridSite => GridSite 0.9
* GridSite 0.3 manages access to websites:
  - users and admins load their GSI cert + key into unmodified web browsers.
* We produced a standalone demonstration of an HTTPS fileserver using GridSite components: fileGridSite.
* In both, ACLs control read and write access to files and directories:
  - write access either by HTML forms (interactive) or HTTP PUT / DELETE (programmatic).
* GridSite 0.9 merges the interactive GridSite 0.3 functionality with the programmatic functionality of fileGridSite:
  - basic access control, page formatting and PUT/DELETE are now done by an Apache module, mod_gridsite;
  - standalone grst-admin.cgi and grst-proxy.cgi provide site admin and G-HTTP(S) (delegation and third-party transfer) support;
  - can host websites, fileserving and Grid/Web Services on the same server.
Slide 13: GridSite 0.9 architecture (diagram)
Diagram of the Apache modules and CGIs making up a GridSite 0.9 server:
* mod_ssl: plain HTTPS > env vars
* mod_ssl-GSI: HTTPS with GSI + VOMS + CAS > env vars
* mod_gridsite: GACL access control + GACL > env vars
* mod_gridsite: .html headers and footers; .shtml, mod_perl CGI, PHP
* mod_gridsite: PUT, DELETE, MOVE
* mod_jk: JSP with Tomcat
* grst-admin.cgi: page editing, file upload, ACL editing etc.
* grst-proxy.cgi: G-HTTPS, third-party COPY, proxy GET + PUT
* HTTP
Slide 14: What's missing in security
* Authentication pretty much done (CAs + delegation).
* Authorization mapped out (VOMS/CAS + GACL etc).
* However, almost nothing has been implemented for Accounting.
* Two parts to this:
  - accounting of resources used, to enable some kind of real or nominal charging: can be largely retrospective;
  - enforcement of quotas, resource limits etc. to prevent individuals / jobs running wild: involves the same kind of low-level enforcement as authorization.
* Many open questions. For example:
  - "Do we need to do accounting on a Grid-wide / VO-wide basis?"
  - or can we do it on a bilateral user-site basis?
Slide 15: Summary
* GridPP-produced security middleware is now a key part of the EDG Testbed and BaBarGrid, and is being taken up elsewhere.
* Pool accounts system widely used.
* SlashGrid provides Grid-aware filesystems.
* GACL ACLs and library provide a general way of specifying fine-grained, local policy.
* G-HTTP(S) provides delegation extensions to HTTPS: an example implementation exists.
* GridSite currently in production for website management:
  - but GridSite 0.9 has many more possible uses due to its modular design;
  - can host websites, fileservers and Web/Grid Services.
* But still major areas (e.g. accounting) left to be resolved.