
SlashGrid, HTTPS and fileGridSite
Andrew McNab, University of Manchester
30 October 2002

Presentation transcript:

1 SlashGrid, HTTPS and fileGridSite
30 October 2002
Andrew McNab, University of Manchester
mcnab@hep.man.ac.uk

2 Overview
- SlashGrid framework
- certfs filesystem
- GACL Access Control Lists
- HTTPS
- fileGridSite HTTPS server
- fileGridSite examples with curl
- curlfs for SlashGrid
- “G-HTTPS”
- HTTP(S) as data protocol too?
- Summary

3 SlashGrid (“/grid”) framework
- SlashGrid is a framework for making “Grid-aware” filesystems
  - in particular, filesystems where Grid credentials not Unix UID or GID determine access to files
- Individual filesystems are provided by dynamically loaded plugins
  - configuration in /etc/fstab
- Filesystems so far: certfs, gmapfs, httpfs and curlfs
- SlashGrid verifies and manages the Grid credentials associated with a UID and makes this available to plugins in an efficient way.
- Currently uses GSI proxies, full X509 certificates or gridmap (grid-mapfile or Pool account gridmapdir)
- Will also pull information from LCMAPS in future versions.

4 certfs filesystem
- In TB 1, pool accounts create files as the Pool UID
  - If Pool UID is recycled, files are now owned by new user of that UID!
- With certfs, file access is controlled by per-directory or per-file ACL’s in terms of certificate subjects.
- This means that if my UID is reused, the new user can’t access my files because their credentials don’t match the ACL.
- If I come back with a different UID, I do match the ACL since my Grid credentials are the same, and I can read my old files.
- certfs uses GACL ACL library, so ACL’s can also include VOMS or LDAP VO groups, CAS objects or other credentials supported by GACL in the future.
- certfs has been stress tested: eg you can build a bootable Linux kernel in a directory hierarchy on a certfs filesystem (~100,000 operations?)

5 GACL Access Control Lists
- XML format for controlling read, list, write and admin access
- Can specify DN, LDAP VO group, VOMS group or CAS objects
  - Can easily be extended to other credential types
- C libgacl is provided to manipulate ACL objects in memory
  - permissions (eg write), credentials (eg a DN), entries and whole ACL’s.
  - access functions allow you to construct and test ACL components
  - aim for efficiency since ACL may need to be evaluated repeatedly
  - working on Java implementation of the same API
- Aim to standardise some form of GACL ACL’s through GGF Authorisation WG.
- GACL API intended to insulate applications from changes to XML representation.
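The certfs behaviour described on slides 4 and 5, as an added Python sketch (not part of the original slides and not libgacl code): access is decided from the certificate subject currently bound to a UID, so recycling a pool UID does not transfer access. The XML element names (including `vo-group`), the DNs, the lease tables and the allow-minus-deny rule are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

PERMS = {"read", "list", "write", "admin"}  # the four permissions the slide names

# Constructed ACL; element names are assumptions, not the libgacl schema.
ACL_XML = """
<gacl>
  <entry>
    <person><dn>/O=Grid/OU=example/CN=Alice</dn></person>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
  <entry>
    <vo-group>examplevo</vo-group>
    <allow><read/><list/></allow>
    <deny><admin/></deny>
  </entry>
</gacl>
"""

# Constructed leases: UID 5001 is recycled from Alice to Bob; Alice returns as 5002.
LEASE_1 = {5001: ("/O=Grid/OU=example/CN=Alice", ())}
LEASE_2 = {5001: ("/O=Grid/OU=example/CN=Bob", ("examplevo",)),
           5002: ("/O=Grid/OU=example/CN=Alice", ())}

def entry_matches(entry, dn, groups):
    """An entry applies if the caller holds any credential it names."""
    for cred in entry:
        if cred.tag == "person" and cred.findtext("dn") == dn:
            return True
        if cred.tag == "vo-group" and cred.text in groups:
            return True
    return False

def effective_perms(acl_xml, dn, groups=()):
    """Allows from every matching entry, minus denies from every matching entry."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(acl_xml).findall("entry"):
        if not entry_matches(entry, dn, set(groups)):
            continue
        for block, target in (("allow", allowed), ("deny", denied)):
            node = entry.find(block)
            if node is not None:
                target.update(p.tag for p in node if p.tag in PERMS)
    return allowed - denied

def access(uid, perm, leases, acl_xml=ACL_XML):
    """Decide from the credentials currently bound to uid, never from uid itself."""
    dn, groups = leases.get(uid, (None, ()))
    return dn is not None and perm in effective_perms(acl_xml, dn, groups)
```

Under `LEASE_2` the recycled UID 5001 loses write access while Alice keeps it under her new UID 5002, which is the pool-account case slide 4 describes.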

6 HTTPS
- HTTPS is an interesting and important protocol for several reasons:
  - it is by far the most widely deployed secure protocol
  - has a large amount of high quality software that we could leverage
  - has excellent interaction with Firewalls, Network Address Translation and Application Proxies
    - has the potential to solve some of the problems sites have with private IP farms
  - along with HTTP, is the basis for Web and Grid Services
- HTTPS consists of HTTP/1.1 over an SSL connection
  - security done by SSL layer, using X509 certificates (including GSI)
- HTTP/1.1 (rfc2616) and extensions like WebDAV (rfc2518) have a rich set of methods (GET, PUT, DELETE, COPY etc), headers (“Expires:” etc) and Errors (“413 Request Entity Too Large”)
  - so a standard way exists for many of the transfer operations we need

7 fileGridSite
- Read (GET) well supported by HTTPS servers.
- However, write (PUT and DELETE) usually left to CGI programs, servlets etc.
- Access control also limited to client IP or HTTP passwords.
- fileGridSite adds Grid authorisation and write operation support to Apache
  - a cut-down version of GridSite (used for https://marianne.in2p3.fr)
  - file rather than webpage orientated (no fancy headers on HTML etc)
  - uses GACL to handle the Access Control Lists
  - can work with mod_ssl-GSI so clients can authenticate with a GSI proxy
- Turns an Apache webserver into a Grid HTTPS fileserver with the key functionality of a GridFTP server.

8 fileGridSite examples with curl
- Curl is a standard HTTP/HTTPS command line client (cf wget)
- Get a file using GSI proxy in /tmp/x509up_u100
  - curl --capath /etc/grid-security/certificates/ --cert /tmp/x509up_u100 https://a.b.com/example1.txt
- Copy a file to the fileGridSite server with HTTP PUT:
  - curl --capath /etc/grid-security/certificates/ --cert /tmp/x509up_u100 --upload-file /tmp/example2.txt https://a.b.com/example2.txt
- Delete a file with HTTP DELETE:
  - curl --capath /etc/grid-security/certificates/ --cert /tmp/x509up_u100 --request DELETE https://a.b.com/example2.txt
- Create a directory with PUT to …/
  - curl --capath /etc/grid-security/certificates/ --cert /tmp/x509up_u100 --request PUT https://a.b.com/newdir/

9 curlfs for SlashGrid
- curl is built on top of a general library, libcurl
  - handles persistent HTTP and HTTPS connections, SSL setup etc
- To add HTTP and HTTPS filesystems to SlashGrid, have made a libcurl filesystem plugin: curlfs
- This maps parts of the URL space into the local filesystem:
  - https://a.b.com/newdir/ ---> /grid/https/a.b.com/newdir/
- Works with any standard HTTP or HTTPS server
  - rpm -i /grid/http/datagrid.in2p3.fr/distribution/globus/beta-21/RPMS/*
- SlashGrid framework provides GSI proxy or full cert/key to curlfs so it can make authenticated requests.
- Write with HTTP/1.1 PUT and DELETE being added to curlfs
  - Will complement fileGridSite support for these on server side
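The URL-to-path mapping on this slide, written out in both directions as an added Python example (not curlfs source). The rules that refuse dot-segments, encoded slashes, userinfo, ports, queries and fragments are assumptions about what a mapper of this kind should reject, not documented curlfs behaviour.

```python
from urllib.parse import quote, unquote, urlsplit

MOUNT = "/grid"               # SlashGrid mount point from the slides
SCHEMES = {"http", "https"}   # URL schemes the slide shows being mapped

def _check_segments(segs):
    # Dot-segments or an embedded "/" would let a name escape its host directory.
    if any(s in (".", "..") or "/" in s for s in segs):
        raise ValueError("unsafe path segment")

def url_to_path(url):
    """https://a.b.com/newdir/ -> /grid/https/a.b.com/newdir/"""
    u = urlsplit(url)
    if u.scheme not in SCHEMES or not u.hostname:
        raise ValueError("only http(s) URLs with a host are mapped")
    if u.username or u.port or u.query or u.fragment:
        raise ValueError("userinfo, port, query and fragment are not mapped here")
    segs = [unquote(s) for s in u.path.split("/")[1:]]   # decode before checking
    _check_segments(segs)
    return "/".join([MOUNT, u.scheme, u.hostname] + segs)

def path_to_url(path):
    """/grid/https/a.b.com/newdir/ -> https://a.b.com/newdir/"""
    parts = path.split("/")
    if parts[:2] != ["", MOUNT.lstrip("/")] or len(parts) < 4:
        raise ValueError("not under the SlashGrid mount")
    scheme, host, segs = parts[2], parts[3], parts[4:]
    if scheme not in SCHEMES or not host or any(c in host for c in "@:?#\\"):
        raise ValueError("bad scheme or host component")
    _check_segments(segs)
    return f"{scheme}://{host}/" + "/".join(quote(s, safe="") for s in segs)
```

Decoding each segment before the check means `%2e%2e` and `%2F` are refused as well as their literal forms.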

10 “G-HTTPS”
- A proposal for backwards compatible extensions to HTTPS
  - being discussed on wp2-sec and wp7-security lists
- Adds GSI proxy delegation to HTTPS using additional methods (eg PUT-PROXY) and headers (eg Delegation-ID)
- Allows services to return generalised metadata in headers or by URL
  - initially this allows services to return the GACL ACL of a response for more efficient caching (ie sharing cached copies with other users.)
- Aim is to avoid breaking existing HTTPS systems and to achieve “pass through” compatibility:
  - even if HTTPS client or server software doesn’t understand extensions, they can make them available to the application which does
- Agree common extensions for use by Grid Services people (WP2/WP3) and file access people (WP5/WP6)
  - Then --> GGF.

11 HTTP(S) as data protocol too?
- HTTP(S) has a large amount of high quality software we can leverage
- It is supported by existing web browsers (email my job output URL?)
- It works well with Firewalls (just one port), NAT (one way connection) and Proxy Servers (Squid etc already available.)
- It can be extended to do “Grid things” like delegation: G-HTTPS
- Should be straightforward to add to Storage Element
  - Much of SE prototyping was done with HTTPS
- It can support application-level multiple streams and striping by using the standard Range: header to set up many partial fetches.
  - A lot of websites run replicated/clustered server farms for HTTP(S)
- Kernel-based “zero-copy” HTTP servers like tux are very efficient
  - negotiate in HTTPS, then get Redirect: to HTTP transfer URL for data??

12 Summary
- SlashGrid provides framework for Grid-aware filesystems
- certfs filesystem provides local disk storage controlled by Grid credentials
  - resolves Pool Account recycling problem
- GACL Access Control Lists support DN, VOMS, CAS etc
- fileGridSite HTTP(S) server has been written
  - supports read/write with standard utilities like curl
- curlfs written for SlashGrid: maps URL’s into filesystem
- “G-HTTPS” proposal for Grid extensions to HTTPS
- HTTPS may be a viable alternative to GridFTP, even for data
- Source code for SlashGrid, GACL, fileGridSite, curlfs is in EDG CVS
- See http://www.gridpp.ac.uk/authz/ for more details

