Presentation is loading. Please wait.

Presentation is loading. Please wait.

DataGrid is a project funded by the European Union CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,

Published byHannah Reeves Modified over 11 years ago

Similar presentations

Presentation on theme: "DataGrid is a project funded by the European Union CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,"— Presentation transcript:

1 DataGrid is a project funded by the European Union CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments, filesystems and websites Andrew McNab (University of Manchester, GridPP and EU DataGrid WP6) mcnab@hep.man.ac.uk http://www.hep.man.ac.uk/~mcnab/grid/access-chep2003.ppt

2 CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 2 Talk Outline u Account management issues u Pool Accounts u SlashGrid filesystems u GridSite u Grid ACLs u Grid ACL vs VOMS (or CAS) u Future developments Authors The EU DataGrid Security Co-ordination Group, http://cern.ch/hep-project-grid-scg/

3 CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 3 Account management issues u EDG currently uses Globus2 gatekeepers and file servers, and Globuss GSI model for authentication. u Authorization is provided by simple text file with certificate names and corresponding local Unix account names. n /etc/grid-security/grid-mapfile consisting of lines like: /O=Grid/O=UKHEP/OU=hep.man.ac.uk/CN=Andrew McNab mcnab u At the start of the project, site administrators expressed concerns about having to manually maintain accounts and grid-mapfile entries. u Luca has already discussed how we maintain the grid-mapfile from authorization information published by Virtual Organisations. u But this still leaves problem of creating a static, named account for each Testbed user at each Testbed site.

4 CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 4 Pool Accounts u Aim to remove local account-creation burden from admins: n pre-create pools of accounts and allocate these to users when they request access: atlas001, atlas002,... u Widely used by EDG Testbed sites, but not obligatory n in practice, almost all have chosen to use it u Auditing possible since cert => UID mappings recorded in log files. u Same pool mappings can be shared across a farm by sharing /etc/grid-security/gridmapdir/ lock files with NFS. u Existing system works ok for CPU-only jobs. n but not really appropriate if users are creating long lived files at the site in question. n limitations are because files are still owned by Unix UID: cant recycle UID until all files created have been removed.

5 CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 5 SlashGrid filesystems u Framework for creating Grid-aware filesystems n different types of filesystem provided by dynamically loaded (and potentially third-party) plugins. u certfs.so plugin provides local storage governed by Access Control Lists based on Grid certificate names and VO groups n certfs is very solid: you can build a bootable Linux kernel on a certfs filesystem (~100,000 file operations in a few minutes) u Since new ACLs just have creators name, this is equivalent to file ownership by certificate name rather than UID. n solves admin worries about long lived files owned by pool accounts. n if pool accounts are prevented from writing to normal disks, then no chance they will write something unpleasant somewhere unexpected. u HTTP/HTTPS plugin (curlfs) ultimately aims to provide some NFS/AFS-like functionality, again governed by Grid creds + ACLs

6 CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 6 GridSite u GridSite manages access to websites and HTTP(S) fileservers n Users and admins load GSI cert + key into unmodified web browsers n Originally produced for www.gridpp.ac.uk u ACLs control level of read and write access to file/directory n Write access by HTML forms (interactive) or HTTP PUT (programmatic) u Website admins can define groups of users with specific rights n Can delegate administration of that group to one or more members. n Group membership can also be published in EDG VO LDAP format. u GridSite used by several external projects, including UK e-Science Level 2 Grid Support website. u New 0.9 architecture also provides support for efficient HTTP GET and PUT operations via Apache module. n ACL enforcement now available for PHP, CGI, JSP etc as well as HTML

7 CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 7 GridSite architecture mod_ssl: plain HTTPS > env vars mod_gridsite: GACL access control + GACL > env vars mod_gridsite:.html headers and footers.shtml, mod_perl CGI, PHP mod_jk: JSP with Tomcat HTTP grst-admin.cgi: page editing, file upload, ACL editing etc. grst-proxy.cgi: delegation, 3rd party COPY, proxy GET + PUT mod_gridsite: PUT, DELETE, MOVE mod_ssl-GSI: HTTPS with GSI+VOMS+CAS > env vars

8 CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 8 Grid ACLs u When building SlashGrid and other systems like GridSite and the EDG Storage Element, we needed a simple ACL format to use for prototyping. u Current SlashGrid and GridSite use per-directory XML ACL in.gacl n As a file, this can be stored in directories, copied via unmodified https or gsiftp channels and easily manipulated by scripts and applications. n Sysadmins wanted disk filesystem ACLs on same physical disk as files if possible (or managed off-site!) u GACL not a standard, and have provided libgacl with C/C++ API to insulate applications from future changes (eg to subset of XACML?) u Aim to support authorization publishing systems, like LDAP VO, and also authorization certifying systems like VOMS and CAS.

9 CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 9 Current Grid ACL format ldap://ldap.abc.ac.uk/ou=xyz,dc=abc,dc=ac,dc=uk /O=Grid/OU=abc.ac.uk/DN=AbcVOMS Abc readers /O=Grid/DN=Andrew

10 CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 10 Grid ACL vs fine-grained VOMS, CAS u CAS or VOMS can provide ACL-like feature, specifying what capability (write) is permissible on objects (higgs-wg- montecarlo) u However, we think this is too coarse-grained and too heavyweight for all contexts n eg if my job creates a temporary, working directory in /grid/tmp, I dont want to have to set up a new entry on the central CAS or VOMS machine u The two types of system should be seen as complementary n when you create some Higgs Monte Carlo data, you set its ACL to give write access for people with higgs-wg-montecarlo-admin credential. n when you create a temporary working directory, you set its ACL to give only you read and write access. n applications should find their own level when splitting policy between local ACL or VO-wide authorisation service

11 CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 11 Summary & Future Work u Major management overhead concerns of Testbed site admins have been addressed u LDAP VO system is currently sufficient, but VOMS will be more flexible and scalable. u Pool accounts are useful but limited by UID file ownership issues. u SlashGrid / certfs provides a solution to this. u GridSite provides a way of controlling HTTP(S) via Grid credentials. u GACL and gacl library provides Grid ACLs and API. u Extending this work into Usage Control, not just Access Control. u See http://www.gridpp.ac.uk/authz/ for links to source code and details of all tools mentioned in this talk

Download ppt "DataGrid is a project funded by the European Union CHEP 2003 – 24-28 March 2003 – Grid-based access control – n° 1 Grid-based access control for Unix environments,"

Similar presentations

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.

30-31 Jan 2003J G Jensen, RAL/WP5 Storage Elephant Grid Access to Mass Storage.
24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK

24-May-01D.P.Kelsey, GridPP WG E: Security1 GridPP Work Group E Security Development David Kelsey CLRC/RAL, UK
Security middleware Andrew McNab University of Manchester.

Security middleware Andrew McNab University of Manchester.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
Andrew McNab - Manchester HEP - 17 September 2002 Putting Existing Farms on the Testbed Manchester DZero/Atlas and BaBar farms are available via the Testbed.

Andrew McNab - Manchester HEP - 17 September 2002 Putting Existing Farms on the Testbed Manchester DZero/Atlas and BaBar farms are available via the Testbed.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org GridSite Storage Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org GridSite Storage Andrew McNab University of Manchester.
29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 24 May 2001 WorkGroup H: Software Support Both middleware and application support Installation tools and expertise Communication.

Andrew McNab - Manchester HEP - 24 May 2001 WorkGroup H: Software Support Both middleware and application support Installation tools and expertise Communication.
The GridSite Toolbar Shiv Kaushal The University of Manchester All Hands Meeting 2006.

The GridSite Toolbar Shiv Kaushal The University of Manchester All Hands Meeting 2006.
Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.

Andrew McNab - Manchester HEP - 22 April 2002 EU DataGrid Testbed EU DataGrid Software releases Testbed 1 Job Lifecycle Authorisation at your site More.
22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK

22-Apr-02D.P.Kelsey, Security, UKHEP Sysman1 Grid Security 22 Apr 2002 UK HEP Sysman Meeting David Kelsey CLRC/RAL, UK
Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.

Andrew McNab - Manchester HEP - 2 May 2002 Testbed and Authorisation EU DataGrid Testbed 1 Job Lifecycle Software releases Authorisation at your site Grid/Web.
Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.

Andrew McNab - Manchester HEP - 31 January 2002 Testbed Release in the UK Integration Team UK deployment TB1 Job Lifecycle VO: Authorisation VO: GIIS and.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.

Andrew McNab - Manchester HEP - 29/30 March 2001 gridmapdir patch Overview of the problem Constraints from local systems Outline of how it works How to.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The GridSite Security Framework Andrew McNab University of Manchester.

The GridSite Security Framework Andrew McNab University of Manchester.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Andrew McNab - Manchester HEP - 6 November 2001 www.gridpp.ac.uk Old version of website was maintained from Unix command line => needed (gsi)ssh access.

Andrew McNab - Manchester HEP - 6 November Old version of website was maintained from Unix command line => needed (gsi)ssh access.

Similar presentations

Ads by Google