Andrew McNab - GridSite/EDG/GGF - 29 Sept 2003

GridSite, EDG and GGF
Andrew McNab, University of Manchester, mcnab@hep.man.ac.uk
GridPP / EDG / WP6

Outline
- GACL and GridSite status
- Compact credentials
- OGSA Authz WG
- XACML
- VOMS representations for XACML
- GACL vs XACML
GACL and GridSite status in CVS/autobuild
- GACL library fully in the CVS/autobuild system
  - available to the WP1 (L&B) / WP4 (LCAS) / WP5 (SE) users of GACL
- GridSite library provides utility functions for GACL, GSI and VOMS handling.
  - No Globus dependencies: uses OpenSSL directly.
  - (GACL and GridSite will be merged, but the gacl.h API will still be supported.)
- mod_ssl-gridsite for Apache 2.0
  - Support for old and new ("RFC") GSI proxies, with X509 or X509v3 certs
  - Via libgridsite, parsing of VOMS extensions
  - Full Apache 2.0 is now part of the autobuild (needed to get mod_ssl-gridsite built)
- mod_gridsite for Apache 2.0
  - Applies GACL access control to web pages / files
  - Since this is done inside Apache, it applies to dynamic content too.
Compact Credentials
- mod_ssl-gridsite needs to add VOMS info to the "CGI" environment
  - Not just the standard mod_ssl SSL_* environment variables (SSL_CLIENT_S_DN etc.)
  - GRST_CRED_0, GRST_CRED_1, ...
- Each contains type, start time, end time (Unix seconds) and value:
  - X509USER 1054777860 1074777860 /O=Grid/O=YourCA/CN=Name
  - GSIPROXY 1064778087 1064878087 /O=Grid/O=YourCA/CN=Name/CN=proxy
  - VOMS 1064778087 1064878087 /voms.dom.ain/group/Role=role/Capability=cap
- To do this, we need a way of mapping each credential of each type to a unique string
- For VOMS, just use the "WP2" string representation.
- Ideally, credentials should be opaque strings, since Authorization Decision Functions do not need to understand group structure etc.
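As an added example (not part of the original slides and not GridSite's own code), the following Python reads GRST_CRED_n variables in the four-field shape shown above, rejects malformed entries, and returns only the opaque value strings whose validity window covers the decision time, which is all an Authorization Decision Function needs to compare against an ACL. The sample environment is constructed from the three example strings on the slide; the exact field rules (one space between fields, Unix-second times, consecutive numbering that stops at the first gap) are assumptions about the format rather than anything the slide states.

```python
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three credential types the slide shows in GRST_CRED_n.
KNOWN_TYPES = {"X509USER", "GSIPROXY", "VOMS"}

# Constructed sample CGI environment, using the example strings from the slide.
SAMPLE_ENV = {
    "GRST_CRED_0": "X509USER 1054777860 1074777860 /O=Grid/O=YourCA/CN=Name",
    "GRST_CRED_1": "GSIPROXY 1064778087 1064878087 /O=Grid/O=YourCA/CN=Name/CN=proxy",
    "GRST_CRED_2": "VOMS 1064778087 1064878087 /voms.dom.ain/group/Role=role/Capability=cap",
}


@dataclass(frozen=True)
class CompactCredential:
    ctype: str        # X509USER, GSIPROXY or VOMS
    not_before: int   # start time, Unix seconds
    not_after: int    # end time, Unix seconds
    value: str        # opaque string: DN, proxy DN or VOMS attribute


# type, start and end are single tokens; the value is everything after the
# third space (a DN may itself contain spaces, e.g. CN=John Smith).
# Assumed layout: the slide only shows examples, not a grammar.
_CRED_RE = re.compile(r"^(\S+) (\d+) (\d+) (\S.*)$")


def parse_compact_credential(text: str) -> CompactCredential:
    """Parse one GRST_CRED_n value, rejecting anything that does not have
    the four-field shape, an unknown type, or an empty validity window."""
    m = _CRED_RE.match(text)
    if m is None:
        raise ValueError(f"malformed compact credential: {text!r}")
    ctype, start, end, value = m.groups()
    if ctype not in KNOWN_TYPES:
        raise ValueError(f"unknown credential type: {ctype!r}")
    not_before, not_after = int(start), int(end)
    if not_after <= not_before:
        raise ValueError(f"empty validity window in {text!r}")
    return CompactCredential(ctype, not_before, not_after, value)


def read_grst_creds(env: Dict[str, str]) -> List[CompactCredential]:
    """Collect GRST_CRED_0, GRST_CRED_1, ... in order, stopping at the first
    missing index (assumes the variables are numbered consecutively)."""
    creds: List[CompactCredential] = []
    i = 0
    while f"GRST_CRED_{i}" in env:
        creds.append(parse_compact_credential(env[f"GRST_CRED_{i}"]))
        i += 1
    return creds


def valid_values(creds: List[CompactCredential], now: Optional[int] = None) -> List[str]:
    """Opaque value strings of the credentials valid at time 'now' (Unix seconds).

    An Authorization Decision Function compares these strings against ACL
    entries and never has to parse DN or VOMS group structure. Expired or
    not-yet-valid credentials are dropped here, so a stale GRST_CRED_n entry
    cannot grant access.
    """
    if now is None:
        now = int(time.time())
    return [c.value for c in creds if c.not_before <= now <= c.not_after]


if __name__ == "__main__":
    creds = read_grst_creds(SAMPLE_ENV)
    for cred in creds:
        print(cred)
    # At a time inside the proxy/VOMS window all three values are usable.
    print(valid_values(creds, now=1064800000))
    # After the proxy and VOMS credentials expire, only the user DN remains.
    print(valid_values(creds, now=1064900000))
```

Checking the window at the point where the strings are read, rather than trusting that mod_ssl-gridsite only exports live credentials, keeps the decision function correct even if a long-running CGI process reuses an environment captured earlier.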
OGSA-Authz WG in GGF
- Attribute format/structure
- Assertion protocol
  - SAML
- Expression
  - XACML
- Requirements
XACML subject matching

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>

- Some other identifiers defined by XACML 1.0 (x500Name is a DataType; the other two are subject attribute identifiers rather than DataTypes):
  - urn:oasis:names:tc:xacml:1.0:data-type:x500Name
  - http://www.ietf.org/rfc/rfc2256.txt#userPassword
  - urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
- Obviously one could add http://something/something-voms
- But that also needs a unique string representation of VOMS attributes
Suggestions for VOMS representation
- Use something like the Compact Credentials
- Make the string opaque. This means repeating parent groups, so that an exact string match on a parent group succeeds for members of its subgroups:
  - /VO.name/group
  - /VO.name/group/subgroup
  - (VOMS attribute certificates already do this anyway)
- Include the certificate name associated with the VO in the name of the attribute
  - Can this be done already by specifying a per-VO server cert in the voms.conf file?
  - This means all the VOMS servers for a particular VO have access to the same private key, and the VOMS server certs need not be transmitted through a trusted medium. (Sharing one key across servers also means that compromising any one of them compromises attribute issuance for the whole VO.)
GACL vs XACML

GACL (structured: the VOMS credential is given as separate elements; the XML tags were not preserved here, only the values): VO vo.org, group /group, role admin

XACML (one opaque string):
<AttributeValue DataType="http://voms.standard.url/">/vo.org/group/Role=admin</AttributeValue>
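The following Python is an added example, not code from the slides or from the GridSite/VOMS projects, tying together the last three slides: it splits a VOMS attribute string into its group path, role and capability; issues the opaque strings with parent groups repeated (the "make the string opaque" suggestion); converts the structured (VO, group, role) form that GACL uses into the single string XACML would carry; serialises that string as an XACML AttributeValue; and shows that the decision function itself is then a plain string comparison. VOMS_DATATYPE reuses the placeholder URI from the slide and is an assumption, as are the names of all functions here; the (VO, group, role) decomposition of the GACL side is inferred from the values shown on the slide.

```python
from typing import List, Optional, Tuple
from xml.sax.saxutils import escape

# Placeholder DataType URI from the slide; a real URI would be agreed in the
# OGSA-Authz WG. Assumption for this example only.
VOMS_DATATYPE = "http://voms.standard.url/"

# Extra entity for values placed inside a double-quoted XML attribute.
_ATTR_ENTITIES = {'"': "&quot;"}


def split_fqan(fqan: str) -> Tuple[List[str], Optional[str], Optional[str]]:
    """Split '/vo/group/subgroup/Role=r/Capability=c' into
    (group path components, role, capability). Role and Capability, if
    present, must follow the last group component."""
    if not fqan.startswith("/"):
        raise ValueError(f"VOMS attribute must start with '/': {fqan!r}")
    groups: List[str] = []
    role = cap = None
    for part in fqan[1:].split("/"):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            cap = part[len("Capability="):]
        elif part == "" or "=" in part:
            raise ValueError(f"bad component {part!r} in {fqan!r}")
        elif role is not None or cap is not None:
            raise ValueError(f"group after Role/Capability in {fqan!r}")
        else:
            groups.append(part)
    if not groups:
        raise ValueError(f"no VO/group in {fqan!r}")
    return groups, role, cap


def expand_parent_groups(fqan: str) -> List[str]:
    """Opaque strings to issue for one VOMS attribute: every ancestor group
    on its own, then the full attribute with its Role/Capability. A member
    of /vo/group/subgroup therefore also carries '/vo/group' and '/vo', so
    an ACL naming a parent group matches by exact comparison."""
    groups, role, cap = split_fqan(fqan)
    out = ["/" + "/".join(groups[:i]) for i in range(1, len(groups) + 1)]
    full = out[-1]
    if role is not None:
        full += "/Role=" + role
    if cap is not None:
        full += "/Capability=" + cap
    if full != out[-1]:
        out.append(full)
    return out


def opaque_from_gacl_parts(vo: str, group: str, role: Optional[str] = None) -> str:
    """Build the single opaque string from the structured (VO, group, role)
    form shown on the GACL side, e.g. ('vo.org', '/group', 'admin') ->
    '/vo.org/group/Role=admin'."""
    if not group.startswith("/"):
        raise ValueError("GACL group must start with '/'")
    s = "/" + vo + group.rstrip("/")
    if role is not None:
        s += "/Role=" + role
    return s


def xacml_attribute_value(value: str, datatype: str = VOMS_DATATYPE) -> str:
    """Serialise an opaque credential string as an XACML <AttributeValue>,
    escaping both the attribute and the element content."""
    return (f'<AttributeValue DataType="{escape(datatype, _ATTR_ENTITIES)}">'
            f"{escape(value)}</AttributeValue>")


def voms_permits(held: List[str], required: str) -> bool:
    """The Authorization Decision Function step: exact string comparison.
    Group hierarchy is handled by the issuer (expand_parent_groups), so the
    ADF never interprets the string."""
    return required in held


if __name__ == "__main__":
    held = expand_parent_groups("/vo.org/group/subgroup/Role=admin")
    print(held)
    rule = opaque_from_gacl_parts("vo.org", "/group", "admin")
    print(xacml_attribute_value(rule))
    print(voms_permits(held, "/vo.org/group"), voms_permits(held, rule))
```

Note the consequence of exact matching in the last line of the usage: holding Role=admin in /vo.org/group/subgroup grants membership of /vo.org/group but not the admin role in /vo.org/group, because the issuer only repeats parent groups, not roles. That is the intended behaviour of the opaque-string design; if a deployment wanted roles to propagate upward, the issuer, not the ADF, would have to emit those strings too.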
Summary
- GACL, GridSite, mod_ssl-gridsite, mod_gridsite
- Compact Credentials
- OGSA-Authz WG
- Representation of VOMS for XACML etc.?