
Grid Security in a production environment: 4 years of running www.gridpp.ac.uk Andrew McNab University of Manchester.


1 Grid Security in a production environment: 4 years of running www.gridpp.ac.uk
Andrew McNab, University of Manchester

2 Outline
1 September 2004, Grid Security in a production environment
● About GridPP
● Using X.509
● Grid ACLs + Groups
● GridSite Philosophy
● Experience => design
● Web services
● Security toolkit

3 About GridPP
● GridPP is a collaboration of ~100 particle physicists, engineers and computer scientists
● 15 UK sites + CERN
● GridSite software was developed to manage www.gridpp.ac.uk
● Allows users to edit or upload pages etc.
● Security is key to this...

4 Using X.509
● Every member of GridPP has an X.509 certificate
  – Originally from UK HEP CA, now UK e-Science CA
● We've used this to control read and write access
  – Don't have to type passwords once cert is loaded
  – Works with all credible browsers
  – Some areas of the site, eg portals, give access to grid resources based on X.509 themselves
● Users can edit HTML in their browser window
● Can upload HTML, images etc from their browser
● Manage ACLs and groups through a web GUI

5 Grid ACLs + Groups
● GridSite uses an XML access control language (GACL) to define read, write, list, admin permissions for files, directories and scripts
  – policies can use X.509/GSI certs, signed VOMS attribute certs (for Authz Push) or “DN List” groups (for Authz Pull)
  – right to edit an ACL can itself be delegated
● DN Lists are identified by a URI and consist of a list of X.509 subjects
  – via LDAP(S) / HTTP(S) from Authz servers elsewhere (including from EDG/LCG/EGEE VO-LDAP or VOMS)
  – or from locally managed DN Lists
  – possibly with administration delegated to a subgroup manager
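To make the slide's ACL model concrete, here is an added example (not GridSite's own code or data) that evaluates a GACL-style XML policy for a user presenting an X.509 subject and pushed VOMS attributes. The element names (gacl, entry, person/dn, dn-list/url, voms/fqan, any-user, allow, deny, read/list/write/admin) follow the GACL layout as assumed here; the evaluation rule (union of matching allows minus union of matching denies, with all credential clauses in one entry required) is also an assumption; the policy, DNs, URL and DN List contents are constructed, and the DN_LISTS dictionary stands in for the LDAP(S)/HTTP(S) fetch that Authz Pull would perform.

```python
"""Illustrative GACL-style ACL evaluation (added example, not GridSite code).

Assumed semantics: a user's permissions are the union of <allow> from every
entry whose credential clauses all match, minus the union of <deny> from
every matching entry, so a deny always overrides an allow.
"""
import xml.etree.ElementTree as ET

PERMISSIONS = ("read", "list", "write", "admin")

# Constructed sample policy; DNs and URL are placeholders.
SAMPLE_ACL = """<gacl version="0.0.1">
  <entry>
    <any-user/>
    <allow><read/></allow>
  </entry>
  <entry>
    <dn-list><url>https://dnlists.example.org/gridpp-editors</url></dn-list>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <voms><fqan>/gridpp/Role=webmaster</fqan></voms>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Example/CN=revoked user</dn></person>
    <deny><write/><admin/></deny>
  </entry>
</gacl>"""

# Constructed stand-in for DN Lists that Authz Pull would fetch from an
# LDAP(S)/HTTP(S) server, keyed by the URI that identifies the list.
DN_LISTS = {
    "https://dnlists.example.org/gridpp-editors": {
        "/C=UK/O=eScience/OU=Example/CN=alice",
        "/C=UK/O=eScience/OU=Example/CN=revoked user",
    },
}


def credential_matches(cred, dn, fqans, dn_lists):
    """True if one credential clause applies to this user.

    dn: X.509 subject from the client certificate (None if unauthenticated).
    fqans: set of VOMS attributes the client pushed.
    """
    if cred.tag == "any-user":
        return True
    if cred.tag == "person":
        return dn is not None and cred.findtext("dn", "").strip() == dn
    if cred.tag == "dn-list":
        url = cred.findtext("url", "").strip()
        return dn is not None and dn in dn_lists.get(url, ())
    if cred.tag == "voms":
        return cred.findtext("fqan", "").strip() in fqans
    return False  # unknown credential type never matches


def entry_matches(entry, dn, fqans, dn_lists):
    """An entry applies only if every credential clause in it matches."""
    creds = [c for c in entry if c.tag not in ("allow", "deny")]
    return bool(creds) and all(
        credential_matches(c, dn, fqans, dn_lists) for c in creds)


def permissions(acl_xml, dn=None, fqans=(), dn_lists=DN_LISTS):
    """Return the frozenset of permissions the user holds under the ACL."""
    root = ET.fromstring(acl_xml)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        if not entry_matches(entry, dn, set(fqans), dn_lists):
            continue
        for clause in entry.findall("allow"):
            allowed.update(p.tag for p in clause if p.tag in PERMISSIONS)
        for clause in entry.findall("deny"):
            denied.update(p.tag for p in clause if p.tag in PERMISSIONS)
    return frozenset(allowed - denied)


if __name__ == "__main__":
    for who, dn, fqans in [
        ("anonymous", None, ()),
        ("alice", "/C=UK/O=eScience/OU=Example/CN=alice", ()),
        ("revoked", "/C=UK/O=eScience/OU=Example/CN=revoked user", ()),
        ("webmaster", "/C=UK/O=eScience/OU=Example/CN=bob",
         ("/gridpp/Role=webmaster",)),
    ]:
        print(who, sorted(permissions(SAMPLE_ACL, dn, fqans)))
```

The revoked user still appears in the editors DN List, yet the explicit deny entry strips write and admin; that is the property a site relying on remotely fetched DN Lists wants, since a stale or slow-to-update list cannot re-grant what a local deny has removed.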

6 GridSite Philosophy
● Re-use as much of Apache as possible
  – Original gridsite.cgi becomes mod_gridsite
  – use standard config files, Apache internal settings etc
  – less work for us when Apache/OpenSSL vulnerabilities & patches are published
● Support dynamic content in any language
  – via standalone CGIs or built-ins like mod_perl
● Keep generally useful machinery in a library
  – can be re-used by other server-side or even client tools
● Think about efficiency
  – eg make sure HTTPS connection reuse isn't prevented

7 Example of experience driving architecture
● GSI proxy support had 3 stages of evolution
● 1: maximal mod_ssl-GSI
  – Mike Jones' original patched version of mod_ssl
  – Only one file to install
  – but patching has to be redone every time mainstream mod_ssl changes
● 2: minimal mod_ssl-GSI/libgridsite
  – Move GSI handling into the library
  – Simplify patching to mod_ssl (down to a few lines)
● 3: remap SSL callbacks at runtime from mod_gridsite
  – mod_ssl not modified: just use vendor (re)releases

8 Non-Java WS hosting
● Most Web Services attention goes on Java
  – However, like many other application areas, Particle Physics has a continued (and growing!) investment in C++ code, applications in the form of native binaries and scripting languages as glue.
● Most of the web is based on the same Apache httpd tradition GridSite builds on
  – For CGI binaries, Perl scripts, PHP pages etc, Apache is the equivalent of a Java servlet container like Tomcat.
● EGEE is starting with SOAP over SSL/TLS
  – GridSite's current “GSI/HTTPS” support provides a hosting environment for exactly this kind of architecture...

9 Libgridsite toolkit
● Core functions of GridSite pulled out into a library
  – Currently only C and C-to-C++ API, but adding scripting languages (Perl etc)
● More functionality to be added
  – eg library version of parallel HTTP etc from htcp command line tool
  – more credential types? CAS? Permis? Passwords?
● Aim to provide a general C/C++ Grid Security toolkit, for both client and server side implementations
● Previous versions already in use by EDG, LHC Computing Grid and EGEE.

10 For more details...
● See www.gridpp.ac.uk for the website in action
● And www.gridsite.org for more about the GridSite software itself

