Title: Grid Security in a production environment: 4 years of running www.gridpp.ac.uk
Grid Security in a production environment
4 years of running www.gridpp.ac.uk
- Andrew McNab
- University of Manchester
Outline
- About GridPP
- Using X.509
- Grid ACLs & Groups
- GridSite Philosophy
- Experience -> design
- Web services
- Security toolkit
1 September 2004
Grid Security in a production environment
About GridPP
- GridPP is a collaboration of 100+ particle physicists, engineers and computer scientists
- 15 UK sites + CERN
- GridSite software was developed to manage www.gridpp.ac.uk
- Allows users to edit or upload pages etc.
- Security is key to this...
Using X.509
- Every member of GridPP has an X.509 certificate
- Originally from the UK HEP CA, now the UK e-Science CA
- We've used this to control read and write access
- No passwords to type once the cert is loaded into the browser
- Works with all credible browsers
- Some areas of the site, eg portals, themselves give access to grid resources based on the X.509 credential
- Users can edit HTML in their browser window
- Can upload HTML, images etc. from their browser
- Manage ACLs and groups through a web GUI
Grid ACLs & Groups
- GridSite uses an XML access control language (GACL) to define read, write, list and admin permissions for files, directories and scripts
- policies can use X.509/GSI certs, signed VOMS attribute certs (for Authz Push) or DN List groups (for Authz Pull)
- the right to edit an ACL can itself be delegated
- DN Lists are identified by a URI and consist of a list of X.509 subjects
- fetched via LDAP(S) / HTTP(S) from Authz servers elsewhere (including from EDG/LCG/EGEE VO-LDAP or VOMS)
- or from locally managed DN Lists, possibly with administration delegated to a subgroup manager
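The GACL evaluation described on this slide, as an added example that is not GridSite's own code: a small Python evaluator that reads a .gacl document and works out the read/list/write/admin permissions for a requester identified by X.509 subject and, optionally, VOMS attributes. The DN-list URL, the VO name and the subjects are placeholders constructed for the example, the DN-list "fetch" is an in-memory table standing in for the HTTP(S)/LDAP(S) Authz Pull, and the deny-overrides combination rule is an assumption of this example rather than something the slide states.

```python
import xml.etree.ElementTree as ET

PERMS = ("read", "list", "write", "admin")

# Constructed sample .gacl document for this example.  The DN-list URL,
# VO name and subjects are placeholders, not real GridPP resources.
SAMPLE_GACL = """<?xml version="1.0"?>
<gacl version="0.0.1">
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/CN=alice</dn></person>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
  <entry>
    <dn-list><url>https://example.org/dn-lists/editors</url></dn-list>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <voms><fqan>/example-vo/Role=admin</fqan></voms>
    <allow><admin/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/CN=mallory</dn></person>
    <deny><write/></deny>
  </entry>
  <entry>
    <any-user/>
    <allow><read/></allow>
  </entry>
</gacl>
"""

# Constructed stand-in for the Authz Pull step.  GridSite fetches a DN list
# from its URL over HTTP(S)/LDAP(S); here the "fetch" reads an in-memory
# table holding one X.509 subject per line, the DN-list file layout.
DN_LISTS = {
    "https://example.org/dn-lists/editors":
        "/C=UK/O=eScience/OU=Manchester/CN=bob\n"
        "/C=UK/O=eScience/OU=Manchester/CN=mallory\n",
}


def load_dn_list(url):
    """Subjects in the DN list at `url`; empty (so no access) if unknown."""
    return {ln.strip() for ln in DN_LISTS.get(url, "").splitlines() if ln.strip()}


def entry_matches(entry, dn, fqans):
    """Does one <entry> apply to a requester with subject `dn` (None when
    no client certificate was presented) and VOMS attributes `fqans`?"""
    for cred in entry:
        if cred.tag == "any-user":
            return True
        if cred.tag == "auth-user" and dn is not None:
            return True
        if cred.tag == "person" and dn is not None:
            if cred.findtext("dn", "").strip() == dn:
                return True
        if cred.tag == "dn-list" and dn is not None:
            if dn in load_dn_list(cred.findtext("url", "").strip()):
                return True
        if cred.tag == "voms":
            if cred.findtext("fqan", "").strip() in fqans:
                return True
    return False


def evaluate(gacl_xml, dn, fqans=()):
    """Effective permissions for the requester as a set of PERMS names.

    Allows and denies from every matching entry are unioned separately and
    a deny removes the corresponding allow.  That deny-overrides rule is an
    assumption of this example about how GridSite combines entries.
    """
    root = ET.fromstring(gacl_xml)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        if not entry_matches(entry, dn, set(fqans)):
            continue
        for perm in PERMS:
            if entry.find("allow/" + perm) is not None:
                allowed.add(perm)
            if entry.find("deny/" + perm) is not None:
                denied.add(perm)
    return allowed - denied


if __name__ == "__main__":
    bob = "/C=UK/O=eScience/OU=Manchester/CN=bob"
    print(sorted(evaluate(SAMPLE_GACL, bob)))                              # via DN list
    print(sorted(evaluate(SAMPLE_GACL, bob, ["/example-vo/Role=admin"])))  # plus VOMS
    print(sorted(evaluate(SAMPLE_GACL, None)))                             # anonymous
```

The three credential kinds on the slide map onto the three entry types: a `<person>` is a single X.509/GSI subject, a `<voms>` entry is the Authz Push case (the attribute certificate travels with the request), and a `<dn-list>` entry is the Authz Pull case (the server resolves the URI to a group). The `admin` bit is what "the right to edit an ACL can itself be delegated" refers to: whoever holds it can change the .gacl file for that directory.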
GridSite Philosophy
- Re-use as much of Apache as possible
- Original gridsite.cgi becomes mod_gridsite
- use standard config files, Apache internal settings etc.
- less work for us when Apache/OpenSSL vulnerability patches are published
- Support dynamic content in any language
- via standalone CGIs or built-ins like mod_perl
- Keep generally useful machinery in a library
- can be re-used by other server-side or even client tools
- Think about efficiency
- eg make sure HTTPS connection reuse isn't prevented
Example of experience driving architecture
- GSI proxy support had 3 stages of evolution
- 1. maximal mod_ssl-GSI
- Mike Jones' original patched version of mod_ssl
- Only one file to install, but the patching has to be redone every time mainstream mod_ssl changes
- 2. minimal mod_ssl-GSI / libgridsite
- Move GSI handling into the library
- Simplify the patch to mod_ssl (down to a few lines)
- 3. remap SSL callbacks at runtime from mod_gridsite
- mod_ssl not modified; just use vendor (re)releases
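Why stock mod_ssl needs help with GSI proxies, and what a remapped verify callback has to decide, as an added example that is not mod_gridsite's or mod_ssl's code: certificates are reduced here to the three fields the decision turns on (subject, issuer, CA flag); signature checking is assumed to have been done by OpenSSL already. A plain path check refuses a proxy because the user's certificate that signed it is not a CA; the GSI-aware check accepts a link whose subject is the issuer's subject plus one "/CN=proxy" or "/CN=limited proxy" component, bounds the delegation depth, and reports the real user's identity. The DNs and the depth limit are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """The fields of a certificate this model looks at (OpenSSL one-line DNs)."""
    subject: str
    issuer: str
    is_ca: bool  # basicConstraints CA:TRUE


# Legacy GSI proxy naming: proxy subject = issuer subject + one of these.
PROXY_CNS = ("/CN=proxy", "/CN=limited proxy")


def stock_verify(chain):
    """What an unmodified verifier does: every link must be signed by a CA
    named as the issuer, and the chain (leaf first) must end at a trusted
    self-signed root.  Signature checks are assumed done elsewhere."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False
    root = chain[-1]
    return root.subject == root.issuer and root.is_ca


def is_legacy_proxy(child, parent):
    """True if `child` is a GSI proxy issued directly by `parent`."""
    return (child.issuer == parent.subject
            and child.subject.startswith(parent.subject)
            and child.subject[len(parent.subject):] in PROXY_CNS)


def gsi_verify(chain, proxy_limit=9):
    """GSI-aware check.  Returns (ok, identity, limited).

    Proxy links are accepted although their issuer is not a CA, up to
    `proxy_limit` of them (the depth bound is this example's own choice);
    `identity` is the subject of the first non-proxy certificate, i.e. the
    user the proxy stands for; `limited` is True if any link in the
    delegation chain is a limited proxy, since that restriction is
    inherited by everything delegated below it.
    """
    depth, limited, i = 0, False, 0
    while i + 1 < len(chain) and is_legacy_proxy(chain[i], chain[i + 1]):
        depth += 1
        if depth > proxy_limit:
            return False, None, limited
        limited = limited or chain[i].subject.endswith("/CN=limited proxy")
        i += 1
    ok = stock_verify(chain[i:])  # the rest must be an ordinary X.509 path
    return ok, (chain[i].subject if ok else None), limited


# Constructed sample chain: CA -> alice -> proxy -> limited proxy.
CA = Cert("/C=UK/O=eScience/CN=Example CA", "/C=UK/O=eScience/CN=Example CA", True)
ALICE = Cert("/C=UK/O=eScience/CN=alice", CA.subject, False)
PROXY1 = Cert(ALICE.subject + "/CN=proxy", ALICE.subject, False)
PROXY2 = Cert(PROXY1.subject + "/CN=limited proxy", PROXY1.subject, False)
# Constructed attack: names itself as alice's proxy but was not issued by alice.
FORGED = Cert(ALICE.subject + "/CN=proxy", "/C=UK/O=eScience/CN=mallory", False)


if __name__ == "__main__":
    print(stock_verify([ALICE, CA]))                    # True
    print(stock_verify([PROXY1, ALICE, CA]))            # False: alice is not a CA
    print(gsi_verify([PROXY1, ALICE, CA]))              # accepted, identity alice
    print(gsi_verify([PROXY2, PROXY1, ALICE, CA]))      # accepted, limited
    print(gsi_verify([FORGED, ALICE, CA]))              # rejected
    print(gsi_verify([PROXY2, PROXY1, ALICE, CA], 1))   # rejected: too deep
```

This is the logic that stage 1 put into a patched mod_ssl, stage 2 moved into libgridsite behind a few-line hook, and stage 3 reaches by swapping the SSL verify callback in at runtime, so that the mod_ssl shipped by the vendor can be used unchanged. The forged case shows why the subject check alone is not enough: the proxy naming convention only says who the proxy claims to stand for, and the issuer link (and the signature behind it) is what proves it.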
Non-Java WS hosting
- Most Web Services attention goes on Java
- However, like many other application areas, Particle Physics has a continued (and growing!) investment in C code, applications in the form of native binaries, and scripting languages as glue.
- Most of the web is based on the same Apache httpd tradition GridSite builds on
- For CGI binaries, Perl scripts, PHP pages etc, Apache is the equivalent of a Java servlet container like Tomcat.
- EGEE is starting with SOAP over SSL/TLS
- GridSite's current GSI/HTTPS support provides a hosting environment for exactly this kind of architecture ...
Libgridsite toolkit
- Core functions of GridSite pulled out into a library
- Currently only C and C++ APIs, but adding scripting languages (Perl etc)
- More functionality to be added
- eg library version of parallel HTTP etc from the htcp command line tool
- more credential types? CAS? Permis? Passwords?
- Aim to provide a general C/C++ Grid Security toolkit, for both client and server side implementations
- Previous versions already in use by EDG, LHC Computing Grid and EGEE.
For more details...
- See www.gridpp.ac.uk for the website in action
- And www.gridsite.org for more about the GridSite software itself