1
Grid Security in a production environment: 4 years of running www.gridpp.ac.uk
  • Andrew McNab
  • University of Manchester

2
Outline
  • About GridPP
  • Using X.509
  • Grid ACLs & Groups
  • GridSite Philosophy
  • Experience > design
  • Web services
  • Security toolkit

1 September 2004
Grid Security in a production environment
3
About GridPP
  • GridPP is a collaboration of 100 particle
    physicists, engineers and computer scientists
  • 15 UK sites + CERN
  • GridSite software was developed to manage
    www.gridpp.ac.uk
  • Allows users to edit or upload pages etc.
  • Security is key to this...

4
Using X.509
  • Every member of GridPP has an X.509 certificate
  • Originally from UK HEP CA, now UK e-Science CA
  • We've used this to control read and write access
  • Don't have to type passwords once cert is loaded
  • Works with all credible browsers
  • Some areas of the site, eg portals, give access
    to grid resources based on X.509 themselves
  • Users can edit HTML in their browser window
  • Can upload HTML, images etc from their browser
  • Manage ACLs and groups through a web GUI

5
Grid ACLs & Groups
  • GridSite uses an XML access control language
    (GACL) to define read, write, list, admin
    permissions for files, directories and scripts
  • policies can use X.509/GSI certs, signed VOMS
    attribute certs (for Authz Push) or DN List
    groups (for Authz Pull)
  • the right to edit an ACL can itself be delegated
  • DN Lists are identified by a URI and consist of a
    list of X.509 subjects
  • via LDAP(S) / HTTP(S) from Authz servers
    elsewhere (including from EDG/LCG/EGEE VO-LDAP
    or VOMS)
  • or from locally managed DN Lists possibly with
    administration delegated to a subgroup manager
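The following is an added example, not GridSite's own code: a small Python evaluator for the GACL policy format described in this slide. The policy, the DN-list contents, the DNs, the list URL and the VOMS FQAN are all constructed for the example. It assumes the evaluation rule that every credential in an entry must match the requestor and that the result is the union of matching allows minus the union of matching denies; the DN list that GridSite would pull over HTTP(S) or LDAP(S) is replaced by a local table keyed by the list's URI.

```python
"""Evaluate a GACL (Grid Access Control Language) policy for a requestor.

Added example, not GridSite code.  Assumed rules: all credentials in an
<entry> must match; permissions = union of matching <allow>s minus union of
matching <deny>s.  DN lists are looked up in a local table standing in for
lists pulled over HTTP(S)/LDAP(S).
"""
import xml.etree.ElementTree as ET

PERMISSIONS = ("read", "exec", "list", "write", "admin")

# Constructed sample policy in GACL syntax (hypothetical DNs, URL and FQAN).
SAMPLE_GACL = """<gacl version="0.0.1">
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=site admin</dn></person>
    <allow><read/><list/><write/><admin/></allow>
  </entry>
  <entry>
    <dn-list><url>https://www.example.org/dn-lists/editors</url></dn-list>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <voms><fqan>/example/Role=Auditor</fqan></voms>
    <allow><read/><list/></allow>
    <deny><write/></deny>
  </entry>
  <entry>
    <any-user/>
    <allow><read/></allow>
  </entry>
</gacl>
"""

# Constructed DN-list contents, keyed by the URI that identifies the list.
DN_LISTS = {
    "https://www.example.org/dn-lists/editors": {
        "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice editor",
        "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=bob auditor",
    },
}


def credential_matches(cred, dn, fqans, dn_lists):
    """Return True if one credential element of an <entry> matches the requestor."""
    if cred.tag == "any-user":          # anyone, authenticated or not
        return True
    if cred.tag == "auth-user":         # anyone who presented a valid certificate
        return dn is not None
    if cred.tag == "person":            # exact match on the certificate subject
        return dn is not None and dn == cred.findtext("dn")
    if cred.tag == "dn-list":           # Authz Pull: is the DN in the named list?
        return dn is not None and dn in dn_lists.get(cred.findtext("url"), ())
    if cred.tag == "voms":              # Authz Push: FQAN from a VOMS attribute cert
        return cred.findtext("fqan") in fqans
    return False                        # unknown credential type: never matches


def evaluate(gacl_xml, dn, fqans=(), dn_lists=DN_LISTS):
    """Return the set of permissions the policy grants to the requestor."""
    root = ET.fromstring(gacl_xml)
    if root.tag != "gacl":
        raise ValueError("not a GACL document")
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        # Every credential listed in the entry must match (AND semantics).
        if not creds or not all(credential_matches(c, dn, fqans, dn_lists) for c in creds):
            continue
        for block in entry.findall("allow"):
            allowed.update(p.tag for p in block if p.tag in PERMISSIONS)
        for block in entry.findall("deny"):
            denied.update(p.tag for p in block if p.tag in PERMISSIONS)
    return allowed - denied             # any matching deny overrides any allow


def can_edit_acl(gacl_xml, dn, fqans=()):
    """Editing the ACL itself is the 'admin' right, which the policy can delegate."""
    return "admin" in evaluate(gacl_xml, dn, fqans)


if __name__ == "__main__":
    base = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN="
    for who, dn, fqans in [
        ("site admin", base + "site admin", ()),
        ("alice (DN list)", base + "alice editor", ()),
        ("bob (DN list + VOMS)", base + "bob auditor", ("/example/Role=Auditor",)),
        ("anonymous", None, ()),
    ]:
        print(f"{who:22s} -> {sorted(evaluate(SAMPLE_GACL, dn, fqans))}")
```

The bob case is the one worth studying: he gets write access through the editors DN list, but the VOMS entry that grants him read and list also denies write, and under the assumed rule a deny in any matching entry wins. Credential types the evaluator does not implement (for example a hostname pattern) never match, so a policy relying on them fails closed rather than open; the DN comparison is an exact string match, so subject-name canonicalisation has to happen before the DN reaches this point.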

6
GridSite Philosophy
  • Re-use as much of Apache as possible
  • Original gridsite.cgi becomes mod_gridsite
  • use standard config files, Apache internal
    settings etc
  • less work for us when Apache/OpenSSL
    vulnerability patches are published
  • Support dynamic content in any language
  • via standalone CGIs or built-ins like mod_perl
  • Keep generally useful machinery in a library
  • can be re-used by other server-side or even
    client tools
  • Think about efficiency
  • eg make sure HTTPS connection reuse isn't
    prevented

7
Example of experience driving architecture
  • GSI proxy support had 3 stages of evolution
  • 1. maximal mod_ssl-GSI
  • Mike Jones' original patched version of mod_ssl
  • Only one file to install but patching has to be
    redone every time mainstream mod_ssl changes
  • 2. minimal mod_ssl-GSI/libgridsite
  • Move GSI handling into the library
  • Simplify patching to mod_ssl (down to a few
    lines)
  • 3. remap SSL callbacks at runtime from
    mod_gridsite
  • mod_ssl is not modified: just use vendor
    (re)releases

8
Non-Java WS hosting
  • Most Web Services attention goes on Java
  • However, like many other application areas,
    Particle Physics has a continued (and growing!)
    investment in C code, applications in the form
    of native binaries and scripting languages as
    glue.
  • Most of the web is based on the same Apache httpd
    tradition GridSite builds on
  • For CGI binaries, Perl Scripts, PHP pages etc,
    Apache is the equivalent of a Java servlet
    container like Tomcat.
  • EGEE is starting with SOAP over SSL/TLS
  • GridSite's current GSI/HTTPS support provides a
    hosting environment for exactly this kind of
    architecture ...

9
Libgridsite toolkit
  • Core functions of GridSite pulled out into a
    library
  • Currently only a C/C++ API, but adding
    scripting languages (Perl etc)
  • More functionality to be added
  • eg library version of parallel HTTP etc from htcp
    command line tool
  • more credential types? CAS? Permis? Passwords?
  • Aim to provide a general C/C++ Grid Security
    toolkit, for both client and server side
    implementations
  • Previous versions already in use by EDG, LHC
    Computing Grid and EGEE.

10
For more details...
  • See www.gridpp.ac.uk for the website in action
  • And www.gridsite.org for more about the GridSite
    software itself
