The GridSite Security Framework - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
The GridSite Security Framework
  • Andrew McNab
  • University of Manchester

2
Outline
  • GridSite components
  • mod_gridsite Apache
  • Some features in detail
  • GridHTTP
  • Web service support
  • gsexec and GRACE

22 Sept 2005
GridSite - www.GridSite.org
3
Components
  • libgridsite C/C++ toolkit provides utility
    functions
  • based on OpenSSL, libxml2, gSOAP
  • parse GSI Proxies and VOMS X.509 attribute certs
  • evaluate GACL and XACML access policies
  • generate new GSI Proxies
  • mod_gridsite adds support for GSI Proxies, VOMS
    attributes, DN List groups, GACL/XACML policies
    and Onetime Passcodes to Apache
  • htcp, htls, htdelegate, ... provide command line
    tools

5
GridHTTP
  • Profile for using HTTP(S) for bulk data transfers
  • e.g. for 2 GB files across WAN
  • HTTPS control channel used for authentication
  • X.509, GSI, VOMS credentials and GACL policies
  • Redirects to HTTP, with a one-time passcode
    cookie
  • HTTP GET or PUT request made with passcode
  • Similar to unencrypted GridFTP data channel
  • But with Apache performance benefits: sendfile()
    etc.
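
The redirect-with-passcode exchange on this slide, sketched as an added Python example (not GridSite or mod_gridsite code). The cookie name, 60-second lifetime, host name, DN and ACL table are assumptions constructed for illustration.

```python
import secrets
import time

PASSCODE_TTL = 60      # assumption: seconds before an unused passcode expires
COOKIE = "PASSCODE"    # assumption: hypothetical cookie name
USER_DN = "/C=UK/O=eScience/CN=constructed user"   # constructed sample DN
ACL = {("/data/run42.root", "GET"): {USER_DN}}     # constructed stand-in for a GACL policy

_issued = {}           # passcode -> (method, path, expiry)

def https_control(client_dn, method, path, now=None):
    """HTTPS side: authorise the certificate DN, then redirect to HTTP with a passcode."""
    now = time.time() if now is None else now
    if client_dn not in ACL.get((path, method), set()):
        return {"status": 403}
    code = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _issued[code] = (method, path, now + PASSCODE_TTL)
    return {"status": 302,
            "Location": "http://example.org" + path,
            "Set-Cookie": f"{COOKIE}={code}"}

def http_data(method, path, cookie_header, now=None):
    """HTTP side: no TLS and no certificate; the passcode cookie is the only credential."""
    now = time.time() if now is None else now
    name, _, code = cookie_header.partition("=")
    # pop() consumes the passcode on first presentation, so a copy observed on the
    # unencrypted channel cannot be replayed, even if this request is then refused.
    entry = _issued.pop(code, None) if name == COOKIE else None
    if entry is None:
        return 403
    issued_method, issued_path, expiry = entry
    ok = (issued_method, issued_path) == (method, path) and now <= expiry
    return 200 if ok else 403

def demo():
    """Authorised GET: redirect, one successful transfer, then a refused replay."""
    redirect = https_control(USER_DN, "GET", "/data/run42.root", now=1000.0)
    cookie = redirect["Set-Cookie"]
    first = http_data("GET", "/data/run42.root", cookie, now=1001.0)
    replay = http_data("GET", "/data/run42.root", cookie, now=1002.0)
    return redirect["status"], first, replay

if __name__ == "__main__":
    print(demo())
```

Binding the passcode to one method and path, and consuming it on first use, is what limits the exposure of sending it over plain HTTP.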

6
Web Service support
  • GridSite architecture can provide security for
    Web Service tools like gSOAP, with CGI Web
    Services
  • We also provide the C/C++ implementation of the
    GridSite / EGEE Delegation portType
  • Java implementation by other members of EGEE
  • mod_gridsite delegation CGI used by EGEE WMS
  • Apache/FastCGI GridSite (security) gSOAP (WS)
  • Delegated credentials stored in the filesystem
  • Allows sharing between different CGI languages

7
suexec and gsexec
  • Apache has traditionally provided a wrapper to
    run CGIs as other Unix users
  • Start as root, process as apache, CGI as joeuser
  • We've modified this to run CGI scripts and
    services as pool Unix users, similar to LCG/EGEE
    and NGS
  • Either per-client: the cert in the browser
    determines which pool user
  • Or per-directory: all the CGIs in my directory
    run as the same pool user

8
suexec / gsexec (2)
  • This allows us to sandbox CGI-based services by
    ensuring that the pool users are of sufficiently
    low privilege
  • Different clients or service owners can't
    interfere with each other
  • Access control is still via GACL/XACML policy
    files
  • X.509, GSI Proxy, VOMS, DN List credentials
  • We can now offer third-party service hosting
  • Give a user or VO access to a privileged
    directory
  • They deploy their C/C++/Perl/Python services
    remotely

9
GRACE
  • In adding support for Web Services to GridSite,
    we started to offer non-Java ways of building
    service-orientated grids
  • This provides another way of deploying Web
    Services
  • GRACE: GRidsite - Apache - CGI Executables
  • Allows services to be written in any language
  • Can be deployed remotely
  • Deployment rights controlled by GACL/XACML
    policies
  • Different VOs/individuals are sandboxed via Unix
    UIDs

10
More information
  • www.gridsite.org is the project website
  • Open Source (BSD), bug tracker, CVS etc
  • Includes the new GridSiteWiki
  • Derived from MediaWiki but uses X.509 instead of
    usernames / passwords
  • www.gridpp.ac.uk is the largest site using
    GridSite
  • and includes its own Wiki, which is pulling in
    info
  • You can also find GridSites at NGS, GOC, CERN,
    LCG, TCD.IE, ... by searching for GridSite with
    Google!

11
Summary
  • GridSite has now grown way beyond a web content
    management system
  • Provides libgridsite Grid security toolkit for
    C/C++
  • mod_gridsite adds support for GSI Proxies, VOMS,
    GACL, XACML, and HTTP PUT, MOVE, DELETE to Apache
  • We can now build secured Web Services for Grids
    as CGI programs
  • GRACE model goes further, and supports third
    party service hosting and remote deployment of
    services
