
GridSite and Grid Security



  1. GridSite and Grid Security
  Shiv Kaushal, University of Manchester
  shiv@hep.man.ac.uk
  http://www.hep.man.ac.uk/u/shiv/

  2. GridSite – What?
  • What is GridSite?
    • Set of tools for using Grid security over HTTP(S)
    • Extension to Apache web server
    • Files or web pages
    • Command line tools
    • libgridsite

  3. GridSite – Why and Where?
  • Why use Apache?
    • Stable base that has been well tested
    • Any bugs/vulnerabilities fixed for free
    • Support dynamic content in any language
  • Deployed at various sites
    • GridPP
    • LCG Grid Operations Centre
    • Manchester HEP

  4. GridSite Features
  • Edit pages “on the fly”
  • Various other operations:
    • Delete/rename/edit files & directories
    • Upload files and directory trees
    • Define groups
    • Delegate control of sections of a site to others

  5. Where I come in…
  • People working on GridSite
    • Andrew McNab
    • Me
    • More to come
      • GridPP2 Security Middleware posts

  6. Security - GACL
  • Access control done through Grid certificates and GACL
    • Can base security on more than DNs
  • Access Control List files can become difficult to read and edit
    • Web based editor built into GridSite

  7. Security - GACL
    <?xml version="1.0"?>
    <gacl version="0.0.1">
      <entry>
        <any-user/>
        <allow><read/><list/></allow>
      </entry>
      <entry>
        <person>
          <dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab</dn>
        </person>
        <allow><read/><exec/><list/></allow>
      </entry>
      <entry>
        <person>
          <dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=shiv kaushal</dn>
        </person>
        <allow><read/><exec/><list/><write/><admin/></allow>
      </entry>
    </gacl>


  9. Security

  10. Security – Migration to XACML
  • XACML
    • “General purpose” language
    • Becoming widely accepted
    • More complex than GACL
      • Greater need for easy editing

  11. XACML
    <?xml version="1.0" encoding="UTF-8"?>
    <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy cs-xacml-schema-policy-01.xsd"
            PolicyId="GridSitePolicy"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
      <Target>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/path/to/dir</AttributeValue>
              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>
      <Rule RuleId="Entry1A" Effect="Permit">
        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/C=UK/CN=shiv</AttributeValue>
                <SubjectAttributeDesignator AttributeId="person" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </SubjectMatch>
            </Subject>
          </Subjects>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">list</AttributeValue>
                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
          </Actions>
        </Target>
      </Rule>
      <Rule RuleId="Entry1D" Effect="Deny">
        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/C=UK/CN=shiv</AttributeValue>
                <SubjectAttributeDesignator AttributeId="person" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </SubjectMatch>
            </Subject>
          </Subjects>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">exec</AttributeValue>
                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
          </Actions>
        </Target>
      </Rule>
    </Policy>

    GACL
    <?xml version="1.0"?>
    <gacl version="0.0.1">
      <entry>
        <person>
          <dn>/C=UK/CN=shiv</dn>
        </person>
        <allow><read/><list/></allow>
        <deny><exec/><write/></deny>
      </entry>
    </gacl>


  13. Security – Migration to XACML
  • GACL editor in GridSite modified
    • Can now output/read XACML policy files
    • Will support both GACL and XACML
  • Functionality now part of libgridsite
  • Cannot handle arbitrary XACML policy files
  • Generated policies tested using Sun’s Java implementation
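The GACL-to-XACML mapping shown on slide 11, and the XACML output that slide 13 says the GridSite editor now produces, as an added Python example that is not GridSite's or libgridsite's own code: each <allow> set in an entry becomes a Permit rule and each <deny> set a Deny rule, under the same deny-overrides combining algorithm as the slide's policy, so a denial always wins. SAMPLE_GACL is a constructed input, and only <any-user/> and <person><dn> credentials are handled.

```python
# Added example, not GridSite's own code: convert a GACL file into the
# XACML 1.0 policy shape shown on slide 11 (allow -> Permit rule, deny ->
# Deny rule, deny-overrides combining). Only <any-user/> and <person><dn>
# credentials are handled. SAMPLE_GACL is a constructed input.
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:1.0"
STR = "http://www.w3.org/2001/XMLSchema#string"
SAMPLE_GACL = """<?xml version="1.0"?><gacl version="0.0.1">
 <entry><any-user/><allow><read/><list/></allow></entry>
 <entry><person><dn>/C=UK/CN=shiv</dn></person>
  <allow><read/><list/></allow><deny><exec/><write/></deny></entry></gacl>"""

def gacl_rules(gacl_text):
    """Flatten entries to (rule_id, dn, effect, actions); dn is None for any-user."""
    rules = []
    for n, entry in enumerate(ET.fromstring(gacl_text).findall("entry"), 1):
        dn = entry.findtext("person/dn")
        if dn is None and entry.find("any-user") is None:
            raise ValueError(f"entry {n}: unsupported credential type")
        for tag, effect in (("allow", "Permit"), ("deny", "Deny")):
            perms = entry.find(tag)
            if perms is not None and len(perms):  # ignore an empty <allow/> or <deny/>
                rules.append((f"Entry{n}{tag[0].upper()}", dn, effect, [p.tag for p in perms]))
    return rules

def _match(parent, kind, value, attr_id):  # <KindMatch> with string-equal on one attribute
    m = ET.SubElement(parent, f"{kind}Match", MatchId=f"{XACML}:function:string-equal")
    ET.SubElement(m, "AttributeValue", DataType=STR).text = value
    ET.SubElement(m, f"{kind}AttributeDesignator", AttributeId=attr_id, DataType=STR)

def gacl_to_xacml(gacl_text, resource):
    """Return the XACML policy text; resource is the path the policy covers."""
    policy = ET.Element("Policy", xmlns=f"{XACML}:policy", PolicyId="GridSitePolicy",
                        RuleCombiningAlgId=f"{XACML}:rule-combining-algorithm:deny-overrides")
    target = ET.SubElement(policy, "Target")
    res = ET.SubElement(ET.SubElement(target, "Resources"), "Resource")
    _match(res, "Resource", resource, f"{XACML}:resource:resource-id")
    ET.SubElement(ET.SubElement(target, "Subjects"), "AnySubject")
    ET.SubElement(ET.SubElement(target, "Actions"), "AnyAction")
    for rule_id, dn, effect, actions in gacl_rules(gacl_text):
        rt = ET.SubElement(ET.SubElement(policy, "Rule", RuleId=rule_id, Effect=effect), "Target")
        subjects = ET.SubElement(rt, "Subjects")
        if dn is None:
            ET.SubElement(subjects, "AnySubject")
        else:  # the slide's policy carries the certificate DN under AttributeId="person"
            _match(ET.SubElement(subjects, "Subject"), "Subject", dn, "person")
        acts = ET.SubElement(rt, "Actions")
        for act in actions:
            _match(ET.SubElement(acts, "Action"), "Action", act, f"{XACML}:action:action-id")
    return ET.tostring(policy, encoding="unicode")
```

Like the editor on slide 13, this goes one way only (GACL to XACML) and does not attempt arbitrary XACML. It rejects a GACL credential type it does not know rather than skipping the entry, since silently dropping an entry that carried a <deny> would widen access.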

  14. Further Work
  • Web Services
    • Move away from Java focus of WS hosting
    • Can use various languages
  • Currently
    • Tying in above with gridmap-type functionality

  15. Further Information
  • http://www.gridsite.org/
  • http://www.hep.man.ac.uk/u/shiv
  • http://www.hep.man.ac.uk/u/mcnab
