The GridSite Security System Andrew McNab and Shiv Kaushal University of Manchester.

Post on 29-Jan-2016

The GridSite Security System

Andrew McNab and Shiv Kaushal

University of Manchester

29 September 2004

A.McNab – GridSite

Outline

● What is GridSite?
● Components
● Philosophy
● Architecture
● Credential parsing
● GACL access policies
● HTTPS Downgrade
● Delegation
● SOAP/WS in GridSite

What is GridSite?

● GridSite has evolved from a set of website management tools, used by GridPP in 2000.
● It still provides some basic website tools
    ● Edit or upload files/pages via your web browser
    ● Create directories, manage access control etc
● However, our emphasis is now on adding grid security support to the industry-standard Apache webserver
    ● From 2001, GridSite recognised X.509 user certs in web browsers, so this has been a natural progression.
● We do all this in a modular way to help 3rd parties.

GridSite Components

● Central component is libgridsite
    ● Provides reusable C/C++ functions
    ● Handles X.509/GSI/VOMS credentials
    ● Parses GACL(/XACML) policy files
    ● Provides some HTTP/HTML utilities
● mod_gridsite plugs into Apache 2.0
    ● Uses libgridsite functions to add GSI/VOMS support
    ● And to allow fine grained access control with GACL
● grst-admin.cgi provides website management tools
● htcp command provides scp-like copies via HTTP(S)

Philosophy

● Re-use as much of Apache as possible
    ● Original gridsite.cgi filter became mod_gridsite
    ● Use standard config files, Apache internal settings etc
    ● Less work for us when Apache/OpenSSL vulnerabilities & patches are published
● Support dynamic content in any language
    ● via standalone CGIs or built-ins like mod_perl
● Keep generally useful machinery in a library
    ● Can be re-used by other server-side or even client tools
● Think about efficiency
    ● eg make sure HTTPS connection reuse isn't prevented

Architecture

[Diagram: GridSite 1.0.x architecture. Box labels recovered from the figure:]

● HTTP
● mod_ssl: plain HTTPS > env vars
● mod_gridsite: GSI / VOMS OpenSSL callback wrappers
● mod_gridsite: GACL access control + GACL > env vars
● mod_gridsite: .html headers and footers
● mod_gridsite: file PUT and DELETE
● CGI, PHP, .shtml, mod_perl
● mod_jk: JSP with Tomcat
● grst-admin.cgi: page editing, file upload, ACL editing etc.

Credential Parsing

● Apache mod_ssl provides X.509 parsing and checking natively
● To support jobs or agents with GSI proxies, we need to deal with their “invalid” certificate chain
    ● This is done by intercepting OpenSSL callbacks
● Functions that understand GSI proxy chains are in libgridsite
● Valid proxies are treated like valid X.509 certs
● Normal mod_ssl environment variables are created
● If VOMS attribute certs are present, variables are exported downstream with their values too.

GACL access policies

● Apache has a simple access model based on IP number and username / password credentials.
● GridSite adds to this by being able to use GACL access policies for fine grained access control.
● GACL handling is done within libgridsite
    ● It's used outside Apache by some other LCG/EGEE components
    ● Read/write/execute/list/admin permissions can be granted according to X.509/GSI DN, VO DN Lists or VOMS attribute certificates.
● grst-admin.cgi provides a GUI editor for GACL files.
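
An added example, not part of the original slides and not libgridsite code: a small evaluator showing how permissions granted by DN and by VOMS attribute combine into one decision. The XML element names, the `exec` spelling of the execute permission, the sample DNs and FQAN, and the rule that a matching deny overrides any allow are assumptions made for this sketch; the DN and FQANs passed in are assumed to come from an already verified certificate chain.

```python
import xml.etree.ElementTree as ET

PERMS = {"read", "write", "exec", "list", "admin"}

# Constructed sample policy; element names are an assumed GACL-style layout.
SAMPLE_GACL = """
<gacl>
  <entry><any-user/><allow><read/><list/></allow></entry>
  <entry><person><dn>/O=Example/CN=Alice</dn></person>
         <allow><write/></allow></entry>
  <entry><voms><fqan>/examplevo/Role=writer</fqan></voms>
         <allow><write/></allow></entry>
  <entry><person><dn>/O=Example/CN=Bob</dn></person>
         <deny><write/></deny></entry>
</gacl>
"""

def cred_matches(cred, dn, fqans):
    """True if the requester holds the credential named by one policy element."""
    if cred.tag == "any-user":
        return True
    if cred.tag == "auth-user":
        return dn is not None
    if cred.tag == "person":
        return dn is not None and cred.findtext("dn") == dn
    if cred.tag == "voms":
        return cred.findtext("fqan") in fqans
    return False                       # unknown credential type never matches

def effective_perms(gacl_xml, dn=None, fqans=()):
    """Union the allow/deny sets of every matching entry; deny wins (assumed)."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(gacl_xml).iter("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not creds or not all(cred_matches(c, dn, fqans) for c in creds):
            continue
        for tag, bucket in (("allow", allowed), ("deny", denied)):
            for block in entry.findall(tag):
                bucket.update(p.tag for p in block if p.tag in PERMS)
    return allowed - denied
```

In the sample, Bob holds the writer FQAN but is personally denied write, so the per-DN entry removes a right that the VO-level entry would otherwise grant.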

HTTPS Downgrade

● For large files, GridSite has an option to negotiate access via HTTPS and then do the transfer via HTTP.
● This is done using the standard HTTP redirect mechanism.
● Clients can suggest downgrade by making their HTTPS request with an HTTP-Downgrade-Size header
    ● If the file is bigger than the size given, the server may issue a redirect to an HTTP version of the file.
● HTTP authentication is done using a one-time passcode, returned over HTTPS as an HTTP cookie.
    ● Like HTTP, this is vulnerable to man-in-the-middle snooping
    ● But can't be used for replay attacks.
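
An added example, not part of the original slides and not GridSite code: a toy model of the server side of this exchange, showing why a passcode captured on the plain HTTP leg cannot be replayed. The cookie name `onetime`, the host `grid.example.org`, the 60 second lifetime and the binding of each passcode to one file path are assumptions of this sketch; only the HTTP-Downgrade-Size header, the redirect and the one-time cookie come from the slide.

```python
import secrets
import time

class DowngradeServer:
    """Toy model of the server side of the downgrade exchange (not GridSite code)."""

    def __init__(self, files, ttl=60):
        self.files = files      # path -> bytes, constructed sample content
        self.ttl = ttl          # passcode lifetime in seconds (assumed value)
        self.pending = {}       # passcode -> (path, expiry time)

    def https_get(self, path, downgrade_size=None):
        """HTTPS request; certificate and policy checks are assumed to have passed."""
        body = self.files[path]
        if downgrade_size is None or len(body) <= downgrade_size:
            return 200, {}, body                    # no downgrade: serve over HTTPS
        code = secrets.token_urlsafe(32)            # unguessable one-time passcode
        self.pending[code] = (path, time.monotonic() + self.ttl)
        return 302, {"Location": "http://grid.example.org" + path,
                     "Set-Cookie": "onetime=" + code}, b""

    def http_get(self, path, cookie):
        """Plain HTTP request; the passcode cookie is the only credential."""
        code = cookie.partition("=")[2]
        entry = self.pending.pop(code, None)        # removed on first use
        if entry is None:
            return 403, {}, b""                     # unknown or already used
        bound_path, expiry = entry
        if bound_path != path or time.monotonic() > expiry:
            return 403, {}, b""                     # wrong file or expired
        return 200, {}, self.files[path]

def demo():
    srv = DowngradeServer({"/big.dat": b"x" * 4096, "/small.txt": b"hi"})
    small = srv.https_get("/small.txt", downgrade_size=1024)[0]
    redirect, headers, _ = srv.https_get("/big.dat", downgrade_size=1024)
    first = srv.http_get("/big.dat", headers["Set-Cookie"])[0]
    replay = srv.http_get("/big.dat", headers["Set-Cookie"])[0]
    _, headers2, _ = srv.https_get("/big.dat", downgrade_size=1024)
    wrong = srv.http_get("/small.txt", headers2["Set-Cookie"])[0]
    return {"small": small, "redirect": redirect, "first": first,
            "replay": replay, "wrong_path": wrong}

if __name__ == "__main__":
    print(demo())
```

The file body still crosses the network in clear text on the HTTP leg, which is the snooping exposure the slide notes; the passcode only limits what an observer can do with the cookie afterwards.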

Delegation

• During EDG we produced a delegation-over-HTTPS extension to GridSite
    – (protocol implemented for Java by EDG WP2)
• EGEE JRA3 has agreed to support delegation via a web services Delegation portType
    – We've produced a prototype standalone delegation service.
    – Delegation handling functions being added to libgridsite for other services to use directly.
    – Will also add delegation support to mod_gridsite, by intercepting SOAP messages upstream.

SOAP in GridSite

● EGEE intention is to use “SOAP over HTTPS” first.

● Apache/GridSite provides a language-neutral Grid security aware container for C/C++/Perl/etc services.

● We expect many services to continue with transport level security because of large performance benefit of SSL/TLS session reuse.

● However, we also intend to add upstream SOAP parsing capability within mod_gridsite

● Initially to provide delegation support transparently

● As needed, we will add support for SOAP message level security handling within the web server.

Summary

● GridSite has grown from a set of tools used by a grid collaboration into a piece of grid middleware

● Aims to provide native support for Grid security credentials and policies within Apache web platform.

● And to provide reusable security tools for other systems.

● The architecture is deliberately chosen to simplify the operational aspects of running a GridSite service.

● Current work is focussing on support for Web Services running on Apache/GridSite in languages other than Java.