Security middleware
Andrew McNab
University of Manchester
6 July 2005 Security middleware
Outline
● GridSite features in gLite 1.2
● Some features in detail
  ● HTTP Downgrade
  ● Web service support
  ● suexec and gsexec
● Secmon boxes
GridSite in gLite 1.2
● Up to date VOMS support
  ● Attribute Certificates from “gLite”/“LCG” VOMS
● XML access policies written in GACL or XACML
  ● File access / scripts / services controlled by X.509, GSI Proxy, VOMS AC, DN List credentials
● HTTP Downgrade
  ● Authentication via HTTPS; bulk file copy via HTTP
● gsexec
  ● Run scripts/services in Unix user “sandboxes”
HTTP Downgrade
● This is mostly code from last summer
  ● Renewed interest in bulk HTTP so we're revisiting it
● Idea is to offer similar functionality to GridFTP but using standard HTTP(S) tools
● HTTPS “control” channel used for authentication
  ● Returns a one-time passcode as a cookie
● HTTP GET or PUT request made with passcode
  ● Similar to unencrypted GridFTP data channel
  ● But with Apache performance benefits: sendfile() etc
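The control-channel / data-channel split described on this slide, as an added example that is not GridSite's own code: the HTTPS leg authenticates the client and issues a passcode; the plain-HTTP leg redeems it. The binding of the passcode to one method and one path, the 60-second lifetime, and the single-use consumption are assumptions chosen here to show what a defender would want such a passcode to guarantee, since the slide only says "one-time passcode as a cookie".

```python
import hmac
import secrets
import time

# Assumed design, not GridSite's own code: the HTTPS control channel
# authenticates the client and hands back a one-time passcode (set as a
# cookie) that is bound to one method and one path and expires quickly.
# The plain-HTTP data request presents the passcode instead of a certificate.

PASSCODE_TTL_SECONDS = 60  # assumed lifetime; the slides give no figure


class PasscodeStore:
    """Server-side table of passcodes issued but not yet redeemed."""

    def __init__(self, ttl=PASSCODE_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock            # injectable so expiry can be tested
        self._pending = {}            # passcode -> (identity, method, path, expires_at)

    def issue(self, identity, method, path):
        """HTTPS leg: called after the client certificate (or proxy) has been
        verified. Returns the passcode that goes out in the Set-Cookie header."""
        code = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[code] = (identity, method.upper(), path, self.clock() + self.ttl)
        return code

    def redeem(self, presented, method, path):
        """HTTP leg: called when the GET or PUT arrives with the cookie.
        Returns the authenticated identity, or None. The passcode is removed
        on the first presentation whether or not it is valid, so a captured
        cookie cannot be replayed once the legitimate request has used it."""
        match = None
        for code in self._pending:
            if hmac.compare_digest(code.encode(), presented.encode()):
                match = code
        if match is None:
            return None
        identity, bound_method, bound_path, expires_at = self._pending.pop(match)
        if self.clock() > expires_at:
            return None               # stale: the data request came too late
        if bound_method != method.upper() or bound_path != path:
            return None               # passcode is not good for this request
        return identity


def simulate_transfer(store, identity, path):
    """The two-channel exchange end to end: HTTPS auth, HTTP GET, then a
    replay of the same cookie. Returns (first_result, replay_result)."""
    cookie = store.issue(identity, "GET", path)      # HTTPS response: Set-Cookie
    first = store.redeem(cookie, "GET", path)        # HTTP GET with Cookie header
    replay = store.redeem(cookie, "GET", path)       # same cookie presented again
    return first, replay


if __name__ == "__main__":
    s = PasscodeStore()
    print(simulate_transfer(s, "/C=UK/O=eScience/CN=alice", "/data/file.bin"))
```

The data leg is still cleartext, exactly the trade-off the slide draws with the unencrypted GridFTP data channel: anyone on the path sees the file and the cookie. Binding the passcode to a single request and consuming it on first use means a sniffed cookie is worth at most one already-completed transfer. Expired entries are only dropped when presented, so a long-running server would also need a periodic sweep of `_pending`.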
HTTP Downgrade (2)
● Intend to add support for third-party copies
  ● Use COPY method from RFC 2518 (WebDAV)
  ● Passcode used to authenticate the remote leg of the copy
● Add HTTP header with client's estimate of Round Trip Time
  ● Used by server to select correct TCP window size
● Work ongoing with networking (Richard Hughes-Jones etc) to demonstrate performance of HTTP on WANs
● Evangelise about this a bit more...
  ● e.g. GridSite's htcp command now used by EGEE WMS
Web Service support
● GridSite architecture can provide security for Web Service tools like gSOAP, with CGI Web Services
● We also provide the C/C++ implementation of the EGEE / JRA3 Delegation portType
  ● Java implementation by funded part of JRA3
● mod_gridsite + delegation CGI used by EGEE WMS:
  ● Apache/FastCGI; GridSite (security); gSOAP (SOAP/WS)
● Delegated credentials stored in the filesystem
  ● Allows sharing between different CGI languages
suexec and gsexec
● Apache has traditionally provided a wrapper to run CGIs as other Unix users:
  ● Start as root, process as apache, CGI as joeuser
● We've modified this to run CGI scripts and services as pool Unix users
  ● Either per-client: the cert in the browser determines which pool user
  ● Or per-directory: all the CGIs in my directory run as the same pool user
suexec / gsexec (2)
● This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
  ● Different clients or service owners can't interfere with each other
● Access control is still via GACL/XACML policy files
  ● X.509, GSI Proxy, VOMS, DN List credentials
● We can now offer “third-party” hosting of services
  ● Give a user or VO access to a privileged directory
  ● They deploy their C/C++/Perl/Python services remotely
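How a wrapper like gsexec can bind a client or a service directory to a pool account, as an added example that is not gsexec's own code. The slides say only that a pool user is chosen per client certificate or per directory; the mechanism below (one empty file per pool account, a hard link under the encoded key to claim it, the inode link count to detect a free or doubly-claimed account) is an assumption modelled on the LCG-style gridmapdir scheme, and the account names, DN and directory path are constructed. The same function serves both modes because each only needs a stable key.

```python
import os
import tempfile
import urllib.parse

# Assumed mechanism, not gsexec's own code: a "pool directory" holds one
# empty file per Unix pool account. A key (the client's certificate DN in
# per-client mode, or the service directory path in per-directory mode) is
# bound to an account by hard-linking that account's file under the encoded
# key. The link count on the inode then tells us whether the account is taken.
# Modelled on the LCG-style gridmapdir scheme for pool accounts.


def encode_key(key):
    """Filename-safe form of a DN or path ('/' and '=' become %2F and %3D)."""
    return urllib.parse.quote(key, safe="")


def allocate_pool_user(pooldir, key):
    """Return the pool account bound to key, binding a free one on first use.
    Returns None when every account is already taken."""
    link = os.path.join(pooldir, encode_key(key))
    if os.path.lexists(link):
        # Existing binding: the account file shares the link's inode.
        ino = os.stat(link).st_ino
        for entry in os.listdir(pooldir):
            path = os.path.join(pooldir, entry)
            if path != link and os.stat(path).st_ino == ino:
                return entry
        return None
    for entry in sorted(os.listdir(pooldir)):
        path = os.path.join(pooldir, entry)
        if os.stat(path).st_nlink != 1:
            continue                      # already bound (or is itself a binding link)
        try:
            os.link(path, link)           # claim the account
        except FileExistsError:
            return allocate_pool_user(pooldir, key)   # someone bound this key meanwhile
        if os.stat(link).st_nlink == 2:
            return entry                  # exactly us and the account file: success
        os.unlink(link)                   # lost a race for this account; try the next
    return None


def demo():
    """Constructed pool of two accounts exercised in per-client and
    per-directory mode. Returns the observed bindings for inspection."""
    pooldir = tempfile.mkdtemp(prefix="pool-")
    for account in ("pool001", "pool002"):
        open(os.path.join(pooldir, account), "w").close()
    alice = "/C=UK/O=eScience/OU=Manchester/CN=alice"          # constructed DN
    svcdir = "/var/www/services/myvo"                            # constructed path
    return {
        "alice": allocate_pool_user(pooldir, alice),
        "svcdir": allocate_pool_user(pooldir, svcdir),
        "alice_again": allocate_pool_user(pooldir, alice),       # stable mapping
        "bob": allocate_pool_user(pooldir, "/C=UK/O=eScience/CN=bob"),  # pool exhausted
    }


if __name__ == "__main__":
    print(demo())
```

The sandboxing property the slide relies on comes from the accounts themselves, not from the mapping: every pool account must be an ordinary unprivileged user with no shared writable directories, otherwise two clients mapped to neighbouring accounts can still read each other's delegated credentials or scratch files. Exhaustion of the pool is a denial of service for new clients, so the `None` result should be logged and alerted on rather than silently falling back to a shared account.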
GRACE
● In adding support for Web Services to GridSite, we started to offer non-Java ways of building service-orientated grids
● We're now at the point where this is being taken up
● Clearly, this community has a big investment in languages other than Java
  ● But many other scientists and admins do too
● So again, want to start evangelising about this model
  ● GRACE: GRidsite/Apache/CGI-scripts/Executables
SECMON boxes
● Had hoped to have SECMON box prototype ready for this meeting
  ● Expect DVD images available in the next week or two
● Aim is to provide a simple to install security monitoring box that just sits in the corner of your machine room
  ● Sites don't need to install anything special on CE etc being monitored
● Remote administration / monitoring done by Tier-2/Tier-1 staff, but site retains root
SECMON design
● Want to keep things as simple as possible
● Unix syslog already provides almost all of what we need
  ● Always installed
  ● Logs from services/daemons and kernel (port scans etc)
  ● Logging interfaces for scripts, C/C++ etc
  ● One line added to syslog.conf can direct the messages over the network to local SECMON box
● So we need to provide remote config tools and remote access to log files
secmon.conf
● All configuration in one place
  ● All local choices can be recovered from this file
  ● May want to freeze SECMON hard drive to use as evidence for the Police, so this may be important
● secmon.conf currently defines
  ● firewall rules for syslogd, sshd and httpd
  ● services to log (globus-gatekeeper etc)
  ● X.509 DNs of people with different privilege levels
Implementation
● secmond runs as root
  ● monitors secmon.conf for changes
  ● updates config files as a result
  ● filters syslog messages into log files according to service name (sshd, httpd, globus-gatekeeper etc)
● Admin CGI (secmon-admin.cgi) runs as user apache
  ● manages secmon.conf
● RSS CGI (secmon-rss.cgi) runs as user apache
● All remote access controlled by GridSite/GACL policies
RSS Access
● RSS is widely used to allow clients to pull categorised, chronological data (like news headlines) out of webservers, in a programmatic way
  ● Well matched to transporting syslog type alert messages
● secmon-rss.cgi queried by service name, severity and/or date range
  ● Only pull out the level of detail we need
  ● Seeks / bisects / reads log file directly to find messages
● Access control currently via X.509/GSI Proxy only
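The two SECMON pieces described on the Implementation and RSS Access slides, as one added example that is not the SECMON code: the receiving side splits the syslog stream into one chronological list per service name (secmond's per-service log files), and the query side selects by service, severity and date range, bisecting the timestamp order instead of reading everything. The log lines are constructed BSD-syslog samples, the year 2005 is assumed because that timestamp format carries none, and the record field names are this example's own.

```python
import re
from bisect import bisect_left, bisect_right
from datetime import datetime

# Constructed BSD-syslog lines (not real SECMON logs) as a central box
# receives them from a monitored node. "<PRI>" = facility*8 + severity;
# severity 0 (emerg) is worst, 7 (debug) is least important.
SAMPLE_LINES = [
    "<38>Jul  6 09:14:02 ce01 sshd[4711]: Accepted publickey for joeuser from 10.0.0.5 port 51022 ssh2",
    "<38>Jul  6 09:14:09 ce01 sshd[4712]: Failed password for root from 10.0.0.9 port 40110 ssh2",
    "<35>Jul  6 09:15:30 ce01 globus-gatekeeper[5002]: Authentication failed for /C=UK/O=eScience/CN=unknown",
    "<30>Jul  6 09:16:01 ce01 httpd[2210]: GET /data/file.bin 200",
    "<4>Jul  6 09:17:45 ce01 kernel: portscan: 10.0.0.9 hit ports 21,22,23,25,80 in 2s",
    "Jul  6 09:18:00 ce01 sshd[4713]: Accepted publickey for admin from 10.0.0.2 port 51100 ssh2",
]

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

YEAR = 2005  # BSD syslog timestamps carry no year; assumed for the sample


def parse_line(line, year=YEAR):
    """One syslog line -> record dict, or None if it is not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri")) if m.group("pri") else 13   # RFC 3164 default user.notice
    ts = " ".join(m.group("ts").split())                   # collapse "Jul  6" padding
    return {
        "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "service": m.group("prog"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "facility": pri // 8,
        "severity": pri % 8,
        "msg": m.group("msg"),
    }


def route_by_service(lines):
    """What secmond does on receipt: split the stream into one chronological
    list per service name (on disk, one log file per service)."""
    routed = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            routed.setdefault(rec["service"], []).append(rec)
    return routed


def _as_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if isinstance(value, str) else value


def query(records, service=None, max_severity=7, start=None, end=None):
    """What an RSS-style fetch asks for: records of one service, at or above a
    severity, within a date range. Records must be chronological, so the
    range is found by bisection rather than by scanning the whole file."""
    times = [r["time"] for r in records]
    lo = bisect_left(times, _as_time(start)) if start else 0
    hi = bisect_right(times, _as_time(end)) if end else len(records)
    return [
        r for r in records[lo:hi]
        if (service is None or r["service"] == service) and r["severity"] <= max_severity
    ]


if __name__ == "__main__":
    for svc, recs in route_by_service(SAMPLE_LINES).items():
        print(svc, len(recs))
    for r in query([x for x in map(parse_line, SAMPLE_LINES) if x], max_severity=4):
        print(r["time"], r["service"], r["msg"])
```

Two things a box like this has to get right: the program name is taken from the message as the sender wrote it, so a monitored host that is compromised can forge any service name or severity, which is why the slides have the site retain root on the box and keep the drive freezable as evidence rather than trusting the stream itself; and since the line without a `<PRI>` falls back to severity 5, a severity filter of 4 or lower silently drops such lines, so senders should be configured to include the priority.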
Summary
● The current version of GridSite is part of the latest gLite release process
● We're providing a system which is used by other middleware, not just websites
● Non-Web Service tools from GridSite (htcp etc) are starting to be used too
● SECMON box prototype is almost ready