The GridSite Security System

Andrew McNab and Shiv Kaushal

University of Manchester

29 September 2004

A.McNab – GridSite

Outline

● What is GridSite?● Components● Philosophy● Architecture● Credential parsing● GACL access policies ● HTTPS Downgrade● Delegation● SOAP/WS in GridSite

29 September 2004

A.McNab – GridSite

What is GridSite?

●GridSite has evolved from a set of website management tools, used by GridPP in 2000.●It still provides some basic website tools

● Edit or upload files/pages via your web browser● Create directories, manage access control etc

●However, our emphasis is now on adding grid security support to the industry-standard Apache webserver

● From 2001, GridSite recognised X.509 user certs in web browsers, so this has been a natural progression.

●We do all this in a modular way to help 3rd parties.

29 September 2004

A.McNab – GridSite

GridSite Components

●Central component is libgridsite● Provides reusable C/C++ functions● Handles X.509/GSI/VOMS credentials● Parses GACL(/XACML) policy files● Provides some HTTP/HTML utilities

●mod_gridsite plugs into Apache 2.0● Uses libgridsite functions to add GSI/VOMS support● And to allow fine grained access control with GACL

●grst-admin.cgi provides website management tools●htcp command provides scp-like copies via HTTP(S)

29 September 2004

A.McNab – GridSite

Philosophy

●Re-use as much of Apache as possible● Original gridsite.cgi filter became mod_gridsite● Use standard config files, Apache internal settings etc● Less work for us when Apache/OpenSSL vulnerabilities

& patches are published●Support dynamic content in any language

● via standalone CGIs or built-ins like mod_perl●Keep generally useful machinery in a library

● Can be re-used by other server-side or even client tools●Think about efficiency

● eg make sure HTTPS connection reuse isn't prevented

29 September 2004

A.McNab – GridSite

Architecture

mod_ssl: plainHTTPS > env vars

mod_gridsite: GACL access control + GACL > env vars

mod_gridsite:.html headersand footers

CGI, PHP,.shtml,

mod_perl

mod_jk:JSP withTomcat

HTTP

Grst-admin.cgi: page editing,file upload, ACL editing etc.

mod_gridsite:file PUT

and DELETE

GridSite 1.0.x

mod_gridsite: GSI / VOMS OpenSSL callback wrappers

29 September 2004

A.McNab – GridSite

Credential Parsing

●Apache mod_ssl provides X.509 parsing and checking natively●To support jobs or agents with GSI proxies, we need to deal with their “invalid” certificate chain

● This is done by intercepting OpenSSL callbacks●Functions that understand GSI proxy chains are in libgridsite●Valid proxies are treated like valid X.509 certs●Normal mod_ssl environment variables are created●If VOMS attribute certs are present, variables are exported downstream with their values too.

29 September 2004

A.McNab – GridSite

GACL access policies

●Apache has a simple access model based on IP number and username / password credentials.●GridSite adds to this by being able to use GACL access policies for fine grained access control.●GACL handling is done within libgridsite

● It's used outside Apache by some other LCG/EGEE components

● Read/write/execute/list/admin permissions can be granted according to X.509/GSI DN, VO DN Lists or VOMS attribute certificates.

●grst-admin.cgi provides a GUI editor for GACL files.

29 September 2004

A.McNab – GridSite

HTTPS Downgrade

●For large files, GridSite has an option to negotiate access via HTTPS and then do the transfer via HTTP.●This is done using the standard HTTP redirect mechanism.●Clients can suggest downgrade by making their HTTPS request with an HTTP-Downgrade-Size header

● If the file is bigger than the size given, the server may issue a redirect to an HTTP version of the file.

●HTTP authentication is done using a one-time passcode, returned over HTTPS as an HTTP cookie.

● Like HTTP, this is vulnerable to man-in-the-middle snooping

● But can't be used for replay attacks.

29 September 2004

A.McNab – GridSite

Delegation

• During EDG we produced a delegation-over-HTTPS extension to GridSite– (protocol implemented for Java by EDG WP2)

• EGEE JRA3 has agreed to support delegation via a web services Delegation portType–We've produced a prototype standalone

delegation service.– Delegation handling functions being added to

libgridsite for other services to use directly.–Will also add delegation support to

mod_gridsite, by intercepting SOAP messages upstream.

29 September 2004

A.McNab – GridSite

SOAP in GridSite

● EGEE intention is to use “SOAP over HTTPS” first.● Apache/GridSite provides a language-neutral Grid

security aware container for C/C++/Perl/etc services.● We expect many services to continue with transport

level security because of large performance benefit of SSL/TLS session reuse.

● However, we also intend to add upstream SOAP parsing capability within mod_gridsite

● Initially to provide delegation support transparently

● As needed, we will add support for SOAP message level security handling within the web server.

29 September 2004

A.McNab – GridSite

Summary

● GridSite has grown from a set of tools use by a grid collaboration into a piece of grid middleware

● Aims to provide native support for Grid security credentials and policies within Apache web platform.

● And to provide reusable security tools for other systems.

● The architecture is deliberately chosen to simplify the operational aspects of running a GridSite service.

● Current work is focussing on support for Web Services running on Apache/GridSite in languages other than Java.