
Grid Security and Accounting




  1. Grid Security and Accounting Shiv Kaushal, University of Manchester shiv@hep.man.ac.uk http://www.hep.man.ac.uk/u/shiv/

  2. Grid Security and Accounting • The Grid • GridSite • Security • Accounting Issues • Further Work

  3. The Grid • What is the Grid? • An analogy • Why use Grids?

  4. GridSite • What is GridSite? • Set of tools for using Grid security over HTTP(S) • Extension to Apache web server • Files or web pages • Command line tools

  5. GridSite Features • Edit pages “on the fly” • Various other operations: • Delete/rename/edit files & directories • Upload files and directory trees • Define groups • Delegate control of sections of a site to others

  6. Security • HTTP(S) • Widely distributed • RSA encryption • Partial file retrieval • Grid Certificates • Can be loaded into most web browsers • Unique identifier - DN /C=UK/O=eScience/OU=Manchester/L=HEP/CN=shiv kaushal

  7. Security - GACL • Access control done through Grid certificates and GACL • Can base security on more than DNs • Access Control List files can become difficult to read and edit • Web based editor built into GridSite

  8. Security - GACL

    <?xml version="1.0"?>
    <gacl version="0.0.1">
      <entry>
        <person>
          <dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab</dn>
        </person>
        <allow><read/><exec/><list/></allow>
      </entry>
      <entry>
        <person>
          <dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=shiv kaushal</dn>
        </person>
        <allow><read/><exec/><list/><write/><admin/></allow>
      </entry>
      <entry>
        <any-user/>
        <allow><read/><list/></allow>
      </entry>
    </gacl>

  9. Security - GACL • Access control done through GRID certificates and GACL • Access Control List files can become difficult to read and edit • Web based editor built into GridSite

  10. Security

  11. Security – Migration to XACML • XACML • “General purpose” language • Becoming widely accepted in Grid community • More complex than GACL • Greater need for easy editing

  12. XACML

    <?xml version="1.0" encoding="UTF-8"?>
    <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy cs-xacml-schema-policy-01.xsd"
            PolicyId="GridSitePolicy"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
      <Target>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/path/to/dir</AttributeValue>
              <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>
      <Rule RuleId="Entry1A" Effect="Permit">
        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/C=UK/CN=shiv</AttributeValue>
                <SubjectAttributeDesignator AttributeId="person"
                                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </SubjectMatch>
            </Subject>
          </Subjects>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">list</AttributeValue>
                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
          </Actions>
        </Target>
      </Rule>
      <Rule RuleId="Entry1D" Effect="Deny">
        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/C=UK/CN=shiv</AttributeValue>
                <SubjectAttributeDesignator AttributeId="person"
                                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </SubjectMatch>
            </Subject>
          </Subjects>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">exec</AttributeValue>
                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
                <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                           DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </ActionMatch>
            </Action>
          </Actions>
        </Target>
      </Rule>
    </Policy>

    GACL

    <?xml version="1.0"?>
    <gacl version="0.0.1">
      <entry>
        <person>
          <dn>/C=UK/CN=shiv</dn>
        </person>
        <allow><read/><list/></allow>
        <deny><exec/><write/></deny>
      </entry>
    </gacl>
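The following is an added example written for this page, not GridSite's own code. It ties slide 8 (a GACL file keyed on certificate DNs) to slide 12 (the same entry rendered as an XACML policy): it parses a GACL document, works out the permissions a client presenting a given DN ends up with, and emits the XACML 1.0 policy in the layout slide 12 uses, with one Permit rule per <allow> and one Deny rule per <deny> under deny-overrides. Two assumptions are built in and should be checked against the GridSite documentation before relying on them: GACL is evaluated as "union of the allows of every matching entry, minus the union of their denies" (the reading the slide's deny-overrides translation implies), and only <person>/<dn> and <any-user> credentials are handled, so a policy using any other credential type (VOMS groups, host DNs) is rejected outright instead of silently mis-evaluated. The sample ACL is constructed from the slide 8 file with a <deny> added, and the DN values are the slide's.

```python
# Added example, not GridSite code. Assumed GACL semantics: allows of all matching
# entries are combined, then any deny of a matching entry is removed (deny overrides).
import xml.etree.ElementTree as ET

PERMS = {"read", "exec", "list", "write", "admin"}
XACML_NS = "urn:oasis:names:tc:xacml:1.0:policy"
FN_EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
SHIV_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=shiv kaushal"

# Constructed sample: the slide 8 ACL plus a <deny> to exercise deny-overrides.
SAMPLE_GACL = """<?xml version="1.0"?>
<gacl version="0.0.1">
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab</dn></person>
    <allow><read/><exec/><list/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=shiv kaushal</dn></person>
    <allow><read/><exec/><list/><write/><admin/></allow>
    <deny><exec/></deny>
  </entry>
  <entry>
    <any-user/>
    <allow><read/><list/></allow>
  </entry>
</gacl>"""


def _perms(entry, tag):
    """Permission names under <allow> or <deny>; an unknown name is an error."""
    node = entry.find(tag)
    perms = set() if node is None else {child.tag for child in node}
    if not perms <= PERMS:
        raise ValueError(f"unknown permission in <{tag}>: {sorted(perms - PERMS)}")
    return perms


def parse_gacl(text):
    """Parse a GACL document into a list of entry dicts (dns, any_user, allow, deny)."""
    root = ET.fromstring(text)
    if root.tag != "gacl":
        raise ValueError("not a GACL document")
    entries = []
    for entry in root.findall("entry"):
        creds = [c.tag for c in entry if c.tag not in ("allow", "deny")]
        unknown = [c for c in creds if c not in ("person", "any-user")]
        if unknown:  # fail closed: an unsupported credential could carry a deny we would drop
            raise ValueError(f"unsupported credential type(s): {unknown}")
        entries.append({
            "dns": {dn.text.strip() for dn in entry.findall("person/dn") if dn.text},
            "any_user": entry.find("any-user") is not None,
            "allow": _perms(entry, "allow"),
            "deny": _perms(entry, "deny"),
        })
    return entries


def effective_permissions(entries, dn):
    """Permissions granted to a client presenting `dn`: all allows minus all denies."""
    allowed, denied = set(), set()
    for e in entries:
        if e["any_user"] or dn in e["dns"]:
            allowed |= e["allow"]
            denied |= e["deny"]
    return allowed - denied


def gacl_to_xacml(entries, resource, policy_id="GridSitePolicy"):
    """Render entries as an XACML 1.0 <Policy> string in the layout of slide 12."""
    ET.register_namespace("", XACML_NS)

    def q(tag):
        return f"{{{XACML_NS}}}{tag}"

    def match(parent, kind, value, attr_id):
        # <kind><kindMatch><AttributeValue/><kindAttributeDesignator/></kindMatch></kind>
        m = ET.SubElement(ET.SubElement(parent, q(kind)), q(kind + "Match"), MatchId=FN_EQ)
        ET.SubElement(m, q("AttributeValue"), DataType=XS_STRING).text = value
        ET.SubElement(m, q(kind + "AttributeDesignator"), AttributeId=attr_id, DataType=XS_STRING)

    policy = ET.Element(q("Policy"), PolicyId=policy_id, RuleCombiningAlgId=DENY_OVERRIDES)
    target = ET.SubElement(policy, q("Target"))
    ET.SubElement(ET.SubElement(target, q("Subjects")), q("AnySubject"))
    match(ET.SubElement(target, q("Resources")), "Resource", resource, RESOURCE_ID)
    ET.SubElement(ET.SubElement(target, q("Actions")), q("AnyAction"))

    for i, e in enumerate(entries, 1):
        for effect, suffix, perms in (("Permit", "A", e["allow"]), ("Deny", "D", e["deny"])):
            if not perms:
                continue
            rule = ET.SubElement(policy, q("Rule"), RuleId=f"Entry{i}{suffix}", Effect=effect)
            rt = ET.SubElement(rule, q("Target"))
            subjects = ET.SubElement(rt, q("Subjects"))
            if e["any_user"]:
                ET.SubElement(subjects, q("AnySubject"))
            for dn in sorted(e["dns"]):
                match(subjects, "Subject", dn, "person")
            # The policy-level Target already pins the resource; AnyResource keeps the rule Target complete.
            ET.SubElement(ET.SubElement(rt, q("Resources")), q("AnyResource"))
            actions = ET.SubElement(rt, q("Actions"))
            for p in sorted(perms):
                match(actions, "Action", p, ACTION_ID)
    return ET.tostring(policy, encoding="unicode")


def rule_summary(xacml_text):
    """Re-parse a generated policy into [(RuleId, Effect, [actions...]), ...] for checking."""
    ns = {"x": XACML_NS}
    out = []
    for rule in ET.fromstring(xacml_text).findall("x:Rule", ns):
        acts = rule.findall("x:Target/x:Actions/x:Action/x:ActionMatch/x:AttributeValue", ns)
        out.append((rule.get("RuleId"), rule.get("Effect"), [a.text for a in acts]))
    return out


if __name__ == "__main__":
    entries = parse_gacl(SAMPLE_GACL)
    for dn in (SHIV_DN, "/C=XX/CN=stranger"):
        print(dn, "->", sorted(effective_permissions(entries, dn)))
    print(gacl_to_xacml(entries, "/path/to/dir"))
```

The point of the round trip is the check a practitioner wants before switching an editor from GACL to XACML output: for every DN, the permission set the GACL evaluator yields must equal what the generated XACML yields under deny-overrides, and the converter refusing unknown credential types is what stops a VOMS-based <deny> from quietly disappearing in translation.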

  13. Security – Migration to XACML • XACML • “General purpose” language • Becoming widely accepted • Useful for accounting? • More complex than GACL • Greater need for easy editing

  14. Security – Migration to XACML • GACL editor in GridSite modified • Can now output XACML policy files • Working on reading in of XACML files • Will support both GACL and XACML

  15. Accounting • What is accounting? • Need for accounting • To ensure adequate access • To prevent abuse • Financial purposes • What are HEP requirements?

  16. Further Work • Security • Continue on XACML work • Provide support for GridSite • Accounting • Investigate requirements and produce specification • Work on implementation

  17. More Information • http://www.hep.man.ac.uk/u/shiv/blog/
