
A Web Server for Basic Grid Services

This article explores the functionality and potential of using a typical web server for basic Grid services, including anonymous access, secure transfers, file read/write access, and user authentication and authorization. The implementation uses the open-source Java-based web server Jetty, a CGI interface for interaction with the host computer, and X.509 certificates for authentication.


Presentation Transcript


  1. A Web Server for Basic Grid Services
  D. Calvet, DAPNIA/SEI, CEA Saclay, 91191 Gif-sur-Yvette Cedex

  2. GRID and WWW
  • Functionality of a typical Web server useful for GRID:
    • Anonymous access, or server authentication, or mutual client and server authentication (e.g. X.509 certificates)
    • Plain-text or secure transfers (encryption), HTTPS over SSL
    • File read/write access by clients
    • Execute access on a server is not well defined -> the basis of the GRID can be seen as providing the « Execute » capability to the existing WWW
  • Some basic GRID Services:
    • server and user authentication
    • user authorization
    • secure data transfers
    • remote process creation

  3. Providing Basic Services for Grid
  • Dedicated packages, specific protocols
    • E.g. Globus and the gatekeeper protocol -> viable option, main (only?) stream of work in DataGRID
  • « Standard » Web tools
    • Re-use as much as one can from WWW technology
    • Use Web browsers as clients; HTTP(S) protocol as is
    • Make extensions to one of today's web servers to provide the missing parts
    • -> this option is investigated in the present work: feasibility, proof of principle, how much effort is needed
    • … but all code is for demonstration only (i.e. incomplete, quickly done (~6 person-months) and most likely unsafe)

  4. Technical Choices
  • An open-source JAVA-based Web server
    • portability, ease of customization, …
    • Choice: JETTY (http://jetty.mortbay.org)
  • Hook to the host computer via the CGI interface
    • PERL scripts for interaction with the host computer
    • C programs to wrap critical parts, system commands, … -> code runs on any UNIX-like machine
  • Use of standard X.509 certificates for authentication
    • JAVA-like trusted certificate management (keystore file)
    • or Globus/OpenSSL-like certificate storage (directory of files)
  • Off-the-shelf web browsers for clients -> zero installation or specific program on the client side

  5. Software Architecture (diagram)
  • Client side: browser with GUI, server authentication, X.509 certs (and CRLs)
  • Secure channel: HTTPS
  • Web server: X.509 certs and CRLs, client authentication
  • CGI: environment variables passed to a Perl script; HTML returned on stdout
  • Perl script: user authorization (DN allowed / DN denied), HTML form, DN to login, dynamic account setup via adduser (SUID root), process creation via execvp for user A / user B, upload; output on stdout

  6. Implementation
  • Server and client authentication (JAVA)
    • Supported by Jetty without any modification -> but no check of CRLs in today's SUN JDK classes
    • SUN's X509TrustManager replaced by our own version -> supports trusted certs and CRLs à la Globus/OpenSSL
  • Secure data transfer
    • HTTPS support in Jetty and Web browsers without any change
  • Client authorization (PERL CGI script)
    • Client rights: transposed combination of UNIX flags « rwx »
      • document read on server (all authenticated users)
      • file upload to server (authorized users)
      • execute command or program on server (authorized users)
    • -> more refinements can be imagined

  7. Implementation (cont'd)
  • Users and accounts
    • 1 account per user: correspondence between the user's DN and his local account provided by a mapfile
    • Dynamic account creation on the server if a user's DN is not in the mapfile, is in the file users.allow and not in the file users.deny
      • file users.allow: list of users' DNs permitted to have an account (e.g. project-wide list distributed to all sites)
      • file users.deny: list of users' DNs not permitted on this site/server (local policy enforcement)
  • Remote process creation (PERL script and C wrapper)
    • return output in HTML to the client
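The authorization decision described on slides 6 and 7 (mapfile lookup, then users.allow / users.deny for dynamic account creation, then the rwx-style client rights), as an added example written for this page; it is not the presentation's own Perl CGI code. The mapfile layout, the per-account rights table, the read-only default for new accounts and the CN-derived login are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample inputs. Mapfile lines follow a '"<DN>" <login>' layout (assumed).
MAPFILE = '"/O=Grid/OU=CEA/CN=Alice" alice\n"/O=Grid/OU=CEA/CN=Bob" bob\n'
USERS_ALLOW = "/O=Grid/OU=CEA/CN=Carol\n/O=Grid/OU=CEA/CN=Dave\n"
USERS_DENY = "/O=Grid/OU=CEA/CN=Dave\n"
# Assumed per-account rights: 'w' = file upload, 'x' = run programs; 'r' is implied for everyone.
RIGHTS = {"alice": "wx", "bob": ""}

@dataclass
class Decision:
    account: Optional[str]  # local login, or None when the DN is refused
    created: bool           # True when a dynamic account would be set up
    rights: str             # subset of "rwx" granted to this client

def parse_mapfile(text: str) -> dict:
    """DN -> login; blank and '#' lines are ignored."""
    mapping = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            dn, _, login = line.strip().rpartition(" ")
            mapping[dn.strip('"')] = login
    return mapping

def parse_dn_list(text: str) -> set:
    """One DN per line, as in users.allow / users.deny."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}

def login_from_dn(dn: str) -> Optional[str]:
    """Derive a login from the CN, keeping only [a-z0-9] so the value is safe to hand to adduser."""
    m = re.search(r"/CN=([^/]+)", dn)
    if not m:
        return None
    login = re.sub(r"[^a-z0-9]", "", m.group(1).lower())
    return login[:32] or None

def authorize(dn: str, mapfile=MAPFILE, allow=USERS_ALLOW, deny=USERS_DENY) -> Decision:
    accounts = parse_mapfile(mapfile)
    if dn in accounts:                        # 1. existing account taken from the mapfile
        acct = accounts[dn]
        return Decision(acct, False, "r" + RIGHTS.get(acct, ""))
    if dn in parse_dn_list(allow) and dn not in parse_dn_list(deny):
        acct = login_from_dn(dn)              # 2. dynamic account: allowed and not denied
        if acct:
            return Decision(acct, True, "r")  # new accounts start read-only (assumption)
    return Decision(None, False, "")          # 3. everyone else is refused
```

As on the slides, a DN already in the mapfile bypasses users.deny; a site that wants the deny list to override stale mapfile entries should check it first.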

  8. Demonstration (screenshot: top window, server; bottom window, client)

  9. Demonstration (screenshot)

  10. Demonstration (screenshot)

  11. Demonstration (screenshot)

  12. Tentative comparison with Globus (table not reproduced in the transcript)

  13. Potential of proposed approach
  • Pros
    • Minimum effort by extensive re-use of web stuff
    • Reduced dedicated package to develop, install and maintain
    • Web servers and browsers are ubiquitous and come by default with any modern OS
    • Software companies could extend the scope of their web products in the direction of the GRID (if there is a market…)
  • Cons
    • Proof of principle is easy, but obstacles may be found later
    • Introduces security weaknesses in web servers
    • Relies a lot on the software industry (will they do what we need?)
    • Clients tied to a Web browser (no access via console, batch)
    • The GRID is much more than the basic services mentioned
    • For DataGRID, orthogonal to the approach based on Globus

  14. Summary
  • Today's Web stuff could be the basis of the GRID
    • Anonymous or authenticated accesses
    • Clear or encrypted data transfers
    • File read/write access by clients on a server
  • Adaptations around a JAVA-based Web server showed
    • Server and client authentication with X.509 certificates/CRLs
    • Dynamic computer account creation on the server for authorized remote users (or use of an existing account)
    • File upload, program execute for authorized remote users
    • Data stream encryption between client and server
    • Client software: off-the-shelf web browsers
  • Paper submitted to CCGrid2002 as a personal contribution
