
Grid Access Control Language






Presentation Transcript


  1. Grid Access Control Language Andrew McNab, University of Manchester mcnab@hep.man.ac.uk

  2. Current GACLs
  • When building GridSite, SlashGrid and the EDG Storage Element, we needed a simple ACL format to use for prototyping.
  • Wanted to support multiple credential types:
    • individuals (X.509/GSI identities)
    • groups from VO-LDAP list-publishing services
    • groups/roles from VOMS attribute certificate services
  • Currently use a per-directory XML ACL in the file .gacl
  • As a file, this can be stored in directories, copied via unmodified https or gsiftp channels and easily manipulated by scripts and applications.
  • We aimed for simplicity since we wanted to use it for fileservers and filesystems, and we care about performance.

  3. GACL example
    <gacl version="0.0.1">
      <entry>
        <person>
          <dn>/O=Grid/CN=Andrew</dn>
        </person>
        <allow><read/><list/><write/></allow>
        <deny><admin/></deny>
      </entry>
    </gacl>

  4. GACL example (annotated)
    <gacl version="0.0.1">
      <entry>
        <person>
          <dn>/O=Grid/CN=Andrew</dn>
        </person>
        <allow><read/><list/><write/></allow>
        <deny><admin/></deny>
      </entry>
    </gacl>
  • Entry: container for credentials and permissions
  • Credential: AND’d inside this entry if more than one is present
  • Permissions: deny wins over allow
  • If multiple entries match, the resulting permissions are OR’d

  5. Currently supported credential types
  • Any user or authenticated user (cf. AFS)
    • <any-user/> or <auth-user/>
  • Person - full certificate or original issuer of GSI proxy
    • <person><dn>/O=Grid/CN=Mr Grid Person</dn></person>
  • VOMS - fully qualified attribute names from VOMS certificate
    • <voms><fqan>/vo.name/group/subgroup/Role=X</fqan></voms>
  • DN List - text lists of DNs, pulled by something outside GACL
    • <dn-list><url>https://www.vo.name/dn-lists/group</url></dn-list>
    • <dn-list><url>ldap://ldap.vo.name/ou=group,dc=vo,dc=name</url></dn-list>
    • <dn-list><url>vomss://vo.name/voms-admin-vo?/group</url></dn-list>
  • DNS - application must supply remote host name of request/user
    • <dns><hostname>host*.domain.name</hostname></dns>

  6. GACL library
  • XML ACL format not finalised, but several products wanted to use it: GridSite, SlashGrid and the EDG Storage Element.
  • The ACL format will almost certainly change again in the future, and (hopefully) will need to understand XACML policies emerging from GGF.
  • Insulate ourselves from this by putting the ACL handling functions into a standalone library, and make this understand the current XML.
  • Handles read/list/write ACLs in a reasonably general and OO way:
    • packs C structs and linked lists with their contents
    • provides access functions to manipulate the structs as types/objects
  • Build up ACL objects and User objects out of credential, permission and entry objects.
  • Then compare the User to the ACL to get the user's permissions for this context.
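To make the evaluation rules from slides 4, 5 and 6 concrete (credentials AND'd within an entry, matching entries OR'd, deny winning over allow, credential types matched against a user context), here is an added illustration written for this page. It is not the GridSite/GACL library's own API or code: the `.gacl` document, the user dictionaries and the `dn_lists` (standing in for a DN list that "something outside GACL" has already fetched from its URL) are constructed, and applying a deny from any matching entry across all entries is my reading of "deny wins over allow".

```python
"""Minimal evaluator for GACL-style .gacl XML (added illustration, not the GridSite library)."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample policy. Entry 1 requires BOTH a person DN and a VOMS FQAN (credentials
# inside one entry are ANDed). Entry 2 grants read/list to any authenticated user. Entry 3 denies
# write to requests from a wildcarded host name. Entry 4 grants admin to members of a DN list.
SAMPLE_GACL = """<gacl version="0.0.1">
  <entry>
    <person><dn>/O=Grid/CN=Andrew</dn></person>
    <voms><fqan>/vo.name/group/Role=admin</fqan></voms>
    <allow><read/><list/><write/></allow>
    <deny><admin/></deny>
  </entry>
  <entry>
    <auth-user/>
    <allow><read/><list/></allow>
  </entry>
  <entry>
    <dns><hostname>host*.domain.name</hostname></dns>
    <deny><write/></deny>
  </entry>
  <entry>
    <dn-list><url>https://www.vo.name/dn-lists/group</url></dn-list>
    <allow><admin/></allow>
  </entry>
</gacl>"""

DN_LIST_URL = "https://www.vo.name/dn-lists/group"  # constructed; matches the sample policy


def credential_matches(cred, user):
    """True if one credential element is satisfied by the user context.

    `user` is a dict (hypothetical shape) with optional keys: 'dn' (certificate or proxy
    issuer DN), 'fqans' (VOMS FQANs), 'dn_lists' (url -> set of DNs, fetched outside GACL),
    'hostname' (remote host, supplied by the application).
    """
    tag = cred.tag
    if tag == "any-user":
        return True
    if tag == "auth-user":
        return user.get("dn") is not None
    if tag == "person":
        return cred.findtext("dn") == user.get("dn")
    if tag == "voms":
        return cred.findtext("fqan") in user.get("fqans", ())
    if tag == "dn-list":
        members = user.get("dn_lists", {}).get(cred.findtext("url"), ())
        return user.get("dn") in members
    if tag == "dns":
        host = user.get("hostname")
        return host is not None and fnmatch.fnmatchcase(host, cred.findtext("hostname"))
    return False  # unknown credential types never match: fail closed


def entry_permissions(entry, user):
    """(allowed, denied) sets contributed by one <entry>; empty unless ALL its credentials match."""
    creds = [c for c in entry if c.tag not in ("allow", "deny")]
    if not creds or not all(credential_matches(c, user) for c in creds):
        return set(), set()
    allowed = {p.tag for a in entry.findall("allow") for p in a}
    denied = {p.tag for d in entry.findall("deny") for p in d}
    return allowed, denied


def evaluate(gacl_xml, user):
    """Effective permissions: OR the matching entries' allows and denies, then deny wins."""
    root = ET.fromstring(gacl_xml)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        a, d = entry_permissions(entry, user)
        allowed |= a
        denied |= d
    return allowed - denied


if __name__ == "__main__":
    andrew = {"dn": "/O=Grid/CN=Andrew", "fqans": ["/vo.name/group/Role=admin"],
              "dn_lists": {DN_LIST_URL: {"/O=Grid/CN=Andrew"}}}
    print(sorted(evaluate(SAMPLE_GACL, andrew)))            # admin denied by entry 1 despite entry 4
    print(sorted(evaluate(SAMPLE_GACL, dict(andrew, hostname="host7.domain.name"))))
    print(sorted(evaluate(SAMPLE_GACL, {})))                # anonymous: nothing matches
```

Running it shows the three rules interacting: Andrew's `<deny><admin/></deny>` in entry 1 overrides the `<allow><admin/></allow>` he would otherwise get from the DN list in entry 4, a request from `host7.domain.name` loses `write` through entry 3, and an unauthenticated context gets an empty set because no entry matches.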

  7. EDG Middleware using GACL
  • WP1
    • GACL is used to specify the access policies for data in the Logging and Bookkeeping service.
  • WP4 LCAS
    • VOMS plugin compares VOMS attribute assertions against a GACL policy written by the site.
  • WP5
    • GACL integrated into the Storage Element for access control of files.
  • GridSite (HTTPS) and SlashGrid (filesystems)
    • GACL is the basis of read/write access to files.
  • After 0.9.2, the GACL library became the GridSite library (now with http and x509 utility functions).

  8. GridSite / Apache Architecture (layer diagram; labels listed in the order they appear on the slide)
  • grst-admin.cgi: page editing, file upload, ACL editing etc.
  • mod_gridsite: .html headers and footers
  • .shtml, mod_perl CGI, PHP
  • mod_jk: JSP with Tomcat
  • mod_gridsite: file PUT and DELETE
  • mod_gridsite: GACL access control + GACL > env vars
  • mod_gridsite: GSI / VOMS OpenSSL callback wrappers
  • HTTP
  • mod_ssl: plain HTTPS > env vars

  9. Summary
  • GACL provides a simple way of describing resource access policies in XML.
  • GACL supports both pull (LDAP/HTTP) and push (VOMS) authorization models.
  • The GACL library provides an API for handling Grid ACLs.
  • GACL is being used by EDG WP1 (L&B), WP4 (LCAS), WP5 (SE) and WP6 (GridSite).
  • Further work on GACL as part of the GridSite library.
  • For more information, see:
    • http://www.gridpp.ac.uk/gridsite/ - overview, CVS/LXR
    • http://savannah.cern.ch/projects/gridsite/ - bug tracker, news
