Web Services with GridSite and CC Scripts

1
Web Services with GridSite and C/C/Scripts
University of Manchester
Unauthenticated user
User/job with GSI proxy and VOMS
attribute certificates
User/job with GSI proxy
User with X.509 cert
Internet
HTTPS
HTTP
Apache mod_ssl does server and client X.509
authentication, and maintains encrypted SSL/TLS
stream. mod_gridsite adds support for GSI proxies
and extraction of any VOMS attributes present, by
dynamically intercepting the underlying OpenSSL
callbacks.
No authentication (although for bulk data,
GridSite's GridHTTP protocol provides
authentication via onetime passcodes.)
mod_ssl
mod_gridsite
Apache web server
Loaded into Apache at startup, and with access to
data structures of all other Apache components.
Provides GSI and VOMS support in mod_ssl access
control via GACL/XACML policies (in terms of
X.509 DN, GSI DN, DN List group membership, VOMS
FQAN, or client IP) HTTP PUT, DELETE and MOVE
support.
GET PUT DELETE MOVE
Calls external scripts or binary executables,
using CGI protocol, involving stdin, stdout and
environment variables
mod_cgi or mod_fcgi
gsexec
gridsite- delegation.cgi
Uploading executables or scripts owned by apache,
pool users or ordinary users
Runs CGI as a pool user, either unique to the
client identity or to its directory.
Scripts and executables
(modified suexec)
Provides a Web Services portType allowing
delegation of a GSI proxy to the server. This
follows the EGEE Delegation portType
specification and WSDL. (This portType can also
be included in other services.) gSOAP is used to
process SOAP messages, and libgridsite functions
perform the delegation.
Executables and files owned by pool user, UID101
UID 102
UID 103
UID .....
File system
Delegated proxies store
Server X.509 cert and private key, only readable
by root
Read/write of files owned by apache, pool
users or ordinary users
Dr Andrew McNab - www.gridsite.org -
Andrew.McNab_at_manchester.ac.uk