Grid Security and GridSite
Andrew McNab, Andrew.McNab@man.ac.uk
1
(No Transcript)
2
Overview
  • Public key cryptography
  • Key pairs
  • Certificates
  • HTTPS
  • Groups and roles
  • DN Lists
  • VOMS
  • Binding rights to resources
  • Putting it all together: GridSite

3
Public key cryptography
  • Security systems are usually based on secrets
  • The Right People have them and others don't
  • If I have a Key that fits your Lock, you let me in
  • Numeric/symbolic keys and passwords are widely used
  • In public key cryptography, knowing the Lock (the
    public key) does not let you calculate the Key (the
    private key)
  • So I can tell everyone my numeric Lock
  • If later I produce the matching Key, it's me again
  • It's possible to do this with Challenges: I prove I
    hold the Key by signing a fresh random challenge,
    rather than by handing over the Key itself

4
Using public keys
  • A common use of public key crypto is ssh on Unix
    systems
  • I generate a public and private key pair on my
    desktop computer
  • I put the public key in ~/.ssh/authorized_keys on a
    remote computer
  • If I connect to the ssh server there with the
    matching private key, it lets me in to my account
  • But I need to bootstrap this by first proving my
    identity to each remote admin I want to deal with

5
Something better: certificates
  • One step better is to use a Certificate
  • My X.509 Certificate = my Public Key (and my name)
    signed by a trusted Certification Authority (CA)
  • I prove my identity once to the CA and the CA signs
    my Public Key
  • The remote admin gets the CA's Public Key somehow
  • If I prove I hold my Private Key (by signing a
    challenge), the remote admin's server can verify
    the CA's signature on my Public Key
  • So there's a chain of trust proving it's me
  • (unless my Private Key is stolen!)

6
Using certificates: HTTPS
  • Inserting a small number of CAs into the system
    makes it much more scalable
  • So this is what we need for the Grid, and for the
    Web before it
  • e-Commerce websites already use this to prove their
    identity to customers
  • Customers don't want to give a Credit Card number
    to bad sites
  • HTTPS also lets users prove their identity to
    servers (client certificates)
  • This is hardly used, but Mozilla, IE and Netscape
    already support it
  • GridSite exploits this to authenticate users

7
UK e-Science CA
  • This is based at RAL and issues Certificates to
    people in the UK Grid/e-Science community
  • http://ca.grid-support.ac.uk/
  • They adhere to a policy on how this is done
  • e.g. using photographic ID
  • e.g. the machine with the Private Key lives in a
    safe
  • They issue user certificates
  • /C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab
  • And server certificates
  • /C=UK/O=eScience/OU=Manchester/L=HEP/CN=www.gridpp.ac.uk/Email=hostmaster@hep.man.ac.uk

8
Other CAs
  • We have a list of other Certification Authorities
  • http://www.gridpp.ac.uk/gridsite/calist.html
  • There are a couple of dozen for other EU and North
    American academic communities
  • They use common standards for CA operations
  • There are commercial ones (Verisign etc) which
    charge a few tens of dollars for basic user certs
  • There are also free CAs of varying value
  • Globus.org runs a CA with no user verification
  • Cacert.org runs a CA with community verification

9
From individuals to groups
  • One of the key Grid concepts is the Virtual
    Organisation (VO), composed on the Net/Web/Grid
    rather than in physical space
  • Also, when authorizing people to access resources,
    we often want to manage them as a group
  • So we need ways of specifying Groups or VOs, and of
    securely deciding whether someone is in that group
  • Two main ways of doing this:
  • DN Lists (pull)
  • Attribute Certificates (push)

10
Authorization pull: DN Lists
  • The name on a Certificate is the Distinguished
    Name or DN
  • So a DN List is a list of people's certificate
    names
  • The simplest way of defining a group is to list a
    set of DNs
  • This is now widely used in deployed Grids
  • Globus uses a manually edited file, the
    grid-mapfile, mapping DNs to local accounts
  • EDG publishes lists via the LDAP protocol
  • GridSite uses HTTPS or LDAP to publish lists
  • Each site must pull the current list periodically,
    so a removal only takes effect at the next pull
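As an added example (not Globus or GridSite code), here is a parser for the Globus grid-mapfile named above, the pull-side DN list that maps each certificate DN to a local account: one quoted DN per line, then the account name(s). The mapfile text is constructed for the example, and the stripping of "/CN=proxy" suffixes assumes the legacy GSI proxy naming so that a job's proxy maps to the same account as its owner.

```python
"""Parse a Globus grid-mapfile and use it as a pull-style DN list.
Added example, not Globus or GridSite code; the mapfile text is constructed."""
import shlex

# Constructed sample: "DN" local-account[,local-account...]; '#' is a comment.
GRIDMAP = '''\
# grid-mapfile for a small site
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab" amcnab
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Bob Builder" bob,gridpp
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=www.gridpp.ac.uk/Email=hostmaster@hep.man.ac.uk" www
'''

# Legacy GSI proxy naming: the proxy's DN is the owner's DN plus one of these.
PROXY_SUFFIXES = ("/CN=proxy", "/CN=limited proxy")


def parse_gridmap(text):
    """Return {dn: [accounts]}.  DNs contain spaces, so they are quoted;
    several accounts may be given comma-separated; bad lines are rejected
    rather than silently mapping nobody (or the wrong person)."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)   # honours quotes and '#'
        if not fields:                              # blank or comment line
            continue
        if len(fields) != 2 or not fields[0].startswith("/"):
            raise ValueError(f'line {lineno}: expected "/DN" account[,account]')
        dn, accounts = fields
        mapping[dn] = [a for a in accounts.split(",") if a]
    return mapping


def identity_dn(dn):
    """Strip (possibly nested) legacy GSI proxy suffixes to get the owner's DN."""
    stripped = True
    while stripped:
        stripped = False
        for suffix in PROXY_SUFFIXES:
            if dn.endswith(suffix):
                dn = dn[: -len(suffix)]
                stripped = True
    return dn


def local_account(mapping, dn):
    """Default local account for dn or a proxy of it; None if not listed."""
    accounts = mapping.get(identity_dn(dn))
    return accounts[0] if accounts else None


if __name__ == "__main__":
    gridmap = parse_gridmap(GRIDMAP)
    for who in gridmap:
        print(who, "->", local_account(gridmap, who))
```

A DN absent from the file simply maps to None, which is the right default for a pull-style list: membership is whatever the last fetched copy says, nothing more.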

11
Authorization push: VOMS
  • The opposite way is for users to carry another
    certificate which proves they are in the group
  • There is an IETF RFC for these Attribute Certs
    (ACs): RFC 3281
  • EDG's VOMS service is run by a VO
  • VO managers define group memberships
  • Users contact VOMS to get a short-lived AC
  • When users connect to a resource, they present
    their Authentication Cert and Attribute Cert(s)
  • This avoids the need for sites to pull DN Lists
  • But it needs special client software to support ACs

12
Delegation: GSI Proxies
  • Another problem we face is with remote jobs or
    agents
  • How can they prove they are acting on our behalf
    and fetch the files they need?
  • We do this using Globus GSI Proxies
  • A short-lived certificate (with its own key pair)
    signed by the user with the private key of their
    long-lived CA-issued certificate
  • Grid services like fileservers accept these proxy
    certificates as if they were talking to the user
    directly
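The following is an added example, not GridSite or Globus code, that ties together slides 3, 5, 6 and 12: a toy CA signs a user's public key, a server holding only the CA's public key checks that signature plus a signed fresh challenge (HTTPS client authentication), and the user signs a short-lived proxy that the same server accepts through the chain. It uses textbook RSA over fixed Mersenne primes with SHA-256 and the standard library only, so it is insecure by design and only illustrates the protocol; the CA name, lifetimes, the rejected scenarios and the "/CN=proxy" suffix (legacy GSI naming) are the example's own assumptions.

```python
"""Toy CA / certificate / challenge / proxy chain as in the slides.
Added example, not GridSite or Globus code.  Textbook RSA over fixed
Mersenne primes, SHA-256, standard library only: insecure by design."""
import hashlib
import os
import time

E = 65537
# Fixed primes keep the run deterministic; real keys use fresh random
# ~1024-bit primes and a padding scheme, neither of which this toy has.
CA_PRIMES = ((1 << 61) - 1, (1 << 127) - 1)
USER_PRIMES = ((1 << 89) - 1, (1 << 107) - 1)
PROXY_PRIMES = ((1 << 31) - 1, (1 << 521) - 1)
ATTACKER_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)
CA_DN = "/C=UK/O=eScience/CN=Toy CA"          # assumed CA name
USER_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab"


def make_keypair(p, q):
    # (n, e) is the Lock anyone may know; d is the Key.  Getting d from the
    # Lock means factoring n, which is what makes public key crypto work.
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    n, d = private
    return pow(_h(data, n), d, n)


def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == _h(data, n)


def _tbs(subject, issuer, public, not_after):
    """Bytes a certificate signature covers: whose Lock, by whom, until when."""
    return f"{subject}\n{issuer}\n{public[0]}\n{public[1]}\n{not_after}".encode()


def issue(subject, public, issuer, issuer_private, lifetime):
    """Issuer signs subject's Lock.  CA as issuer: user certificate.
    User as issuer: GSI-style proxy certificate."""
    not_after = int(time.time()) + lifetime
    sig = sign(issuer_private, _tbs(subject, issuer, public, not_after))
    return {"subject": subject, "issuer": issuer, "public": public,
            "not_after": not_after, "sig": sig}


def verify_chain(chain, trusted):
    """chain = [leaf, ..., CA-signed cert]; trusted = {CA DN: CA Lock}.
    Returns the CA-certified DN the leaf acts for, or None.  A proxy link
    must be signed by the next cert up and be named after it + '/CN=proxy'."""
    now = time.time()
    for i, cert in enumerate(chain):
        if cert["not_after"] < now:
            return None
        if i + 1 < len(chain):
            parent = chain[i + 1]
            if (cert["issuer"] != parent["subject"]
                    or cert["subject"] != parent["subject"] + "/CN=proxy"):
                return None
            issuer_public = parent["public"]
        else:
            issuer_public = trusted.get(cert["issuer"])   # must be a known CA
            if issuer_public is None:
                return None
        body = _tbs(cert["subject"], cert["issuer"], cert["public"], cert["not_after"])
        if not verify(issuer_public, body, cert["sig"]):
            return None
    return chain[-1]["subject"]


def authenticate(chain, private, trusted):
    """Both ends of HTTPS client authentication: server picks a fresh nonce,
    client signs it with the leaf Key, server checks chain and signature."""
    nonce = os.urandom(16)
    response = sign(private, nonce)                  # client side
    identity = verify_chain(chain, trusted)          # server side from here
    if identity is None or not verify(chain[0]["public"], nonce, response):
        return None
    return identity


def demo():
    """Who each scenario authenticates as (None = rejected)."""
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    trusted = {CA_DN: ca_pub}                        # the server's accepted CAs
    user_pub, user_priv = make_keypair(*USER_PRIMES)
    user_cert = issue(USER_DN, user_pub, CA_DN, ca_priv, 365 * 86400)
    proxy_pub, proxy_priv = make_keypair(*PROXY_PRIMES)
    proxy = issue(USER_DN + "/CN=proxy", proxy_pub, USER_DN, user_priv, 12 * 3600)
    att_pub, att_priv = make_keypair(*ATTACKER_PRIMES)
    self_signed = issue(USER_DN, att_pub, USER_DN, att_priv, 3600)   # no CA behind it
    stale = issue(USER_DN + "/CN=proxy", proxy_pub, USER_DN, user_priv, -1)
    return {
        "user": authenticate([user_cert], user_priv, trusted),
        "proxy": authenticate([proxy, user_cert], proxy_priv, trusted),
        "wrong key": authenticate([user_cert], att_priv, trusted),
        "self-signed": authenticate([self_signed], att_priv, trusted),
        "expired proxy": authenticate([stale, user_cert], proxy_priv, trusted),
    }
```

The "wrong key" case is the point of slide 5's closing caveat in reverse: the certificate is public, so holding it proves nothing; only the matching private key does, which is why a stolen key is indistinguishable from the user.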

13
Binding policies to resources
  • So we have ways to:
  • Identify individuals and their jobs/agents
  • Get lists of group members
  • Prove to a resource that we're in a group
  • Now we need a way for resource owners to attach
    rules about who can do what to their resources
  • We do this with a Policy or Access Control List /
    Language
  • At the moment, we're using an XML Grid Access
    Control Language (GACL) to do this

14
Grid Access Control Language

  <gacl version="0.0.1">
    <entry>
      <person>
        <dn>/O=Grid/CN=Andrew</dn>
      </person>
      <allow><read/><list/><write/></allow>
      <deny><admin/></deny>
    </entry>
  </gacl>
15
Grid Access Control Language
Entry: container for credentials and permissions.
Credentials are AND'd inside an entry if more than one is present.

  <gacl version="0.0.1">
    <entry>
      <person>
        <dn>/O=Grid/CN=Andrew</dn>
      </person>
      <allow><read/><list/><write/></allow>
      <deny><admin/></deny>
    </entry>
  </gacl>

Permissions: deny wins over allow.
If multiple entries match, the resulting permissions are OR'd.
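An added example, not libgacl or GridSite code, of evaluating a GACL policy like the one on slides 14 and 15 for a connecting user. The `<person>`/`<dn>`, `<allow>` and `<deny>` elements and the combining rules (credentials AND'd within an entry, deny wins over allow, matching entries OR'd) come from the slides; "deny wins" is read here as "anything denied in any matching entry is removed from the union of the allows". The `<dn-list><url>` credential and the `<any-user/>` wildcard are assumed from the GACL format, the policy and the DN-list contents are constructed, and the DN list is looked up in an in-memory dict rather than pulled from its URL as a site would.

```python
"""Evaluate a GACL 0.0.1 policy for a user identified by DN.
Added example, not libgacl/GridSite code; policy and DN lists constructed."""
import xml.etree.ElementTree as ET

PERMISSIONS = frozenset({"read", "list", "write", "admin"})

# Constructed policy: Andrew's entry (slide 14), a site-admins DN list,
# an entry that needs BOTH a list membership and a person (AND), and
# a read-for-everyone entry.  <dn-list>/<any-user> shapes are assumed.
POLICY = """\
<gacl version="0.0.1">
  <entry>
    <person><dn>/O=Grid/CN=Andrew</dn></person>
    <allow><read/><list/><write/></allow>
    <deny><admin/></deny>
  </entry>
  <entry>
    <dn-list><url>https://www.gridpp.ac.uk/dnlists/site-admins</url></dn-list>
    <allow><write/><admin/></allow>
  </entry>
  <entry>
    <dn-list><url>https://www.gridpp.ac.uk/dnlists/site-admins</url></dn-list>
    <person><dn>/O=Grid/CN=Carol</dn></person>
    <allow><list/></allow>
  </entry>
  <entry>
    <any-user/>
    <allow><read/></allow>
  </entry>
</gacl>
"""

# Constructed stand-in for the DN lists a site would pull over HTTPS/LDAP.
DN_LISTS = {
    "https://www.gridpp.ac.uk/dnlists/site-admins": {
        "/O=Grid/CN=Andrew",
        "/O=Grid/CN=Carol",
    },
}


def credential_matches(cred, dn, dn_lists):
    """Does one credential element apply to the user with this DN?"""
    if cred.tag == "person":
        return cred.findtext("dn", "").strip() == dn
    if cred.tag == "dn-list":
        url = cred.findtext("url", "").strip()
        return dn in dn_lists.get(url, ())   # list never fetched: fail closed
    if cred.tag == "any-user":
        return True
    raise ValueError(f"unknown credential <{cred.tag}>")


def _perms(container):
    """Permission names under an <allow> or <deny>; reject typos loudly."""
    if container is None:
        return set()
    perms = {child.tag for child in container}
    if not perms <= PERMISSIONS:
        raise ValueError(f"unknown permission(s): {sorted(perms - PERMISSIONS)}")
    return perms


def permissions(policy_xml, dn, dn_lists):
    """Effective permission set for dn: within an entry all credentials
    must match (AND); matching entries' allows and denies are unioned
    (OR); then deny wins, removing anything denied anywhere."""
    root = ET.fromstring(policy_xml)
    if root.tag != "gacl":
        raise ValueError("not a GACL document")
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not creds:                         # no credential: grants nothing
            continue
        if all(credential_matches(c, dn, dn_lists) for c in creds):
            allowed |= _perms(entry.find("allow"))
            denied |= _perms(entry.find("deny"))
    return allowed - denied


if __name__ == "__main__":
    for who in ("/O=Grid/CN=Andrew", "/O=Grid/CN=Carol", "/O=Grid/CN=Dave"):
        print(who, sorted(permissions(POLICY, who, DN_LISTS)))
```

Andrew is in the site-admins list, which allows admin, but his own entry denies it, so he ends up with read, list and write only; Carol satisfies the AND entry and gets list on top of the list's write/admin; anyone else gets just read. With an empty `dn_lists` (the list not yet pulled) Carol drops to read alone, which is the fail-closed behaviour you want from a pull-based group.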
16
Applying this to an HTTPS server
  • GridSite 1.0.0 released on 14 December
  • In production on www.gridpp.ac.uk
  • Includes
  • libgridsite: Grid ACL access control, HTTP /
    X.509 / GSI / VOMS utilities
  • gridsite-admin.cgi: user editing of pages, groups
    etc
  • mod_gridsite: support for GACL / GSI / VOMS
    inside Apache
  • Plus support for HTTP PUT and DELETE of files
  • Toolkit approach works with other tools (eg PHP)

17
Tools for site managers
  • GridSite CGI utility lets you
  • edit pages and groups in your browser
  • create directories
  • upload or delete files
  • edit GACL policies

18
Apache-as-fileserver features
  • With mod_gridsite installed, Apache can now
  • Do HTTP(S) GET/PUT/DELETE and directory listings
    without a CGI binary
  • So no context switch from server to CGI
  • Full support for GACL access control built in
  • Makes Apache more like an FTP or scp server, but
    with a better authorization model
  • htcp command-line tool, an alternative to
    globus-url-copy, scp etc
  • htcp uses HTTP(S) servers and GSI, VOMS etc
  • multistream HTTP, recursion etc being added

19
Lightweight VOs
  • GridSite supports lightweight VO management
  • eg the groups published from www.gridpp.ac.uk
  • This implements the GACL concept of a DN List
  • A list of certificate names, identified by an
    HTTPS, voms-httpd or LDAP URL
  • Lightweight: they're stored as plain text files
  • Easy to edit, populate from scripts etc
  • Not meant to compete with database-backed
    services
  • But does have gateways to produce VOMS certs etc
  • Aim to support small VOs, individuals, subgroups
    etc

20
libgridsite toolkit
  • Core functions of GridSite pulled out into a
    library
  • Currently only C and C-to-C API
  • Will provide Java and OO C API
  • Part of the rationale for the original libgacl
    was to insulate us from Policy Language
    developments
  • XACML from the WS community is likely to become
    endorsed by GGF etc
  • We aim to provide a smooth transition (no
    change?) for users of the API
  • More functionality to be added: parallel HTTP etc.

21
gridsite.org
  • Shorthand for making GridSite an Open Source
    project, with significant external involvement
  • We noticed that most of the users installed the
    software without first asking for help/support
  • We're trying to encourage this
  • Source and binary distributions
  • User, Admin, Install guides, man pages etc
  • Publicly available source code, CVS, Bugtrack
  • Public announcement and discussion mailing lists
  • Pointers to free/cheap/lightweight X.509 CAs

22
Summary
  • Grid Security is largely based around Public Key
    Crypto and X.509 Certificates
  • Push and pull technologies for group membership,
    and for binding policies to resources have been
    added
  • Through GridSite, GridPP has implemented this for
    the Apache HTTP(S) server
  • But the components are available in reusable
    toolkit form for other services
  • See http://www.gridpp.ac.uk/gridsite/ for more...