Security middleware - PowerPoint PPT Presentation

1
Security middleware
  • Andrew McNab
  • University of Manchester

2
Outline
  • GridSite features in gLite 1.2
  • Some features in detail
  • HTTP Downgrade
  • Web service support
  • suexec and gsexec
  • Secmon boxes

6 July 2005
Security middleware
3
GridSite in gLite 1.2
  • Up to date VOMS support
  • Attribute Certificates from gLite/LCG VOMS
  • XML access policies written in GACL or XACML
  • File access / scripts / services controlled by
    X.509, GSI Proxy, VOMS AC, DN List credentials.
  • HTTP Downgrade
  • Authentication via HTTPS, bulk file copy via HTTP
  • gsexec
  • Run scripts/services in Unix user sandboxes

4
HTTP Downgrade
  • This is mostly code from last summer
  • Renewed interest in bulk HTTP so we're revisiting
    it
  • Idea is to offer similar functionality to GridFTP
    but using standard HTTP(S) tools
  • HTTPS control channel used for authentication
  • Returns a one-time passcode as a cookie
  • HTTP GET or PUT request made with passcode
  • Similar to unencrypted GridFTP data channel
  • But with Apache performance benefits (sendfile()
    etc)

5
HTTP Downgrade (2)
  • Intend to add support for third-party copies
  • Use COPY method from RFC 2518 (WebDAV)
  • Passcode used to authenticate the remote leg of
    the copy
  • Add HTTP header with client's estimate of Round
    Trip Time
  • Used by server to select correct TCP window size
  • Work ongoing with networking (Richard
    Hughes-Jones etc) to demonstrate performance of
    HTTP on WANs
  • Evangelise about this a bit more...
  • eg GridSite's htcp command now used by EGEE WMS
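The two-leg exchange on the previous two slides (authenticate over HTTPS, receive a one-time passcode as a cookie, present it on the plain-HTTP GET or PUT) modelled server-side, as an added example rather than GridSite's own code. The class and cookie name are my own; binding the passcode to one method and path and giving it a short lifetime are assumptions about how a defender would want such a passcode constrained.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "DOWNGRADE_PASSCODE"  # assumed name, not GridSite's


class DowngradePasscodes:
    """Server-side state for an HTTPS-issued, HTTP-redeemed one-time passcode."""

    def __init__(self, ttl_seconds=60, now=time.time):
        self.ttl = ttl_seconds
        self.now = now          # injectable clock, so expiry can be tested
        self._issued = {}       # passcode -> (client DN, method, path, expiry)

    def issue(self, client_dn, method, path):
        """HTTPS control channel: after X.509/proxy authentication, mint a passcode
        bound to this client, one HTTP method and one resource path."""
        code = secrets.token_urlsafe(32)
        self._issued[code] = (client_dn, method, path, self.now() + self.ttl)
        return code

    def set_cookie_header(self, code):
        """The Set-Cookie header value returned to the client on the HTTPS leg."""
        return f"{COOKIE_NAME}={code}; Secure; HttpOnly"

    def redeem(self, cookie_header, method, path):
        """HTTP data leg: consume the passcode on first presentation, whatever the
        outcome, and return the authenticated DN or None."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(COOKIE_NAME)
        if morsel is None:
            return None
        entry = self._issued.pop(morsel.value, None)   # one-time: gone after this
        if entry is None:
            return None
        dn, bound_method, bound_path, expiry = entry
        if self.now() > expiry or method != bound_method or path != bound_path:
            return None
        return dn
```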

6
Web Service support
  • GridSite architecture can provide security for
    Web Service tools like gSOAP, with CGI Web
    Services
  • We also provide the C/C++ implementation of the
    EGEE / JRA3 Delegation portType
  • Java implementation by funded part of JRA3
  • mod_gridsite delegation CGI used by EGEE WMS
  • Apache/FastCGI + GridSite (security) + gSOAP
    (SOAP/WS)
  • Delegated credentials stored in the filesystem
  • Allows sharing between different CGI languages

7
suexec and gsexec
  • Apache has traditionally provided a wrapper to
    run CGIs as other Unix users
  • Start as root, process as apache, CGI as joeuser
  • We've modified this to run CGI scripts and
    services as pool Unix users
  • Either per-client: the cert in the browser
    determines which pool user
  • Or per-directory: all the CGIs in my directory
    run as the same pool user

8
suexec / gsexec (2)
  • This allows us to sandbox CGI-based services by
    ensuring that the pool users are of sufficiently
    low privilege
  • Different clients or service owners can't
    interfere with each other
  • Access control is still via GACL/XACML policy
    files
  • X.509, GSI Proxy, VOMS, DN List credentials
  • We can now offer third-party hosting of
    services
  • Give a user or VO access to a privileged
    directory
  • They deploy their C/C++/Perl/Python services
    remotely

9
GRACE
  • In adding support for Web Services to GridSite,
    we started to offer non-Java ways of building
    service-orientated grids
  • We're now at the point where this is being taken
    up
  • Clearly, this community has a big investment in
    languages other than Java
  • But many other scientists and admins do
    too
  • So again, want to start evangelising about this
    model
  • GRACE = GRidsite/Apache/CGI-scripts/Executables

10
SECMON boxes
  • Had hoped to have SECMON box prototype ready for
    this meeting
  • Expect DVD images available in the next week or
    two
  • Aim is to provide a simple-to-install security
    monitoring box that just sits in the corner of
    your machine room
  • Sites don't need to install anything special on
    CE etc being monitored
  • Remote administration / monitoring done by
    Tier-2/Tier-1 staff, but site retains root

11
SECMON design
  • Want to keep things as simple as possible
  • Unix syslog already provides almost all of what
    we need
  • Always installed
  • Logs from services/daemons and kernel (port scans
    etc)
  • Logging interfaces for scripts, C/C++ etc
  • One line added to syslog.conf can direct the
    messages over the network to local SECMON box
  • So we need to provide remote config tools and
    remote access to log files

12
secmon.conf
  • All configuration in one place
  • All local choices can be recovered from this file
  • May want to freeze SECMON hard drive to use as
    evidence for the Police, so this may be important
  • secmon.conf currently defines
  • firewall rules for syslogd, sshd and httpd
  • services to log (globus-gatekeeper etc)
  • X.509 DNs of people with different privilege
    levels

13
Implementation
  • secmond runs as root
  • monitors secmon.conf for changes
  • updates config files as a result
  • filters syslog messages into log files according
    to service name (sshd, httpd, globus-gatekeeper
    etc)
  • Admin CGI (secmon-admin.cgi) runs as user apache
  • manages secmon.conf
  • RSS CGI (secmon-rss.cgi) runs as user apache
  • All remote access controlled by GridSite/GACL
    policies

14
RSS Access
  • RSS is widely used to allow clients to pull
    categorised, chronological data (like news
    headlines) out of webservers, in a programmatic
    way
  • Well matched to transporting syslog type alert
    messages
  • secmon-rss.cgi queried by service name, severity
    and/or date range
  • Only pull out the level of detail we need
  • Seeks / bisects / reads log file directly to find
    messages
  • Access control currently via X.509/GSI Proxy only
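The two SECMON jobs described on the Implementation and RSS Access slides, filtering relayed syslog messages into per-service logs and then bisecting a chronological log for a date range, as an added illustration in Python rather than secmond's or secmon-rss.cgi's own code. The sample log lines are constructed; BSD syslog lines carry no year, so 2005 is assumed.

```python
import bisect
import re
from datetime import datetime

# Constructed sample of what the remote syslog relay delivers to the SECMON box.
SAMPLE_LOG = """\
Jul  6 09:00:01 ce01 sshd[2311]: Accepted publickey for gridmon from 192.0.2.10 port 41022 ssh2
Jul  6 09:05:12 ce01 globus-gatekeeper[2402]: GRAM authentication failure for /C=UK/O=eScience/CN=example
Jul  6 09:07:30 ce01 kernel: martian source 198.51.100.7 from 203.0.113.5, on dev eth0
Jul  6 09:09:44 ce01 httpd[2510]: [error] client denied by server configuration
Jul  6 09:12:03 ce01 sshd[2611]: Failed password for invalid user admin from 198.51.100.7 port 5022 ssh2
"""

# timestamp, host, service tag (optional [pid]), message
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+?)(?:\[\d+\])?: (.*)$")
TS_FMT = "%Y %b %d %H:%M:%S"


def parse(line, year=2005):
    """Split one BSD syslog line into (timestamp, host, service, message); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", TS_FMT)
    return ts, m.group(2), m.group(3), m.group(4)


def split_by_service(text, year=2005):
    """secmond's filtering step: route each message into a per-service list keyed by its tag.
    Lines that do not parse are dropped rather than guessed at."""
    per_service = {}
    for line in text.splitlines():
        rec = parse(line, year)
        if rec is not None:
            per_service.setdefault(rec[2], []).append(rec)
    return per_service


def query(records, start, end, year=2005):
    """secmon-rss.cgi's lookup: records arrive in time order, so a date-range query is two
    bisections on the timestamps instead of a scan of the whole file."""
    t0 = datetime.strptime(f"{year} {start}", TS_FMT)
    t1 = datetime.strptime(f"{year} {end}", TS_FMT)
    keys = [r[0] for r in records]
    return records[bisect.bisect_left(keys, t0):bisect.bisect_right(keys, t1)]
```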

15
Summary
  • The current version of GridSite is part of the
    latest gLite release process
  • We're providing a system which is used by other
    middleware, not just websites
  • Non-Web Service tools from GridSite (htcp etc)
    are starting to be used too
  • SECMON box prototype is almost ready
