GridSite, EDG and GGF - PowerPoint PPT Presentation

1
GridSite, EDG and GGF
  • Andrew McNab, University of Manchester
  • mcnab@hep.man.ac.uk

2
Outline
  • GACL and GridSite status
  • Compact credentials
  • OGSA Authz WG
  • XACML
  • VOMS representations for XACML
  • GACL vs XACML

3
GACL and GridSite status in CVS/autobuild
  • GACL library fully in CVS/autobuild system
      • available to the WP1 (LB) / WP4 (LCAS) / WP5 (SE)
        users of GACL
  • GridSite library provides utility functions for
    GACL, GSI and VOMS handling
      • No Globus dependencies - uses OpenSSL directly
      • (GACL/GridSite will be merged, but the gacl.h API
        is still supported)
  • mod_ssl-gridsite for Apache 2.0
      • Support for old and new (RFC) GSI proxies, with
        X509 or X509v3 certs
      • Via libgridsite, parsing of VOMS extensions
      • Full Apache 2.0 now part of autobuild (to get
        mod_ssl-gridsite built)
  • mod_gridsite for Apache 2.0
      • Applies GACL access control to webpages / files
      • Since this is done inside Apache, it applies to
        dynamic content too

4
Compact Credentials
  • mod_ssl-gridsite needs to add VOMS info to the CGI
    environment
  • Not just the standard mod_ssl SSL_* environment
    variables
  • GRST_CRED_0, GRST_CRED_1, ...
  • Each contains type, start time, end time and value:
      • X509USER 1054777860 1074777860
        /O=Grid/O=YourCA/CN=Name
      • GSIPROXY 1064778087 1064878087
        /O=Grid/O=YourCA/CN=Name/CN=proxy
      • VOMS 1064778087 1064878087
        /voms.dom.ain/group/Role=role/Capability=cap
  • To do this, need a way of mapping each credential
    of each type to a unique string
  • For VOMS, just use the WP2 string representation
  • Ideally, want credentials to be opaque strings,
    since Authorization Decision Functions do not
    need to understand group structure etc.
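The following is an added example (not GridSite code) of what a CGI-side Authorization Decision Function does with these variables: it reads GRST_CRED_0, GRST_CRED_1, ... from the environment, parses the four-field "TYPE start end value" layout shown on the slide, checks the validity window, and hands back the VOMS values as opaque strings. The credential strings are the slide's own (with the "=" signs the transcript dropped); the extra expired entry, the isolated GRST_CRED_9, the function names and the timestamp used for "now" are constructed for the example.

```python
import os
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Credential:
    ctype: str        # X509USER, GSIPROXY, VOMS, ...
    not_before: int   # Unix time, inclusive
    not_after: int    # Unix time, exclusive
    value: str        # opaque string: an X.509 DN or a VOMS FQAN


def parse_compact_credential(line: str) -> Credential:
    """Parse one 'TYPE start end value' line (the GRST_CRED_n layout on the slide)."""
    # Split into at most four fields so a value containing spaces is kept whole.
    parts = line.strip().split(" ", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed compact credential: {line!r}")
    ctype, start, end, value = parts
    if not (ctype.isalnum() and start.isdigit() and end.isdigit()):
        raise ValueError(f"malformed compact credential: {line!r}")
    not_before, not_after = int(start), int(end)
    if not_after <= not_before or not value:
        raise ValueError(f"empty validity window or value: {line!r}")
    return Credential(ctype, not_before, not_after, value)


def load_credentials(env: Dict[str, str]) -> List[Credential]:
    """Collect GRST_CRED_0, GRST_CRED_1, ... in order and stop at the first gap,
    so an isolated GRST_CRED_9 with nothing before it is ignored rather than
    trusted. Client-supplied request headers reach CGI as HTTP_*, so a client
    cannot set these names itself; only the server module does."""
    creds: List[Credential] = []
    i = 0
    while f"GRST_CRED_{i}" in env:
        creds.append(parse_compact_credential(env[f"GRST_CRED_{i}"]))
        i += 1
    return creds


def valid_at(cred: Credential, now: int) -> bool:
    return cred.not_before <= now < cred.not_after


def current_voms_values(creds: List[Credential], now: int) -> List[str]:
    """Opaque VOMS strings valid at 'now'. The decision function compares these
    whole strings against its policy and never parses the group/role structure."""
    return [c.value for c in creds if c.ctype == "VOMS" and valid_at(c, now)]


# Constructed sample environment (assumption, not captured from a real server):
# entries 0-2 are the slide's values; 3 is an already-expired VOMS entry and 9
# an orphan with no GRST_CRED_4..8 before it, both added to show the checks.
SAMPLE_ENV = {
    "GRST_CRED_0": "X509USER 1054777860 1074777860 /O=Grid/O=YourCA/CN=Name",
    "GRST_CRED_1": "GSIPROXY 1064778087 1064878087 /O=Grid/O=YourCA/CN=Name/CN=proxy",
    "GRST_CRED_2": "VOMS 1064778087 1064878087 /voms.dom.ain/group/Role=role/Capability=cap",
    "GRST_CRED_3": "VOMS 1054777860 1064000000 /voms.dom.ain/oldgroup/Role=NULL/Capability=NULL",
    "GRST_CRED_9": "VOMS 1064778087 1064878087 /voms.dom.ain/orphan/Role=NULL/Capability=NULL",
}


if __name__ == "__main__":
    now = 1064800000  # constructed instant inside the proxy's validity window
    env = dict(os.environ) if "GRST_CRED_0" in os.environ else SAMPLE_ENV
    creds = load_credentials(env)
    for cred in creds:
        print(cred.ctype, "valid" if valid_at(cred, now) else "expired", cred.value)
    print(current_voms_values(creds, now))
```

Run under a real mod_ssl-gridsite CGI environment the script reads the live variables; otherwise it falls back to the constructed sample.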

5
OGSA-Authz WG in GGF
  • Attribute format/structure
  • Assertion protocol
      • SAML
  • Expression
      • XACML
  • Requirements

6
XACML subject matching
  <SubjectMatch>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
  </SubjectMatch>
  • Some other identifiers from the XACML 1.0 spec
    (data types and subject attribute ids):
      • urn:oasis:names:tc:xacml:1.0:data-type:x500Name
      • http://www.ietf.org/rfc/rfc2256.txt#userPassword
      • urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
  • Obviously could add http://something/something-voms
  • But need a unique string representation of VOMS
    attributes too

7
Suggestions for VOMS representation
  • Use something like the Compact Credentials
  • Make the string opaque - this means repeating the
    parent groups:
      • /VO.name/group
      • /VO.name/group/subgroup
  • (VOMS attribute certificates already do this
    anyway)
  • Include the certificate name associated with the VO
    in the name of the attribute
  • Can do this already by specifying a per-VO server
    cert in the voms.conf file?
  • This means all the VOMS servers for a particular VO
    have access to the same private key, and the VOMS
    server certs need not be transmitted through a
    trusted medium
      • (Trade-off: compromise of any one of those servers
        exposes the key that signs attributes for the
        whole VO)

8
GACL vs XACML
  GACL credential:
  <voms-cred>
    <vo>vo.org</vo>
    <group>/group</group>
    <role>admin</role>
  </voms-cred>

  Same credential as an XACML subject match:
  <SubjectMatch>
    <AttributeValue DataType="http://voms.standard.url/">/vo.org/group/Role=admin</AttributeValue>
  </SubjectMatch>

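The mapping between the two forms on this slide, and the opaque-string point from the VOMS representation slide, as an added example (not GACL or GridSite code): the GACL <voms-cred> element is flattened into the /vo/group[/subgroup...]/Role=r[/Capability=c] string, wrapped in the XACML <SubjectMatch> with the slide's placeholder data type, and compared by a decision function as a whole string only. The inverse parser is for a consumer that does want the group chain. The data-type URI http://voms.standard.url/ is the slide's placeholder, the function names are assumptions, and the component checks (no "/" or "=" inside a vo, group, role or capability) are added so that no field can smuggle in an extra path level.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Placeholder data-type URI from the slide, not a registered XACML identifier.
VOMS_DATATYPE = "http://voms.standard.url/"

# The GACL fragment on the slide, used as constructed sample input.
GACL_SAMPLE = ("<voms-cred><vo>vo.org</vo><group>/group</group>"
               "<role>admin</role></voms-cred>")


def _check_component(name: str, text: str) -> str:
    """Reject the separator characters so a component cannot add path levels
    or a fake Role=/Capability= field to the opaque string."""
    text = text.strip()
    if not text or "/" in text or "=" in text:
        raise ValueError(f"invalid {name}: {text!r}")
    return text


def gacl_voms_cred_to_string(cred: ET.Element) -> str:
    """<voms-cred><vo>vo.org</vo><group>/group</group><role>admin</role></voms-cred>
    becomes /vo.org/group/Role=admin; every parent group is repeated in the string."""
    if cred.tag != "voms-cred":
        raise ValueError(f"expected <voms-cred>, got <{cred.tag}>")
    parts = ["", _check_component("vo", cred.findtext("vo", ""))]
    group = (cred.findtext("group") or "").strip("/ ")
    parts += [_check_component("group", g) for g in group.split("/") if g]
    role = cred.findtext("role")
    if role is not None:
        parts.append("Role=" + _check_component("role", role))
    cap = cred.findtext("capability")
    if cap is not None:
        parts.append("Capability=" + _check_component("capability", cap))
    return "/".join(parts)


def gacl_text_to_string(xml_text: str) -> str:
    """Convenience wrapper for raw GACL text (trusted policy files only: the
    stdlib parser is not hardened against hostile XML)."""
    return gacl_voms_cred_to_string(ET.fromstring(xml_text))


def parse_voms_string(fqan: str) -> Dict[str, object]:
    """Structure-aware inverse for a consumer that needs the group chain.
    Layout: /vo/group[/subgroup...][/Role=r][/Capability=c], in that order."""
    if not fqan.startswith("/"):
        raise ValueError(f"VOMS string must start with '/': {fqan!r}")
    comps = fqan.split("/")[1:]
    if not comps or not comps[0] or "=" in comps[0]:
        raise ValueError(f"missing VO: {fqan!r}")
    vo, groups = comps[0], []                      # type: str, List[str]
    role, cap = None, None                         # type: Optional[str], Optional[str]
    rest = comps[1:]
    while rest and "=" not in rest[0]:
        groups.append(_check_component("group", rest.pop(0)))
    for comp in rest:
        key, _, val = comp.partition("=")
        if not val or "=" in val:
            raise ValueError(f"bad component {comp!r} in {fqan!r}")
        if key == "Role" and role is None and cap is None:
            role = val
        elif key == "Capability" and cap is None:
            cap = val
        else:
            raise ValueError(f"unexpected component {comp!r} in {fqan!r}")
    return {"vo": vo, "groups": groups, "role": role, "capability": cap}


def xacml_subject_match(value: str) -> str:
    """Serialize the <SubjectMatch> from the slide with the string as an opaque
    AttributeValue of the VOMS data type."""
    match = ET.Element("SubjectMatch")
    attr = ET.SubElement(match, "AttributeValue", DataType=VOMS_DATATYPE)
    attr.text = value
    return ET.tostring(match, encoding="unicode")


def opaque_match(policy_value: str, credential_value: str) -> bool:
    """What a decision function does with opaque strings: whole-string equality.
    /vo.org/group does not match /vo.org/group/subgroup; a policy that means to
    admit the subgroup lists it explicitly."""
    return policy_value == credential_value


if __name__ == "__main__":
    s = gacl_text_to_string(GACL_SAMPLE)
    print(s)
    print(xacml_subject_match(s))
    print(parse_voms_string("/voms.dom.ain/group/Role=role/Capability=cap"))
    print(opaque_match(s, "/vo.org/group/subgroup/Role=admin"))
```

The component check is what makes the opaque string safe to use as a policy key: without it, a role of "admin/Capability=all" taken from a GACL file would serialize to a string that a parser reads as two fields.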
9
Summary
  • GACL, GridSite, mod_ssl-gridsite, mod_gridsite
  • Compact Credentials
  • OGSA-Authz WG
  • Representation of VOMS for XACML etc?