GACL - PowerPoint PPT Presentation

About This Presentation
Title:

GACL

Description:

Grid security with GridSite: access control done through Grid certificates and GACL; Access Control List files can become difficult to read and edit.

Slides: 19
Provided by: hepManch
Transcript and Presenter's Notes

1
(No Transcript)
2
Grid Security and Accounting
  • Shiv Kaushal, University of Manchester
  • shiv@hep.man.ac.uk
  • http://www.hep.man.ac.uk/u/shiv/

3
Grid Security and Accounting
  • The Grid
  • GridSite
  • Security
  • Accounting Issues
  • Further Work

4
The Grid
  • What is the Grid?
  • An analogy
  • Why use Grids?

5
GridSite
  • What is GridSite?
  • Set of tools for using Grid security over HTTP(S)
  • Extension to Apache web server
  • Files or web pages
  • Command line tools

6
GridSite Features
  • Edit pages on the fly
  • Various other operations
  • Delete/rename/edit files and directories
  • Upload files and directory trees
  • Define groups
  • Delegate control of sections of a site to others

7
Security
  • HTTP(S)
  • Widely distributed
  • RSA encryption
  • Partial file retrieval
  • Grid Certificates
  • Can be loaded into most web browsers
  • Unique identifier: the certificate DN (Distinguished Name)
  • /C=UK/O=eScience/OU=Manchester/L=HEP/CN=shiv kaushal

8
Security - GACL
  • Access control done through Grid certificates and
    GACL
  • Can base security on more than DNs
  • Access Control List files can become difficult to
    read and edit
  • Web based editor built into GridSite

9
Security - GACL
  <?xml version="1.0"?>
  <gacl version="0.0.1">
    <entry>
      <person>
        <dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab</dn>
      </person>
      <allow><read/><exec/><list/></allow>
    </entry>
    <entry>
      <person>
        <dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=shiv kaushal</dn>
      </person>
      <allow><read/><exec/><list/><write/><admin/></allow>
    </entry>
    <entry>
      <any-user/>
      <allow><read/><list/></allow>
    </entry>
  </gacl>

10
Security - GACL
  • Access control done through GRID certificates and
    GACL
  • Access Control List files can become difficult to
    read and edit
  • Web based editor built into GridSite

11
Security
12
Security Migration to XACML
  • XACML
  • General purpose language
  • Becoming widely accepted in Grid community
  • More complex than GACL
  • Greater need for easy editing

13
XACML

  <?xml version="1.0" encoding="UTF-8"?>
  <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy cs-xacml-schema-policy-01.xsd"
          PolicyId="GridSitePolicy"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
    <Target>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/path/to/dir</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Subjects><AnySubject/></Subjects>
      <Actions><AnyAction/></Actions>
    </Target>
    <Rule RuleId="Entry1A" Effect="Permit">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/C=UK/CN=shiv</AttributeValue>
              <SubjectAttributeDesignator AttributeId="person"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ActionMatch>
          </Action>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">list</AttributeValue>
              <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
    <Rule RuleId="Entry1D" Effect="Deny">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/C=UK/CN=shiv</AttributeValue>
              <SubjectAttributeDesignator AttributeId="person"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">exec</AttributeValue>
              <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ActionMatch>
          </Action>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
              <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
  </Policy>

GACL (the equivalent access control list)

  <?xml version="1.0"?>
  <gacl version="0.0.1">
    <entry>
      <person>
        <dn>/C=UK/CN=shiv</dn>
      </person>
      <allow><read/><list/></allow>
      <deny><exec/><write/></deny>
    </entry>
  </gacl>
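Added example, not code from the talk or from GridSite: a small Python evaluator for GACL files shaped like the ones on slides 9 and 13. It assumes the deny-overrides semantics that slide 13 uses when mapping GACL to XACML (a deny entry wins over any allow for the same DN, and an <any-user/> entry applies to every DN); the sample file is constructed from the slides' entries and the function names are my own.

```python
"""Evaluate a GridSite GACL file: which of read/list/exec/write/admin a
certificate DN ends up with, where deny entries override allow entries."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on slides 9 and 13 (not a file from the talk).
SAMPLE_GACL = """<?xml version="1.0"?>
<gacl version="0.0.1">
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab</dn></person>
    <allow><read/><exec/><list/></allow>
  </entry>
  <entry>
    <person><dn>/C=UK/CN=shiv</dn></person>
    <allow><read/><list/></allow>
    <deny><exec/><write/></deny>
  </entry>
  <entry>
    <any-user/>
    <allow><read/><list/></allow>
  </entry>
</gacl>
"""

PERMISSIONS = ("read", "list", "exec", "write", "admin")


def entry_matches(entry, dn):
    """An entry applies if it is open to any user or names this exact DN."""
    if entry.find("any-user") is not None:
        return True
    return any(p.findtext("dn", "").strip() == dn for p in entry.findall("person"))


def effective_permissions(gacl_xml, dn):
    """Union of allows over matching entries minus the union of denies
    (deny-overrides, as in the XACML mapping on slide 13)."""
    root = ET.fromstring(gacl_xml)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        if not entry_matches(entry, dn):
            continue
        for block, target in (("allow", allowed), ("deny", denied)):
            for b in entry.findall(block):
                target.update(c.tag for c in b if c.tag in PERMISSIONS)
    return allowed - denied


def is_permitted(gacl_xml, dn, action):
    """True if the DN may perform the action on the resource this GACL guards."""
    return action in effective_permissions(gacl_xml, dn)
```

Note that the any-user entry grants read and list to shiv as well, but the deny block still removes exec and write, which is why the slide's XACML rendering needs deny-overrides rather than permit-overrides.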
14
Security Migration to XACML
  • XACML
  • General purpose language
  • Becoming widely accepted
  • Useful for accounting?
  • More complex than GACL
  • Greater need for easy editing

15
Security Migration to XACML
  • GACL editor in GridSite modified
  • Can now output XACML policy files
  • Working on reading in of XACML files
  • Will support both GACL and XACML

16
Accounting
  • What is accounting?
  • Need for accounting
  • To ensure adequate access
  • To prevent abuse
  • Financial purposes
  • What are HEP requirements?

17
Further Work
  • Security
  • Continue on XACML work
  • Provide support for GridSite
  • Accounting
  • Investigate requirements and produce
    specification
  • Work on implementation

18
More Information
  • http://www.hep.man.ac.uk/u/shiv/blog/