Page 1: Andrew McNab - GACL - 16 Dec 2003 Grid Access Control Language Andrew McNab, University of Manchester mcnab@hep.man.ac.uk.

Andrew McNab - GACL - 16 Dec 2003

Grid Access Control Language

Andrew McNab, University of Manchester

mcnab@hep.man.ac.uk

Page 2:

GridPP / EDG / WP6

Current GACLs

When building GridSite, SlashGrid and the EDG Storage Element, we needed a simple ACL format to use for prototyping.

We wanted to support multiple credential types:
  individuals (X.509/GSI identities)
  groups from VO-LDAP list-publishing services
  groups/roles from VOMS attribute certificate services

Currently we use a per-directory XML ACL stored in a file named .gacl. Because it is an ordinary file, it can be kept in the directory it protects, copied over unmodified https or gsiftp channels, and easily manipulated by scripts and applications.

We aimed for simplicity since we wanted to use it for fileservers and filesystems, where performance matters.


Page 4:


GACL example

<gacl version="0.0.1">
  <entry>
    <person> <dn>/O=Grid/CN=Andrew</dn> </person>
    <allow><read/><list/><write/></allow>
    <deny><admin/></deny>
  </entry>
</gacl>

Entry: a container for credentials and permissions.

Credentials: if more than one credential is present in an entry, they are AND'd, so the entry only applies to a user who matches all of them.

Permissions: deny wins over allow.

Multiple entries: the resulting permissions are OR'd, i.e. the allows of every entry the user matches are combined, as are the denies, and a deny from any matching entry overrides the corresponding allow.

Page 5:


Currently supported credential types

Any user or authenticated user (cf. AFS):
  <any-user/> or <auth-user/>

Person: the DN of the full certificate, or of the original issuer (the end-entity certificate) of a GSI proxy chain:
  <person><dn>/O=Grid/CN=Mr Grid Person</dn></person>

VOMS: fully qualified attribute names (FQANs) taken from the VOMS attribute certificate:
  <voms><fqan>/vo.name/group/subgroup/Role=X</fqan></voms>

DN List: text lists of DNs, pulled by something outside GACL:
  <dn-list><url>https://www.vo.name/dn-lists/group</url></dn-list>
  <dn-list><url>ldap://ldap.vo.name/ou=group,dc=vo,dc=name</url></dn-list>
  <dn-list><url>vomss://vo.name/voms-admin-vo?/group</url></dn-list>

DNS: the application must supply the remote host name of the request/user; the pattern may contain a wildcard. This credential is only as trustworthy as the application's host name lookup (typically reverse DNS of the client address), so it is weaker than the certificate-based types above.
  <dns><hostname>host*.domain.name</hostname></dns>

Page 6:


GACL library

The XML ACL format was not finalised, but several products wanted to use it: GridSite, SlashGrid and the EDG Storage Element.

The ACL will almost certainly change again in the future, and (hopefully) will need to understand the XACML policies emerging from GGF.

We insulate ourselves from this by putting the ACL-handling functions into a standalone library and making that library understand the current XML.

It handles read/list/write ACLs in a reasonably general, object-oriented way:
  packs C structs and linked lists with their contents
  provides access functions to manipulate the structs as types/objects

ACL objects and User objects are built up out of credential, permission and entry objects. The User is then compared against the ACL to obtain the user's permissions in this context.

Page 7:


EDG Middleware using GACL

WP1: GACL is used to specify the access policies for data in the Logging and Bookkeeping service.

WP4: the LCAS VOMS plugin compares VOMS attribute assertions against the GACL policy written by the site.

WP5: GACL is integrated into the Storage Element for access control of files.

GridSite (HTTPS) and SlashGrid (filesystems): GACL is the basis of read/write access to files.

After 0.9.2, the GACL library became the GridSite library (now with HTTP and X.509 utility functions).

Page 8:


GridSite / Apache Architecture

[Architecture diagram; the components labelled on the slide are:]
  HTTP
  mod_ssl: plain HTTPS -> env vars
  mod_gridsite: GSI / VOMS OpenSSL callback wrappers
  mod_gridsite: GACL access control + GACL -> env vars
  mod_gridsite: .html headers and footers
  mod_gridsite: file PUT and DELETE
  .shtml, mod_perl CGI, PHP
  mod_jk: JSP with Tomcat
  grst-admin.cgi: page editing, file upload, ACL editing etc.

Page 9:


Summary

GACL provides a simple way of describing resource access policies in XML.

GACL supports both pull and push authorization models: pull, where the server fetches group membership lists over LDAP/HTTP (dn-list credentials), and push, where the client presents its group/role attributes in a VOMS attribute certificate (voms credentials).

The GACL library provides an API for handling Grid ACLs.

GACL is being used by EDG WP1 (L&B), WP4 (LCAS), WP5 (SE) and WP6 (GridSite)

Further work on GACL as part of GridSite library

For more information, see http://www.gridpp.ac.uk/gridsite/ - overview, CVS/LXR

http://savannah.cern.ch/projects/gridsite/ - bug tracker, news