3 May 2006 GridSite - www.gridsite.org - Andrew McNab

Web Services for Grids in Scripts and C using GridSite

Andrew McNab

University of Manchester

Outline

● LCG/EGEE/gLite
● GridSite philosophy
● Components
● GridSite/Apache architecture
● Web Service support
● Delegation
● gsexec and GRACE

LCG/EGEE/gLite

● This is GridSite's main user
● Developing and deploying grids for Particle Physics
  – At ~200 farms at university sites
  – In production with Monte Carlo simulation now
  – Must go into production with LHC data in 2007
● Security based on proxy certificates + X.509/VOMS attribute certificates from application groups
● All middleware to be Web Services over HTTPS

GridSite philosophy

● Aim to reuse as much as possible from mainstream Web and Web Services worlds
  – Applies both to software and standards
  – Reduces work needed and ongoing support overhead
  – We use Apache, OpenSSL, curl, gSOAP, libxml, ...
● Aim for language neutrality on server side
  – We're coming from the Particle Physics world where C++/Perl/Python/C are the dominant languages
  – Allow use of Apache's CGI interface, mod_perl, etc.

Components

● libgridsite C/C++ toolkit provides utility functions
  – parse GSI Proxies and VOMS X.509 attribute certs
  – evaluate GACL and XACML access policies
  – generate new GSI Proxies
● mod_gridsite adds support for GSI Proxies, VOMS attributes, DN List groups, GACL/XACML policies and Onetime Passcodes to Apache
  – supplemented by gsexec setuid wrapper
● htcp, htls, htproxyput, ... provide command line file tools

Module architecture (diagram)

Boxes in the Apache/GridSite request path, as drawn on the slide:
  – HTTP
  – mod_ssl: plain HTTPS > env vars
  – mod_gridsite: GSI / VOMS OpenSSL callback wrappers
  – mod_gridsite: GACL access control + GACL > env vars
  – mod_gridsite: .html headers and footers
  – mod_gridsite: PUT, MOVE and DELETE
  – .shtml, mod_perl, CGI, PHP
  – CGI Web Services (gsexec)
  – grst-admin.cgi: page editing, file upload, GACL editing etc.

File access options

● Web browser
  – View page/files/services on GridSite managed server
● Web browser + User's certificate
  – Upload/edit/delete of pages/files/scripts/executables
● htcp shell commands
  – scp/“ssh ls -l” access for Unix-based clients via HTTP(S)
● SlashGrid (“/grid”)
  – AFS-like access (“/grid/https/www.gridpp.ac.uk/dir/file.txt”)
  – but requires Linux and local SlashGrid daemon

Web Service support

● Apache “eco-system” already supports Web Services
  – gSOAP, SOAP-Lite etc.
● GridSite adds security context via CGI environment
  – or systems like mod_perl which simulate CGI, since our module has access to Apache internal data “upstream”
● Service authors are provided with users' credentials from proxies and VOMS ACs as environment variables
● Coarse-grained access control from XACML/GACL policy engine
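As an added illustration of the two points above (credentials handed to a CGI as environment variables, and a GACL policy deciding coarse-grained access), here is a small Python evaluator; it is not GridSite's code and serves both the Components slide and this one. The GRST_CRED_n variable names, the credential-string layout, the GACL element names and the "allows are unioned, any deny wins" rule are assumptions from my reading of GridSite, not statements made on this deck.

```python
import os
import xml.etree.ElementTree as ET

# Constructed GACL policy; element names (any-user, person/dn, voms/fqan, allow/deny) are assumed.
POLICY = """<gacl version="0.0.1">
  <entry><any-user/><allow><read/><list/></allow></entry>
  <entry><voms><fqan>/atlas/Role=production</fqan></voms>
         <allow><write/></allow></entry>
  <entry><person><dn>/C=UK/O=eScience/OU=Manchester/CN=alice</dn></person>
         <allow><write/><admin/></allow></entry>
  <entry><person><dn>/C=UK/O=eScience/OU=Manchester/CN=mallory</dn></person>
         <deny><write/><admin/></deny></entry>
</gacl>"""

PERMS = ("read", "exec", "list", "write", "admin")

def creds_from_env(env):
    """Credentials from GRST_CRED_n (assumed format: TYPE notbefore notafter deleg value)."""
    creds, i = set(), 0
    while f"GRST_CRED_{i}" in env:
        kind, _nb, _na, _deleg, value = env[f"GRST_CRED_{i}"].split(" ", 4)
        if kind in ("X509USER", "GSIPROXY"):   # a DN, from the user cert or a GSI proxy
            creds.add(("dn", value))
        elif kind == "VOMS":                   # a VOMS FQAN from an attribute certificate
            creds.add(("fqan", value))
        i += 1
    return creds

def entry_matches(entry, creds):
    """An entry applies only if every credential condition in it is met."""
    for cond in entry:
        if cond.tag in ("allow", "deny", "any-user"):
            continue
        if cond.tag == "person" and ("dn", (cond.findtext("dn") or "").strip()) in creds:
            continue
        if cond.tag == "voms" and ("fqan", (cond.findtext("fqan") or "").strip()) in creds:
            continue
        return False   # unknown or unmatched condition: fail closed
    return True

def evaluate(policy_xml, creds):
    """Union the allows of matching entries, then strip every denied permission."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(policy_xml).findall("entry"):
        if entry_matches(entry, creds):
            for block, target in (("allow", allowed), ("deny", denied)):
                for b in entry.findall(block):
                    target.update(p.tag for p in b if p.tag in PERMS)
    return allowed - denied

def perms_for_request(env=None):
    """What this CGI service may grant its caller, read from the CGI environment."""
    return evaluate(POLICY, creds_from_env(os.environ if env is None else env))
```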

Delegation portType

● We also provide the C/C++ implementation of the GridSite/gLite Proxy Certificate delegation portType
  – Java implementation by other members of EGEE
● mod_gridsite + delegation CGI used by EGEE WMS
  – Apache/FastCGI; GridSite (security); gSOAP (WS)
● Delegated credentials stored in the filesystem (or SQL DB)
  – Allows sharing between different CGI languages
  – Unix permissions used to control which sessions / services / application owners can access proxies

suexec and gsexec

● Apache has traditionally provided a wrapper to run CGIs as other Unix users:
  – Start as root, process as apache, CGI as joeuser
● We've modified this to run CGI scripts and services as pool Unix users, similar to LCG/EGEE and NGS
  – Either per-client: the certificate of the client program determines which pool user
  – Or per-directory: all the CGIs in my directory run as the same pool user

suexec / gsexec (2)

● This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
  – Different clients or service owners can't interfere with each other
● Access control is still via GACL/XACML policy files
  – X.509, GSI Proxy, VOMS, DN List credentials
● Sites can now offer “third-party” service hosting
  – Give a user or VO access to a privileged directory
  – They deploy C/C++/Perl/Python CGI services remotely

GRACE

● In adding support for Web Services to GridSite, we're offering non-Java ways of building service-orientated grids
● This provides another way of deploying Web Services
  – “GRACE”: GRidsite - Apache - CGI - Executables
  – Allows services to be written in any language
  – Can be deployed remotely
  – Deployment rights controlled by GACL/XACML policies
  – Different VOs/individuals are sandboxed via Unix UIDs

More information

● www.gridsite.org is the project website
  – Open Source (BSD), bug tracker, CVS etc.
● Includes the new GridSiteWiki
  – Derived from MediaWiki but uses X.509 instead of usernames / passwords
● www.gridpp.ac.uk is the largest site using GridSite
  – and includes its own Wiki, which is pulling in info
● You can also find GridSites at NGS, GOC, CERN, LCG, TCD.IE, ... by searching for GridSite with Google

Summary

● GridSite aims to reuse as much of the mainstream Web and Web Service world for grids
● Provides libgridsite Grid security toolkit for C/C++
● mod_gridsite adds support for GSI Proxies, VOMS, GACL, XACML, and HTTP PUT, MOVE, DELETE to Apache
● Can provide the basis of secured Web Services for Grids as CGI programs
● GRACE model goes further, and supports third party service hosting and remote deployment of services