3 May 2006 GridSite - www.gridsite.org - Andrew McNab
Web Services for Grids in Scripts and C using GridSite
Andrew McNab
University of Manchester
Outline
● LCG/EGEE/gLite
● GridSite philosophy
● Components
● GridSite/Apache architecture
● Web Service support
● Delegation
● gsexec and GRACE
LCG/EGEE/gLite
• This is GridSite's main user
• Developing and deploying grids for Particle Physics
– At ~200 farms at university sites
– In production with Monte Carlo simulation now
– Must go into production with LHC data in 2007
• Security based on proxy certificates + X.509/VOMS attribute certificates from application groups
• All middleware to be Web Services over HTTPS
GridSite philosophy
● Aim to reuse as much as possible from mainstream Web and Web Services worlds
– Applies both to software and standards
– Reduces work needed and ongoing support overhead
– We use Apache, OpenSSL, curl, gSOAP, libxml, ...
● Aim for language neutrality on server side
– We're coming from the Particle Physics world where C++/Perl/Python/C are the dominant languages
– Allow use of Apache's CGI interface, mod_perl, etc
Components
● libgridsite C/C++ toolkit provides utility functions
– parse GSI Proxies and VOMS X.509 attribute certs
– evaluate GACL and XACML access policies
– generate new GSI Proxies
● mod_gridsite adds support for GSI Proxies, VOMS attributes, DN List groups, GACL/XACML policies and Onetime Passcodes to Apache
– supplemented by gsexec setuid wrapper
● htcp, htls, htproxyput, ... provide command line file tools
Module architecture
[Diagram of the Apache/GridSite request path; the recoverable labels are listed here]
– HTTP
– mod_ssl: plain HTTPS > env vars
– mod_gridsite: GSI / VOMS OpenSSL callback wrappers
– mod_gridsite: GACL access control + GACL > env vars
– mod_gridsite: .html headers and footers
– mod_gridsite: PUT, MOVE and DELETE
– grst-admin.cgi: page editing, file upload, GACL editing etc.
– .shtml, mod_perl, CGI, PHP
– CGI Web Services (gsexec)
– Apache/GridSite
File access options
● Web browser
– View page/files/services on GridSite managed server
● Web browser + User's certificate
– Upload/edit/delete of pages/files/scripts/executables
● htcp shell commands
– scp/“ssh ls -l” access for Unix-based clients via HTTP(S)
● SlashGrid (“/grid”)
– AFS-like access (“/grid/https/www.gridpp.ac.uk/dir/file.txt”)
– but requires Linux and local SlashGrid daemon
Web Service support
● Apache “eco-system” already supports Web Services
– gSOAP, SOAP-Lite etc
● GridSite adds security context via CGI environment
– or systems like mod_perl which simulate CGI since our module has access to Apache internal data “upstream”
● Service authors are provided with users' credentials from proxies and VOMS ACs as environment variables
● Coarse-grained access control from XACML/GACL policy engine
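An added example (not GridSite code) of the two things this slide and the Components slide describe together: a service reads the caller's credentials from the CGI environment, then evaluates a GACL policy over them. The GACL XML vocabulary (gacl/entry/person/dn/voms/fqan/any-user/allow/deny) and the GRST_CRED_n variable layout "<type> <start> <end> <deleg> <identity>" are assumptions not stated on the slides; the policy and environment values are constructed.

```python
"""Minimal GACL evaluator in the style of libgridsite, fed credentials the way
mod_gridsite is assumed to expose them to CGI programs (added example)."""
import os
import xml.etree.ElementTree as ET

PERMS = ("read", "list", "write", "admin")

# Constructed policy: the owner DN gets everything, a VOMS production role may
# write, anyone may read, and one revoked DN is denied read outright.
POLICY = """<gacl>
<entry><person><dn>/C=UK/O=eScience/CN=alice</dn></person>
  <allow><read/><list/><write/><admin/></allow></entry>
<entry><voms><fqan>/atlas/Role=production</fqan></voms>
  <allow><read/><write/></allow></entry>
<entry><any-user/><allow><read/></allow></entry>
<entry><person><dn>/C=UK/O=eScience/CN=mallory</dn></person>
  <deny><read/></deny></entry>
</gacl>"""

def creds_from_env(env):
    """Collect (type, identity) pairs from GRST_CRED_0, GRST_CRED_1, ...
    Field layout is assumed; the identity may itself contain spaces."""
    creds, i = [], 0
    while f"GRST_CRED_{i}" in env:
        ctype, _start, _end, _deleg, ident = env[f"GRST_CRED_{i}"].split(" ", 4)
        creds.append((ctype, ident))
        i += 1
    return creds

def cred_matches(cred_el, creds):
    if cred_el.tag == "any-user":
        return True
    if cred_el.tag == "person":
        return ("X509USER", cred_el.findtext("dn")) in creds
    if cred_el.tag == "voms":
        return ("VOMS", cred_el.findtext("fqan")) in creds
    return False  # unknown credential types never match: fail closed

def gacl_permissions(policy_xml, creds):
    """Union of allows minus union of denies over entries whose credentials
    ALL match (credentials inside one entry are ANDed; deny beats allow)."""
    allowed, denied = set(), set()
    for entry in ET.fromstring(policy_xml).findall("entry"):
        cred_els = [c for c in entry if c.tag not in ("allow", "deny")]
        if not cred_els or not all(cred_matches(c, creds) for c in cred_els):
            continue
        allowed |= {p.tag for p in entry.findall("allow/*")}
        denied |= {p.tag for p in entry.findall("deny/*")}
    return {p for p in PERMS if p in allowed and p not in denied}

if __name__ == "__main__":  # run under a CGI wrapper, the real variables are used
    print(sorted(gacl_permissions(POLICY, creds_from_env(os.environ))))
```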
Delegation portType
● We also provide the C/C++ implementation of the GridSite/gLite Proxy Certificate delegation portType
– Java implementation by other members of EGEE
● mod_gridsite + delegation CGI used by EGEE WMS
– Apache/FastCGI; GridSite (security); gSOAP (WS)
● Delegated credentials stored in the filesystem (or SQL DB)
● Allows sharing between different CGI languages
● Unix permissions used to control which sessions / services / application owners can access proxies
suexec and gsexec
● Apache has traditionally provided a wrapper to run CGIs as other Unix users:
● Start as root, process as apache, CGI as joeuser
● We've modified this to run CGI scripts and services as pool Unix users, similar to LCG/EGEE and NGS
● Either per-client: the certificate of the client program determines which pool user
● Or per-directory: all the CGIs in my directory run as the same pool user
suexec / gsexec (2)
● This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
● Different clients or service owners can't interfere with each other
● Access control is still via GACL/XACML policy files
● X.509, GSI Proxy, VOMS, DN List credentials
● Sites can now offer “third-party” service hosting
● Give a user or VO access to a privileged directory
● They deploy C/C++/Perl/Python CGI services remotely
GRACE
● In adding support for Web Services to GridSite, we're offering non-Java ways of building service-orientated grids
● This provides another way of deploying Web Services
– “GRACE” : GRidsite - Apache - CGI – Executables
– Allows services to be written in any language
– Can be deployed remotely
– Deployment rights controlled by GACL/XACML policies
– Different VOs/individuals are sandboxed via Unix UIDs
More information
● www.gridsite.org is the project website
– Open Source (BSD), bug tracker, CVS etc
● Includes the new GridSiteWiki
– Derived from MediaWiki but uses X.509 instead of usernames / passwords
● www.gridpp.ac.uk is the largest site using GridSite
– and includes its own Wiki, which is pulling in info
● You can also find GridSites at NGS, GOC, CERN, LCG, TCD.IE, ... by searching for GridSite with Google
Summary
● GridSite aims to reuse as much of the mainstream Web and Web Service world for grids
● Provides libgridsite Grid security toolkit for C/C++
● mod_gridsite adds support for GSI Proxies, VOMS, GACL, XACML, and HTTP PUT, MOVE, DELETE to Apache
● Can provide the basis of secured Web Services for Grids as CGI programs
● GRACE model goes further, and supports third party service hosting and remote deployment of services