Security middleware
Andrew McNab
University of Manchester
6 July 2005 Security middleware
Outline
● GridSite features in gLite 1.2
● Some features in detail
  ● HTTP Downgrade
  ● Web service support
  ● suexec and gsexec
● Secmon boxes
GridSite in gLite 1.2
● Up to date VOMS support
  ● Attribute Certificates from “gLite”/“LCG” VOMS
● XML access policies written in GACL or XACML
  ● File access / scripts / services controlled by X.509, GSI Proxy, VOMS AC, DN List credentials.
● HTTP Downgrade
  ● Authentication via HTTPS; bulk file copy via HTTP
● gsexec
  ● Run scripts/services in Unix user “sandboxes”
HTTP Downgrade
● This is mostly code from last summer
  ● Renewed interest in bulk HTTP so we're revisiting it
● Idea is to offer similar functionality to GridFTP but using standard HTTP(S) tools
● HTTPS “control” channel used for authentication
  ● Returns a one-time passcode as a cookie
● HTTP GET or PUT request made with passcode
  ● Similar to unencrypted GridFTP data channel
  ● But with Apache performance benefits: sendfile() etc
HTTP Downgrade (2)
● Intend to add support for third-party copies
  ● Use COPY method from RFC 2518 (WebDAV)
  ● Passcode used to authenticate the remote leg of the copy
● Add HTTP header with client's estimate of Round Trip Time
  ● Used by server to select correct TCP window size
● Work ongoing with networking (Richard Hughes-Jones etc) to demonstrate performance of HTTP on WANs
● Evangelise about this a bit more...
  ● eg GridSite's htcp command now used by EGEE WMS
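The two HTTP Downgrade slides describe a control channel that authenticates over HTTPS and hands back a one-time passcode, which the plain-HTTP data channel then redeems (and, for a third-party COPY, which the remote server presents on the client's behalf). The following is an added example, not GridSite code, of the server-side state that makes such a passcode safe to pass over cleartext HTTP: it is bound to the authenticated DN, one method and one path, optionally to the host expected to redeem it, it expires, and it is deleted on first use. The class and function names, the 60-second TTL, the DNs and host names are all assumptions. The bandwidth-delay helper at the end is the textbook calculation behind "select correct TCP window size" from the RTT header, not GridSite's own formula.

```python
"""Added example (not GridSite code): server-side handling of the one-time
passcode that the HTTPS control channel issues and the HTTP data channel
redeems. Names, binding rules and the TTL are assumptions."""
import hmac
import secrets
import time


class PasscodeStore:
    """Passcodes minted over HTTPS after the client has authenticated.

    Each passcode is bound to the client DN, one HTTP method and one path,
    optionally to the host expected to redeem it (the other server in a
    third-party COPY), expires after `ttl` seconds and is deleted on first
    successful use. A passcode captured on the wire is therefore only good
    for one request the client already asked for, and only briefly.
    """

    def __init__(self, ttl=60, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so the demo can fake time
        self._codes = {}            # code -> (dn, method, path, expiry, redeemer)

    def issue(self, client_dn, method, path, redeemer_host=None):
        """Control channel: mint the passcode to return in a cookie."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_dn, method.upper(), path,
                             self.clock() + self.ttl, redeemer_host)
        return code

    def redeem(self, code, method, path, remote_host=None):
        """Data channel: return the bound DN if the request matches, else None."""
        entry = self._find(code)
        if entry is None:
            return None
        dn, bound_method, bound_path, expiry, redeemer = entry
        if self.clock() > expiry:
            self._codes.pop(code, None)
            return None
        if method.upper() != bound_method or path != bound_path:
            return None                 # wrong request; the code stays for the right one
        if redeemer is not None and remote_host != redeemer:
            return None                 # third-party leg from an unexpected host
        del self._codes[code]           # one-time: consumed
        return dn

    def _find(self, code):
        # Constant-time comparison so lookup timing does not leak code contents.
        for stored, entry in self._codes.items():
            if hmac.compare_digest(stored, code):
                return entry
        return None


def tcp_window_bytes(rtt_ms, link_bps):
    """Bandwidth-delay product: the window needed to keep a link full at the
    RTT the client reported in its request header."""
    return link_bps * rtt_ms // 8000


def demo():
    """Issue, use, replay, wrong method, wrong host and expiry, on a fake clock."""
    now = [1_000.0]
    store = PasscodeStore(ttl=60, clock=lambda: now[0])
    alice = "/C=UK/O=eScience/OU=Manchester/CN=alice"          # constructed DN
    code = store.issue(alice, "GET", "/data/run1.root")
    first = store.redeem(code, "GET", "/data/run1.root")        # accepted
    replay = store.redeem(code, "GET", "/data/run1.root")       # rejected: consumed
    code2 = store.issue(alice, "PUT", "/data/out.root", redeemer_host="se02.example.org")
    wrong = store.redeem(code2, "DELETE", "/data/out.root", remote_host="se02.example.org")
    other = store.redeem(code2, "PUT", "/data/out.root", remote_host="other.example.net")
    now[0] += 61
    expired = store.redeem(code2, "PUT", "/data/out.root", remote_host="se02.example.org")
    return first, replay, wrong, other, expired


if __name__ == "__main__":
    print(demo())
    print(tcp_window_bytes(100, 1_000_000_000), "bytes for 100 ms at 1 Gbit/s")
```

The mismatch branches deliberately do not consume the passcode: an attacker who guesses a method or path wrongly should not be able to invalidate a legitimate transfer, while a correct redemption removes it so the same cookie cannot be replayed.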
Web Service support
● GridSite architecture can provide security for Web Service tools like gSOAP, with CGI Web Services
● We also provide the C/C++ implementation of the EGEE / JRA3 Delegation portType
  ● Java implementation by funded part of JRA3
● mod_gridsite + delegation CGI used by EGEE WMS:
  ● Apache/FastCGI; GridSite (security); gSOAP (SOAP/WS)
  ● Delegated credentials stored in the filesystem
  ● Allows sharing between different CGI languages
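The slide says delegated credentials are stored in the filesystem so CGI services in any language can pick them up. That makes the on-disk handling the security-relevant part, so here is an added example, not the GridSite or JRA3 delegation code, of a store that derives a safe file name from the client DN and delegation id, writes the proxy with mode 0600 and publishes it atomically, and refuses on read-back anything that is a symlink, owned by someone else or readable by group or others. The directory layout, the naming scheme and the delegation id format are assumptions.

```python
"""Added example (not GridSite/JRA3 code): a filesystem store for delegated
proxy credentials shared between CGI services. Layout and checks are assumptions."""
import hashlib
import os
import stat
import tempfile


def _cred_path(store_dir, client_dn, delegation_id):
    # A digest as the file name means neither the DN nor the client-chosen
    # delegation id can contribute path separators or dot-dot components.
    digest = hashlib.sha256(f"{client_dn}\0{delegation_id}".encode()).hexdigest()
    return os.path.join(store_dir, digest + ".pem")


def put_delegated_credential(store_dir, client_dn, delegation_id, pem_bytes):
    """Write the proxy with mode 0600 and publish it atomically."""
    path = _cred_path(store_dir, client_dn, delegation_id)
    fd, tmp = tempfile.mkstemp(dir=store_dir, suffix=".tmp")   # created 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(pem_bytes)
    except BaseException:
        os.unlink(tmp)
        raise
    os.replace(tmp, path)       # a reader never sees a half-written proxy
    return path


def get_delegated_credential(store_dir, client_dn, delegation_id):
    """Read the proxy back, refusing files that are not ours or are too open."""
    path = _cred_path(store_dir, client_dn, delegation_id)
    st = os.lstat(path)                         # lstat: never follow a planted symlink
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("credential is not a regular file")
    if st.st_uid != os.geteuid():
        raise ValueError("credential owned by another user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError("credential readable by group or others")
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Round trip, then show a mis-set mode being refused."""
    dn = "/C=UK/O=eScience/OU=Manchester/CN=alice"     # constructed
    pem = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as d:
        path = put_delegated_credential(d, dn, "deleg-0001", pem)
        roundtrip = get_delegated_credential(d, dn, "deleg-0001") == pem
        os.chmod(path, 0o644)                           # simulate an over-permissive file
        try:
            get_delegated_credential(d, dn, "deleg-0001")
            rejected = False
        except ValueError:
            rejected = True
    return roundtrip, rejected


if __name__ == "__main__":
    print(demo())
```

Because the file name is a digest, a service written in Perl or Python only needs the same DN and delegation id (and the same hashing) to locate the proxy, which is the cross-language sharing the slide refers to, without ever trusting client input as part of a path.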
suexec and gsexec
● Apache has traditionally provided a wrapper to run CGIs as other Unix users:
  ● Start as root, process as apache, CGI as joeuser
● We've modified this to run CGI scripts and services as pool Unix users
  ● Either per-client: the cert in the browser determines which pool user
  ● Or per-directory: all the CGIs in my directory run as the same pool user
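To make the per-client and per-directory modes concrete, here is an added example, not gsexec or suexec code, of how a wrapper could lease pool users: the same certificate DN (or the same directory) always maps to the same pool account, two different clients never share one, an exhausted pool is refused rather than doubled up, and the account is checked against UID/GID floors before the switch, in the spirit of suexec's compile-time minimums. The pool names, the passwd table and the floor values are constructed assumptions; `drop_to` needs to start as root and is not exercised by the test.

```python
"""Added example (not gsexec/suexec code): leasing pool Unix users per client
or per directory, with suexec-style checks before switching to one."""
import os

MIN_UID = 1000      # refuse system accounts, as suexec's UID_MIN/GID_MIN floors do
MIN_GID = 1000

# Constructed passwd table: user name -> (uid, gid)
PASSWD = {
    "root": (0, 0),
    "apache": (48, 48),
    "gridpool01": (5001, 5000),
    "gridpool02": (5002, 5000),
    "gridpool03": (5003, 5000),
}


def check_target_user(name, passwd=PASSWD):
    """Return (uid, gid) if `name` is an acceptable low-privilege target."""
    if name not in passwd:
        raise PermissionError(f"unknown user {name!r}")
    uid, gid = passwd[name]
    if uid < MIN_UID or gid < MIN_GID:
        raise PermissionError(f"{name} (uid {uid}, gid {gid}) is below the pool floor")
    return uid, gid


class PoolAllocator:
    """Hands out pool users and remembers the mapping, so the same client
    (or the same directory) always lands in the same sandbox."""

    def __init__(self, pool_users, passwd=PASSWD):
        self.free = list(pool_users)
        self.leases = {}        # ("dn", dn) or ("dir", path) -> user name
        self.passwd = passwd

    def user_for(self, mode, client_dn=None, directory=None):
        if mode == "per-client":
            if not client_dn:
                raise PermissionError("per-client mode needs an authenticated DN")
            key = ("dn", client_dn)
        elif mode == "per-directory":
            key = ("dir", os.path.normpath(directory))
        else:
            raise ValueError(mode)
        if key not in self.leases:
            if not self.free:
                raise RuntimeError("pool exhausted; refuse rather than share a user")
            self.leases[key] = self.free.pop(0)
        user = self.leases[key]
        check_target_user(user, self.passwd)
        return user


def drop_to(name, passwd=PASSWD):
    """Irreversibly become the pool user. Must start as root (the setuid
    wrapper is invoked by the apache user). Not run by the test."""
    uid, gid = check_target_user(name, passwd)
    os.setgroups([])            # shed apache's supplementary groups
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)            # must fail, otherwise the drop was not permanent
    except PermissionError:
        return uid, gid
    raise RuntimeError("privilege drop not effective")


def demo():
    pool = PoolAllocator(["gridpool01", "gridpool02", "gridpool03"])
    alice, bob = "/C=UK/O=eScience/CN=alice", "/C=UK/O=eScience/CN=bob"   # constructed
    a1 = pool.user_for("per-client", client_dn=alice)
    b1 = pool.user_for("per-client", client_dn=bob)
    a2 = pool.user_for("per-client", client_dn=alice)                  # same sandbox again
    d1 = pool.user_for("per-directory", directory="/var/www/cgi/atlas/")
    d2 = pool.user_for("per-directory", directory="/var/www/cgi/atlas")  # same after normpath
    return a1, b1, a2, d1, d2


if __name__ == "__main__":
    print(demo())
```

The lease table is in memory here; a real wrapper would keep it on disk so the mapping survives restarts, since a client whose files are owned by yesterday's pool user must get that same user back.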
suexec / gsexec (2)
● This allows us to sandbox CGI-based services by ensuring that the pool users are of sufficiently low privilege
  ● Different clients or service owners can't interfere with each other
● Access control is still via GACL/XACML policy files
  ● X.509, GSI Proxy, VOMS, DN List credentials
● We can now offer “third-party” hosting of services
  ● Give a user or VO access to a privileged directory
  ● They deploy their C/C++/Perl/Python services remotely
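Both the gLite 1.2 slide and this one say access is decided by GACL policy files against X.509, GSI proxy, VOMS and DN List credentials. The following is an added example, not GridSite's GACL library, of a minimal evaluator over such a policy: entries matched on a person DN, a VOMS FQAN, membership of a DN list, or any-user, with allows unioned across matching entries and any deny taking precedence. The policy, DNs, FQANs and DN-list contents are constructed; the element and permission names follow the GACL format as I understand it, and treating several credentials inside one `<entry>` as all required is an assumption to check against the GridSite documentation.

```python
"""Added example (not GridSite's GACL code): a minimal GACL policy evaluator.
Policy and identities are constructed; entry semantics are an assumption."""
import xml.etree.ElementTree as ET

PERMISSIONS = ("read", "exec", "list", "write", "admin")

POLICY = """\
<gacl>
  <entry>
    <person><dn>/C=UK/O=eScience/OU=Manchester/CN=alice</dn></person>
    <allow><read/><list/><write/></allow>
  </entry>
  <entry>
    <voms><fqan>/atlas/Role=production</fqan></voms>
    <allow><read/><exec/></allow>
  </entry>
  <entry>
    <dn-list><url>https://example.org/dnlists/blocked.txt</url></dn-list>
    <deny><read/><exec/><list/><write/><admin/></deny>
  </entry>
  <entry>
    <any-user/>
    <allow><read/></allow>
  </entry>
</gacl>
"""

# Constructed contents of the DN list referenced above, keyed by its URL.
DN_LISTS = {
    "https://example.org/dnlists/blocked.txt": {"/C=UK/O=eScience/CN=mallory"},
}


def credential_matches(cred, who):
    """who: {"dn": str or None, "fqans": set of VOMS FQANs from the proxy's AC}."""
    tag = cred.tag
    if tag == "any-user":
        return True
    if tag == "auth-user":
        return who.get("dn") is not None
    if tag == "person":
        return who.get("dn") is not None and cred.findtext("dn") == who["dn"]
    if tag == "voms":
        return cred.findtext("fqan") in who.get("fqans", set())
    if tag == "dn-list":
        return who.get("dn") in DN_LISTS.get(cred.findtext("url"), set())
    raise ValueError(f"unknown credential type <{tag}>")


def entry_applies(entry, who):
    # Assumption: every credential element in an entry must match for it to apply.
    creds = [c for c in entry if c.tag not in ("allow", "deny")]
    return bool(creds) and all(credential_matches(c, who) for c in creds)


def permissions(policy_xml, who):
    """Union of allows from applicable entries, minus every deny (deny wins)."""
    root = ET.fromstring(policy_xml)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        if not entry_applies(entry, who):
            continue
        allowed.update(p.tag for p in entry.findall("allow/*") if p.tag in PERMISSIONS)
        denied.update(p.tag for p in entry.findall("deny/*") if p.tag in PERMISSIONS)
    return frozenset(allowed - denied)


def demo():
    """Four constructed identities against the policy above."""
    alice = {"dn": "/C=UK/O=eScience/OU=Manchester/CN=alice", "fqans": set()}
    prod = {"dn": "/C=UK/O=eScience/CN=carol", "fqans": {"/atlas/Role=production"}}
    anon = {"dn": None, "fqans": set()}
    mallory = {"dn": "/C=UK/O=eScience/CN=mallory", "fqans": {"/atlas/Role=production"}}
    return {name: sorted(permissions(POLICY, who))
            for name, who in (("alice", alice), ("prod", prod),
                              ("anon", anon), ("mallory", mallory))}


if __name__ == "__main__":
    print(demo())
```

Note that the DN-list deny strips even the permissions the VOMS entry would have granted: the listed DN ends up with nothing, which is the behaviour a site wants when it has to block an individual regardless of their VO roles.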
GRACE
● In adding support for Web Services to GridSite, we started to offer non-Java ways of building service-orientated grids
● We're now at the point where this is being taken up
● Clearly, this community has a big investment in languages other than Java
  ● But many other scientists and admins do too
● So again, want to start evangelising about this model
  ● GRACE: GRidsite/Apache/CGI-scripts/Executables
SECMON boxes
● Had hoped to have SECMON box prototype ready for this meeting
  ● Expect DVD images available in the next week or two
● Aim is to provide a simple to install security monitoring box that just sits in the corner of your machine room
  ● Sites don't need to install anything special on CE etc being monitored
  ● Remote administration / monitoring done by Tier-2/Tier-1 staff, but site retains root
SECMON design
● Want to keep things as simple as possible
● Unix syslog already provides almost all of what we need
  ● Always installed
  ● Logs from services/daemons and kernel (port scans etc)
  ● Logging interfaces for scripts, C/C++ etc
  ● One line added to syslog.conf can direct the messages over the network to local SECMON box
● So we need to provide remote config tools and remote access to log files
secmon.conf
● All configuration in one place
  ● All local choices can be recovered from this file
  ● May want to freeze SECMON hard drive to use as evidence for the Police, so this may be important
● secmon.conf currently defines
  ● firewall rules for syslogd, sshd and httpd
  ● services to log (globus-gatekeeper etc)
  ● X.509 DNs of people with different privilege levels
Implementation
● secmond runs as root
  ● monitors secmon.conf for changes
  ● updates config files as a result
  ● filters syslog messages into log files according to service name (sshd, httpd, globus-gatekeeper etc)
● Admin CGI (secmon-admin.cgi) runs as user apache
  ● manages secmon.conf
● RSS CGI (secmon-rss.cgi) runs as user apache
● All remote access controlled by GridSite/GACL policies
RSS Access
● RSS is widely used to allow clients to pull categorised, chronological data (like news headlines) out of webservers, in a programmatic way
  ● Well matched to transporting syslog type alert messages
● secmon-rss.cgi queried by service name, severity and/or date range
  ● Only pull out the level of detail we need
  ● Seeks / bisects / reads log file directly to find messages
● Access control currently via X.509/GSI Proxy only
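The Implementation slide gives secmond the job of filtering forwarded syslog messages into per-service log files, and this slide gives secmon-rss.cgi the job of answering service/severity/date-range queries by seeking and bisecting the log file rather than reading it from the top. The following is an added example, not SECMON code, that does both over a handful of constructed lines in the form a relay forwards them (PRI prefix kept, so severity is recoverable as `pri & 7`): it routes by program name with the name sanitised before it becomes a file name, binary-searches byte offsets in the time-ordered file for the first line in range, and renders the matches as RSS with the untrusted log text escaped. The log lines, the year (BSD timestamps carry none), the file layout and the RSS field choices are assumptions.

```python
"""Added example (not SECMON code): secmond-style routing of forwarded syslog
lines into per-service files, and a secmon-rss.cgi-style query that bisects
the time-ordered file. Sample lines, year and layout are constructed."""
import os
import re
import tempfile
from datetime import datetime
from xml.sax.saxutils import escape

YEAR = 2005          # BSD syslog timestamps carry no year; assumed for the sample
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# <PRI>Mmm dd hh:mm:ss host program[pid]: message    (PRI = facility*8 + severity)
LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")

# Constructed lines, as a remote host's syslogd would forward them to the SECMON box.
SAMPLE = """\
<38>Jul  6 09:14:02 ce01 sshd[4123]: Accepted publickey for gridadmin from 10.0.0.7 port 51022 ssh2
<36>Jul  6 09:14:05 ce01 sshd[4130]: Failed password for invalid user oracle from 192.0.2.9 port 40122 ssh2
<4>Jul  6 09:15:11 ce01 kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP DPT=22 SYN
<30>Jul  6 09:16:40 ce01 globus-gatekeeper[5011]: Authenticated globus user: /C=UK/O=eScience/CN=alice
<27>Jul  6 09:18:02 ce01 globus-gatekeeper[5020]: Failed to authenticate
<30>Jul  6 09:20:00 ce01 httpd[2200]: GET /data/run1.root 200
"""


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, stamp, host, prog, msg = m.groups()
    pri = int(pri)
    return {"time": datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S"),
            "facility": pri >> 3, "severity": pri & 7,
            "host": host, "service": prog, "msg": msg}


def route_to_service_logs(text, logdir):
    """secmond's job: append each message to <logdir>/<service>.log."""
    counts = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # The program name arrives from a remote host: restrict it before it names a file.
        name = re.sub(r"[^A-Za-z0-9_.-]", "_", rec["service"])
        with open(os.path.join(logdir, name + ".log"), "a") as f:
            f.write(line + "\n")
        counts[name] = counts.get(name, 0) + 1
    return counts


def _line_start(f, offset):
    """Position f at the first line boundary at or after offset; return it."""
    if offset == 0:
        f.seek(0)
    else:
        f.seek(offset - 1)
        f.readline()         # finish the line that contains byte offset-1
    return f.tell()


def _first_offset_not_before(path, when):
    """Binary search on byte offsets for the start of the first line with time >= when."""
    with open(path, "rb") as f:
        lo, hi = 0, os.path.getsize(path)
        while lo < hi:
            mid = (lo + hi) // 2
            _line_start(f, mid)
            line = f.readline()
            rec = parse_line(line.decode().rstrip("\n")) if line else None
            if not line or (rec is not None and rec["time"] >= when):
                hi = mid         # EOF or a line already in range: answer is at or before mid
            else:
                lo = mid + 1
        return _line_start(f, lo)


def query(logdir, service, max_severity=7, since=None, until=None):
    """secmon-rss.cgi's job: one service, severity <= max_severity, within [since, until]."""
    path = os.path.join(logdir, service + ".log")
    start = _first_offset_not_before(path, since) if since else 0
    out = []
    with open(path, "rb") as f:
        f.seek(start)
        for raw in f:
            rec = parse_line(raw.decode().rstrip("\n"))
            if rec is None:
                continue
            if until is not None and rec["time"] > until:
                break            # file is in time order, nothing later can match
            if rec["severity"] <= max_severity:
                out.append(rec)
    return out


def to_rss(records, title):
    """Render records as RSS 2.0; log text is attacker-influenced, so escape it."""
    items = "".join(
        f"<item><title>{SEVERITY[r['severity']]}: {escape(r['service'])}</title>"
        f"<pubDate>{r['time'].strftime('%a, %d %b %Y %H:%M:%S +0000')}</pubDate>"
        f"<description>{escape(r['msg'])}</description></item>" for r in records)
    return f'<rss version="2.0"><channel><title>{escape(title)}</title>{items}</channel></rss>'


def demo():
    with tempfile.TemporaryDirectory() as d:
        counts = route_to_service_logs(SAMPLE, d)
        since = datetime(YEAR, 7, 6, 9, 15)
        gk = query(d, "globus-gatekeeper", max_severity=3, since=since)   # err or worse
        ssh = query(d, "sshd", since=since)                               # all earlier: none
        return counts, [r["msg"] for r in gk], len(ssh), to_rss(gk, "secmon: globus-gatekeeper")


if __name__ == "__main__":
    print(demo())
```

The bisection keeps the "only pull out the level of detail we need" property on a file that has grown for months: the cost is a few dozen seeks rather than a linear read, and the severity filter is applied only to the lines actually in the requested window.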
Summary
● The current version of GridSite is part of the latest gLite release process
● We're providing a system which is used by other middleware, not just websites
● Non-Web Service tools from GridSite (htcp etc) are starting to be used too
● SECMON box prototype is almost ready