bb581a2ada2656a3119172ace187d7b0.ppt
- Number of slides: 9

Grid Access Control Language
Andrew McNab, University of Manchester
mcnab@hep.man.ac.uk
Andrew McNab - GACL - 16 Dec 2003
Current GACLs
- When building GridSite, SlashGrid and the EDG Storage Element, we needed a simple ACL format to use for prototyping.
- Wanted to support multiple credential types:
  - individuals (X.509/GSI identities)
  - groups from VO-LDAP list-publishing services
  - groups/roles from VOMS attribute certificate services
- Currently:
  - use a per-directory XML ACL in the file .gacl
  - As a file, this can be stored in directories, copied via unmodified https or gsiftp channels and easily manipulated by scripts and applications.
- We aimed for simplicity since we wanted to use it for fileservers and filesystems, and we care about performance.
GridPP / EDG / WP6
GACL example
<gacl version="0.0.1">
  <entry>
    <person>
      <dn>/O=Grid/CN=Andrew</dn>
    </person>
    <allow><read/><list/><write/></allow>
    <deny><admin/></deny>
  </entry>
</gacl>
GACL example (annotated)
<gacl version="0.0.1">
  <entry>
    <person>
      <dn>/O=Grid/CN=Andrew</dn>
    </person>
    <allow><read/><list/><write/></allow>
    <deny><admin/></deny>
  </entry>
</gacl>
- Entry: container for credentials and permissions
- Credential: AND'd inside this entry if more than one present
- Permissions: deny wins over allow
- If multiple entries, resulting permissions are OR'd
Currently supported credential types
- Any: user or authenticated user (cf AFS)
  <any-user/> or <auth-user/>
- Person: full certificate or original issuer of GSI proxy
  <person><dn>/O=Grid/CN=Mr Grid Person</dn></person>
- VOMS: fully qualified attribute names from VOMS certificate
  <voms><fqan>/vo.name/group/subgroup/Role=X</fqan></voms>
- DN List: text lists of DNs, pulled by something outside GACL
  <dn-list><url>https://www.vo.name/dn-lists/group</url></dn-list>
  <dn-list><url>ldap://ldap.vo.name/ou=group,dc=vo,dc=name</url></dn-list>
  <dn-list><url>vomss://vo.name/voms-admin-vo?/group</url></dn-list>
- DNS: application must supply remote host name of request/user
  <dns><hostname>host*.domain.name</hostname></dns>
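The evaluation rules from the annotated example slide (credentials AND'd inside an entry, entries OR'd together, deny winning over allow) and the credential types listed above, worked through in an added Python example. This is not the GridSite/GACL C library; it is a small evaluator written for this page to make the semantics concrete. Assumptions it makes: the `User` fields (`dn`, `fqans`, `hostname`) stand in for what the calling application knows about the requester; the DN list behind a `<dn-list>` URL is supplied by the caller as a dictionary, standing in for the HTTP/LDAP fetch the slides say happens outside GACL; `<hostname>` wildcards are treated as shell-style globs; an entry with no credential element matches nobody (fail closed); and the sample ACL and DN list are constructed for the demo.

```python
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

PERMISSIONS = ("read", "list", "write", "admin")


@dataclass
class User:
    """Stand-in (assumed) for the GACL User object: what the caller knows about the requester."""
    dn: Optional[str] = None                        # certificate subject; None means unauthenticated
    fqans: Set[str] = field(default_factory=set)    # VOMS fully qualified attribute names
    hostname: Optional[str] = None                  # remote host name, supplied by the application


def credential_matches(cred: ET.Element, user: User, dn_lists: Dict[str, Iterable[str]]) -> bool:
    """Does one credential element (<person>, <voms>, ...) match this user?"""
    tag = cred.tag
    if tag == "any-user":
        return True
    if tag == "auth-user":
        return user.dn is not None
    if tag == "person":
        return user.dn is not None and user.dn == cred.findtext("dn")
    if tag == "voms":
        return cred.findtext("fqan") in user.fqans
    if tag == "dn-list":
        # The list itself is fetched outside GACL; here the caller passes it in (assumption).
        url = cred.findtext("url")
        return user.dn is not None and user.dn in dn_lists.get(url, ())
    if tag == "dns":
        pattern = cred.findtext("hostname") or ""
        return user.hostname is not None and fnmatch.fnmatchcase(user.hostname, pattern)
    return False  # unknown credential type never matches (fail closed)


def evaluate(gacl_xml: str, user: User, dn_lists: Optional[Dict[str, Iterable[str]]] = None) -> Set[str]:
    """Return the set of permission names the user ends up with under this ACL."""
    dn_lists = dn_lists or {}
    root = ET.fromstring(gacl_xml)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        # Every credential in the entry must match (AND); an entry with none matches nobody.
        if not creds or not all(credential_matches(c, user, dn_lists) for c in creds):
            continue
        for allow in entry.findall("allow"):
            allowed.update(p.tag for p in allow if p.tag in PERMISSIONS)
        for deny in entry.findall("deny"):
            denied.update(p.tag for p in deny if p.tag in PERMISSIONS)
    # Matching entries are OR'd together, then deny wins over allow.
    return allowed - denied


# Constructed sample ACL: the slide's entry plus entries exercising the other credential types.
SAMPLE_ACL = """<gacl version="0.0.1">
  <entry>
    <person><dn>/O=Grid/CN=Andrew</dn></person>
    <allow><read/><list/><write/></allow>
    <deny><admin/></deny>
  </entry>
  <entry>
    <voms><fqan>/vo.name/group/Role=admin</fqan></voms>
    <dns><hostname>host*.domain.name</hostname></dns>
    <allow><admin/></allow>
  </entry>
  <entry>
    <dn-list><url>https://www.vo.name/dn-lists/group</url></dn-list>
    <allow><read/></allow>
  </entry>
  <entry>
    <auth-user/>
    <allow><list/></allow>
  </entry>
</gacl>"""

# Constructed stand-in for the DN list that would be pulled from the URL above.
SAMPLE_DN_LISTS = {"https://www.vo.name/dn-lists/group": {"/O=Grid/CN=Beth"}}


def demo() -> Dict[str, Set[str]]:
    """Evaluate three constructed users against SAMPLE_ACL."""
    andrew = User(dn="/O=Grid/CN=Andrew", fqans={"/vo.name/group/Role=admin"}, hostname="host1.domain.name")
    beth = User(dn="/O=Grid/CN=Beth")
    anon = User()
    return {
        "andrew": evaluate(SAMPLE_ACL, andrew, SAMPLE_DN_LISTS),  # admin denied even though entry 2 allows it
        "beth": evaluate(SAMPLE_ACL, beth, SAMPLE_DN_LISTS),      # via dn-list and auth-user
        "anon": evaluate(SAMPLE_ACL, anon, SAMPLE_DN_LISTS),      # matches nothing
    }


if __name__ == "__main__":
    for name, perms in demo().items():
        print(name, sorted(perms))
```

Andrew's result is the interesting one: entry 2 matches him (VOMS role and hostname both hold) and would grant admin, but the deny in entry 1 wins across entries, so he ends with read, list and write only. Change his hostname to one outside `host*.domain.name` and entry 2 stops matching entirely, because both credentials in that entry are AND'd.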
GACL library
- XML ACL format not finalised but several products wanted to use it: GridSite, SlashGrid and EDG Storage Element.
- ACL will almost certainly change again in the future, and (hopefully) will need to understand XACML policies emerging from GGF.
- Insulate ourselves from this by putting ACL handling functions into a standalone library, and make this understand the current XML.
- Handles read/list/write ACLs in a reasonably general and OO way:
  - packs C structs and linked lists with their contents
  - provides access functions to manipulate the structs as types/objects
- Build up ACL objects and User objects out of credential, permission and entry objects.
- Then compare User to ACL to get user permissions for this context.
EDG Middleware using GACL
- WP1: GACL is used to specify the access policies for data in the Logging and Bookkeeping service.
- WP4: LCAS VOMS plugin compares VOMS attribute assertions against GACL policy written by the site.
- WP5: GACL integrated into Storage Element for access control of files.
- GridSite (HTTPS) and SlashGrid (filesystems):
  - GACL is the basis of read/write access to files.
  - After 0.9.2, the GACL library became the GridSite library (now with http and x509 utility functions).
GridSite / Apache Architecture (diagram; components listed as labelled on the slide)
- mod_gridsite: .html headers and footers
- .shtml, mod_perl CGI, PHP
- grst-admin.cgi: page editing, file upload, ACL editing etc.
- mod_jk: JSP with Tomcat
- mod_gridsite: file PUT and DELETE
- mod_gridsite: GACL access control + GACL -> env vars
- mod_ssl: plain HTTPS -> env vars
- mod_gridsite: GSI / VOMS OpenSSL callback wrappers
- HTTP
Summary
- GACL provides a simple way of describing resource access policies in XML.
- GACL supports both pull (LDAP/HTTP) and push (VOMS) authorization models.
- GACL library provides an API for handling Grid ACLs.
- GACL is being used by EDG WP1 (L&B), WP4 (LCAS), WP5 (SE) and WP6 (GridSite).
- Further work on GACL as part of the GridSite library.
- For more information, see:
  - http://www.gridpp.ac.uk/gridsite/ - overview, CVS/LXR
  - http://savannah.cern.ch/projects/gridsite/ - bug tracker, news