Access Control model

From GridSiteWiki

GridSite uses an Access Control model based on X.509 authentication, various virtual organization / authorization systems, and GACL or XACML policy files.

Authentication

Users are identified by X.509 certificates loaded into unmodified web browsers. With commonly used browsers such as Firefox or Internet Explorer, several ways of storing the private key may be used, such as in an encrypted keys file or in an external hardware token.

Virtual Organisations

Virtual Organisation and group memberships are defined either by lists of members' certificate names ("DN Lists") or by the Fully Qualified Attribute Names (FQANs) carried in VOMS attribute certificates.

GridSite stores DN Lists in plain text files and refers to them by LDAP or HTTPS URLs. DN Lists can be retrieved asynchronously from remote authorization servers, or managed locally using the tools described below. The certificate DN of an authenticated user is simply matched against the file containing the relevant DN List to determine that user's VO and group memberships.

For handling VOMS attribute certificates, a simple parser for DER-encoded X.509 attribute certificates is included. It relies on the layout of the ASN.1 object tree in attribute certificates being invariant. Rather than define the full set of callback functions for every ASN.1 object these certificates can contain, a simpler approach was used: the ASN.1 tree of data nodes is unrolled, each node is assigned a co-ordinate, and the fixed co-ordinate of each node of interest is used to find its value when required.
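The following is an added example of the "unroll and address by co-ordinate" approach, not GridSite's own parser. It walks a DER buffer, assigns every node a dotted co-ordinate (child 1 of child 1 of top-level node 0 is "0.1.1"; this syntax is the example's own), and then looks values up by that fixed position. The input is a constructed, AC-shaped structure, not a real VOMS attribute certificate, and the `encode` helper exists only to build it. The lookup checks the tag at the co-ordinate, because the whole approach silently reads the wrong field if the layout is not the one expected.

```python
"""Unroll a DER-encoded ASN.1 tree into a table keyed by node co-ordinates (added example)."""
from dataclasses import dataclass, field

MAX_DEPTH = 32  # refuse absurd nesting; a real AC is only a few levels deep


@dataclass
class Node:
    coord: str     # position in the unrolled tree, e.g. "0.1.1"
    tag: int       # identifier octet: class bits, constructed bit, tag number
    value: bytes   # content octets (for constructed nodes, the encoded children)
    children: list = field(default_factory=list)


def encode(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = (len(body).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return bytes([tag]) + length + body


def _read_length(buf: bytes, pos: int):
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated length encoding")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _read_tlv(buf: bytes, pos: int):
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers are not handled")
    if pos >= len(buf):
        raise ValueError("truncated after tag")
    length, pos = _read_length(buf, pos)
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end


def _walk(buf: bytes, prefix: str, table: dict, depth: int) -> list:
    if depth > MAX_DEPTH:
        raise ValueError("ASN.1 nesting too deep")
    nodes, pos, idx = [], 0, 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        coord = f"{prefix}.{idx}" if prefix else str(idx)
        node = Node(coord, tag, value)
        table[coord] = node
        if tag & 0x20:  # constructed: recurse into the content octets
            node.children = _walk(value, coord, table, depth + 1)
        nodes.append(node)
        idx += 1
    return nodes


def unroll(buf: bytes) -> dict:
    """Parse every TLV in buf and return {co-ordinate: Node}."""
    table = {}
    _walk(buf, "", table, 0)
    return table


def lookup(table: dict, coord: str, expect_tag: int = None) -> bytes:
    """Fetch a node's content by fixed co-ordinate, checking the tag if one is given.

    A missing co-ordinate or unexpected tag means the input does not have the layout
    the caller relies on, so it is reported rather than silently misread.
    """
    if coord not in table:
        raise ValueError(f"no node at co-ordinate {coord}: layout mismatch")
    node = table[coord]
    if expect_tag is not None and node.tag != expect_tag:
        raise ValueError(f"node {coord} has tag 0x{node.tag:02x}, expected 0x{expect_tag:02x}")
    return node.value


# Constructed sample: SEQUENCE { INTEGER 1, SEQUENCE { UTF8String, UTF8String }, OCTET STRING }.
# Not a real VOMS AC; the 200-byte OCTET STRING exercises the long-form length encoding.
SAMPLE_AC = encode(0x30,
    encode(0x02, b"\x01")
    + encode(0x30, encode(0x0C, b"atlas") + encode(0x0C, b"/atlas/Role=production"))
    + encode(0x04, b"\x00" * 200))


if __name__ == "__main__":
    table = unroll(SAMPLE_AC)
    for coord, node in sorted(table.items()):
        print(f"{coord:8} tag=0x{node.tag:02x} len={len(node.value)}")
    # In this layout the FQAN-like string sits at a fixed co-ordinate:
    print(lookup(table, "0.1.1", expect_tag=0x0C).decode())
```

The design point is the same one the text makes: the parser never needs to know what each object means, only where it sits. The cost is that any input whose tree differs from the expected layout must be rejected outright, which is why `lookup` verifies the tag and why truncated or over-long lengths raise instead of being clamped.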

Access Policies

An XML Grid Access Control Language (GACL) was developed for use with GridSite and other components of the European DataGrid project. For use with websites, the GACL file governing a particular directory or hierarchy is simply stored in that directory as a file named .gacl. This policy file allows read, write, list and admin access (the last giving the ability to modify the policy itself) to be granted or denied on the basis of X.509 identity, GSI proxies, DN List membership, or possession of a VOMS attribute certificate.

As an alternative, GridSite now also supports simple XACML policies, which are restricted to have the same content as GACL policies. Nevertheless, they are syntactically correct and can also be evaluated by Sun's reference XACML implementation in Java, for example.

When GridSite reads a policy, stored in the .gacl file or otherwise, it determines whether GACL or XACML is present and transparently uses the correct parser. When writing policies, the choice of GACL or XACML can be set by the webserver administrator on a per-directory basis.
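As an added example tying together the DN List matching, the .gacl policy and the GACL-or-XACML detection described above (this is not GridSite's code), the block below evaluates a small GACL policy for a user presented as an X.509 DN plus VOMS FQANs. The policy, the DN List contents and the URL are constructed. The element names (gacl, entry, person/dn, dn-list/url, voms/fqan, any-user, auth-user, allow, deny) follow GACL as documented for GridSite but should be checked against the version in use; the combination rules (all credentials in an entry must match; deny overrides allow) are this example's assumptions and are stated in the code. XACML policies are only recognised, not evaluated.

```python
"""Evaluate a GACL-style .gacl policy for an X.509 DN, VOMS FQANs and DN List memberships (added example)."""
import xml.etree.ElementTree as ET

PERMISSIONS = ("read", "list", "write", "admin")

# Constructed sample policy for one directory; not taken from any real deployment.
SAMPLE_GACL = """<?xml version="1.0"?>
<gacl version="0.0.1">
  <entry><any-user/><allow><read/><list/></allow></entry>
  <entry>
    <dn-list><url>https://vo.example.org/dn-lists/writers</url></dn-list>
    <allow><write/></allow>
  </entry>
  <entry><voms><fqan>/example/Role=admin</fqan></voms><allow><admin/></allow></entry>
  <entry><person><dn>/C=UK/O=example/CN=mallory</dn></person><deny><write/><admin/></deny></entry>
</gacl>
"""

# Constructed contents of the DN List files the policy refers to, keyed by URL.
# In GridSite these are fetched over HTTPS/LDAP or maintained locally.
SAMPLE_DN_LISTS = {
    "https://vo.example.org/dn-lists/writers":
        "/C=UK/O=example/CN=alice\n/C=UK/O=example/CN=mallory\n",
}


def parse_dn_list(text: str) -> set:
    """One certificate DN per line, blank lines ignored (assumed file format)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def detect_policy_language(xml_text: str) -> str:
    """Choose the parser the way the text describes: inspect the root element."""
    local = ET.fromstring(xml_text).tag.rsplit("}", 1)[-1]  # strip any namespace
    if local == "gacl":
        return "gacl"
    if local in ("Policy", "PolicySet"):
        return "xacml"
    raise ValueError(f"unrecognised policy root element <{local}>")


def credential_matches(cred, dn, fqans, dn_lists) -> bool:
    """Does the presented identity satisfy one credential element of an entry?"""
    if cred.tag == "any-user":
        return True
    if cred.tag == "auth-user":
        return dn is not None
    if cred.tag == "person":
        return dn is not None and cred.findtext("dn", "").strip() == dn
    if cred.tag == "voms":
        return cred.findtext("fqan", "").strip() in fqans
    if cred.tag == "dn-list":
        members = dn_lists.get(cred.findtext("url", "").strip())
        # A list that could not be loaded grants nothing: fail closed.
        return members is not None and dn is not None and dn in members
    return False  # unknown credential types never match


def evaluate(policy_xml: str, dn=None, fqans=(), dn_lists=None) -> set:
    """Return the permissions granted to (dn, fqans) by a GACL policy.

    Assumed rules: an entry applies only if every credential it lists is satisfied;
    the result is the union of applicable <allow> blocks minus the union of
    applicable <deny> blocks, so a deny anywhere overrides an allow.
    """
    if detect_policy_language(policy_xml) != "gacl":
        raise ValueError("only GACL is evaluated in this example")
    root = ET.fromstring(policy_xml)
    lists = {url: parse_dn_list(text) for url, text in (dn_lists or {}).items()}
    fqans = set(fqans)
    allowed, denied = set(), set()
    for entry in root.findall("entry"):
        creds = [c for c in entry if c.tag not in ("allow", "deny")]
        if not creds or not all(credential_matches(c, dn, fqans, lists) for c in creds):
            continue  # an entry with no credentials grants nothing
        for block in entry.findall("allow"):
            allowed.update(p.tag for p in block if p.tag in PERMISSIONS)
        for block in entry.findall("deny"):
            denied.update(p.tag for p in block if p.tag in PERMISSIONS)
    return allowed - denied


if __name__ == "__main__":
    for who, dn, fqans in [("anonymous", None, ()),
                           ("alice", "/C=UK/O=example/CN=alice", ()),
                           ("mallory", "/C=UK/O=example/CN=mallory", ("/example/Role=admin",))]:
        print(who, sorted(evaluate(SAMPLE_GACL, dn, fqans, SAMPLE_DN_LISTS)))
```

Two checks a practitioner would keep from this: an unreachable DN List must not be treated as empty-but-fine in a way that flips a deny into an allow (here it simply never matches), and "admin" should be handed out only through entries you would trust to rewrite the .gacl file itself, since that is what the permission means.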