GridSite Grid Security for the Web
Web platforms for Grids

Welcome page : Documentation : Download : License

GridSite Apache module: mod_gridsite

mod_gridsite is an Apache 2.0 module which enforces access control via Grid Access Control Lists, and X.509, GSI or VOMS credentials. mod_gridsite also gives Apache built-in support for the HTTP PUT and DELETE methods, and formatting of HTML pages with standard headers and footers.

Since mod_gridsite access control within Apache itself, Grid authorization and the associated verified credentials are available to all technologies supported by Apache, including static file serving, SSI, CGI, PHP, mod_perl and Java servlets via a connector to Tomcat.

Operation of mod_gridsite can be configured using runtime directives in Apache's standard httpd.conf configuration file. The module must first be loaded with a LoadModule directive:

LoadModule gridsite_module /PATH/TO/MODULES/

The module's behaviour is then controlled by GridSite... directives within Apache <Directory ...> sections, allowing different directories to use GridSite features in different ways.

GridSite directives

GridSiteIndexes on|off
Determines whether GridSite generates HTML directory listings. These have some advantages over standard Apache directory listings (eg the displayed filenames are never truncated) and will include standard headers and footers if GridSiteHtmlFormat is on.
(Default: GridSiteIndexes off)

GridSiteIndexHeader file
If the named file is found in the directory being listed, the file is included verbatim at the top of the listing and excluded from the file-by-file listing. The file can either be HTML or plain text (in which case browsers will be treat it as one HTML paragraph.)
(Default: none)

GridSiteHtmlFormat on|off
Determines where HTML pages receive additional formatting before being sent to the client. This includes the "Last modified", "View page history", "Switch to HTTP(S)", "Print View" and "Built with GridSite" footer elements. If header and footer files are found, they will be used too.
(Default: GridSiteHtmlFormat off)

GridSiteHeadFile file
GridSiteFootFile file
Set the filenames to be searched for as standard headers and footers for HTML pages. For each HTML page, the directory of that page is tried first, and then parent directories in ascending order until a header / footer file is found. Header files are inserted in place of HTML <body[ ...]> tags; footer files in place of </body>. (These standard files should each include the appropriate body tag as a replacement.)
(Defaults: GridSiteHeadFile gridsitehead.txt, GridSiteFootFile gridsitefoot.txt)

GridSiteAuth on|off
Enables GridSite access control features, using GACL files. The files are named .gacl and are per-directory. The current directory is tried and then parent directories in ascending order until a .gacl file is found.
(Default: GridSiteAuth off)

GridSiteAdminList uri
All members of the DN List with name "uri" receive the full set of permissions, irrespective of per-directory .gacl files. People in this group have full control over the whole site.
(Default: none)

GridSiteGSIProxyLimit limit
When using GSI Proxy credentials, proxies with delegation depth greater than "limit" will be ignored by mod_gridsite authorization decisions. A limit of zero implies only full X.509 certificates (and no proxies) will be accepted. A limit of 1 implies that only the initial proxy, usually created on the user's own machine, is acceptable. Higher levels lead to proxies on remote machines, eg used by running jobs, being accepted.
(Default: GridSiteGSIProxyLimit 1)

GridSiteMethods [GET] [PUT] [DELETE]
Specifies which HTTP methods are supported by GridSite. GET (and HEAD) are always supported. PUT and DELETE support is turned on by this directive, subject to a positive statement that write permission is allowed for the directory in question, by a GACL file.
(Default: GridSite GET)

GridSiteDNlists directory1[:directory2[:directory3]...]
Sets up the DN List path used by GACL for evaluating <dn-list> credentials. If this directive is not used, then GACL will use the GRST_DN_LISTS variable from Apache's own environment. If that is not set either, then /etc/grid-security/dn-lists is searched.
(Default: none)

GridSiteDNlistsURI uri
If GridSiteDNlistsURI is used, then the URI given appears to be populated with all the DN lists on the current DN lists path which match the current server. That is, for server with DN lists URI /dn-lists/, all DN lists with URLs starting will appear to be present in /dn-lists/, irrespective of where in the path they are stored.
(Default: none)

GridSiteAdminURI uri
GridSiteAdminURI gives the absolute URI on the server of the GridSite Admin CGI program, which is used for file management, HTML and GACL editing. This should be used in conjunction with the standard Apache directive ScriptAlias to map that URI to the real-gridsite-admin.cgi executable. For example:
ScriptAlias /real-gridsite-admin.cgi /PATH/TO/real-gridsite-admin.cgi
This URI is always reached by an internal redirection from the value set by GridSiteAdminFile, and is never visible to users.
(Default: none)

GridSiteAdminFile cgifilename
If GridSiteAdminURI is set, then the cgifilename of GridSiteAdminFile appears to be present in all directories when explicitly requested (it does not appear in directory listings.) Requests for these ghost CGI URIs are internally redirected to the value set by GridSiteAdminURI.
(Default: GridSiteAdminFile gridsite-admin.cgi)

GridSiteEnvs on|off
This makes mod_gridsite export several variables into the environment of CGI programs and other dynamic content systems. The variable names are listed below. For gridsite-admin.cgi mechanism to work, this switch must be left in its default state of on.
(Default: GridSiteEnvs on)

GridSiteEditable [ext1 [ext2 [ext3] ...]]]
A space-separated list of file extensions which can safely be edited by the GridSite Text/HTML editor. The extensions are given without the initial dot.
(Default: GridSiteEditable txt shtml html htm css js php jsp)

GridSiteHelpURI uri
If set, gives the URI to use for "Website Help" links in HTML page footers.
(Default: none)

GridSiteLink on|off
Turns off the link in the HTML page footers which gives credit to GridSite.
(Default: GridSiteLink on)

GridSiteUnzip path
If "path" is set by this directive, then real-gridsite-admin.cgi will offer to list the contents of .zip archives on the server. Users with write access are able to unpack the contents into the same directory as the .zip file. The value of "path" must point to the location of the unzip binary.
(Default: none)

Environment variables

The following variables are present in the environment of CGI programs and other dynamic content systems if the GridSiteEnvs on directive is in effect.

Numerical value of the permission bit-map obtained by comparing the user with the GACL in force. (These should be tested using the GRSTgaclPermHasXXXX functions from GACL.)

URI of the DN List, listing people with full admin and write access to the whole site.

Maximum valid delegation level for GSI Proxies.

Absolute path in the local filesystem to the directory holding the file being requested.

URI of website help pages set by GridSiteHelpURI directive.

Filename of per-directory ghost gridsite-admin.cgi program. (This is used by real-gridsite-admin.cgi to construct links in its pages.)

Space-separated list of extensions which can safely be edited with a Text/HTML editor.

Filenames of standard header and footer files.

DN lists search path.

Directory of virtual URIs used to publish this site's DN Lists.

Full path to the unzip binary, used to list and unpack .zip files.

If set, do not include credit links to GridSite in page footers.

Last modified Fri 19 December 2003 . View page history
Switch to HTTPS . Print View . Built with GridSite 1.4.3
Funded by:   GridPP   STFC   JISC   University of Manchester