"Andrew's blog about Grids, Webs, Security and other interestingTM Stuff"

GridSite and Subversion
Fri 15 December 2006 1:12pm

In the last couple of weeks I've been looking at adding support to GridSite for the Subversion version control system (i.e. like CVS). It's interesting from a GridSite point of view because the server side comes in the form of modules which extend Apache, and the network protocol is just WebDAV. It's been brought up before that there might be some useful overlaps here, and Alessandra Forti, who runs the Tier-2 here in Manchester, suggested it again last month (as part of managing configuration files for grid installations using Subversion).

The Subversion module is well behaved and orthogonal to the access control provided by GridSite. However, it provides a virtual piece of URL-space, based on its own database files, so GridSite's original access policy model (GACL files in the directories they apply to) wasn't enough.

Instead I've added the directive GridSiteACLPath which explicitly sets the location of the GACL which applies "here", where "here" is delimited by Apache <Location ...> containers so you can choose where it applies in the URL space. (You can even use LocationMatch and get regular expression matching of URLs.) The GACLs can of course contain requirements based on certificate DNs, DN-Lists, VOMS attributes etc., and I extended the GridSite module's knowledge of HTTP methods so that the WebDAV "write" methods like MKCOL are controlled by GACL <write/>.

That was enough to get a working system, but from a production point of view, it means modifying the Apache configuration file and restarting Apache every time a new Subversion repository is added (due to the way Subversion uses temporary files, you can't really do fine grained access control within a repository without a lot of ugliness.)

Noting that Subversion provides a generic directive, SVNParentPath, saying "this directory is full of repository top-level directories", I added a complementary ability to GridSiteACLPath. As well as explicitly stating the GACL file location, you can also insert %1, %2, ... which will be replaced by the first, second, ... component of the URL given. If these correspond to repository names, that means you can create new repositories and the GACL files that go with them without having to restart Apache.
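To make the two mechanisms above concrete (the %N substitution in GridSiteACLPath, and the read/write classification of WebDAV methods checked against a GACL), here is an added illustration in Python. It is not GridSite's code: the method table, the "count components from the start of the request path" rule, the deny-wins GACL evaluation and the sample repository layout, DNs and GACL file are all assumptions constructed for the example, and the real module may differ in each.

```python
import re
from xml.etree import ElementTree as ET
# Illustrative read/write split for WebDAV methods (assumption, not GridSite's table).
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "PROPPATCH", "COPY", "MOVE",
                 "LOCK", "UNLOCK", "CHECKOUT", "MERGE"}

def resolve_acl_path(template, url_path):
    """Replace %1, %2, ... with the 1st, 2nd, ... path component of url_path."""
    parts = [p for p in url_path.split("/") if p]
    def component(m):
        idx = int(m.group(1)) - 1
        if idx >= len(parts):
            raise ValueError(f"request path has no component %{idx + 1}")
        return parts[idx]
    return re.sub(r"%(\d+)", component, template)

def required_permission(method):
    return "write" if method.upper() in WRITE_METHODS else "read"

def gacl_allows(gacl_xml, dn, permission):
    """Simplified GACL: entry applies if <dn> matches or <any-user/>; deny wins."""
    allowed = False
    for entry in ET.fromstring(gacl_xml).findall("entry"):
        applies = entry.find("any-user") is not None or \
            dn in [d.text for d in entry.findall("person/dn")]
        if not applies:
            continue
        if entry.find(f"deny/{permission}") is not None:
            return False
        if entry.find(f"allow/{permission}") is not None:
            allowed = True
    return allowed

def authorise(template, url_path, method, dn, gacl_files):
    """gacl_files maps resolved ACL paths to GACL XML (stands in for the disk)."""
    try:
        acl_path = resolve_acl_path(template, url_path)
    except ValueError:
        return False  # URL too short for the template: nothing to authorise against
    if acl_path not in gacl_files:
        return False  # no policy file for this repository: deny by default
    return gacl_allows(gacl_files[acl_path], dn, required_permission(method))

# Constructed sample: repositories are served under /svn/<name>/..., so %2 is the name.
TEMPLATE = "/var/svn/gacl/%2.gacl"
ALICE = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=alice"
GACL_FILES = {"/var/svn/gacl/configs.gacl": f"""<gacl version="0.0.1">
<entry><person><dn>{ALICE}</dn></person><allow><read/><list/><write/></allow></entry>
<entry><any-user/><allow><read/></allow></entry></gacl>"""}
```

With this layout, adding a repository "foo" under the parent directory plus a /var/svn/gacl/foo.gacl file is enough for the policy to take effect on the next request, which is the no-restart property the directive is meant to give.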

I've been thinking about the wider implications this week for other virtual URL space systems. The new directive will also allow us to impose read access control on the GridSiteWiki, especially if pages can be grouped into namespaces so that regular expression matching is possible. It should also be possible to use it with Apache+Java configurations, e.g. where Apache provides the HTTP and HTTPS processing (perhaps with GridSite adding GSI and VOMS support), but where Tomcat hosts the Java services using mod_jk. With the GridSiteACLPath directive, you can add GACL policies on the Apache side, and do all of the security that way.

There are some more notes about the new directive and Subversion in the GridSite project wiki.

Contact info
Dr Andrew McNab,
Department of Physics and Astronomy,
University of Manchester,
Manchester,
United Kingdom,
M13 9PL

Andrew.McNab@cern.ch
Phone: +44-161-306-6474
Fax: +44-161-273-5867

© 2004-6 Andrew McNab <Andrew.McNab@manchester.ac.uk>