Argus Policies Tutorial
Valery Tschopp - SWITCH
EGI TF 2012 @ Prague
EMI is partially funded by the European Commission under Grant Agreement RI-261611
Authorization
20/09/2012
EGI TF 2012, Prague
2
EMI INFSO-RI-261611
What is authorization?
Authorization
20/09/2012
EGI TF 2012, Prague
3
EMI INFSO-RI-261611
Can user X
perform action Y
on resource Z ?
Authorization Examples
• Can user X…
– execute on this worker node (WN) ?
– submit a job to this CREAM CE ?
– access this storage area ?
– submit a job to this WMS instance ?
• User X is banned !
20/09/2012
EGI TF 2012, Prague
4
EMI INFSO-RI-261611
– Is not allowed to do anything on any resource!
Motivations for Argus
• Each Grid service has its own authorization
mechanism
– Administrators need to know them all
– Authorization rules at a site become difficult to
understand and manage
• No global banning mechanism
– Urgent ban of malicious users cannot be easily and
timely enforced on distributed sites
– Hard to change policies without reconfiguring services
• Monitoring authorization decisions is hard
20/09/2012
EGI TF 2012, Prague
5
EMI INFSO-RI-261611
• Authorization policies are static
Argus Authorization Service
• A generic authorization system
20/09/2012
EGI TF 2012, Prague
6
EMI INFSO-RI-261611
– Built on top of a XACML policy engine
– Renders consistent authorization decisions based
on XACML policies
Argus Components
• Argus PAP: Policy Administration Point
20/09/2012
EGI TF 2012, Prague
7
EMI INFSO-RI-261611
– Provides administrators with the tools to author
policies (pap-admin)
– Stores and manages authored XACML policies
– Provides managed authorization policies to other
authorization service components (other PAPs or
PDP)
Argus Components
• Argus PDP: Policy Decision Point
20/09/2012
EGI TF 2012, Prague
8
EMI INFSO-RI-261611
– Policy evaluation engine
– Receives authorization requests from the PEP
– Evaluates the authorization requests against the
XACML policies retrieved from the PAP
– Renders the authorization decision
Argus Components
• Argus PEP: Policy Execution Point
• Transforms lightweight internal request into XACML
• Applies a configurable set of filters (PIPs) to the
incoming requests
• Asks the PDP to render an authorization decision
• If requested by the policy, applies the obligation
handler (OH) to determine the user mapping
20/09/2012
EGI TF 2012, Prague
9
EMI INFSO-RI-261611
– Client/Server architecture
– Lightweight PEP client libraries (C and Java)
– PEP Server receives the authorization requests
from the PEP clients
Authorization Policies
Argus is designed to answer the questions:
–Can user X performs action Y on resource Z?
–Is user X banned?
• PERMIT decision
–Allow to authorize users to perform an action on a
resource
• DENY decision
• Both can be expressed with XACML policies
20/09/2012
EGI TF 2012, Prague
10
EMI INFSO-RI-261611
–Allow to ban users
<xacml:PolicySet
xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os”PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policycombining-algorithm:first-applicable" PolicySetId="9784d9ce-16a9-41b9-9d26-b81a97f93616" Version="1">
<xacml:Target>
<xacml:Resources>
<xacml:Resource>
<xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</xacml:AttributeValue>
<xacml:ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</xacml:ResourceMatch>
</xacml:Resource>
</xacml:Resources>
</xacml:Target>
<xacml:PolicyIdReference>public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1</xacml:PolicyIdReference>
</xacml:PolicySet>
<xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os” PolicyId="public_2d8346b8-5cd2-44ad-9ad10eff5d8a6ef1”
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1">
<xacml:Target>
<xacml:Actions>
<xacml:Action>
<xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</xacml:AttributeValue>
<xacml:ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</xacml:ActionMatch>
</xacml:Action>
</xacml:Actions>
</xacml:Target>
<xacml:Rule Effect="Deny" RuleId="43c15124-6635-47ee-b13c-53f672d0de77">
...
20/09/2012
EGI TF 2012, Prague
11
EMI INFSO-RI-261611
Authorization Policies (XACML)
Authorization Policies
• Problem?
–XACML not easy to read and/or understand
–XACML not easy to write, prone to error
• Solution
• pap-admin to create, edit, delete permit/deny
policy rules
20/09/2012
EGI TF 2012, Prague
12
EMI INFSO-RI-261611
–Hide the XACML language complexity
–Introduce a Simplified Policy Language (SPL)
–Provide administrators with simple tool to manage
the policies
Simplified Policy Language (SPL)
• Deny (ban) a particular user by DN
resource ".*" {
action ".*" {
rule deny {
subject=”CN=Valery Tschopp, O=SWITCH, C=CH" }
}
}
resource "http://grid.switch.ch/wn" {
action "http://glite.org/xacml/action/execute" {
rule permit { vo=“atlas" }
}
}
20/09/2012
EGI TF 2012, Prague
13
EMI INFSO-RI-261611
• Permit ATLAS users (VO) to execute a job on a
worker node (WN)
Identifying Resources and Actions
• Actions and Resources are identified by
unique ID or “names”, that are assigned to
them
–Typically URIs, but any string will work
• Resource ID example:
http://cnaf.infn.it/resource/cream-ce
http://glite.org/action/submit-job
http://glite.org/action/execute
20/09/2012
EGI TF 2012, Prague
14
EMI INFSO-RI-261611
• Action ID examples:
Identifying Subjects
Subject in a policy can be identified via the
following attributes:
subject
X509 certificate DN:
subject="CN=Valery Tschopp,O=SWITCH,C=CH”
ca
the CA certificate DN:
ca="CN=INFN CA,O=INFN,C=IT”
vo the name of the Virtual Organization:
vo=”cms”
a VOMS fully qualified attribute name:
fqan=”/atlas/analysis”
20/09/2012
EGI TF 2012, Prague
15
EMI INFSO-RI-261611
fqan
Tool pap-admin
• Administrator tool to manage the PAP
–Policies management
–PAP server management
–PAP authorization management
20/09/2012
EGI TF 2012, Prague
19
EMI INFSO-RI-261611
• Simple way to ban user
• Simple way to create, edit and delete
authorization policies
Tool pap-admin (cont.)
• List currently active policies:
pap-admin list-policies
• Ban/unban users:
pap-admin ban subject "CN=John Doe,O=ACME,C=org”
pap-admin ban subject ”/C=org/O=ACME/CN=Batman”
pap-admin un-ban vo ”atlas“
• Add a generic permit policy:
• And a lot more functionalites…
20/09/2012
EGI TF 2012, Prague
20
EMI INFSO-RI-261611
pap-admin add-policy \
--resource “http://grid.switch.ch/ce_1” \
--action “.*” \
permit fqan=”/atlas/production”
20/09/2012
EGI TF 2012, Prague
21
EMI INFSO-RI-261611
Site Deployment
20/09/2012
EGI TF 2012, Prague
22
EMI INFSO-RI-261611
Hierarchical Policy Distribution
Hierarchical Policy Distribution
• Top PAP
– Manages global banning list
– Have to be trusted by site
• Site PAP
20/09/2012
EGI TF 2012, Prague
23
EMI INFSO-RI-261611
– Retrieves global banning list from top PAP
– Merges it on top of local policies
– FIRST MATCH rules applies in local PDP
Enable WLCG Global Banning
• Add the WLCG PAP
pap-admin apap WLCG argus.cern.ch \
"/DC=ch/DC=cern/OU=computers/CN=argus.cern.ch”
• Set PAP order (top banning)
pap-admin spo WLCG default
• Enable the banning WLCG PAP
pap-admin epap WLCG
• List all policies (WLCG and local ones)
20/09/2012
EGI TF 2012, Prague
24
EMI INFSO-RI-261611
pap-admin lp -all
• General documentation
https://twiki.cern.ch/twiki/bin/view/EGEE/Authoriz
ationFramework
• PAP admin
CLIhttps://twiki.cern.ch/twiki/bin/view/EGEE/AuthZ
PAPCLI
• Simplified Policy Language
https://twiki.cern.ch/twiki/bin/view/EGEE/Simplifie
dPolicyLanguage
• Service Reference Card
https://twiki.cern.ch/twiki/bin/view/EMI/ArgusSRC
20/09/2012
EGI TF 2012, Prague
25
EMI INFSO-RI-261611
Documentation
20/09/2012
EGI TF 2012, Prague
27
EMI INFSO-RI-261611
DEMO
Demo Setup: emitestbed
20/09/2012
EGI TF 2012, Prague
28
EMI INFSO-RI-261611
• EMI UI
• CREAM CE
• Argus Services
• 2 gLExec WN
Demo Setup: Policies
• Policies authorized jobs on CREAM CE and
for gLExec on the WN for a VO
resource "http://emitestbed.cnaf.infn.it/wn" {
obligation "http://glite.org/xacml/obligation/local-environment-map" {}
action ".*" {
rule permit { vo="testers.eu-emi.eu" }
}
}
20/09/2012
EGI TF 2012, Prague
29
EMI INFSO-RI-261611
resource "http://emitestbed.cnaf.infn.it/ce" {
obligation "http://glite.org/xacml/obligation/local-environment-map" {}
action ".*" {
rule permit { vo="testers.eu-emi.eu" }
}
}
Demo Setup: Argus YAIM Config
• Argus node site-info.def
# The Argus hostname
ARGUS_HOST=emitestbed10.cnaf.infn.it
# The DN of a trusted PAP administrator
PAP_ADMIN_DN="/C=IT/O=INFN/OU=Personal
Certificate/L=CNAF/CN=Danilo Nicola Dongiovanni"
# Space separated list of VOs supported by your site
VOS="testers.eu-emi.eu"
20/09/2012
EGI TF 2012, Prague
30
EMI INFSO-RI-261611
# Local mapping configuration
USERS_CONF=/root/siteinfo/users.conf
GROUPS_CONF=/root/siteinfo/groups.conf
Demo Setup: CREAM YAIM Config
• CREAM CE site-info.def
• Enables Argus authorizations
20/09/2012
EGI TF 2012, Prague
31
EMI INFSO-RI-261611
CEMON_HOST=cert-07.cnaf.infn.it
CREAM_DB_USER=tester
CREAM_DB_PASSWORD=****
BLPARSER_HOST=cert-07.cnaf.infn.it
...
USE_ARGUS=yes
ARGUS_PEPD_ENDPOINTS=https://emitestbed10.cnaf.infn.it:8154/authz
CREAM_PEPC_RESOURCEID=http://emitestbed.cnaf.infn.it/ce
Demo Setup: gLExec/WN YAIM
• gLExec on the WN site-info.def
• Enables Argus authorizations
GLEXEC_WN_OPMODE=setuid
GLEXEC_WN_SCAS_ENABLED=no
20/09/2012
EGI TF 2012, Prague
32
EMI INFSO-RI-261611
GLEXEC_WN_ARGUS_ENABLED=yes
ARGUS_PEPD_ENDPOINTS=https://emitestbed10.cnaf.infn.it:8154/authz
GLEXEC_WN_PEPC_RESOURCEID=http://emitestbed.cnaf.infn.it/wn
Demo: Pilot Job Authorization
20/09/2012
EGI TF 2012, Prague
33
EMI INFSO-RI-261611
• The pilot job is authorized on the CE
• The payload is downloaded on the WN
• gLExec executes it under the end-user identity
© Copyright 2025 Paperzz