Argus: The EMI Authorization Service. Valery Tschopp (SWITCH), Argus Product Team. EMI INFSO-RI-261611. Presentation transcript.


Slide 1: Argus, The EMI Authorization Service

Valery Tschopp (SWITCH), Argus Product Team

Slide 2: Outline

Argus Authorization Service
Service Deployment
Authorization Policies
Simplified Policy Language
pap-admin Tool
Pilot Jobs Authorization
Argus 1.3 EMI-1 Release
Conclusions

12/04/2011, Argus Authorization Service, EGI User Forum 2011, Vilnius

Slide 3: Argus Authorization Service

Renders consistent authorization decisions based on XACML policies
– Can user X perform action Y on resource Z?
– Ban user by DN, FQAN, issuing CA, …!

Slide 4: Argus Authorization Service (cont.)

Argus PAP: Policy Administration Point
– Provides site administrators with the tools for authoring policies (pap-admin)
– Stores and manages authored XACML policies
– Provides managed authorization policies to other authorization service components (other PAPs or PDP)

Slide 5: Argus Authorization Service (cont.)

Argus PDP: Policy Decision Point
– Policy evaluation engine
– Receives authorization requests from the PEP
– Evaluates the authorization requests against the XACML policies retrieved from the PAP
– Renders the authorization decision

Slide 6: Argus Authorization Service (cont.)

Argus PEP: Policy Execution Point
– Client/Server architecture
– Lightweight PEP client libraries (C and Java)
– PEP Server receives the authorization requests from the PEP clients
– Applies additional filters to the requests (PIP)
– Asks the PDP to render an authorization decision
– Applies the obligation handler (OH) to determine the user mapping

Slide 7: Service Deployment

Argus as a service to manage consistent authorization policy-based decisions

Slide 8: Service Deployment (cont.)

Hierarchical distribution of policies

Slide 9: Service Deployment (cont.)

Global banning list (EGI, NGI, …)
Local site authorization policies
Experiment specific policies

Slide 10: Argus Service Operations

Open ports (firewall):
– PAP: 8150 (pap-admin, policies distribution)
– PEP Server: 8154 (PEP client connections)
Log and audit files: /var/log/argus/(pap|pdp|pepd)
Init scripts:
    /etc/init.d/argus-pap {start|stop|status}
    /etc/init.d/argus-pdp {start|stop|status|reloadpolicy}
    /etc/init.d/argus-pepd {start|stop|status|clearcache}
Nagios plugins available to monitor the service

Slide 11: Authorization Policies

Argus is designed to answer the questions:
– Can user X perform action Y on resource Z?
– Is user X banned?
PERMIT decision
– Allows users to be authorized to perform an action on a resource
DENY decision
– Allows users to be banned
Both can be expressed with XACML policies

Slide 12: Authorization Policies (cont.)

XACML policies !?!

Excerpt of the XACML generated for one policy (id public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1; the slide also shows its resource value ".*"):

    <xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
                  PolicyId="public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1"
                  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
                  Version="1">
    ...

Slide 13: Authorization Policies (cont.)

Problem?
– XACML is not easy to read and/or understand
– XACML is not easy to write, and prone to error
Solution
– Hide the XACML language complexity
– Introduce a Simplified Policy Language (SPL)
– Provide administrators with a simple tool to manage the policies: pap-admin to create, edit, delete permit/deny policy rules

Slide 14: Simplified Policy Language

Ban a particular user by DN:

    resource ".*" {
        action ".*" {
            rule deny { subject="/C=CH/O=SWITCH/CN=Valery Tschopp" }
        }
    }

Permit ATLAS users (FQAN) to execute a job on a worker node (WN):

    resource "http://grid.switch.ch/wn" {
        action "http://glite.org/xacml/action/execute" {
            rule permit { fqan="/atlas" }
        }
    }

Slide 15: pap-admin Tool

Administrator's tool to manage the PAP
– Policies management
– PAP server management
– PAP authorization management
Simple way to ban a user
Simple way to create, edit and delete authorization policies

Slide 16: pap-admin Tool (cont.)

Create authorization policies

Permit a user by distinguished name (DN):

    $ pap-admin add-policy --resource "http://grid.switch.ch/wn" \
        --action "http://glite.org/xacml/action/execute" \
        permit subject="CN=Valery Tschopp,O=SWITCH,C=ch"

Permit users by primary FQAN:

    $ pap-admin ap --resource "http://grid.switch.ch/wn" \
        --action "http://glite.org/xacml/action/execute" \
        permit pfqan="/atlas"

Ban a user for any action and resource:

    $ pap-admin ban subject "CN=John Doe,O=ACME,C=org"

Slide 17: pap-admin Tool (cont.)

Listing existing authorization policies:

    $ pap-admin lp
    Enter the passphrase for the private key /home/tschopp/.globus/userkey.pem:

    default (local):

    resource ".*" {
        action ".*" {
            rule deny { subject="CN=John Doe,O=ACME,C=org" }
        }
    }

    resource "http://grid.switch.ch/atlas-cluster" {
        obligation "http://glite.org/xacml/obligation/local-environment-map" {
        }
        action "http://glite.org/xacml/action/execute" {
            rule permit { pfqan="/atlas" }
            rule permit { subject="CN=Valery Tschopp,O=SWITCH,C=ch" }
    …

Slide 18: Pilot Jobs Authorization

Payload is downloaded on the WN
gLExec runs it under the end-user identity

Slide 19: Pilot Job Authorization (cont.)

Pilot Job Policy:

    resource "http://grid.switch.ch/wn" {
        obligation "http://glite.org/xacml/obligation/local-environment-map" {
        }
        action "http://glite.org/xacml/action/execute" {
            rule permit { pfqan="/atlas/Role=pilot" }
            rule permit { fqan="/atlas/analysis" }
        }
    }
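As an added example (not part of the slides or of the Argus code base), the Python below models how the SPL policies from slides 14, 17 and 19 combine when answering "can user X perform action Y on resource Z?" under the first-applicable rule-combining algorithm named in the XACML dump on slide 12. The policy set, the sample subjects and the attribute semantics (pfqan compared with the primary FQAN, fqan with any FQAN the subject holds, resource and action identifiers matched as regular expressions) are assumptions of this model, not an export of a real PAP or the PDP's own code.

```python
import re

EXECUTE = "http://glite.org/xacml/action/execute"
WN = "http://grid.switch.ch/wn"
MAP_OBLIGATION = "http://glite.org/xacml/obligation/local-environment-map"

# Policy set in the order `pap-admin lp` prints it: the global ban first,
# then the site's WN permits. Constructed from the slides, not a PAP export.
POLICIES = [
    {"resource": ".*", "action": ".*", "obligations": [],
     "rules": [("deny", {"subject": "CN=John Doe,O=ACME,C=org"})]},
    {"resource": WN, "action": EXECUTE, "obligations": [MAP_OBLIGATION],
     "rules": [("permit", {"pfqan": "/atlas/Role=pilot"}),
               ("permit", {"fqan": "/atlas/analysis"}),
               ("permit", {"subject": "CN=Valery Tschopp,O=SWITCH,C=ch"})]},
]

def rule_matches(conditions, request):
    """Every attribute of a rule must hold. Assumed semantics: 'pfqan' is
    compared with the primary FQAN, 'fqan' with any FQAN the subject holds."""
    for attr, wanted in conditions.items():
        if attr == "subject":
            ok = request["subject"] == wanted
        elif attr == "pfqan":
            ok = request["pfqan"] == wanted
        elif attr == "fqan":
            ok = wanted in request["fqans"]
        else:
            ok = False  # an unknown attribute never matches (fail closed)
        if not ok:
            return False
    return True

def evaluate(policies, request):
    """First-applicable combining: the first rule whose policy matches the
    resource and action and whose attributes hold decides. Resource/action
    ids are full-match regular expressions, as ".*" on the slides (assumption)."""
    for policy in policies:
        if not re.fullmatch(policy["resource"], request["resource"]):
            continue
        if not re.fullmatch(policy["action"], request["action"]):
            continue
        for effect, conditions in policy["rules"]:
            if rule_matches(conditions, request):
                obligations = policy["obligations"] if effect == "permit" else []
                return effect, obligations
    # No rule applied: a PEP must treat this as a refusal, never as a permit.
    return "not-applicable", []
```

With this ordering a banned DN is refused on every resource and action even when it holds a permitted FQAN, while a subject matching no rule gets not-applicable rather than a permit.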

Slide 20: Argus 1.3 EMI-1 Release

Argus 1.3
– Compatible with gLite 3.2 Argus PEP client libraries (C and Java)
– Support for LFC/DPM banning engine
– Bug fixes
Will be released for EMI-1 (end April)
Is it a problem for a gLite 3.2 site?
– Install the Argus 1.3 EMI-1 service (standalone)
– Keep the existing gLite 3.2 applications

Slide 21: Conclusions

Global banning list policies
Site specific authorization policies
Experiment specific authorization policies
Consistent authorization decisions across the whole middleware stack (CE, WN, …)
Pilot Jobs authorization and mapping
Simple tool to manage authorization

Slide 22: Documentation

General documentation: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
Service Reference Card: https://twiki.cern.ch/twiki/bin/view/EMI/ArgusSRC
PAP admin CLI: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI
Simplified Policy Language: https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage

Slide 23: Support

GGUS Tickets (ARGUS Support Unit): https://gus.fzk.de
Support mailing list (e-group): argus-support@cern.ch

Slide 24: Thank you

EMI is partially funded by the European Commission under Grant Agreement INFSO-RI-261611