EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

Presentation transcript:


Authorization (EMI INFSO-RI, EGI TF 2012, Prague, 20/09/2012)
What is authorization?

Authorization
Can user X perform action Y on resource Z?

Authorization Examples
Can user X...
– execute on this worker node (WN)?
– submit a job to this CREAM CE?
– access this storage area?
– submit a job to this WMS instance?
User X is banned!
– Is not allowed to do anything on any resource!

Motivations for Argus
Each Grid service has its own authorization mechanism
– Administrators need to know them all
– Authorization rules at a site become difficult to understand and manage
No global banning mechanism
– An urgent ban of malicious users cannot be easily and promptly enforced on distributed sites
Authorization policies are static
– Hard to change policies without reconfiguring services
Monitoring authorization decisions is hard

Argus Authorization Service
A generic authorization system
– Built on top of a XACML policy engine
– Renders consistent authorization decisions based on XACML policies

Argus Components
Argus PAP: Policy Administration Point
– Provides administrators with the tools to author policies (pap-admin)
– Stores and manages authored XACML policies
– Provides managed authorization policies to other authorization service components (other PAPs or PDP)

Argus Components
Argus PDP: Policy Decision Point
– Policy evaluation engine
– Receives authorization requests from the PEP
– Evaluates the authorization requests against the XACML policies retrieved from the PAP
– Renders the authorization decision

Argus Components
Argus PEP: Policy Execution Point
– Client/Server architecture
– Lightweight PEP client libraries (C and Java)
– PEP Server receives the authorization requests from the PEP clients:
  Transforms the lightweight internal request into XACML
  Applies a configurable set of filters (PIPs) to the incoming requests
  Asks the PDP to render an authorization decision
  If requested by the policy, applies the obligation handler (OH) to determine the user mapping

Authorization Policies
Argus is designed to answer the questions:
– Can user X perform action Y on resource Z?
– Is user X banned?
PERMIT decision
– Allows authorizing users to perform an action on a resource
DENY decision
– Allows banning users
Both can be expressed with XACML policies

Authorization Policies (XACML)
* public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1
<xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicyId="public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1">
...

Authorization Policies
Problem?
– XACML is not easy to read and/or understand
– XACML is not easy to write, and prone to error
Solution
– Hide the XACML language complexity
– Introduce a Simplified Policy Language (SPL)
– Provide administrators with a simple tool to manage the policies: pap-admin to create, edit and delete permit/deny policy rules

Simplified Policy Language (SPL)
Deny (ban) a particular user by DN:
resource ".*" {
  action ".*" {
    rule deny {
      subject="CN=Valery Tschopp, O=SWITCH, C=CH"
    }
  }
}
Permit ATLAS users (VO) to execute a job on a worker node (WN):
resource " {
  action " {
    rule permit {
      vo="atlas"
    }
  }
}

Identifying Resources and Actions
Actions and Resources are identified by the unique IDs or "names" that are assigned to them
– Typically URIs, but any string will work
Resource ID example:
Action ID examples:

Identifying Subjects
The subject in a policy can be identified via the following attributes:
subject: the X509 certificate DN, e.g. subject="CN=Valery Tschopp,O=SWITCH,C=CH"
ca: the CA certificate DN, e.g. ca="CN=INFN CA,O=INFN,C=IT"
vo: the name of the Virtual Organization, e.g. vo="cms"
fqan: a VOMS fully qualified attribute name, e.g. fqan="/atlas/analysis"

SPL Syntax
resource {
  action {
    rule (permit|deny) {
      =...
    }
    ...
  }
  ...
}
...
AND logic for attributes inside a block
Policy order matters: first-match algorithm

SPL Example
We have two CEs at our site, ce_1 and ce_2. We want to authorize Valery to contact one, but not the other.
resource "ce_1" {
  action ".*" {
    rule permit {
      subject = "CN=Valery Tschopp, O=SWITCH, C=CH"
    }
  }
}
resource "ce_2" {
  action ".*" {
    rule deny {
      subject = "CN=Valery Tschopp, O=SWITCH, C=CH"
    }
  }
}

SPL Example (cont.)
We have to ban all users who are members of VO 'dteam' from ce_1, but not those whose certificate is signed by the INFN CA. The permit rule comes first, so it matches before the deny:
resource "ce_1" {
  action ".*" {
    rule permit {
      vo = "dteam"
      ca = "CN=INFN CA,O=INFN,C=IT"
    }
    rule deny {
      vo = "dteam"
    }
  }
}

Tool pap-admin
Administrator tool to manage the PAP
– Policies management
– PAP server management
– PAP authorization management
Simple way to ban users
Simple way to create, edit and delete authorization policies

Tool pap-admin (cont.)
List currently active policies:
  pap-admin list-policies
Ban/unban users:
  pap-admin ban subject "CN=John Doe,O=ACME,C=org"
  pap-admin ban subject "/C=org/O=ACME/CN=Batman"
  pap-admin un-ban vo "atlas"
Add a generic permit policy:
  pap-admin add-policy \
    --resource " \
    --action ".*" \
    permit fqan="/atlas/production"
And a lot more functionalities...

Site Deployment (diagram slide)

Hierarchical Policy Distribution (diagram slide)

Hierarchical Policy Distribution
Top PAP
– Manages the global banning list
– Has to be trusted by the site
Site PAP
– Retrieves the global banning list from the top PAP
– Merges it on top of the local policies
– The FIRST MATCH rule applies in the local PDP, so the banning list is evaluated before any local permit

Enable WLCG Global Banning
Add the WLCG PAP:
  pap-admin apap WLCG argus.cern.ch \
    "/DC=ch/DC=cern/OU=computers/CN=argus.cern.ch"
Set the PAP order (top banning first):
  pap-admin spo WLCG default
Enable the WLCG banning PAP:
  pap-admin epap WLCG
List all policies (WLCG and local ones):
  pap-admin lp -all
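The first-match semantics of the SPL syntax and example slides above, and the PAP ordering that the top banning list depends on, can be checked with a small model. The Python below is an added example, not code from the slides and not the Argus PAP or PDP implementation: it parses the SPL subset shown on the slides (resource, action and rule blocks with attribute="value" pairs) and evaluates a request in policy order. It assumes that resource and action IDs are matched as regular expressions (so ".*" behaves as on the slides), that subject attributes are single-valued exact strings, and the banned DN and the site policy text are constructed for the example.

```python
import re
from typing import Dict

# Tokenizer for the SPL subset on the slides: quoted strings, braces, '=' and bare words.
TOKEN_RE = re.compile(r'"[^"]*"|[{}=]|[^\s{}="]+')


def parse_spl(text: str) -> list:
    """Parse: resource "id" { action "id" { rule permit|deny { attr="value" ... } } }
    into [(resource_id, [(action_id, [(effect, {attr: value})])])]."""
    toks = TOKEN_RE.findall(text)
    pos = 0

    def peek() -> str:
        if pos >= len(toks):
            raise SyntaxError("unexpected end of policy text")
        return toks[pos]

    def take(expected: str = "") -> str:
        nonlocal pos
        tok = peek()
        if expected and tok != expected:
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        pos += 1
        return tok

    def quoted() -> str:  # an ID or attribute value must be a double-quoted string
        tok = take()
        if len(tok) < 2 or tok[0] != '"' or tok[-1] != '"':
            raise SyntaxError(f"expected a quoted string, got {tok!r}")
        return tok[1:-1]

    policies = []
    while pos < len(toks):
        take("resource")
        res_id, actions = quoted(), []
        take("{")
        while peek() != "}":
            take("action")
            act_id, rules = quoted(), []
            take("{")
            while peek() != "}":
                take("rule")
                effect = take()
                if effect not in ("permit", "deny"):
                    raise SyntaxError(f"rule effect must be permit or deny, got {effect!r}")
                take("{")
                attrs: Dict[str, str] = {}
                while peek() != "}":  # AND logic: every attribute in the block must match
                    name = take()
                    take("=")
                    attrs[name] = quoted()
                take("}")
                rules.append((effect, attrs))
            take("}")
            actions.append((act_id, rules))
        take("}")
        policies.append((res_id, actions))
    return policies


def evaluate(policies: list, resource: str, action: str, subject: Dict[str, str]) -> str:
    """First match wins, in policy order, as the slides describe for the PDP.
    Model assumptions: resource/action IDs are regular expressions (so ".*" matches
    anything); subject attributes (subject, ca, vo, fqan) are exact strings.  No match
    gives NOT_APPLICABLE, which a PEP must not treat as an authorization."""
    for res_id, actions in policies:
        if not re.fullmatch(res_id, resource):
            continue
        for act_id, rules in actions:
            if not re.fullmatch(act_id, action):
                continue
            for effect, attrs in rules:
                if all(subject.get(k) == v for k, v in attrs.items()):
                    return effect.upper()
    return "NOT_APPLICABLE"


# Constructed sample policies (not the slides' real deployment).  The top PAP carries
# the global banning list: here one constructed DN denied on every resource and action.
TOP_PAP_SPL = '''
resource ".*" {
  action ".*" {
    rule deny { subject="CN=Banned User,O=Example,C=XX" }
  }
}
'''
# Site PAP: the ce_1 / dteam example from the slides plus a permit for the ATLAS VO.
LOCAL_PAP_SPL = '''
resource "ce_1" {
  action ".*" {
    rule permit { vo="dteam" ca="CN=INFN CA,O=INFN,C=IT" }
    rule deny   { vo="dteam" }
    rule permit { vo="atlas" }
  }
}
'''


def site_policies(banning_first: bool = True) -> list:
    """Policies as the site PAP hands them to the PDP, with or without the top PAP first."""
    top, local = parse_spl(TOP_PAP_SPL), parse_spl(LOCAL_PAP_SPL)
    return top + local if banning_first else local + top
```

With the top PAP ordered first, evaluate(site_policies(True), "ce_1", "submit", {...banned DN, vo atlas...}) returns DENY; with the local policies first the same request returns PERMIT, because the local ATLAS permit is the first rule to match. That is exactly the difference the "pap-admin spo WLCG default" step makes, and why the slide stresses that policy order matters. The dteam case reproduces the earlier example: an INFN-signed dteam member is permitted on ce_1, any other dteam member is denied.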

Documentation
General documentation
PAP admin CLI: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI
Simplified Policy Language
Service Reference Card

Support and Help
GGUS tickets (ARGUS support unit)
Support mailing list (e-group):

DEMO

Demo Setup: emitestbed (diagram slide)
Components: EMI UI, CREAM CE, Argus Services, 2 gLExec WN

Demo Setup: Policies
Policies authorizing jobs on the CREAM CE and for gLExec on the WN for a VO:
resource " {
  obligation " {}
  action ".*" {
    rule permit {
      vo="testers.eu-emi.eu"
    }
  }
}
resource " {
  obligation " {}
  action ".*" {
    rule permit {
      vo="testers.eu-emi.eu"
    }
  }
}

Demo Setup: Argus YAIM Config
Argus node site-info.def:
# The Argus hostname
ARGUS_HOST=emitestbed10.cnaf.infn.it
# The DN of a trusted PAP administrator
PAP_ADMIN_DN="/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Danilo Nicola Dongiovanni"
# Local mapping configuration
USERS_CONF=/root/siteinfo/users.conf
GROUPS_CONF=/root/siteinfo/groups.conf
# Space separated list of VOs supported by your site
VOS="testers.eu-emi.eu"

Demo Setup: CREAM YAIM Config
CREAM CE site-info.def (enables Argus authorization):
CEMON_HOST=cert-07.cnaf.infn.it
CREAM_DB_USER=tester
CREAM_DB_PASSWORD=****
BLPARSER_HOST=cert-07.cnaf.infn.it
...
USE_ARGUS=yes
ARGUS_PEPD_ENDPOINTS=
CREAM_PEPC_RESOURCEID=

Demo Setup: gLExec/WN YAIM
gLExec on the WN site-info.def (enables Argus authorization):
GLEXEC_WN_OPMODE=setuid
GLEXEC_WN_SCAS_ENABLED=no
GLEXEC_WN_ARGUS_ENABLED=yes
ARGUS_PEPD_ENDPOINTS=
GLEXEC_WN_PEPC_RESOURCEID=

Demo: Pilot Job Authorization
The pilot job is authorized on the CE
The payload is downloaded on the WN
gLExec executes it under the end-user identity