EMI INFSO-RI
Argus Policies Tutorial
Valery Tschopp - SWITCH
EGI TF 2012, Prague, 20/09/2012
EMI is partially funded by the European Commission under Grant Agreement RI
Authorization
What is authorization?
Can user X perform action Y on resource Z?
Authorization Examples
Can user X...
– execute on this worker node (WN)?
– submit a job to this CREAM CE?
– access this storage area?
– submit a job to this WMS instance?
User X is banned!
– User X is not allowed to do anything on any resource!
Motivations for Argus
Each Grid service has its own authorization mechanism
– Administrators need to know them all
– Authorization rules at a site become difficult to understand and manage
No global banning mechanism
– An urgent ban of malicious users cannot be enforced easily and promptly across distributed sites
Authorization policies are static
– Hard to change policies without reconfiguring services
Monitoring authorization decisions is hard
Argus Authorization Service
A generic authorization system
– Built on top of a XACML policy engine
– Renders consistent authorization decisions based on XACML policies
Argus Components
Argus PAP: Policy Administration Point
– Provides administrators with the tools to author policies (pap-admin)
– Stores and manages the authored XACML policies
– Provides the managed authorization policies to other authorization service components (other PAPs or the PDP)
Argus PDP: Policy Decision Point
– Policy evaluation engine
– Receives authorization requests from the PEP
– Evaluates the authorization requests against the XACML policies retrieved from the PAP
– Renders the authorization decision
Argus PEP: Policy Execution Point
– Client/Server architecture
– Lightweight PEP client libraries (C and Java)
– The PEP Server receives the authorization requests from the PEP clients:
    transforms the lightweight internal request into XACML;
    applies a configurable set of filters (PIPs) to the incoming request;
    asks the PDP to render an authorization decision;
    if requested by the policy, applies the obligation handler (OH) to determine the user mapping
Authorization Policies
Argus is designed to answer the questions:
– Can user X perform action Y on resource Z?
– Is user X banned?
PERMIT decision
– Allows authorizing users to perform an action on a resource
DENY decision
– Allows banning users
Both can be expressed with XACML policies
Authorization Policies (XACML)
    * public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1
    <xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
                  PolicyId="public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1"
                  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
                  Version="1">
    ...
Problem?
– XACML is not easy to read or understand
– XACML is not easy to write and is error-prone
Solution
– Hide the XACML language complexity
– Introduce a Simplified Policy Language (SPL)
– Provide administrators with a simple tool to manage the policies: pap-admin to create, edit and delete permit/deny policy rules
Simplified Policy Language (SPL)
Deny (ban) a particular user by DN:
    resource ".*" {
        action ".*" {
            rule deny { subject="CN=Valery Tschopp, O=SWITCH, C=CH" }
        }
    }
Permit ATLAS users (VO) to execute a job on a worker node (WN); the resource and action IDs were not recovered from the slide and are shown as placeholders:
    resource "<WN resource ID>" {
        action "<execute action ID>" {
            rule permit { vo="atlas" }
        }
    }
Identifying Resources and Actions
Actions and Resources are identified by unique IDs or "names" that are assigned to them
– Typically URIs, but any string will work
Resource ID example:
Action ID examples:
Identifying Subjects
The subject in a policy can be identified via the following attributes:
– subject: the X.509 certificate DN, e.g. subject="CN=Valery Tschopp,O=SWITCH,C=CH"
– ca: the CA certificate DN, e.g. ca="CN=INFN CA,O=INFN,C=IT"
– vo: the name of the Virtual Organization, e.g. vo="cms"
– fqan: a VOMS fully qualified attribute name, e.g. fqan="/atlas/analysis"
SPL Syntax
    resource "<resource ID>" {
        action "<action ID>" {
            rule (permit|deny) {
                <attribute>=...
            } ...
        } ...
    } ...
– AND logic for the attributes inside a rule block
– Policy order matters: first-match algorithm
SPL Example
We have two CEs at our site, ce_1 and ce_2. We want to authorize Valery to contact one, but not the other.
    resource "ce_1" {
        action ".*" {
            rule permit { subject = "CN=Valery Tschopp, O=SWITCH, C=CH" }
        }
    }
    resource "ce_2" {
        action ".*" {
            rule deny { subject = "CN=Valery Tschopp, O=SWITCH, C=CH" }
        }
    }
SPL Example (cont.)
We have to ban all users who are members of the VO 'dteam' from ce_1, except those whose certificate is signed by the INFN CA. The permit rule must be listed first: with first-match evaluation, a deny rule placed before it would also ban the INFN users.
    resource "ce_1" {
        action ".*" {
            rule permit {
                vo = "dteam"
                ca = "CN=INFN CA,O=INFN,C=IT"
            }
            rule deny { vo = "dteam" }
        }
    }
Tool pap-admin
Administrator tool to manage the PAP
– Policies management
– PAP server management
– PAP authorization management
Simple way to ban users
Simple way to create, edit and delete authorization policies
Tool pap-admin (cont.)
List currently active policies:
    pap-admin list-policies
Ban/unban users:
    pap-admin ban subject "CN=John Doe,O=ACME,C=org"
    pap-admin ban subject "/C=org/O=ACME/CN=Batman"
    pap-admin un-ban vo "atlas"
Add a generic permit policy (the resource ID was not recovered from the slide and is shown as a placeholder):
    pap-admin add-policy \
        --resource "<resource ID>" \
        --action ".*" \
        permit fqan="/atlas/production"
And a lot more functionalities...
Site Deployment (diagram)
Hierarchical Policy Distribution
Top PAP
– Manages the global banning list
– Must be trusted by the site
Site PAP
– Retrieves the global banning list from the top PAP
– Merges it on top of the local policies
– The first-match rule applies in the local PDP, so the global deny rules are evaluated before any local permit rule
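The first-match evaluation of the SPL examples and the top-PAP/site-PAP ordering above, as an added Python model that is not Argus code: a minimal evaluator over constructed policies, with a global banning list merged in front of the ce_1/ce_2 and dteam site policies. Resource and action IDs are matched as regular expressions, the action ID "submit" and the banned DN are constructed placeholders.

```python
import re
from dataclasses import dataclass
# Constructed model of SPL first-match evaluation; not Argus code.
@dataclass
class Rule:
    effect: str   # "permit" or "deny"
    attrs: dict   # attribute -> required value; all must match (AND logic)
@dataclass
class Policy:
    resource: str   # resource ID pattern, e.g. "ce_1" or ".*"
    action: str     # action ID pattern
    rules: list     # ordered Rule list
def rule_matches(rule, subject):
    # AND logic inside a rule block: every named attribute must be present on the
    # subject; values are sets because a proxy may carry e.g. several FQANs.
    return all(v in subject.get(a, set()) for a, v in rule.attrs.items())

def evaluate(policies, resource, action, subject):
    """Return "PERMIT", "DENY" or "NOT_APPLICABLE": the first matching rule decides."""
    for policy in policies:
        if not (re.fullmatch(policy.resource, resource)
                and re.fullmatch(policy.action, action)):
            continue
        for rule in policy.rules:
            if rule_matches(rule, subject):
                return rule.effect.upper()
    return "NOT_APPLICABLE"   # no rule applied, so the PEP does not authorize
VALERY = "CN=Valery Tschopp,O=SWITCH,C=CH"
INFN_CA = "CN=INFN CA,O=INFN,C=IT"
BANNED = "CN=Banned User,O=Example,C=XX"   # constructed placeholder DN
# The top PAP (global banning list) is merged in front of the site's local policies.
TOP_PAP = [Policy(".*", ".*", [Rule("deny", {"subject": BANNED})])]
SITE_PAP = [   # the ce_1/ce_2 and dteam examples from the slides
    Policy("ce_1", ".*", [Rule("permit", {"subject": VALERY})]),
    Policy("ce_2", ".*", [Rule("deny", {"subject": VALERY})]),
    Policy("ce_1", ".*", [Rule("permit", {"vo": "dteam", "ca": INFN_CA}),
                          Rule("deny", {"vo": "dteam"})]),
]
POLICIES = TOP_PAP + SITE_PAP
def decide(resource, **attrs):
    # Constructed helper: build a subject whose attribute values are sets.
    subject = {k: (v if isinstance(v, set) else {v}) for k, v in attrs.items()}
    return evaluate(POLICIES, resource, "submit", subject)

if __name__ == "__main__":
    print(decide("ce_1", vo="dteam", ca=INFN_CA))                 # PERMIT
    print(decide("ce_1", vo="dteam", ca="CN=Other CA,O=X,C=XX"))  # DENY
    print(decide("ce_1", subject=BANNED, vo="dteam", ca=INFN_CA)) # DENY: global ban wins
```

Evaluating SITE_PAP alone for the banned subject returns PERMIT, which is why the banning PAP must be ordered before the local policies.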
Enable WLCG Global Banning
Add the WLCG PAP:
    pap-admin apap WLCG argus.cern.ch \
        "/DC=ch/DC=cern/OU=computers/CN=argus.cern.ch"
Set the PAP order (top banning first):
    pap-admin spo WLCG default
Enable the WLCG banning PAP:
    pap-admin epap WLCG
List all policies (WLCG and local ones):
    pap-admin lp -all
Documentation
– General documentation: ...ationFramework
– PAP admin CLI: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI
– Simplified Policy Language: ...dPolicyLanguage
– Service Reference Card
Support and Help
– GGUS Tickets (ARGUS support unit)
– Support mailing list (e-group):
DEMO
Demo Setup: emitestbed
Components (diagram): EMI UI, CREAM CE, Argus Services, gLExec WN
Demo Setup: Policies
Policies authorizing jobs on the CREAM CE and gLExec on the WN for a VO, one policy per resource (the resource and obligation IDs were not recovered from the slide and are shown as placeholders):
    resource "<CREAM CE resource ID>" {
        obligation "<obligation ID>" {}
        action ".*" {
            rule permit { vo="testers.eu-emi.eu" }
        }
    }
    resource "<gLExec WN resource ID>" {
        obligation "<obligation ID>" {}
        action ".*" {
            rule permit { vo="testers.eu-emi.eu" }
        }
    }
Demo Setup: Argus YAIM Config
Argus node site-info.def:
    # The Argus hostname
    ARGUS_HOST=emitestbed10.cnaf.infn.it
    # The DN of a trusted PAP administrator
    PAP_ADMIN_DN="/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Danilo Nicola Dongiovanni"
    # Local mapping configuration
    USERS_CONF=/root/siteinfo/users.conf
    GROUPS_CONF=/root/siteinfo/groups.conf
    # Space separated list of VOs supported by your site
    VOS="testers.eu-emi.eu"
Demo Setup: CREAM YAIM Config
CREAM CE site-info.def; USE_ARGUS=yes enables Argus authorization (the endpoint and resource ID values were not recovered from the slide):
    CEMON_HOST=cert-07.cnaf.infn.it
    CREAM_DB_USER=tester
    CREAM_DB_PASSWORD=****
    BLPARSER_HOST=cert-07.cnaf.infn.it
    ...
    USE_ARGUS=yes
    ARGUS_PEPD_ENDPOINTS=
    CREAM_PEPC_RESOURCEID=
Demo Setup: gLExec/WN YAIM
gLExec on the WN site-info.def; GLEXEC_WN_ARGUS_ENABLED=yes enables Argus authorization (the endpoint and resource ID values were not recovered from the slide):
    GLEXEC_WN_OPMODE=setuid
    GLEXEC_WN_SCAS_ENABLED=no
    GLEXEC_WN_ARGUS_ENABLED=yes
    ARGUS_PEPD_ENDPOINTS=
    GLEXEC_WN_PEPC_RESOURCEID=
Demo: Pilot Job Authorization
– The pilot job is authorized on the CE
– The payload is downloaded on the WN
– gLExec executes it under the end-user identity