Presentation is loading. Please wait.

Presentation is loading. Please wait.

EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.

Published byBeverly Leonard Modified over 8 years ago

Similar presentations

Presentation on theme: "EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team."— Presentation transcript:

1 EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team EGI CF 2013 @ Manchester

2 EMI INFSO-RI-261611 Goal of the tutorial – Present the Argus service – Explain the authorization policies Authorizing VOs, pilot jobs… Banning users Demo – Job submission through CREAM/gLExec using Argus authorization – Banning a user payload in a pilot job Argus Tutorial 11/04/2013EGI CF 2013, Manchester2

3 EMI INFSO-RI-261611 What is authorization? Authorization EGI CF 2013, Manchester11/04/20133

4 EMI INFSO-RI-261611 Can user X perform action Y on resource Z ? Authorization EGI CF 2013, Manchester11/04/20134

5 EMI INFSO-RI-261611 Can user X… – execute on this worker node (WN) ? – submit a job to this CREAM CE ? – access this storage area ? – submit a job to this WMS instance ? User X is banned ! – Is not allowed to do anything on any resource! Authorization Examples EGI CF 2013, Manchester11/04/20135

6 EMI INFSO-RI-261611 Each Grid service has its own authorization mechanism – Administrators need to know them all – Authorization rules at a site become difficult to understand and manage No global banning mechanism – Urgent ban of malicious users cannot be easily and timely enforced on distributed sites Authorization policies are static – Hard to change policies without reconfiguring services Monitoring authorization decisions is hard Motivations for Argus EGI CF 2013, Manchester11/04/20136

7 EMI INFSO-RI-261611 A generic authorization system – Built on top of a XACML policy engine – Renders consistent authorization decisions based on XACML policies Argus Authorization Service EGI CF 2013, Manchester11/04/20137

8 EMI INFSO-RI-261611 Argus PAP: Policy Administration Point – Provides administrators with the tools to author policies (pap-admin) – Stores and manages authored XACML policies – Provides managed authorization policies to other authorization service components (other PAPs or PDP) Argus Components EGI CF 2013, Manchester11/04/20138

9 EMI INFSO-RI-261611 Argus PDP: Policy Decision Point – Policy evaluation engine – Receives authorization requests from the PEP – Evaluates the authorization requests against the XACML policies retrieved from the PAP – Renders the authorization decision Argus Components EGI CF 2013, Manchester11/04/20139

10 EMI INFSO-RI-261611 Argus PEP: Policy Execution Point – Client/Server architecture – Lightweight PEP client libraries (C and Java) – PEP Server receives the authorization requests from the PEP clients Transforms lightweight internal request into XACML Applies a configurable set of filters (PIPs) to the incoming requests Asks the PDP to render an authorization decision If requested by the policy, applies the obligation handler (OH) to determine the user mapping Argus Components EGI CF 2013, Manchester11/04/201310

11 EMI INFSO-RI-261611 Argus is designed to answer the questions: – Can user X performs action Y on resource Z? – Is user X banned? PERMIT decision – Allow to authorize users to perform an action on a resource DENY decision – Allow to ban users Both can be expressed with XACML policies Authorization Policies EGI CF 2013, Manchester11/04/201311

12 EMI INFSO-RI-261611.* public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1 <xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os” PolicyId="public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1” RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1">.*... Authorization Policies (XACML) EGI CF 2013, Manchester11/04/201312

13 EMI INFSO-RI-261611 Problem? – XACML not easy to read and/or understand – XACML not easy to write, prone to error Solution – Hide the XACML language complexity – Introduce a Simplified Policy Language (SPL) – Provide administrators with simple tool to manage the policies pap-admin to create, edit, delete permit/deny policy rules Authorization Policies EGI CF 2013, Manchester11/04/201313

14 EMI INFSO-RI-261611 Deny (ban) a particular user by DN resource ".*" { action ".*" { rule deny { subject=”CN=Valery Tschopp, O=SWITCH, C=CH" } } Permit ATLAS users (VO) to execute a job on a worker node (WN) resource "http://grid.switch.ch/wn" { action "http://glite.org/xacml/action/execute" { rule permit { vo=“atlas" } } Simplified Policy Language (SPL) EGI CF 2013, Manchester11/04/201314

15 EMI INFSO-RI-261611 Actions and Resources are identified by unique ID or “names”, that are assigned to them – Typically URIs, but any string will work Resource ID example: http://emitestbed.cnaf.infn.it/ce Action ID examples: http://glite.org/action/submit-job http://glite.org/action/execute Identifying Resources and Actions EGI CF 2013, Manchester11/04/201315

16 EMI INFSO-RI-261611 Subject in a policy can be identified via the following attributes: subject X509 certificate DN (RFC2253 format): subject="CN=Valery Tschopp,O=SWITCH,C=CH” ca the CA certificate DN (RFC2253 format): ca="CN=INFN CA,O=INFN,C=IT” vo the name of the Virtual Organization: vo=”cms” fqan a VOMS fully qualified attribute name: fqan=”/atlas/analysis” Identifying Subjects EGI CF 2013, Manchester11/04/201316

17 EMI INFSO-RI-261611 AND logic for attributes inside a block Policy order matters: First match algorithm SPL Syntax resource { action { rule (permit|deny) { =... }... }... resource { action { rule (permit|deny) { =... }... }... EGI CF 2013, Manchester11/04/201317

18 EMI INFSO-RI-261611 We have two CEs at our site, ce_1 and ce_2. We want to authorize Valery to contact one, but not the other. SPL Example resource “ce_1” { action “.*” { rule permit { subject = “CN=Valery Tschopp, O=SWITCH, C=CH” } resource “ce_2” { action “.*” { rule deny { subject = “CN=Valery Tschopp, O=SWITCH, C=CH” } resource “ce_1” { action “.*” { rule permit { subject = “CN=Valery Tschopp, O=SWITCH, C=CH” } resource “ce_2” { action “.*” { rule deny { subject = “CN=Valery Tschopp, O=SWITCH, C=CH” } EGI CF 2013, Manchester11/04/201318

19 EMI INFSO-RI-261611 We have to ban all users member of VO ‘dteam’ from ce_1, but not those who have certificate signed by the INFA CA SPL Example (cont.) resource “ce_1” { action “.*” { rule permit { vo = “dteam” ca = “CN=INFN CA,O=INFN,C=IT” } rule deny { vo = “dteam” } resource “ce_1” { action “.*” { rule permit { vo = “dteam” ca = “CN=INFN CA,O=INFN,C=IT” } rule deny { vo = “dteam” } EGI CF 2013, Manchester11/04/201319

20 EMI INFSO-RI-261611 Administrator tool to manage the PAP – Policies management – PAP server management – PAP authorization management Simple way to ban user Simple way to create, edit and delete authorization policies Tool pap-admin EGI CF 2013, Manchester11/04/201320

21 EMI INFSO-RI-261611 List currently active policies: pap-admin list-policies Ban/unban users: pap-admin ban subject "CN=John Doe,O=ACME,C=org” pap-admin un-ban vo ”atlas“ Add a generic permit policy: pap-admin add-policy \ --resource “http://grid.switch.ch/ce_1” \ --action “.*” \ permit fqan=”/atlas/production” And a lot more functionalites… Tool pap-admin (cont.) EGI CF 2013, Manchester11/04/201321

22 EMI INFSO-RI-261611 Site Deployment EGI CF 2013, Manchester11/04/201322

23 EMI INFSO-RI-261611 Hierarchical Policy Distribution EGI CF 2013, Manchester11/04/201323

24 EMI INFSO-RI-261611 Top PAP – Manages global banning list – Have to be trusted by site Site PAP – Retrieves global banning list from top PAP – Merges it on top of local policies – FIRST MATCH rules applies in local PDP Hierarchical Policy Distribution EGI CF 2013, Manchester11/04/201324

25 EMI INFSO-RI-261611 Add the WLCG PAP pap-admin apap WLCG argus.cern.ch \ "/DC=ch/DC=cern/OU=computers/CN=argus.cern.ch” Set PAP order (top banning) pap-admin spo WLCG default Enable the banning WLCG PAP pap-admin epap WLCG List all policies (WLCG and local ones) pap-admin lp -all Enable WLCG Global Banning EGI CF 2013, Manchester11/04/201325

26 EMI INFSO-RI-261611 General documentation https://twiki.cern.ch/twiki/bin/view/EGEE/Authoriz ationFramework https://twiki.cern.ch/twiki/bin/view/EGEE/Authoriz ationFramework PAP admin CLIhttps://twiki.cern.ch/twiki/bin/view/EGEE/AuthZ PAPCLIhttps://twiki.cern.ch/twiki/bin/view/EGEE/AuthZ PAPCLI Simplified Policy Language https://twiki.cern.ch/twiki/bin/view/EGEE/Simplifie dPolicyLanguage https://twiki.cern.ch/twiki/bin/view/EGEE/Simplifie dPolicyLanguage Service Reference Card https://twiki.cern.ch/twiki/bin/view/EMI/ArgusSRC https://twiki.cern.ch/twiki/bin/view/EMI/ArgusSRC Documentation EGI CF 2013, Manchester11/04/201326

27 EMI INFSO-RI-261611 GGUS Tickets (ARGUS support unit) https://ggus.eu Support mailing list (e-group): argus-support@cern.ch Support and Help EGI CF 2013, Manchester11/04/201327

28 EMI INFSO-RI-261611 DEMO EGI CF 2013, Manchester11/04/201328

29 EMI INFSO-RI-261611 EMI UI CREAM CE Argus Service gLExec WN Demo Setup: emitestbed EGI CF 2013, Manchester11/04/201329

30 EMI INFSO-RI-261611 Policies authorized jobs on CREAM CE and for gLExec on the WN for a VO Demo Setup: Policies EGI CF 2013, Manchester11/04/201330 resource "http://emitestbed.cnaf.infn.it/ce" { obligation "http://glite.org/xacml/obligation/local-environment-map" {} action ".*" { rule permit { vo="testers.eu-emi.eu" } } resource "http://emitestbed.cnaf.infn.it/wn" { obligation "http://glite.org/xacml/obligation/local-environment-map" {} action ".*" { rule permit { vo="testers.eu-emi.eu" } } resource "http://emitestbed.cnaf.infn.it/ce" { obligation "http://glite.org/xacml/obligation/local-environment-map" {} action ".*" { rule permit { vo="testers.eu-emi.eu" } } resource "http://emitestbed.cnaf.infn.it/wn" { obligation "http://glite.org/xacml/obligation/local-environment-map" {} action ".*" { rule permit { vo="testers.eu-emi.eu" } }

31 EMI INFSO-RI-261611 Argus node site-info.def Demo Setup: Argus YAIM Config EGI CF 2013, Manchester11/04/201331 # The Argus hostname ARGUS_HOST=emitestbed45.cnaf.infn.it # The DN of a trusted PAP administrator PAP_ADMIN_DN="/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Danilo Nicola Dongiovanni" # Local mapping configuration USERS_CONF=/root/siteinfo/users.conf GROUPS_CONF=/root/siteinfo/groups.conf # Space separated list of VOs supported by your site VOS="testers.eu-emi.eu" # The Argus hostname ARGUS_HOST=emitestbed45.cnaf.infn.it # The DN of a trusted PAP administrator PAP_ADMIN_DN="/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Danilo Nicola Dongiovanni" # Local mapping configuration USERS_CONF=/root/siteinfo/users.conf GROUPS_CONF=/root/siteinfo/groups.conf # Space separated list of VOs supported by your site VOS="testers.eu-emi.eu"

32 EMI INFSO-RI-261611 CREAM CE site-info.def Enables Argus authorizations Demo Setup: CREAM YAIM Config EGI CF 2013, Manchester11/04/201332 CEMON_HOST=emitestbed59.cnaf.infn.it CREAM_DB_USER=tester CREAM_DB_PASSWORD=**** BLPARSER_HOST=emitestbed59.cnaf.infn.it... USE_ARGUS=yes ARGUS_PEPD_ENDPOINTS=https://emitestbed45.cnaf.infn.it:8154/authz CREAM_PEPC_RESOURCEID=http://emitestbed.cnaf.infn.it/ce CEMON_HOST=emitestbed59.cnaf.infn.it CREAM_DB_USER=tester CREAM_DB_PASSWORD=**** BLPARSER_HOST=emitestbed59.cnaf.infn.it... USE_ARGUS=yes ARGUS_PEPD_ENDPOINTS=https://emitestbed45.cnaf.infn.it:8154/authz CREAM_PEPC_RESOURCEID=http://emitestbed.cnaf.infn.it/ce

33 EMI INFSO-RI-261611 gLExec on the WN site-info.def Enables Argus authorizations Demo Setup: gLExec/WN YAIM EGI CF 2013, Manchester11/04/201333 GLEXEC_WN_OPMODE=setuid GLEXEC_WN_SCAS_ENABLED=no GLEXEC_WN_ARGUS_ENABLED=yes ARGUS_PEPD_ENDPOINTS=https://emitestbed45.cnaf.infn.it:8154/authz GLEXEC_WN_PEPC_RESOURCEID=http://emitestbed.cnaf.infn.it/wn GLEXEC_WN_OPMODE=setuid GLEXEC_WN_SCAS_ENABLED=no GLEXEC_WN_ARGUS_ENABLED=yes ARGUS_PEPD_ENDPOINTS=https://emitestbed45.cnaf.infn.it:8154/authz GLEXEC_WN_PEPC_RESOURCEID=http://emitestbed.cnaf.infn.it/wn

34 EMI INFSO-RI-261611 Demo: Pilot Job Authorization The pilot job is authorized on the CE The payload is downloaded on the WN gLExec executes it under the end-user identity EGI CF 2013, Manchester11/04/201334

Download ppt "EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team."

Similar presentations

1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug 2009 1.

Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.

INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
1 Update on the Vulnerability Assessment Effort Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona.

1 Update on the Vulnerability Assessment Effort Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona.
GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.

GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.
Elisa Bertino Purdue University Pag. 1 Security of Distributed Systems Part II Elisa Bertino CERIAS and CS &ECE Departments Purdue University.

Elisa Bertino Purdue University Pag. 1 Security of Distributed Systems Part II Elisa Bertino CERIAS and CS &ECE Departments Purdue University.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org EGEE and gLite are registered trademarks Security and Job Management.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security and Job Management.
VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.

VOMRS/VOMS-Admin Convergence and VO Services Project Status Tanya Levshina Computing Division, Fermilab.
11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.

11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Argus gLite Authorization Service Status.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Status.
Mine Altunay July 30, 2007 Security and Privacy in OSG.

Mine Altunay July 30, 2007 Security and Privacy in OSG.
Glexec, SCAS & CREAM. Milestones CREAM-CE capable of large-scale direct job submission Glexec & SCAS capable of large-scale use on WN in logging only.

Glexec, SCAS & CREAM. Milestones CREAM-CE capable of large-scale direct job submission Glexec & SCAS capable of large-scale use on WN in logging only.

Similar presentations

Ads by Google