
Slide 1: Argus: command line usage and banning
Christoph Witzig, SWITCH (christoph.witzig@switch.ch)
EGEE-II INFSO-RI-031688, Enabling Grids for E-sciencE, www.eu-egee.org (EGEE and gLite are registered trademarks)

Slide 2: Outline (OSCT/MWSG meeting, EGEE09, Sept 22, 2009)
Introduction
Command line interface
Global Banning
Summary

Slide 3: Introduction
Institutions involved:
– CNAF, HIP, NIKHEF, SWITCH
Argus = Attribute-based Authorization service
– Attributes = DN, CA, FQAN, …
– Internal engine that determines whether a request containing a set of attributes shall be authorized or not
Decisions are taken for a given resource and a given action:
– E.g. a WN has a resource id and the action may be “execute_pilot”
– Policies are formulated for
  – an individual resource and action
  – groups of resources and groups of actions
  – all resources and all actions
Default deployment: all components on a single host
Note abbreviation: authZ = authorization

Slide 4: Service Components
Administration Point: formulating the rules through the command line interface and/or file-based input
Decision Point: evaluating a request from a client based on the rules
Enforcement Point: thin client part and server part; all complexity is in the server part
Runtime Execution Environment: under which environment must I run? (UID, GID)
Initial rules: banning/unbanning, pilot job
Initial default deployment: all components on one host

Slide 5: On the CE

Slide 6: Proposed Deployment Plan
Deployment during EGEE-III
Adoption during EGEE-III

Slide 7: Outline
Introduction
Command line interface
Global Banning
Summary

Slide 8: Argus CLI
Argus is operated from the command line
Policies are either
– added/removed from the command line
– imported/exported as a file in a simplified policy language (optional!)
  – see A. Ceccanti’s talk in MWSG
Banning and unbanning users
Evaluating authZ decisions

Slide 9: Banning Users
To ban a user on the entire site:
  pap-admin ban subject
  pap-admin ban fqan
To un-ban a user on the entire site:
  pap-admin un-ban subject
  pap-admin un-ban fqan
To ban a user on a specific resource:
  pap-admin ban -r resource_id subject

Slide 10: Evaluating authZ Decisions
  pepcli -p https://ares.switch.ch:8154/authz -c /tmp/x509up_u964 -r res_nok -a my_action
  Decision: Deny

  pepcli -p https://ares.switch.ch:8154/authz -c /tmp/x509up_u964 -r res_ok -a my_action
  Decision: Permit
  Username=testb001 UID=5100 GID=5100

  pepcli -p https://ares.switch.ch:8154/authz -s -f /switch -f /switch/test -r test -a test
  Decision: Permit
  Username=testb002 UID=5101 GID=5100 Secondary GIDs=5300

Slide 11: Outline
Introduction
Command line interface
Global Banning
Summary

Slide 12: Grid-wide Banning by OSCT
OSCT offers a centralized banning list to the sites
Allows banning for:
– DN (with or without SN)
– CA
– VO
– FQAN
– as well as regular expressions of the above
Operated (same as for a local Argus instance):
– from the CLI: pap-admin ban-user, pap-admin ban-fqan
– import/export of files in a simplified notation

Slide 13: Operational Policy
Each site manages its own access policies (local site autonomy)
OSCT operates a central banning service (CBS)
Sites SHOULD deploy the CBS
Sites SHOULD give the CBS priority over local policies
Sites SHOULD configure the CBS so that any ban/restore action is active in under 6 hours
– time period still under discussion
Grid Security Operations MUST inform the VO manager whenever user/group access is changed (ban & restore)
SHOULD = obligation with escape clause: inform the Grid Security Office.
Currently proposed by JSPG; discussions continuing.

Slide 14: Policy for Global Banning (full text)
Each site manages its own local access policies to its resources. In addition, Grid security operations SHOULD operate a central banning service. Whenever Grid security operations bans a user or group of users, or restores their access, they MUST inform the appropriate VO Manager. Sites SHOULD deploy this central banning service and give it priority over local policies. The site implementation of the central banning service SHOULD be configured such that any ban or restore action made by Grid security operations is active at the site without a delay of more than 6 hours.
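The banning rules on slides 9, 12 and 13 (site-wide versus per-resource bans as with pap-admin ban -r, regular-expression bans on DN, CA, VO and FQAN, and the central banning service taking priority over local policy), worked through as an added Python model. This is illustrative code written for this transcript, not Argus's engine or its policy language; the DNs, CA, resource ids and site rule are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
# Constructed model of the banning semantics on the slides above; it is not the
# Argus engine or its policy language, only an illustration of the stated rules.
@dataclass(frozen=True)
class Request:
    subject: str    # certificate DN
    ca: str         # issuing CA DN
    fqans: tuple    # VOMS FQANs, primary first; the VO is the first path element
    resource: str
    action: str

@dataclass
class BanList:
    # entries: (attribute, compiled regex, resource); resource None is site-wide
    # ('pap-admin ban' without -r), otherwise the ban is limited to that resource
    entries: list = field(default_factory=list)

    def ban(self, attr, pattern, resource=None):
        self.entries.append((attr, re.compile(pattern), resource))

    def un_ban(self, attr, pattern, resource=None):   # the "restore" action
        self.entries = [e for e in self.entries
                        if (e[0], e[1].pattern, e[2]) != (attr, pattern, resource)]

    def matches(self, req):
        values = {"dn": [req.subject], "ca": [req.ca], "fqan": list(req.fqans),
                  "vo": [f.split("/")[1] for f in req.fqans]}
        return any((res is None or res == req.resource)
                   and any(rx.fullmatch(v) for v in values[attr])
                   for attr, rx, res in self.entries)

def decide(req, central, local, site_rule):
    # The CBS list is consulted first (priority over local policy), then the
    # site's own bans, then the site's permit rule; anything else is denied.
    if central.matches(req) or local.matches(req):
        return "Deny"
    return "Permit" if site_rule(req) else "Deny"

# Constructed sample data: DNs, CA and resource ids are placeholders.
CENTRAL, LOCAL = BanList(), BanList()
CENTRAL.ban("dn", r"/DC=example/DC=grid/CN=Mallory Example")   # grid-wide by OSCT
LOCAL.ban("fqan", r"/switch/test(/.*)?", resource="res_nok")   # site, one resource
def site_rule(req):   # the site lets /switch VO members run my_action
    return bool(req.fqans) and req.fqans[0].startswith("/switch") and req.action == "my_action"

def request(cn, fqans, resource, action="my_action"):
    return Request(f"/DC=example/DC=grid/CN={cn}", "/DC=example/DC=grid/CN=Example CA",
                   tuple(fqans), resource, action)
```

Calling decide(request(...), CENTRAL, LOCAL, site_rule) returns "Permit" or "Deny" in the same spirit as the pepcli output on slide 10; the hypothetical un_ban mirrors the "restore" action of the operational policy.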

Slide 15: Outline
Introduction
Short Description of the Service
Deployment Proposal
Global Banning
Summary

Slide 16: Summary
Gradual deployment in six self-contained steps
Simple CLI for
– banning/unbanning users
– adding/removing policies
– evaluating requests for debugging
OSCT global banning list
Feedback and volunteers from sites / OSCT for trying the service out are highly welcome

Slide 17: Further Information
About the service:
– authZ service design document: https://edms.cern.ch/document/944192/1
– Deployment plan: https://edms.cern.ch/document/984088/1
General EGEE grid security:
– Authorization study: https://edms.cern.ch/document/887174/1
– gLite security architecture: https://edms.cern.ch/document/935451/2
Other:
– Wiki (under development): https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework

