1 / 16

Argus: command line usage and banning

Argus: command line usage and banning. Christoph Witzig, SWITCH (christoph.witzig@switch.ch). Outline. Introduction Command line interface Global Banning Summary. Introduction. Institutions involved: CNAF, HIP, NIKHEF, SWITCH Argus = Attribute-based Authorization service

Download Presentation

Argus: command line usage and banning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Argus: command line usage and banning Christoph Witzig, SWITCH (christoph.witzig@switch.ch)

  2. Outline • Introduction • Command line interface • Global Banning • Summary OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  3. Introduction • Institutions involved: • CNAF, HIP, NIKHEF, SWITCH • Argus = Attribute-based Authorization service • Attributes = DN, CA, FQAN, …. • Internal engine that determines whether a request containing a set of attributes shall be authorized or not • Decisions are taken for a given resource and a given action: • E.g. A WN has a resource id and the action may be “execute_pilot” • Policies are formulated for • Individual resource and action • Groups of resources and groups of action • All resources and all actions • Default deployment: all components on a single host • Note abbreviation: authZ = authorization OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  4. On the CE OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  5. Proposed Deployment Plan Adoption during EGEE-III Deployment during EGEE-III OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  6. Outline • Introduction • Command line interface • Global Banning • Summary OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  7. Argus CLI • Argus is operated from the command line • Policies either • Added/removed from command line • Import/export of file in simplified policy language (optional!) • see A.Ceccanti’s talk in MWSG • Banning and unbanning users • Evaluating authZ decisions OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  8. Banning Users • To ban a user on the entire site:pap-admin ban subject <dn>pap-admin ban fqan <fqan> • To un-ban a user on the entire site:pap-admin un-ban subject <dn>pap-admin un-ban fqan <fqan> • To ban a user on a specific resource: pap-admin ban -r resource_id subject <dn> OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  9. Evaluating authZ Decisions • pepcli -p https://ares.switch.ch:8154/authz -c /tmp/x509up_u964 -r res_nok -a my_action Decision: Deny • pepcli -p https://ares.switch.ch:8154/authz -c /tmp/x509up_u964 -r res_ok -a my_action Decision: Permit Username=testb001 UID=5100 GID=5100 • pepcli -p https://ares.switch.ch:8154/authz -s <dn> -f /switch -f /switch/test -r test -a test Decision: Permit Username=testb002 UID=5101 GID=5100 Secondary GIDs=5300 OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  10. Outline • Introduction • Command line interface • Global Banning • Summary OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  11. Grid-wide Banning by OSCT • OSCT offers centralized banning list to the sites • Allows banning for: • DN (with or without SN) • CA • VO • FQAN • As well as regular expressions of the above • Operated (same as for local Argus instance) • From the CLI • pap-admin ban-user <DN> • pap-admin ban-fqan <fqan> • Import / export of files in a simplified notation OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  12. Operational Policy OSCT/MWSG meeting, EGEE09, Sept 22, 2009 Each site manages its own access policies • Local site autonomy OSCT operates a central banning service (CBS) • Sites SHOULD deploy CBS • Sites SHOULD give CBS priority over local policies • Sites SHOULD configure CBS so any ban/restore action is active in under 6 hours • Time period still under discussion • Grid Security Operations MUST inform VO manager whenever user/group access is changed (ban & restore) SHOULD= Obligation with escape clause • Inform Grid Security Office. Currently proposed by JSPG • Discussions continuing.

  13. Policy for Global Banning(Full text) • Each site manages its own local access policies to its resources. In addition, Grid security operations SHOULD operate a central banning service. Whenever Grid security operations bans a user or group of users, or restores their access, they MUST inform the appropriate VO Manager. • Sites SHOULD deploy this central banning service and give it priority over local policies. • The site implementation of the central banning service SHOULD be configured such that any ban or restore action made by Grid security operations is active at the site without a delay of more than 6 hours OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  14. Outline • Introduction • Short Description of the Service • Deployment Proposal • Global Banning • Summary OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  15. Summary • Gradual deployment in six self-contained steps • Simple CLI for • Banning/unbanning users • Adding/removing policies • Evaluating request for debugging • OSCT global banning list • Feedback and volunteer from sites / OSCT for trying service out is highly welcome OSCT/MWSG meeting, EGEE09, Sept 22, 2009

  16. Further Information • About the service: • authZ service design document: https://edms.cern.ch/document/944192/1 • Deployment plan: https://edms.cern.ch/document/984088/1 • General EGEE grid security: • Authorization study: https://edms.cern.ch/document/887174/1 • gLite security: architecture: https://edms.cern.ch/document/935451/2 • Other: • Wiki: (under development) https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework OSCT/MWSG meeting, EGEE09, Sept 22, 2009

More Related