1 / 27

Argus Policies in Action

Argus Policies in Action. Valery Tschopp (SWITCH) on behalf of the Argus PT. What is authorization ?. Can user X perform action Y on resource Z ?. Authorization Examples. Can user X … execute on this worker node (WN) ? submit a job to this CREAM CE ? access this storage area ?

tyrone-leon
Download Presentation

Argus Policies in Action

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ArgusPolicies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT

  2. What is authorization ? Argus Policies in Action, EGI Technical Forum 2011, Lyon

  3. Can user X perform action Y on resource Z ? Argus Policies in Action, EGI Technical Forum 2011, Lyon

  4. Authorization Examples • Can user X… • execute on this worker node (WN) ? • submit a job to this CREAM CE ? • access this storage area ? • submit a job to this WMS instance ? • User X is banned ! • Is not allowed to do anything on any resource! Argus Policies in Action, EGI Technical Forum 2011, Lyon

  5. Motivations for Argus • Each Grid service has its own authorization mechanism • Administrators need to know them all • Authorization rules at a site become difficult to understand and manage • No global banning mechanism • Urgent ban of malicious users cannot be easily and timely enforced on distributed sites • Authorization policies are static • Hard to change policies without reconfiguring services • Monitoring authorization decisions is hard Argus Policies in Action, EGI Technical Forum 2011, Lyon

  6. Argus • A generic authorization system • Built on top of a XACML policy engine • Renders consistent authorization decisions based on XACML policies Argus Policies in Action, EGI Technical Forum 2011, Lyon

  7. Argus Components • Argus PAP: Policy Administration Point • Provides administrators with the tools to author policies (pap-admin) • Stores and manages authored XACML policies • Provides managed authorization policies to other authorization service components (other PAPs or PDP) Argus Policies in Action, EGI Technical Forum 2011, Lyon

  8. Argus Components (cont.) • Argus PDP: Policy Decision Point • Policy evaluation engine • Receives authorization requests from the PEP • Evaluates the authorization requests against the XACML policies retrieved from the PAP • Renders the authorization decision Argus Policies in Action, EGI Technical Forum 2011, Lyon

  9. Argus Components (cont.) • Argus PEP: Policy Execution Point • Client/Server architecture • Lightweight PEP client libraries (C and Java) • PEP Server receives the authorization requests from the PEP clients • Transforms lightweight internal request into XACML • Applies a configurable set of filters (PIPs) to the incoming requests • Asks the PDP to render an authorization decision • If requested by the policy, applies the obligation handler (OH) to determine the user mapping Argus Policies in Action, EGI Technical Forum 2011, Lyon

  10. Argus Service Deployment Argus Policies in Action, EGI Technical Forum 2011, Lyon

  11. Argus Authorization Policies Argus is designed to answer the question: Can user X perform action Y on resource Z ? • Argus policies contain rules that state which actions can be performed on which resources by which users. • Argus uses XACML v.2 as the policy language. • However, XACML is hard to read and write, so we developed a Simplified Policy Language (SPL) Argus Policies in Action, EGI Technical Forum 2011, Lyon

  12. Use Case: User Banning User X should not be allowed to do anything on any resource ! Argus Policies in Action, EGI Technical Forum 2011, Lyon

  13. Use Case: User Banning (XACML) • XACML policies anyone … ? <xacml:PolicySet xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os”PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" PolicySetId="9784d9ce-16a9-41b9-9d26-b81a97f93616" Version="1"> <xacml:Target> <xacml:Resources> <xacml:Resource> <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</xacml:AttributeValue> <xacml:ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> </xacml:ResourceMatch> </xacml:Resource> </xacml:Resources> </xacml:Target> <xacml:PolicyIdReference>public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1</xacml:PolicyIdReference> </xacml:PolicySet> <xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os” PolicyId="public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1” RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1"> <xacml:Target> <xacml:Actions> <xacml:Action> <xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</xacml:AttributeValue> <xacml:ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> </xacml:ActionMatch> </xacml:Action> </xacml:Actions> </xacml:Target> <xacml:Rule Effect="Deny" RuleId="43c15124-6635-47ee-b13c-53f672d0de77"> ... Argus Policies in Action, EGI Technical Forum 2011, Lyon

  14. Use Case: User Banning (SPL) • The Simplified Policy Language resource ".*" { action ".*" { rule deny { subject="CN=Valery Tschopp, O=SWITCH,C=CH" } } } Argus Policies in Action, EGI Technical Forum 2011, Lyon

  15. SPL: Identifying Actions and Resources • Actions and Resources are identified by unique ID or “names”, that are assigned to them • Typically URIs, but any string will work • Resource ID example: http://cnaf.infn.it/resource/cream-ce-1 • Action ID example: http://cnaf.infn.it/action/submit-job Argus Policies in Action, EGI Technical Forum 2011, Lyon

  16. SPL: Identifying Subjects Subject in a policy can be identified via the following attributes: subject X509 certificate DN subject="CN=Valery Tschopp,O=SWITCH,C=CH” cathe CA certificate DN ca="CN=INFN CA,O=INFN,C=IT” vothe name of the Virtual Organization vo=”cms” fqana VOMS fully qualified attribute name fqan=”/atlas/analysis” pfqanthe VOMS primary FQAN pfqan=”/atlas/Role=pilot” Argus Policies in Action, EGI Technical Forum 2011, Lyon

  17. SPL Syntax • AND logic for attributes inside a block • Policy order matters! • First match algorithm resource <value> { action <value> { rule (permit|deny) { <subject_attribute> = <attribute_value> ... } ... } } ... Argus Policies in Action, EGI Technical Forum 2011, Lyon

  18. SPL Examples We have two CEs at our site, ce_1 and ce_2. We want to authorize Valery to contact one, but not the other. resource “ce_1” { action “.*” { rule permit { subject = “CN=Valery Tschopp, O=SWITCH, C=CH” } } } resource “ce_2” { action “.*” { rule deny { subject = “CN=Valery Tschopp, O=SWITCH, C=CH” } } } Argus Policies in Action, EGI Technical Forum 2011, Lyon

  19. SPL Examples (cont.) We have to ban all users member of VO ‘dteam’ from ce_1, but not those who have certificate signed by the INFA CA. resource “ce_1” { action “.*” { rule permit { vo = “dteam” ca = “CN=INFN CA,O=INFN,C=IT” } rule deny { vo = “dteam” } } } Argus Policies in Action, EGI Technical Forum 2011, Lyon

  20. The pap-admin Tool • List currently active policies: pap-admin list-policies • Import policies from a SPL file: pap-admin add-policy-from-file cms_policies.spl.txt • Ban/unban users: pap-admin ban subject "CN=John Doe,O=ACME,C=org” pap-admin unban vo ”atlas“ • Add a generic permit policy pap-admin add-policy --resource “http://grid.switch.ch/ce_1” --action “.*” permit fqan=”/atlas/production” Argus Policies in Action, EGI Technical Forum 2011, Lyon

  21. Hierarchical Policy Distribution Argus Policies in Action, EGI Technical Forum 2011, Lyon

  22. Pilot Jobs Authorization • The pilot is authorized on the CE • The payload is downloaded on the WN • gLExec runs it under the end-user identity Argus Policies in Action, EGI Technical Forum 2011, Lyon

  23. So Why Argus Simplifies my Life? • A single authorization point for many Grid services • A simple, flexible and powerful language to express authorization policies • A simple tool to manage complex policies • A policy distribution mechanism that allow to import from remote sites while keeping full authorization control on local resources (global banning) Argus Policies in Action, EGI Technical Forum 2011, Lyon

  24. Argus Releases • Argus 1.3.1 • Compatible with gLite 3.2 Argus PEP client libraries (C and Java) • Support for LFC/DPM banning engine • Bug fixes • Already released in EMI-1 and in UMD • Argus 1.4 coming soon (3rd week of Sept.) • Only optimizations (log files, memory, …) Argus Policies in Action, EGI Technical Forum 2011, Lyon

  25. Documentation • General documentation https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework • Service Reference Card https://twiki.cern.ch/twiki/bin/view/EMI/ArgusSRC • PAP admin Tool https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI • Simplified Policy Language https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage Argus Policies in Action, EGI Technical Forum 2011, Lyon

  26. Support • GGUS Tickets (ARGUS Support Unit) https://ggus.eu • Support mailing list (e-group): argus-support@cern.ch Argus Policies in Action, EGI Technical Forum 2011, Lyon

  27. Thank you EMI is partially funded by the European Commission under Grant Agreement INFSO-RI-261611 Argus Policies in Action, EGI Technical Forum 2011, Lyon

More Related