Argus: command line usage and banning
Christoph Witzig, SWITCH (christoph.witzig@switch.ch)
Outline
• Introduction
• Command line interface
• Global Banning
• Summary
OSCT/MWSG meeting, EGEE09, Sept 22, 2009
Introduction
• Institutions involved:
  • CNAF, HIP, NIKHEF, SWITCH
• Argus = Attribute-based Authorization service
  • Attributes = DN, CA, FQAN, ...
  • Internal engine that determines whether a request containing a set of attributes shall be authorized or not
• Decisions are taken for a given resource and a given action:
  • E.g. a WN has a resource id and the action may be "execute_pilot"
• Policies are formulated for
  • Individual resource and action
  • Groups of resources and groups of actions
  • All resources and all actions
• Default deployment: all components on a single host
• Note abbreviation: authZ = authorization
On the CE
(diagram slide: deployment of Argus components on the CE)
Proposed Deployment Plan
(timeline slide: adoption during EGEE-III, deployment during EGEE-III)
Outline
• Introduction
• Command line interface
• Global Banning
• Summary
Argus CLI
• Argus is operated from the command line
• Policies are either
  • Added/removed from the command line
  • Imported/exported as a file in a simplified policy language (optional!)
    • See A. Ceccanti's talk in MWSG
• Banning and unbanning users
• Evaluating authZ decisions
Banning Users
• To ban a user on the entire site:
  pap-admin ban subject <dn>
  pap-admin ban fqan <fqan>
• To un-ban a user on the entire site:
  pap-admin un-ban subject <dn>
  pap-admin un-ban fqan <fqan>
• To ban a user on a specific resource:
  pap-admin ban -r resource_id subject <dn>
Evaluating authZ Decisions
• pepcli -p https://ares.switch.ch:8154/authz -c /tmp/x509up_u964 -r res_nok -a my_action
  Decision: Deny
• pepcli -p https://ares.switch.ch:8154/authz -c /tmp/x509up_u964 -r res_ok -a my_action
  Decision: Permit
  Username=testb001 UID=5100 GID=5100
• pepcli -p https://ares.switch.ch:8154/authz -s <dn> -f /switch -f /switch/test -r test -a test
  Decision: Permit
  Username=testb002 UID=5101 GID=5100 Secondary GIDs=5300
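As an added example (not from the slides or the Argus project), a small Python helper that parses pepcli responses in the form shown above and reports banned subjects that still receive Permit, which is the check a site would run after applying a local or central ban. The sample responses are constructed to match the slide's format and the DNs are placeholders.

```python
import re

# Constructed sample pepcli responses, modelled on the format shown on the slide
# (not captured from a real Argus server).
PEPCLI_DENY = "Decision: Deny\n"
PEPCLI_PERMIT = ("Decision: Permit\n"
                 "Username=testb002 UID=5101 GID=5100 Secondary GIDs=5300\n")

# pepcli prints the decision first; POSIX account-mapping attributes follow as key=value.
DECISION_RE = re.compile(r"Decision:\s*(Permit|Deny|NotApplicable|Indeterminate)")
KV_RE = re.compile(r"(Username|UID|GID|Secondary GIDs)\s*=\s*(\S+)")


def parse_pepcli(output):
    """Turn a pepcli response into a dict: the authZ decision plus any
    account mapping (username, uid, gid, secondary gids)."""
    result = {"decision": None, "username": None, "uid": None,
              "gid": None, "secondary_gids": []}
    m = DECISION_RE.search(output)
    if m:
        result["decision"] = m.group(1)
    for key, value in KV_RE.findall(output):
        if key == "Username":
            result["username"] = value
        elif key == "UID":
            result["uid"] = int(value)
        elif key == "GID":
            result["gid"] = int(value)
        else:  # "Secondary GIDs", possibly comma-separated
            result["secondary_gids"] = [int(g) for g in value.split(",") if g]
    return result


def banned_but_permitted(responses, banned):
    """responses: {subject DN: pepcli output}; banned: set of DNs that should be
    denied site-wide. Returns the banned DNs that still get Permit, i.e. where
    the ban (local or from the central banning list) has not taken effect."""
    return sorted(dn for dn in banned
                  if parse_pepcli(responses.get(dn, "")).get("decision") == "Permit")


if __name__ == "__main__":
    # Placeholder DNs, not real identities.
    responses = {"/DC=example/CN=user one": PEPCLI_DENY,
                 "/DC=example/CN=user two": PEPCLI_PERMIT}
    print(banned_but_permitted(responses, set(responses)))  # ['/DC=example/CN=user two']
```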
Outline
• Introduction
• Command line interface
• Global Banning
• Summary
Grid-wide Banning by OSCT
• OSCT offers a centralized banning list to the sites
• Allows banning for:
  • DN (with or without SN)
  • CA
  • VO
  • FQAN
  • As well as regular expressions of the above
• Operated (same as for a local Argus instance)
  • From the CLI
    • pap-admin ban-user <DN>
    • pap-admin ban-fqan <fqan>
  • Import/export of files in a simplified notation
Operational Policy
• Each site manages its own access policies
  • Local site autonomy
• OSCT operates a central banning service (CBS)
  • Sites SHOULD deploy CBS
  • Sites SHOULD give CBS priority over local policies
  • Sites SHOULD configure CBS so any ban/restore action is active in under 6 hours
    • Time period still under discussion
• Grid Security Operations MUST inform the VO manager whenever user/group access is changed (ban & restore)
  • Inform Grid Security Office
• SHOULD = obligation with escape clause
• Currently proposed by JSPG
• Discussions continuing
Policy for Global Banning (Full text)
• Each site manages its own local access policies to its resources. In addition, Grid security operations SHOULD operate a central banning service. Whenever Grid security operations bans a user or group of users, or restores their access, they MUST inform the appropriate VO Manager.
• Sites SHOULD deploy this central banning service and give it priority over local policies.
• The site implementation of the central banning service SHOULD be configured such that any ban or restore action made by Grid security operations is active at the site without a delay of more than 6 hours.
Outline
• Introduction
• Short Description of the Service
• Deployment Proposal
• Global Banning
• Summary
Summary
• Gradual deployment in six self-contained steps
• Simple CLI for
  • Banning/unbanning users
  • Adding/removing policies
  • Evaluating requests for debugging
• OSCT global banning list
• Feedback and volunteers from sites / OSCT for trying the service out are highly welcome
Further Information
• About the service:
  • authZ service design document: https://edms.cern.ch/document/944192/1
  • Deployment plan: https://edms.cern.ch/document/984088/1
• General EGEE grid security:
  • Authorization study: https://edms.cern.ch/document/887174/1
  • gLite security architecture: https://edms.cern.ch/document/935451/2
• Other:
  • Wiki (under development): https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework