Argus Policies Tutorial
Valery Tschopp - SWITCH
EGI TF 2012 @ Prague
Authorization
What is authorization?
EGI TF 2012, Prague
Authorization
Can user X perform action Y on resource Z?
Authorization Examples
• Can user X…
  • execute on this worker node (WN)?
  • submit a job to this CREAM CE?
  • access this storage area?
  • submit a job to this WMS instance?
• User X is banned!
  • User X is not allowed to do anything on any resource!
Motivations for Argus
• Each Grid service has its own authorization mechanism
  • Administrators need to know them all
  • Authorization rules at a site become difficult to understand and manage
• No global banning mechanism
  • An urgent ban of a malicious user cannot be enforced easily and in time across distributed sites
• Authorization policies are static
  • Hard to change policies without reconfiguring services
• Monitoring authorization decisions is hard
Argus Authorization Service
• A generic authorization system
• Built on top of an XACML policy engine
• Renders consistent authorization decisions based on XACML policies
Argus Components
• Argus PAP: Policy Administration Point
  • Provides administrators with the tools to author policies (pap-admin)
  • Stores and manages the authored XACML policies
  • Provides the managed authorization policies to other authorization service components (other PAPs or the PDP)
Argus Components
• Argus PDP: Policy Decision Point
  • Policy evaluation engine
  • Receives authorization requests from the PEP
  • Evaluates the authorization requests against the XACML policies retrieved from the PAP
  • Renders the authorization decision
Argus Components
• Argus PEP: Policy Enforcement Point
  • Client/server architecture
  • Lightweight PEP client libraries (C and Java)
  • The PEP server receives the authorization requests from the PEP clients
  • Transforms the lightweight internal request into XACML
  • Applies a configurable set of filters (PIPs, Policy Information Points) to the incoming requests
  • Asks the PDP to render an authorization decision
  • If requested by the policy, applies the obligation handler (OH) to determine the local user mapping
Authorization Policies
Argus is designed to answer the questions:
• Can user X perform action Y on resource Z?
• Is user X banned?
• PERMIT decision
  • Authorizes users to perform an action on a resource
• DENY decision
  • Bans users
• Both can be expressed with XACML policies
Authorization Policies (XACML)
<xacml:PolicySet xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
    PolicySetId="9784d9ce-16a9-41b9-9d26-b81a97f93616" Version="1">
  <xacml:Target>
    <xacml:Resources>
      <xacml:Resource>
        <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</xacml:AttributeValue>
          <xacml:ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml:ResourceMatch>
      </xacml:Resource>
    </xacml:Resources>
  </xacml:Target>
  <xacml:PolicyIdReference>public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1</xacml:PolicyIdReference>
</xacml:PolicySet>
<xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicyId="public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1">
  <xacml:Target>
    <xacml:Actions>
      <xacml:Action>
        <xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</xacml:AttributeValue>
          <xacml:ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml:ActionMatch>
      </xacml:Action>
    </xacml:Actions>
  </xacml:Target>
  <xacml:Rule Effect="Deny" RuleId="43c15124-6635-47ee-b13c-53f672d0de77">
  ...
Authorization Policies
• Problem?
  • XACML is not easy to read and/or understand
  • XACML is not easy to write and is prone to error
• Solution
  • Hide the complexity of the XACML language
  • Introduce a Simplified Policy Language (SPL)
  • Provide administrators with a simple tool to manage the policies
  • pap-admin to create, edit and delete permit/deny policy rules
Simplified Policy Language (SPL)
• Deny (ban) a particular user by DN
    resource ".*" {
        action ".*" {
            rule deny { subject="CN=Valery Tschopp, O=SWITCH, C=CH" }
        }
    }
• Permit ATLAS users (VO) to execute a job on a worker node (WN)
    resource "http://grid.switch.ch/wn" {
        action "http://glite.org/xacml/action/execute" {
            rule permit { vo="atlas" }
        }
    }
Identifying Resources and Actions
• Actions and resources are identified by unique IDs or "names" that are assigned to them
  • Typically URIs, but any string will work
• Resource ID example:
    http://cnaf.infn.it/resource/cream-ce
• Action ID examples:
    http://glite.org/action/submit-job
    http://glite.org/action/execute
Identifying Subjects
A subject in a policy can be identified via the following attributes:
• subject: the X.509 certificate DN of the user
    subject="CN=Valery Tschopp,O=SWITCH,C=CH"
• ca: the DN of the CA certificate that issued the user certificate
    ca="CN=INFN CA,O=INFN,C=IT"
• vo: the name of the Virtual Organization
    vo="cms"
• fqan: a VOMS fully qualified attribute name
    fqan="/atlas/analysis"
Tool pap-admin
• Administrator tool to manage the PAP
  • Policy management
  • PAP server management
  • PAP authorization management
• Simple way to ban a user
• Simple way to create, edit and delete authorization policies
Tool pap-admin (cont.)
• List the currently active policies:
    pap-admin list-policies
• Ban/unban users:
    pap-admin ban subject "CN=John Doe,O=ACME,C=org"
    pap-admin ban subject "/C=org/O=ACME/CN=Batman"
    pap-admin un-ban vo "atlas"
• Add a generic permit policy:
    pap-admin add-policy \
        --resource "http://grid.switch.ch/ce_1" \
        --action ".*" \
        permit fqan="/atlas/production"
• And many more functionalities…
Site Deployment (diagram)
Hierarchical Policy Distribution (diagram)
Hierarchical Policy Distribution
• Top PAP
  • Manages the global banning list
  • Has to be trusted by the site
• Site PAP
  • Retrieves the global banning list from the top PAP
  • Merges it on top of the local policies
  • The local PDP applies first-match evaluation, so a global ban placed first is decided before any local permit
Enable WLCG Global Banning
• Add the WLCG PAP:
    pap-admin apap WLCG argus.cern.ch \
        "/DC=ch/DC=cern/OU=computers/CN=argus.cern.ch"
• Set the PAP order (WLCG banning policies first):
    pap-admin spo WLCG default
• Enable the WLCG banning PAP:
    pap-admin epap WLCG
• List all policies (WLCG and local ones):
    pap-admin lp -all
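An added worked example, written for this page and not Argus code (it is not the Argus PDP): a small Python evaluator for the SPL syntax of the Simplified Policy Language and Identifying Subjects slides, using the first-applicable combining that the XACML rendering shows, with the top PAP's policies placed before the site PAP's exactly as the set-paps-order step above arranges them. The policy text, DNs, VO names and resource ids are constructed; the regex match on resource and action ids, the exact match on subject attributes and the plain concatenation of PAPs are this example's assumptions about the semantics.

```python
"""Toy first-applicable evaluator for Argus Simplified Policy Language (SPL) text.
Added example, not Argus code. Assumed semantics: resource and action ids are regular
expressions matched against the whole request value (the page's XACML uses
string-regexp-match); subject, ca, vo and fqan match by exact string equality (fqan
against any FQAN the user holds); PAPs are concatenated in the configured order."""
import re
from collections import namedtuple
from typing import List, Tuple

Rule = namedtuple("Rule", "effect attrs")                            # "permit"/"deny", {attr: value}
Policy = namedtuple("Policy", "resource action rules obligations")   # resource/action are regexes
_TOKEN = re.compile(r'\s*(?:"([^"]*)"|([A-Za-z_][\w.-]*)|([{}=]))')

def tokenize(text: str) -> List[Tuple[str, str]]:
    tokens, pos, text = [], 0, text.strip()          # ("STR", v) / ("ID", word) / ("SYM", char)
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad SPL at offset {pos}: {text[pos:pos + 20]!r}")
        s, word, sym = m.groups()
        tokens.append(("STR", s) if s is not None else ("ID", word) if word else ("SYM", sym))
        pos = m.end()
    return tokens

def parse_spl(text: str) -> List[Policy]:
    """Recursive descent over: resource "id" { obligation* action "id" { obligation* rule* } }."""
    toks, pos = tokenize(text), [0]                  # pos is boxed so the closures can advance it
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else ("EOF", "")
    def take(kind, value=None):
        tok = peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError(f"expected {kind} {value or ''}, got {tok}")
        pos[0] += 1
        return tok[1]
    def obligation():
        take("ID", "obligation"); uri = take("STR"); take("SYM", "{"); take("SYM", "}")
        return uri                                   # obligation parameters are not modelled
    def rule():
        take("ID", "rule"); effect = take("ID"); take("SYM", "{"); attrs = {}
        if effect not in ("permit", "deny"):
            raise ValueError(f"unknown rule effect {effect!r}")
        while peek() != ("SYM", "}"):
            key = take("ID"); take("SYM", "="); attrs[key] = take("STR")
        take("SYM", "}")
        return Rule(effect, attrs)
    def block(opener, body):                         # <opener> "<id>" { obligation* body* }
        take("ID", opener); ident = take("STR"); take("SYM", "{"); obligations, items = [], []
        while peek() != ("SYM", "}"):
            if peek() == ("ID", "obligation"):
                obligations.append(obligation())
            else:
                items.append(body())
        take("SYM", "}")
        return ident, obligations, items
    policies = []
    while peek()[0] != "EOF":
        res, res_obl, actions = block("resource", lambda: block("action", rule))
        for act, act_obl, rules in actions:          # resource-level obligations apply to every action
            policies.append(Policy(res, act, rules, res_obl + act_obl))
    return policies

def _attr_matches(request: dict, key: str, wanted: str) -> bool:
    have = request.get(key)
    return wanted in have if isinstance(have, list) else have == wanted

def evaluate(policies: List[Policy], request: dict) -> Tuple[str, List[str]]:
    # First applicable rule decides; obligations are returned only with Permit.
    for p in policies:
        if not (re.fullmatch(p.resource, request["resource"]) and re.fullmatch(p.action, request["action"])):
            continue
        for r in p.rules:
            if all(_attr_matches(request, k, v) for k, v in r.attrs.items()):
                effect = "Permit" if r.effect == "permit" else "Deny"
                return effect, (p.obligations if effect == "Permit" else [])
    return "NotApplicable", []

# Constructed sample policies: a top-PAP ban and a site PAP (order as pap-admin set-paps-order).
TOP_PAP = 'resource ".*" { action ".*" { rule deny { subject="CN=Mallory,O=Example,C=XX" } } }'
SITE_PAP = '''
resource "http://grid.example.org/wn" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action "http://glite.org/xacml/action/execute" { rule permit { vo="atlas" } }
}
resource "http://grid.example.org/ce" {
    action ".*" { rule permit { fqan="/atlas/production" }  rule deny { vo="atlas" } }
}'''

def demo() -> dict:
    ordered = parse_spl(TOP_PAP) + parse_spl(SITE_PAP)           # top PAP first
    wn = {"resource": "http://grid.example.org/wn", "action": "http://glite.org/xacml/action/execute"}
    ce = {"resource": "http://grid.example.org/ce", "action": "http://glite.org/xacml/action/submit"}
    alice = {"subject": "CN=Alice,O=Example,C=XX", "vo": "atlas", "fqan": ["/atlas", "/atlas/production"]}
    bob = {"subject": "CN=Bob,O=Example,C=XX", "vo": "atlas", "fqan": ["/atlas"]}
    mallory = dict(alice, subject="CN=Mallory,O=Example,C=XX")
    return {"alice_wn": evaluate(ordered, {**wn, **alice}),                 # Permit + mapping obligation
            "alice_ce": evaluate(ordered, {**ce, **alice}),                 # Permit via production FQAN
            "bob_ce": evaluate(ordered, {**ce, **bob}),                     # Deny by the ce policy's second rule
            "mallory_wn": evaluate(ordered, {**wn, **mallory}),             # Deny: top-PAP ban comes first
            "mallory_site_first": evaluate(parse_spl(SITE_PAP) + parse_spl(TOP_PAP), {**wn, **mallory}),
            "cms_wn": evaluate(ordered, {**wn, "subject": "CN=Carol,O=Example,C=XX", "vo": "cms"})}
```

demo() shows the point of the ordering step: the same banned user gets Deny when the top PAP's policies come first and Permit when the site PAP is evaluated first, because the first matching rule ends the evaluation. A request no policy covers comes back NotApplicable, which a PEP must treat as a refusal (fail closed), and the local-environment-map obligation only travels with a Permit, so nothing is mapped on a Deny.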
Documentation
• General documentation
    https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
• PAP admin CLI
    https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI
• Simplified Policy Language
    https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage
• Service Reference Card
    https://twiki.cern.ch/twiki/bin/view/EMI/ArgusSRC
DEMO
Demo Setup: emitestbed
• EMI UI
• CREAM CE
• Argus Services
• 2 gLExec WNs
Demo Setup: Policies
• Policies authorizing jobs on the CREAM CE and gLExec on the WN for one VO
    resource "http://emitestbed.cnaf.infn.it/ce" {
        obligation "http://glite.org/xacml/obligation/local-environment-map" {}
        action ".*" {
            rule permit { vo="testers.eu-emi.eu" }
        }
    }
    resource "http://emitestbed.cnaf.infn.it/wn" {
        obligation "http://glite.org/xacml/obligation/local-environment-map" {}
        action ".*" {
            rule permit { vo="testers.eu-emi.eu" }
        }
    }
Demo Setup: Argus YAIM Config
• Argus node site-info.def
    # The Argus hostname
    ARGUS_HOST=emitestbed10.cnaf.infn.it
    # The DN of a trusted PAP administrator
    PAP_ADMIN_DN="/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Danilo Nicola Dongiovanni"
    # Local mapping configuration
    USERS_CONF=/root/siteinfo/users.conf
    GROUPS_CONF=/root/siteinfo/groups.conf
    # Space separated list of VOs supported by your site
    VOS="testers.eu-emi.eu"
Demo Setup: CREAM YAIM Config
• CREAM CE site-info.def
• Enables Argus authorization
    CEMON_HOST=cert-07.cnaf.infn.it
    CREAM_DB_USER=tester
    CREAM_DB_PASSWORD=****
    BLPARSER_HOST=cert-07.cnaf.infn.it
    ...
    USE_ARGUS=yes
    ARGUS_PEPD_ENDPOINTS=https://emitestbed10.cnaf.infn.it:8154/authz
    CREAM_PEPC_RESOURCEID=http://emitestbed.cnaf.infn.it/ce
Demo Setup: gLExec/WN YAIM
• gLExec on the WN site-info.def
• Enables Argus authorization
    GLEXEC_WN_OPMODE=setuid
    GLEXEC_WN_SCAS_ENABLED=no
    GLEXEC_WN_ARGUS_ENABLED=yes
    ARGUS_PEPD_ENDPOINTS=https://emitestbed10.cnaf.infn.it:8154/authz
    GLEXEC_WN_PEPC_RESOURCEID=http://emitestbed.cnaf.infn.it/wn
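An added example, not YAIM or Argus code: a Python consistency check over the three site-info.def fragments and the SPL policy of the demo setup, all embedded below as constructed copies of what the slides show. The checks encode three assumptions a site admin would want verified before the first job arrives: each PEP-enabled service points at ARGUS_HOST over https, each PEPC_RESOURCEID is matched by some policy resource regex (otherwise the PDP answers NotApplicable for every request from that service), and every VO a permit rule names is listed in VOS so the local-environment-map obligation has a mapping to apply. The variable names are the ones on the slides; the finding texts are this example's own.

```python
"""Consistency check across the Argus, CREAM CE and gLExec WN YAIM fragments shown on
the demo slides. Added example, not YAIM or Argus code. The fragments and the policy
below are constructed from the slides; the checks encode assumptions (labelled):
every PEP must talk https to ARGUS_HOST, every PEPC_RESOURCEID must be matched by a
policy resource regex (else the PDP answers NotApplicable and the PEP denies), and a
VO permitted by policy should be in VOS so the local mapping obligation can map it."""
import re
from urllib.parse import urlparse

ARGUS_SITE_INFO = """
ARGUS_HOST=emitestbed10.cnaf.infn.it
PAP_ADMIN_DN="/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Danilo Nicola Dongiovanni"
VOS="testers.eu-emi.eu"
"""
CREAM_SITE_INFO = """
USE_ARGUS=yes
ARGUS_PEPD_ENDPOINTS=https://emitestbed10.cnaf.infn.it:8154/authz
CREAM_PEPC_RESOURCEID=http://emitestbed.cnaf.infn.it/ce
"""
WN_SITE_INFO = """
GLEXEC_WN_OPMODE=setuid
GLEXEC_WN_ARGUS_ENABLED=yes
ARGUS_PEPD_ENDPOINTS=https://emitestbed10.cnaf.infn.it:8154/authz
GLEXEC_WN_PEPC_RESOURCEID=http://emitestbed.cnaf.infn.it/wn
"""
SITE_SPL = """
resource "http://emitestbed.cnaf.infn.it/ce" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action ".*" { rule permit { vo="testers.eu-emi.eu" } }
}
resource "http://emitestbed.cnaf.infn.it/wn" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action ".*" { rule permit { vo="testers.eu-emi.eu" } }
}
"""

# Which enable switch and which resource-id variable each PEP-enabled service uses (from the slides).
SERVICES = (("CREAM CE", "USE_ARGUS", "CREAM_PEPC_RESOURCEID"),
            ("gLExec WN", "GLEXEC_WN_ARGUS_ENABLED", "GLEXEC_WN_PEPC_RESOURCEID"))

def parse_site_info(text: str) -> dict:
    """KEY=VALUE lines of a site-info.def fragment; drops '#' comments and surrounding quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip("\"'")
    return conf

def check_site(argus: dict, services: dict, spl: str) -> list:
    """services maps a name from SERVICES to its parsed fragment; returns human-readable findings."""
    findings = []
    resources = re.findall(r'resource\s+"([^"]*)"', spl)
    permitted_vos = set(re.findall(r'rule\s+permit\s*\{[^}]*\bvo="([^"]*)"', spl))
    supported_vos = set(argus.get("VOS", "").split())
    for name, switch, rid_key in SERVICES:
        conf = services[name]
        if conf.get(switch) != "yes":
            findings.append(f"{name}: {switch} is not 'yes', Argus will not be consulted")
        for endpoint in conf.get("ARGUS_PEPD_ENDPOINTS", "").split():   # space-separated list
            url = urlparse(endpoint)
            if url.scheme != "https" or url.hostname != argus.get("ARGUS_HOST"):
                findings.append(f"{name}: PEP endpoint {endpoint} is not https to ARGUS_HOST")
        rid = conf.get(rid_key, "")
        if not any(re.fullmatch(pattern, rid) for pattern in resources):
            findings.append(f"{name}: resource id {rid!r} matches no policy resource (PDP: NotApplicable)")
    for vo in sorted(permitted_vos - supported_vos):
        findings.append(f"VO {vo!r} is permitted by policy but missing from VOS; nothing to map it to")
    return findings

def check_demo(wn_text: str = WN_SITE_INFO) -> list:
    """Run the check on the slide configuration (optionally with a modified WN fragment)."""
    return check_site(parse_site_info(ARGUS_SITE_INFO),
                      {"CREAM CE": parse_site_info(CREAM_SITE_INFO), "gLExec WN": parse_site_info(wn_text)},
                      SITE_SPL)
```

check_demo() returns an empty list for the configuration on the slides; a one-character typo in GLEXEC_WN_PEPC_RESOURCEID, or an enable switch left at "no", produces one finding each, which is the kind of silent misconfiguration that otherwise only shows up as every job being refused on the WN.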
Demo: Pilot Job Authorization
• The pilot job is authorized on the CE
• The payload is downloaded on the WN
• gLExec executes it under the end-user identity