Argus: command line usage and banning
Transcript of Argus: command line usage and banning
EGEE-II INFSO-RI-031688
Enabling Grids for E-sciencE
www.eu-egee.org
EGEE and gLite are registered trademarks

Argus: command line usage and banning
Christoph Witzig, SWITCH
OSCT/MWSG meeting, EGEE09, Sept 22, 2009
Outline
• Introduction
• Command line interface
• Global Banning
• Summary
Introduction
• Institutions involved:
  – CNAF, HIP, NIKHEF, SWITCH
• Argus = Attribute-based Authorization service
  – Attributes = DN, CA, FQAN, …
  – Internal engine that determines whether a request containing a set of attributes shall be authorized or not
• Decisions are taken for a given resource and a given action:
  – E.g. a WN has a resource id and the action may be “execute_pilot”
  – Policies are formulated for:
    – an individual resource and action
    – groups of resources and groups of actions
    – all resources and all actions
• Default deployment: all components on a single host
• Note abbreviation: authZ = authorization
On the CE
Proposed Deployment Plan (timeline diagram)
• Deployment during EGEE-III
• Adoption during EGEE-III
Outline
• Introduction
• Command line interface
• Global Banning
• Summary
Argus CLI
• Argus is operated from the command line
• Policies are either
  – added/removed from the command line, or
  – imported/exported as a file in the simplified policy language (optional!); see A. Ceccanti’s talk in MWSG
• Banning and unbanning users
• Evaluating authZ decisions
Banning Users
• To ban a user on the entire site:
    pap-admin ban subject <dn>
    pap-admin ban fqan <fqan>
• To un-ban a user on the entire site:
    pap-admin un-ban subject <dn>
    pap-admin un-ban fqan <fqan>
• To ban a user on a specific resource:
    pap-admin ban -r resource_id subject <dn>
Evaluating authZ Decisions
• pepcli -p https://ares.switch.ch:8154/authz -c /tmp/x509up_u964 -r res_nok -a my_action
    Decision: Deny
• pepcli -p https://ares.switch.ch:8154/authz -c /tmp/x509up_u964 -r res_ok -a my_action
    Decision: Permit
    Username=testb001
    UID=5100
    GID=5100
• pepcli -p https://ares.switch.ch:8154/authz -s <dn> -f /switch -f /switch/test -r test -a test
    Decision: Permit
    Username=testb002
    UID=5101
    GID=5100
    Secondary GIDs=5300
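The two slides above give the ban commands and the pepcli checks separately. The script below is an added example, not part of the talk or of the Argus project: after a site-wide ban it asks the PEP for a decision on every listed resource and reports any resource where the answer is not Deny, which is the check an operator would want before trusting a ban. It assumes pap-admin and pepcli are on PATH, uses the pepcli flags shown on the slide (-p, -s, -r, -a), and takes the PEP endpoint, the banned DN, the resource ids and the action from environment variables or placeholders (the endpoint and DN values here are constructed).

```shell
#!/bin/sh
# Added example (not Argus project code): verify that a site-wide ban holds.
# PEP_URL is a constructed placeholder; PEPCLI is overridable so the parsing
# and checking functions can be exercised without a live Argus service.
PEP_URL="${PEP_URL:-https://pep.example.org:8154/authz}"
PEPCLI="${PEPCLI:-pepcli}"

# Read pepcli output on stdin and print only the word after "Decision:"
# (Permit, Deny, ...). Prints nothing if no Decision line is present.
pepcli_decision() {
    sed -n 's/^Decision: *\([A-Za-z]*\).*/\1/p' | head -n 1
}

# Ask the PEP for one (subject DN, resource, action) and print the decision.
# -s <dn> queries on behalf of a DN without needing that user's proxy,
# exactly as on the third pepcli line of the slide.
query_decision() {
    subject=$1; resource=$2; action=$3
    "$PEPCLI" -p "$PEP_URL" -s "$subject" -r "$resource" -a "$action" | pepcli_decision
}

# Check every resource given after the action. Prints each resource whose
# decision is not Deny; the exit status is the number of such resources,
# so 0 means the ban is enforced everywhere that was checked.
verify_ban() {
    subject=$1; action=$2; shift 2
    failures=0
    for res in "$@"; do
        d=$(query_decision "$subject" "$res" "$action")
        if [ "$d" != "Deny" ]; then
            echo "NOT DENIED: resource=$res decision=${d:-<none>}"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage (only when RUN_CHECK=1, so the functions above can be sourced safely):
#   RUN_CHECK=1 BANNED_DN='/DC=org/DC=example/CN=some user' sh verify_ban.sh
# res_ok, res_nok and execute_pilot are the resource ids and action named on
# the slides; replace them with the site's own resource ids.
if [ "${RUN_CHECK:-0}" = "1" ]; then
    pap-admin ban subject "$BANNED_DN"                      # site-wide ban, as on the slide
    verify_ban "$BANNED_DN" execute_pilot res_ok res_nok     # expect no output and exit status 0
fi
```

A non-zero exit status lists exactly the resources where the ban is not effective, which is also the state to check for after an un-ban (there the expected decision flips back to Permit for the resources the user may legitimately use).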
Outline
• Introduction
• Command line interface
• Global Banning
• Summary
Grid-wide Banning by OSCT
• OSCT offers a centralized banning list to the sites
• Allows banning for:
  – DN (with or without SN)
  – CA
  – VO
  – FQAN
  – as well as regular expressions of the above
• Operated (same as for a local Argus instance):
  – from the CLI
      pap-admin ban-user <DN>
      pap-admin ban-fqan <fqan>
  – import / export of files in a simplified notation
Operational Policy
• Each site manages its own access policies
  – Local site autonomy
• OSCT operates a central banning service (CBS)
  – Sites SHOULD deploy CBS
  – Sites SHOULD give CBS priority over local policies
  – Sites SHOULD configure CBS so any ban/restore action is active in under 6 hours
    – Time period still under discussion
• Grid Security Operations MUST inform the VO manager whenever user/group access is changed (ban & restore)
• SHOULD = obligation with escape clause
  – Inform Grid Security Office.
• Currently proposed by JSPG
  – Discussions continuing.
Policy for Global Banning (full text)
• Each site manages its own local access policies to its resources. In addition, Grid security operations SHOULD operate a central banning service. Whenever Grid security operations bans a user or group of users, or restores their access, they MUST inform the appropriate VO Manager.
• Sites SHOULD deploy this central banning service and give it priority over local policies.
• The site implementation of the central banning service SHOULD be configured such that any ban or restore action made by Grid security operations is active at the site without a delay of more than 6 hours.
Outline
• Introduction
• Short Description of the Service
• Deployment Proposal
• Global Banning
• Summary
Summary
• Gradual deployment in six self-contained steps
• Simple CLI for
  – banning/unbanning users
  – adding/removing policies
  – evaluating requests for debugging
• OSCT global banning list
• Feedback and volunteers from sites / OSCT for trying the service out are highly welcome
Further Information
• About the service:
  – authZ service design document: https://edms.cern.ch/document/944192/1
  – Deployment plan: https://edms.cern.ch/document/984088/1
• General EGEE grid security:
  – Authorization study: https://edms.cern.ch/document/887174/1
  – gLite security architecture: https://edms.cern.ch/document/935451/2
• Other:
  – Wiki (under development): https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework