Argus: command line usage and banning


Transcript of Argus: command line usage and banning

Page 1: Argus: command line usage and banning

EGEE-II INFSO-RI-031688
Enabling Grids for E-sciencE
www.eu-egee.org
EGEE and gLite are registered trademarks

Argus: command line usage and banning
Christoph Witzig, SWITCH ([email protected])

Page 2: Argus: command line usage and banning

OSCT/MWSG meeting, EGEE09, Sept 22, 2009 2

Enabling Grids for E-sciencE

EGEE-II INFSO-RI-031688

Outline

• Introduction

• Command line interface

• Global Banning

• Summary

Page 3: Argus: command line usage and banning

Introduction

• Institutions involved: CNAF, HIP, NIKHEF, SWITCH

• Argus = Attribute-based Authorization service
  – Attributes = DN, CA, FQAN, …
  – Internal engine that determines whether a request containing a set of attributes shall be authorized or not

• Decisions are taken for a given resource and a given action:
  – E.g. a WN has a resource id and the action may be “execute_pilot”
  – Policies are formulated for:
    – an individual resource and action
    – groups of resources and groups of actions
    – all resources and all actions

• Default deployment: all components on a single host

• Note abbreviation: authZ = authorization

Page 4: Argus: command line usage and banning

On the CE

Page 5: Argus: command line usage and banning

Proposed Deployment Plan

(Diagram: deployment during EGEE-III; adoption during EGEE-III)

Page 6: Argus: command line usage and banning

Outline

• Introduction

• Command line interface

• Global Banning

• Summary

Page 7: Argus: command line usage and banning

Argus CLI

• Argus is operated from the command line

• Policies are either:
  – added/removed from the command line
  – imported/exported as a file in the simplified policy language (optional!); see A. Ceccanti’s talk in the MWSG

• Banning and unbanning users

• Evaluating authZ decisions

Page 8: Argus: command line usage and banning

Banning Users

• To ban a user on the entire site:
    pap-admin ban subject <dn>
    pap-admin ban fqan <fqan>

• To un-ban a user on the entire site:
    pap-admin un-ban subject <dn>
    pap-admin un-ban fqan <fqan>

• To ban a user on a specific resource:
    pap-admin ban -r resource_id subject <dn>

Page 9: Argus: command line usage and banning

Evaluating authZ Decisions

• pepcli -p https://ares.switch.ch:8154/authz -c /tmp/x509up_u964 -r res_nok -a my_action
    Decision: Deny

• pepcli -p https://ares.switch.ch:8154/authz -c /tmp/x509up_u964 -r res_ok -a my_action
    Decision: Permit
    Username=testb001
    UID=5100
    GID=5100

• pepcli -p https://ares.switch.ch:8154/authz -s <dn> -f /switch -f /switch/test -r test -a test
    Decision: Permit
    Username=testb002
    UID=5101
    GID=5100
    Secondary GIDs=5300
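Added example, not part of the slides: a small POSIX shell helper that parses the pepcli output shown on the banning and evaluation slides and uses it to confirm that a pap-admin ban really took effect at the PEP. pepcli, pap-admin and the Username=/UID=/GID= field names come from the slides; the endpoint, resource, action and DN values are placeholders, and the assumption that pepcli prints each field on its own line is mine.

```shell
#!/bin/sh
# Added example, not part of the slides: parse the pepcli output shown above and
# use it to confirm that a site-wide ban really took effect. Assumes pepcli and
# pap-admin are on PATH; endpoint, resource and action values are placeholders.

# Print the decision (Permit, Deny, ...) from pepcli output read on stdin.
pepcli_decision() {
    sed -n 's/^Decision: *//p' | head -n 1
}

# Print the POSIX mapping as "username:uid:gid:secondary_gids", taken from the
# Username= / UID= / GID= / Secondary GIDs= lines pepcli prints on Permit.
pepcli_mapping() {
    awk -F= '
        /^Username=/       { u = $2 }
        /^UID=/            { i = $2 }
        /^GID=/            { g = $2 }
        /^Secondary GIDs=/ { s = $2 }
        END { printf "%s:%s:%s:%s", u, i, g, s }'
}

# Ask the PEP for a decision on (dn, endpoint, resource, action), like the
# "pepcli -s <dn>" form on the slide but without FQANs.
pep_query() {
    pepcli -p "$2" -s "$1" -r "$3" -a "$4" | pepcli_decision
}

# Ban a DN site-wide and re-evaluate. Exit status: 0 = ban confirmed (Deny),
# 1 = still not Deny, 2 = pap-admin failed, 3 = inconclusive because the
# subject was not Permitted before the ban (a Deny would then prove nothing).
ban_and_verify() {
    dn="$1"; pep="$2"; res="$3"; act="$4"
    [ "$(pep_query "$dn" "$pep" "$res" "$act")" = "Permit" ] || return 3
    pap-admin ban subject "$dn" || return 2
    [ "$(pep_query "$dn" "$pep" "$res" "$act")" = "Deny" ]
}

# Placeholder invocation (hypothetical DN and endpoint):
# ban_and_verify '/DC=org/DC=example/CN=test user' \
#     https://pep.example.org:8154/authz res_ok my_action
```

The pre-ban Permit check matters: a resource with no matching policy already answers Deny, so a Deny after the ban would not by itself show that the ban is what is being enforced.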

Page 10: Argus: command line usage and banning

Outline

• Introduction

• Command line interface

• Global Banning

• Summary

Page 11: Argus: command line usage and banning

Grid-wide Banning by OSCT

• OSCT offers a centralized banning list to the sites

• Allows banning for:
  – DN (with or without SN)
  – CA
  – VO
  – FQAN
  – as well as regular expressions of the above

• Operated (same as for a local Argus instance):
  – from the CLI:
      pap-admin ban-user <DN>
      pap-admin ban-fqan <fqan>
  – import / export of files in a simplified notation

Page 12: Argus: command line usage and banning

Operational Policy

• Each site manages its own access policies
  – local site autonomy

• OSCT operates a central banning service (CBS)
  – sites SHOULD deploy CBS
  – sites SHOULD give CBS priority over local policies
  – sites SHOULD configure CBS so that any ban/restore action is active in under 6 hours
    – time period still under discussion

• Grid Security Operations MUST inform the VO manager whenever user/group access is changed (ban & restore)

• SHOULD = obligation with escape clause
  – inform the Grid Security Office

• Currently proposed by JSPG
  – discussions continuing

Page 13: Argus: command line usage and banning

Policy for Global Banning (full text)

• Each site manages its own local access policies to its resources. In addition, Grid security operations SHOULD operate a central banning service. Whenever Grid security operations bans a user or group of users, or restores their access, they MUST inform the appropriate VO Manager.

• Sites SHOULD deploy this central banning service and give it priority over local policies.

• The site implementation of the central banning service SHOULD be configured such that any ban or restore action made by Grid security operations is active at the site without a delay of more than 6 hours.

Page 14: Argus: command line usage and banning

Outline

• Introduction

• Short Description of the Service

• Deployment Proposal

• Global Banning

• Summary

Page 15: Argus: command line usage and banning

Summary

• Gradual deployment in six self-contained steps

• Simple CLI for:
  – banning/unbanning users
  – adding/removing policies
  – evaluating requests for debugging

• OSCT global banning list

• Feedback and volunteers from sites / OSCT to try the service out are highly welcome

Page 16: Argus: command line usage and banning

Further Information

• About the service:
  – authZ service design document: https://edms.cern.ch/document/944192/1
  – Deployment plan: https://edms.cern.ch/document/984088/1

• General EGEE grid security:
  – Authorization study: https://edms.cern.ch/document/887174/1
  – gLite security architecture: https://edms.cern.ch/document/935451/2

• Other:
  – Wiki (under development): https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework