Argus PEP Client API (Java)

EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

ArgusPEP Client API (Java)

Valery Tschopp (SWITCH)[email protected]

EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

• Argus–Argus Services (PAP, …)–Authorization Policies

• Argus PEP Client API–XACML Object Model–Authorization Decision–Simple Java Example Demo

Outline

229/03/2012 Argus PEP Client API, EGI Community Forum 2012, München

EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

• A generic authorization system– Built on top of a XACML policy engine– Renders consistent authorization decisions

based on XACML policies

Argus


EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

• Argus PAP: Policy Administration Point– Provides administrators with the tools to

author policies (pap-admin)– Stores and manages authored XACML

policies – Provides managed authorization policies to

other authorization service components (other PAPs or PDP)

Argus Components


EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

• Argus PDP: Policy Decision Point– Policy evaluation engine– Receives authorization requests from the PEP– Evaluates the authorization requests against

the XACML policies retrieved from the PAP– Renders the authorization decision

Argus Components (cont.)


EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

• Argus PEP: Policy Execution Point– Client/Server architecture– Lightweight PEP client libraries (C and Java)– PEP Server receives the authorization requests

from the PEP clients• Transforms lightweight internal request into XACML• Applies a configurable set of filters (PIPs) to the

incoming requests• Asks the PDP to render an authorization decision• If requested by the policy, applies the obligation

handler (OH) to determine the user mapping

Argus Components (cont.)


EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

Argus is designed to answer the question:

Can user X perform action Y on resource Z ?

•Argus policies contain rules that state which actions can be performed on which resources by which users.•Argus uses XACML v.2 as the policy language.–However, XACML is hard to read and write, so we developed a Simplified Policy Language (SPL)

Authorization Policies


EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

• Can user X…– execute on this worker node (WN) ?– submit a job to this CREAM CE ?– access this storage area ?– submit a job to this WMS instance ?

• User X is banned !– Is not allowed to do anything on any

resource!

Authorization Examples


EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

The Argus PAP is loaded with the following SPL authorization policies:

Policies for the Demo


# glite Example (Decision, and user mapping)resource "test-glite" { obligation "http://glite.org/xacml/obligation/local-environment-map" {} action "test" { rule permit { vo=“dteam" } }}# EMI Example (Decision only, NO USER MAPPPING)resource "test-emi" { action "test" { rule permit { subject="CN=Valery Tschopp,O=SWITCH,C=ch" } }}

# glite Example (Decision, and user mapping)resource "test-glite" { obligation "http://glite.org/xacml/obligation/local-environment-map" {} action "test" { rule permit { vo=“dteam" } }}# EMI Example (Decision only, NO USER MAPPPING)resource "test-emi" { action "test" { rule permit { subject="CN=Valery Tschopp,O=SWITCH,C=ch" } }}

EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

Argus PEP Client

29/03/2012 Argus PEP Client API, EGI Community Forum 2012, München 10

• Argus PEP Client API– Communicate with the Argus PEP Server– HTTPS connection with client authentication– XACML handled as an object model– Create authorization request and submit it– Parse the authorization response– Enforce the decision locally

EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

• XACML Object Model

Argus PEP Client API


EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

• XACML Profiles– Define the XACML attribute identifiers,

datatypes, and their semantic– gLite XACML Profile for CE

https://edms.cern.ch/document/1078881– gLite XACML Profile for WN

https://edms.cern.ch/document/1058175– EMI Common XACML Authorization Profile

https://twiki.cern.ch/twiki/bin/view/EMI/CommonXACMLProfileV1_1

Argus PEP Client API (cont.)


EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

• If the decision is Permit, then the PEP client SHALL permit access. If obligations accompany the decision, then the PEP client SHALL permit access only if it understands and it can and will enforce those obligations.

• If the decision is Deny, then the PEP client SHALL deny access. • If the decision is NotApplicable, meaning that no policy apply,

then the PEP client SHALL deny access. • If the decision is Inderterminate, then the PEP client SHALL

deny access. The decision status message and status code should be used to produce an error message.

Authorization Decision Processing


EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

Demo Time ^_^

Simple Argus Java PEP Client


EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

• General documentation https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework

• PAP admin Tool https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI

• Argus Policy Management Tutorialhttp://bit.ly/argus-policies

• Argus PEP client API for Javahttps://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPEPJavaAPI

Documentation


EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

• The documentation is your friend ;-)

• Support mailing list (e-group):[email protected]

• GGUS Tickets (ARGUS Support Unit)https://ggus.eu

Support


EMI I

NFS

O-R

I-261

611

EMI I

NFS

O-R

I-261

611

Thank you

EMI is partially funded by the European Commission under Grant Agreement INFSO-RI-261611


Argus PEP Client API (Java)

Documents

Transcript of Argus PEP Client API (Java)