Argus PEP Client API (Java)
description
Transcript of Argus PEP Client API (Java)
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
ArgusPEP Client API (Java)
Valery Tschopp (SWITCH)[email protected]
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
• Argus–Argus Services (PAP, …)–Authorization Policies
• Argus PEP Client API–XACML Object Model–Authorization Decision–Simple Java Example Demo
Outline
229/03/2012 Argus PEP Client API, EGI Community Forum 2012, München
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
• A generic authorization system– Built on top of a XACML policy engine– Renders consistent authorization decisions
based on XACML policies
Argus
329/03/2012 Argus PEP Client API, EGI Community Forum 2012, München
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
• Argus PAP: Policy Administration Point– Provides administrators with the tools to
author policies (pap-admin)– Stores and manages authored XACML
policies – Provides managed authorization policies to
other authorization service components (other PAPs or PDP)
Argus Components
429/03/2012 Argus PEP Client API, EGI Community Forum 2012, München
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
• Argus PDP: Policy Decision Point– Policy evaluation engine– Receives authorization requests from the PEP– Evaluates the authorization requests against
the XACML policies retrieved from the PAP– Renders the authorization decision
Argus Components (cont.)
529/03/2012 Argus PEP Client API, EGI Community Forum 2012, München
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
• Argus PEP: Policy Execution Point– Client/Server architecture– Lightweight PEP client libraries (C and Java)– PEP Server receives the authorization requests
from the PEP clients• Transforms lightweight internal request into XACML• Applies a configurable set of filters (PIPs) to the
incoming requests• Asks the PDP to render an authorization decision• If requested by the policy, applies the obligation
handler (OH) to determine the user mapping
Argus Components (cont.)
629/03/2012 Argus PEP Client API, EGI Community Forum 2012, München
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
Argus is designed to answer the question:
Can user X perform action Y on resource Z ?
•Argus policies contain rules that state which actions can be performed on which resources by which users.•Argus uses XACML v.2 as the policy language.–However, XACML is hard to read and write, so we developed a Simplified Policy Language (SPL)
Authorization Policies
729/03/2012 Argus PEP Client API, EGI Community Forum 2012, München
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
• Can user X…– execute on this worker node (WN) ?– submit a job to this CREAM CE ?– access this storage area ?– submit a job to this WMS instance ?
• User X is banned !– Is not allowed to do anything on any
resource!
Authorization Examples
829/03/2012 Argus PEP Client API, EGI Community Forum 2012, München
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
The Argus PAP is loaded with the following SPL authorization policies:
Policies for the Demo
929/03/2012 Argus PEP Client API, EGI Community Forum 2012, München
# glite Example (Decision, and user mapping)resource "test-glite" { obligation "http://glite.org/xacml/obligation/local-environment-map" {} action "test" { rule permit { vo=“dteam" } }}# EMI Example (Decision only, NO USER MAPPPING)resource "test-emi" { action "test" { rule permit { subject="CN=Valery Tschopp,O=SWITCH,C=ch" } }}
# glite Example (Decision, and user mapping)resource "test-glite" { obligation "http://glite.org/xacml/obligation/local-environment-map" {} action "test" { rule permit { vo=“dteam" } }}# EMI Example (Decision only, NO USER MAPPPING)resource "test-emi" { action "test" { rule permit { subject="CN=Valery Tschopp,O=SWITCH,C=ch" } }}
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
Argus PEP Client
29/03/2012 Argus PEP Client API, EGI Community Forum 2012, München 10
• Argus PEP Client API– Communicate with the Argus PEP Server– HTTPS connection with client authentication– XACML handled as an object model– Create authorization request and submit it– Parse the authorization response– Enforce the decision locally
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
• XACML Object Model
Argus PEP Client API
29/03/2012 Argus PEP Client API, EGI Community Forum 2012, München 11
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
• XACML Profiles– Define the XACML attribute identifiers,
datatypes, and their semantic– gLite XACML Profile for CE
https://edms.cern.ch/document/1078881– gLite XACML Profile for WN
https://edms.cern.ch/document/1058175– EMI Common XACML Authorization Profile
https://twiki.cern.ch/twiki/bin/view/EMI/CommonXACMLProfileV1_1
Argus PEP Client API (cont.)
29/03/2012 Argus PEP Client API, EGI Community Forum 2012, München 12
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
• If the decision is Permit, then the PEP client SHALL permit access. If obligations accompany the decision, then the PEP client SHALL permit access only if it understands and it can and will enforce those obligations.
• If the decision is Deny, then the PEP client SHALL deny access. • If the decision is NotApplicable, meaning that no policy apply,
then the PEP client SHALL deny access. • If the decision is Inderterminate, then the PEP client SHALL
deny access. The decision status message and status code should be used to produce an error message.
Authorization Decision Processing
29/03/2012 Argus PEP Client API, EGI Community Forum 2012, München 13
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
Demo Time ^_^
Simple Argus Java PEP Client
29/03/2012 Argus PEP Client API, EGI Community Forum 2012, München 14
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
• General documentation https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
• PAP admin Tool https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI
• Argus Policy Management Tutorialhttp://bit.ly/argus-policies
• Argus PEP client API for Javahttps://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPEPJavaAPI
Documentation
1529/03/2012 Argus PEP Client API, EGI Community Forum 2012, München
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
• The documentation is your friend ;-)
• Support mailing list (e-group):[email protected]
• GGUS Tickets (ARGUS Support Unit)https://ggus.eu
Support
1629/03/2012 Argus PEP Client API, EGI Community Forum 2012, München
EMI I
NFS
O-R
I-261
611
EMI I
NFS
O-R
I-261
611
Thank you
EMI is partially funded by the European Commission under Grant Agreement INFSO-RI-261611
1729/03/2012 Argus PEP Client API, EGI Community Forum 2012, München