EMI INFSO-RI-261611

Argus Policies in Action
Valery Tschopp (SWITCH), on behalf of the Argus PT

What is authorization?
20/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

Can user X perform action Y on resource Z?

Authorization Examples
• Can user X...
  – execute on this worker node (WN)?
  – submit a job to this CREAM CE?
  – access this storage area?
  – submit a job to this WMS instance?
• User X is banned!
  – User X is not allowed to do anything on any resource!

Motivations for Argus
• Each Grid service has its own authorization mechanism
  – Administrators need to know them all
  – Authorization rules at a site become difficult to understand and manage
• No global banning mechanism
  – An urgent ban of a malicious user cannot be enforced easily and in a timely way across distributed sites
• Authorization policies are static
  – Hard to change policies without reconfiguring services
• Monitoring authorization decisions is hard

Argus
• A generic authorization system
  – Built on top of an XACML policy engine
  – Renders consistent authorization decisions based on XACML policies

Argus Components
• Argus PAP: Policy Administration Point
  – Provides administrators with the tools to author policies (pap-admin)
  – Stores and manages the authored XACML policies
  – Provides the managed authorization policies to other authorization service components (other PAPs or the PDP)

Argus Components (cont.)
• Argus PDP: Policy Decision Point
  – Policy evaluation engine
  – Receives authorization requests from the PEP
  – Evaluates the authorization requests against the XACML policies retrieved from the PAP
  – Renders the authorization decision

Argus Components (cont.)
• Argus PEP: Policy Enforcement Point
  – Client/server architecture
  – Lightweight PEP client libraries (C and Java)
  – The PEP Server receives the authorization requests from the PEP clients
    • Transforms the lightweight internal request into XACML
    • Applies a configurable set of filters (PIPs, Policy Information Points) to the incoming request
    • Asks the PDP to render an authorization decision
    • If requested by the policy, applies the obligation handlers (OHs) to determine the user mapping

Argus Service Deployment

Argus Authorization Policies
Argus is designed to answer the question:
Can user X perform action Y on resource Z?
• Argus policies contain rules that state which actions can be performed on which resources by which users.
• Argus uses XACML v2 as the policy language.
  – However, XACML is hard to read and write, so we developed a Simplified Policy Language (SPL).

Use Case: User Banning
User X should not be allowed to do anything on any resource!

Use Case: User Banning (XACML)
• XACML policies, anyone?

<xacml:PolicySet xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" PolicySetId="9784d9ce-16a9-41b9-9d26-b81a97f93616" Version="1">
  <xacml:Target>
    <xacml:Resources>
      <xacml:Resource>
        <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</xacml:AttributeValue>
          <xacml:ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml:ResourceMatch>
      </xacml:Resource>
    </xacml:Resources>
  </xacml:Target>
  <xacml:PolicyIdReference>public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1</xacml:PolicyIdReference>
</xacml:PolicySet>

<xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1">
  <xacml:Target>
    <xacml:Actions>
      <xacml:Action>
        <xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</xacml:AttributeValue>
          <xacml:ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml:ActionMatch>
      </xacml:Action>
    </xacml:Actions>
  </xacml:Target>
  <xacml:Rule Effect="Deny" RuleId="43c15124-6635-47ee-b13c-53f672d0de77">
  ...

Use Case: User Banning (SPL)
• The same ban expressed in the Simplified Policy Language:

resource ".*" {
    action ".*" {
        rule deny {
            subject="CN=Valery Tschopp,O=SWITCH,C=CH"
        }
    }
}

SPL: Identifying Actions and Resources
• Actions and resources are identified by unique IDs ("names") that are assigned to them
  – Typically URIs, but any string will work
• Resource ID example: http://cnaf.infn.it/resource/cream-ce-1
• Action ID example: http://cnaf.infn.it/action/submit-job

SPL: Identifying Subjects
A subject in a policy can be identified via the following attributes:

  subject   the X.509 certificate DN               subject="CN=Valery Tschopp,O=SWITCH,C=CH"
  ca        the CA certificate DN                  ca="CN=INFN CA,O=INFN,C=IT"
  vo        the name of the Virtual Organization   vo="cms"
  fqan      a VOMS fully qualified attribute name  fqan="/atlas/analysis"
  pfqan     the VOMS primary FQAN                  pfqan="/atlas/Role=pilot"

SPL Syntax
• AND logic for the attributes inside a rule block: every listed attribute must match
• Policy order matters!
  – First-match algorithm: the first rule whose attributes all match decides, and later rules are not consulted

resource <value> {
    action <value> {
        rule (permit|deny) {
            <subject_attribute> = <attribute_value>
            ...
        }
        ...
    }
}
...

SPL Examples
We have two CEs at our site, ce_1 and ce_2. We want to authorize Valery to contact one, but not the other.

resource "ce_1" {
    action ".*" {
        rule permit {
            subject = "CN=Valery Tschopp, O=SWITCH, C=CH"
        }
    }
}
resource "ce_2" {
    action ".*" {
        rule deny {
            subject = "CN=Valery Tschopp, O=SWITCH, C=CH"
        }
    }
}

SPL Examples (cont.)
We have to ban all users who are members of the VO 'dteam' from ce_1, except those whose certificate is signed by the INFN CA.

resource "ce_1" {
    action ".*" {
        rule permit {
            vo = "dteam"
            ca = "CN=INFN CA,O=INFN,C=IT"
        }
        rule deny {
            vo = "dteam"
        }
    }
}

The permit rule must come before the deny rule: with first-match evaluation, a dteam user holding an INFN CA certificate matches the permit first. With the rules swapped, the broad deny would match every dteam member and the exception would never be reached.
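The SPL policies on the preceding slides (the ban, the ce_1/ce_2 pair, the dteam rule with its INFN CA exception) and the first-match semantics of the SPL Syntax slide can be checked mechanically. What follows is an added example, not Argus project code: a small Python parser and first-match evaluator for the subset of SPL shown on the slides. It assumes that resource and action values are anchored regular expressions and that DNs compare as exact strings (the real Argus PDP evaluates the XACML that pap-admin generates from the SPL); the request subjects and the "Example CA" DN are constructed for the demonstration.

```python
"""Parser and first-match evaluator for Argus Simplified Policy Language (SPL) policies.
Added example, not Argus project code: it models only the subset shown on the slides
(resource/action/rule blocks, subject attributes, AND inside a rule, first match across
rules). Assumptions: resource/action values are anchored regexps; DNs compare as exact strings."""
import re
from dataclasses import dataclass, field

SUBJECT_ATTRS = {"subject", "ca", "vo", "fqan", "pfqan"}
_TOKEN = re.compile(r'"([^"]*)"|(\w+)|([{}=])')
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})  # the slides use curly quotes

@dataclass
class Rule:
    effect: str                                # "permit" or "deny"
    attrs: dict = field(default_factory=dict)  # every attribute must match (AND)

@dataclass
class Policy:
    resource: str                              # regexp over the resource-id
    action: str                                # regexp over the action-id
    rules: list = field(default_factory=list)  # evaluated in written order

def tokenize(text):
    """Yield quoted strings (without quotes), bare words and the punctuation { } =."""
    for m in _TOKEN.finditer(text.translate(_QUOTES)):
        yield m.group(1) if m.group(1) is not None else (m.group(2) or m.group(3))

def parse(text):
    """Flatten nested resource { action { rule { ... } } } blocks into an ordered Policy list."""
    toks, pos, policies = list(tokenize(text)), 0, []

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        pos += 1
        return tok

    while peek() is not None:
        take("resource"); resource = take(); take("{")
        while peek() == "action":
            take(); policy = Policy(resource, take()); take("{")
            while peek() == "rule":
                take(); rule = Rule(take()); take("{")
                if rule.effect not in ("permit", "deny"):
                    raise SyntaxError(f"unknown rule effect {rule.effect!r}")
                while peek() != "}":
                    name = take()
                    if name not in SUBJECT_ATTRS:
                        raise SyntaxError(f"unknown subject attribute {name!r}")
                    take("="); rule.attrs[name] = take()
                take("}"); policy.rules.append(rule)
            take("}"); policies.append(policy)
        take("}")
    return policies

def _attr_matches(have, want):
    # fqan is multi-valued for a user holding several VOMS groups/roles; the others are scalars
    if have is None:
        return False
    return want in have if isinstance(have, (list, tuple, set)) else have == want

def evaluate(policies, resource_id, action_id, subject):
    """Return "Permit", "Deny" or "NotApplicable"; the first rule whose attributes all match wins."""
    for pol in policies:
        if not (re.fullmatch(pol.resource, resource_id) and re.fullmatch(pol.action, action_id)):
            continue
        for rule in pol.rules:
            if all(_attr_matches(subject.get(k), v) for k, v in rule.attrs.items()):
                return rule.effect.capitalize()
    return "NotApplicable"

# The policies from the slides: the ban, the ce_1/ce_2 pair and the dteam rule with its INFN CA exception.
BAN_SPL = 'resource ".*" { action ".*" { rule deny { subject="CN=Valery Tschopp,O=SWITCH,C=CH" } } }'
CE_SPL = '''
resource "ce_1" { action ".*" { rule permit { subject = "CN=Valery Tschopp, O=SWITCH, C=CH" } } }
resource "ce_2" { action ".*" { rule deny   { subject = "CN=Valery Tschopp, O=SWITCH, C=CH" } } }'''
DTEAM_SPL = '''
resource "ce_1" { action ".*" {
    rule permit { vo = "dteam" ca = "CN=INFN CA,O=INFN,C=IT" }
    rule deny   { vo = "dteam" } } }'''
# The same two rules in the wrong order: the broad deny now shadows the INFN CA exception.
DTEAM_WRONG_ORDER = '''
resource "ce_1" { action ".*" {
    rule deny   { vo = "dteam" }
    rule permit { vo = "dteam" ca = "CN=INFN CA,O=INFN,C=IT" } } }'''

# Constructed request subjects (the "Example CA" DN is made up for the demonstration).
VALERY = {"subject": "CN=Valery Tschopp, O=SWITCH, C=CH"}
DTEAM_INFN = {"vo": "dteam", "ca": "CN=INFN CA,O=INFN,C=IT"}
DTEAM_OTHER = {"vo": "dteam", "ca": "CN=Example CA,O=Example,C=XX"}

if __name__ == "__main__":
    for name, spl in (("dteam", DTEAM_SPL), ("dteam wrong order", DTEAM_WRONG_ORDER)):
        print(name, evaluate(parse(spl), "ce_1", "submit-job", DTEAM_INFN))  # Permit, then Deny
```

Running the module prints Permit for the slide's ordering and Deny for the swapped one, which is the ordering trap the SPL Syntax slide warns about. Feeding a site's SPL file through parse() before importing it with pap-admin is a cheap way to check that a narrow permit is not shadowed by a broader deny written above it.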

The pap-admin Tool
• List the currently active policies:
  pap-admin list-policies
• Import policies from an SPL file:
  pap-admin add-policy-from-file cms_policies.spl.txt
• Ban/unban users:
  pap-admin ban subject "CN=John Doe,O=ACME,C=org"
  pap-admin unban vo "atlas"
• Add a generic permit policy:
  pap-admin add-policy --resource "http://grid.switch.ch/ce_1" --action ".*" permit fqan="/atlas/production"

Hierarchical Policy Distribution

Pilot Jobs Authorization
• The pilot is authorized on the CE
• The payload is downloaded on the WN
• gLExec runs it under the end-user identity

So, Why Does Argus Simplify My Life?
• A single authorization point for many Grid services
• A simple, flexible and powerful language to express authorization policies
• A simple tool to manage complex policies
• A policy distribution mechanism that allows importing policies from remote sites while keeping full authorization control over local resources (global banning)

Argus Releases
• Argus 1.3.1
  – Compatible with the gLite 3.2 Argus PEP client libraries (C and Java)
  – Support for the LFC/DPM banning engine
  – Bug fixes
• Already released in EMI-1 and in UMD
• Argus 1.4 coming soon (3rd week of September)
  – Only optimizations (log files, memory, ...)

Documentation
• General documentation: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
• Service Reference Card: https://twiki.cern.ch/twiki/bin/view/EMI/ArgusSRC
• PAP admin tool: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI
• Simplified Policy Language: https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage

Support
• GGUS tickets (ARGUS Support Unit): https://ggus.eu
• Support mailing list (e-group): [email protected]

Thank you
EMI is partially funded by the European Commission under Grant Agreement INFSO-RI-261611