EMI INFSO-RI-261611 Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.



What is authorization?

20/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon


Can user X perform action Y on resource Z?


Authorization Examples

• Can user X…
  – execute on this worker node (WN)?
  – submit a job to this CREAM CE?
  – access this storage area?
  – submit a job to this WMS instance?
• User X is banned!
  – Is not allowed to do anything on any resource!


Motivations for Argus

• Each Grid service has its own authorization mechanism
  – Administrators need to know them all
  – Authorization rules at a site become difficult to understand and manage
• No global banning mechanism
  – Urgent ban of malicious users cannot be easily and timely enforced on distributed sites
• Authorization policies are static
  – Hard to change policies without reconfiguring services
• Monitoring authorization decisions is hard


Argus

• A generic authorization system
  – Built on top of a XACML policy engine
  – Renders consistent authorization decisions based on XACML policies


Argus Components

• Argus PAP: Policy Administration Point
  – Provides administrators with the tools to author policies (pap-admin)
  – Stores and manages authored XACML policies
  – Provides managed authorization policies to other authorization service components (other PAPs or PDP)


Argus Components (cont.)

• Argus PDP: Policy Decision Point
  – Policy evaluation engine
  – Receives authorization requests from the PEP
  – Evaluates the authorization requests against the XACML policies retrieved from the PAP
  – Renders the authorization decision


Argus Components (cont.)

• Argus PEP: Policy Execution Point
  – Client/Server architecture
  – Lightweight PEP client libraries (C and Java)
  – PEP Server receives the authorization requests from the PEP clients
    • Transforms the lightweight internal request into XACML
    • Applies a configurable set of filters (PIPs) to the incoming requests
    • Asks the PDP to render an authorization decision
    • If requested by the policy, applies the obligation handler (OH) to determine the user mapping


Argus Service Deployment (diagram slide)


Argus Authorization Policies

Argus is designed to answer the question:

Can user X perform action Y on resource Z?

• Argus policies contain rules that state which actions can be performed on which resources by which users.
• Argus uses XACML v.2 as the policy language.
  – However, XACML is hard to read and write, so we developed a Simplified Policy Language (SPL)


Use Case: User Banning

User X should not be allowed to do anything on any resource!


Use Case: User Banning (XACML)

• XACML policies anyone …?

<xacml:PolicySet xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" PolicySetId="9784d9ce-16a9-41b9-9d26-b81a97f93616" Version="1">
  <xacml:Target>
    <xacml:Resources>
      <xacml:Resource>
        <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</xacml:AttributeValue>
          <xacml:ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml:ResourceMatch>
      </xacml:Resource>
    </xacml:Resources>
  </xacml:Target>
  <xacml:PolicyIdReference>public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1</xacml:PolicyIdReference>
</xacml:PolicySet>

<xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1">
  <xacml:Target>
    <xacml:Actions>
      <xacml:Action>
        <xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</xacml:AttributeValue>
          <xacml:ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml:ActionMatch>
      </xacml:Action>
    </xacml:Actions>
  </xacml:Target>
  <xacml:Rule Effect="Deny" RuleId="43c15124-6635-47ee-b13c-53f672d0de77">
  ...


Use Case: User Banning (SPL)

• The Simplified Policy Language

resource ".*" {
    action ".*" {
        rule deny {
            subject="CN=Valery Tschopp,O=SWITCH,C=CH"
        }
    }
}


SPL: Identifying Actions and Resources

• Actions and Resources are identified by unique IDs or "names" that are assigned to them
  – Typically URIs, but any string will work
• Resource ID example: http://cnaf.infn.it/resource/cream-ce-1
• Action ID example: http://cnaf.infn.it/action/submit-job


SPL: Identifying Subjects

The subject in a policy can be identified via the following attributes:

subject   the X.509 certificate DN                 subject="CN=Valery Tschopp,O=SWITCH,C=CH"
ca        the CA certificate DN                    ca="CN=INFN CA,O=INFN,C=IT"
vo        the name of the Virtual Organization     vo="cms"
fqan      a VOMS fully qualified attribute name    fqan="/atlas/analysis"
pfqan     the VOMS primary FQAN                    pfqan="/atlas/Role=pilot"


SPL Syntax

• AND logic for attributes inside a block
• Policy order matters!
  – First match algorithm

resource <value> {
    action <value> {
        rule (permit|deny) {
            <subject_attribute> = <attribute_value>
            ...
        }
        ...
    }
}
...


SPL Examples

We have two CEs at our site, ce_1 and ce_2. We want to authorize Valery to contact one, but not the other.

resource "ce_1" {
    action ".*" {
        rule permit {
            subject = "CN=Valery Tschopp, O=SWITCH, C=CH"
        }
    }
}
resource "ce_2" {
    action ".*" {
        rule deny {
            subject = "CN=Valery Tschopp, O=SWITCH, C=CH"
        }
    }
}


SPL Examples (cont.)

We have to ban all users who are members of VO 'dteam' from ce_1, but not those whose certificate is signed by the INFN CA. The permit rule must come first: with first-match evaluation, a deny on vo="dteam" placed before it would also catch the INFN users.

resource "ce_1" {
    action ".*" {
        rule permit {
            vo = "dteam"
            ca = "CN=INFN CA,O=INFN,C=IT"
        }
        rule deny {
            vo = "dteam"
        }
    }
}
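As an added illustration (my own code, not part of Argus or these slides) of the SPL semantics on the last three slides, a small Python model of the resource/action/rule grammar, the AND of attributes inside a rule block and the first-match order, run over a constructed policy that combines the dteam/INFN CA rules above with the ce_2 deny from the previous slide; the tokenizer, parse_spl and decide are assumptions of this example, and "not-applicable" stands in for the XACML NotApplicable result.

```python
import re

# Added example, not Argus code: a toy evaluator for the SPL subset on these
# slides, modelling two rules of the syntax: attributes inside a rule block are
# ANDed, and the first matching rule (in file order) decides. Argus itself
# compiles SPL to XACML and lets the PDP evaluate it; this only models that.

TOKEN = re.compile(r'"[^"]*"|[{}=]|[^\s{}="]+')

def parse_spl(text):
    """Return [(resource_regex, action_regex, [(effect, attrs), ...]), ...] in file order."""
    toks, i, policies = TOKEN.findall(text), 0, []
    while i < len(toks):
        res = toks[i + 1].strip('"')                  # resource "<value>" {
        i += 3
        while toks[i] == "action":
            act, rules = toks[i + 1].strip('"'), []   # action "<value>" {
            i += 3
            while toks[i] == "rule":
                effect, attrs = toks[i + 1], {}       # rule permit|deny {
                i += 3
                while toks[i] != "}":                 # <attr> = "<value>"
                    attrs[toks[i]] = toks[i + 2].strip('"')
                    i += 3
                rules.append((effect, attrs))
                i += 1                                # } closes the rule
            policies.append((res, act, rules))
            i += 1                                    # } closes the action
        i += 1                                        # } closes the resource
    return policies

def decide(policies, resource, action, subject):
    """First applicable rule wins; the PEP treats anything but 'permit' as a refusal."""
    for res_re, act_re, rules in policies:
        if re.fullmatch(res_re, resource) and re.fullmatch(act_re, action):
            for effect, attrs in rules:
                if all(subject.get(k) == v for k, v in attrs.items()):   # AND logic
                    return effect
    return "not-applicable"

# Constructed policy: slide 19 (dteam banned from ce_1 unless the certificate
# is signed by the INFN CA) plus the ce_2 deny from slide 18.
SITE_POLICY = """
resource "ce_1" { action ".*" {
    rule permit { vo = "dteam" ca = "CN=INFN CA,O=INFN,C=IT" }
    rule deny { vo = "dteam" } } }
resource "ce_2" { action ".*" {
    rule deny { subject = "CN=Valery Tschopp, O=SWITCH, C=CH" } } }
"""
INFN_USER = {"vo": "dteam", "ca": "CN=INFN CA,O=INFN,C=IT"}   # constructed subject
```

Swapping the two ce_1 rules makes decide() return "deny" for INFN_USER, which is the "policy order matters" point of the syntax slide.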


The pap-admin Tool

• List currently active policies:
  pap-admin list-policies
• Import policies from a SPL file:
  pap-admin add-policy-from-file cms_policies.spl.txt
• Ban/unban users:
  pap-admin ban subject "CN=John Doe,O=ACME,C=org"
  pap-admin unban vo "atlas"
• Add a generic permit policy:
  pap-admin add-policy --resource "http://grid.switch.ch/ce_1" --action ".*" permit fqan="/atlas/production"


Hierarchical Policy Distribution



Pilot Jobs Authorization

• The pilot is authorized on the CE
• The payload is downloaded on the WN
• gLExec runs it under the end-user identity


So Why Does Argus Simplify My Life?

• A single authorization point for many Grid services
• A simple, flexible and powerful language to express authorization policies
• A simple tool to manage complex policies
• A policy distribution mechanism that allows importing policies from remote sites while keeping full authorization control on local resources (global banning)


Argus Releases

• Argus 1.3.1
  – Compatible with gLite 3.2 Argus PEP client libraries (C and Java)
  – Support for LFC/DPM banning engine
  – Bug fixes
• Already released in EMI-1 and in UMD
• Argus 1.4 coming soon (3rd week of Sept.)
  – Only optimizations (log files, memory, …)


Documentation

• General documentation: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
• Service Reference Card: https://twiki.cern.ch/twiki/bin/view/EMI/ArgusSRC
• PAP admin Tool: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI
• Simplified Policy Language: https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage


Support

• GGUS Tickets (ARGUS Support Unit): https://ggus.eu
• Support mailing list (e-group): [email protected]


Thank you

EMI is partially funded by the European Commission under Grant Agreement INFSO-RI-261611
