UNICORE and Argus integration
Krzysztof Benedyczak, ICM / UNICORE Security PT
EMI INFSO-RI ICM, University of Warsaw, 10/1/2016
Short outline
– Authorization without Argus in UNICORE
– What does Argus provide?
– Integration option 1: usage of the Argus PDP
– Integration option 2: usage of the Argus PAP
– Future work
USE container and PDP
Most of the UNICORE servers (UNICORE/X, Registry, Workflow Service, Service Orchestrator, ...) use the same container: the UNICORE Services Environment (USE).
– The UNICORE Gateway and the TSI are exceptions.
USE provides the Grid fabric foundation, including the authorization mechanism.
– The authZ subsystem is simply called the PDP.
– AuthZ is therefore configured in the same way for all UNICORE Grid servers and has the same features everywhere.
Authorization in USE
By default USE provides two similar implementations of the PDP: XACML 1.x and XACML 2.0.
– Both are configured by XACML document(s) stored in file(s) on the local disk.
The UNICORE policy is designed in such a way that the administrator rarely (if ever) needs to tweak it.
– Conventions are used, e.g. everyone with role='user' can submit jobs, everyone with role='admin' can do everything.
USE provides a very flexible mechanism to collect the user's attributes, which are the input for the policy evaluation.
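To make the role conventions above concrete, here is an added example (not code from UNICORE or USE, and not its real policy file): a constructed XACML 2.0 policy expressing "role='user' may submit jobs, role='admin' may do everything, everything else is denied", plus a toy PDP that evaluates it with the first-applicable rule-combining algorithm. The attribute id "role", the action names, the trailing Deny rule and the flat {AttributeId: value} request shape are assumptions made for the example. The evaluator only implements string-equal and first-applicable and fails closed on anything else instead of silently treating an unknown match function as a match.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 policy namespace and the only match function / combining algorithm
# this toy PDP implements. Anything else raises rather than being ignored.
NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed policy illustrating the slide's conventions. It is NOT the UNICORE
# policy file; the "role" attribute id and the final Deny rule are assumptions.
POLICY_XML = """<?xml version="1.0"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="example-policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="admin-can-do-everything" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
          <SubjectAttributeDesignator AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject></Subjects>
    </Target>
  </Rule>
  <Rule RuleId="user-can-submit-jobs" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user</AttributeValue>
          <SubjectAttributeDesignator AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Actions><Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">submit-job</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>
"""


def _group_matches(target, group_name, request):
    """Evaluate one of Subjects/Resources/Actions: the alternatives (<Subject>, ...)
    are OR-ed, the *Match elements inside one alternative are AND-ed.
    A missing group matches any request."""
    group = target.find(f"x:{group_name}", NS)
    if group is None:
        return True
    for alternative in group:
        for match in alternative:
            if match.get("MatchId") != STRING_EQUAL:
                raise ValueError(f"unsupported MatchId {match.get('MatchId')}")  # fail closed
            wanted = match.find("x:AttributeValue", NS).text
            designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
            if request.get(designator.get("AttributeId")) != wanted:
                break
        else:
            return True
    return False


def _rule_applies(rule, request):
    target = rule.find("x:Target", NS)   # a Rule without a Target applies to everything
    if target is None:
        return True
    return all(_group_matches(target, g, request) for g in ("Subjects", "Resources", "Actions"))


def evaluate(policy_xml, request):
    """Return Permit, Deny or NotApplicable. The policy-level <Target/> is ignored
    (simplification: it is empty in the constructed policy)."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
        raise ValueError("only first-applicable is implemented here")
    for rule in policy.findall("x:Rule", NS):
        if _rule_applies(rule, request):
            return rule.get("Effect")
    return "NotApplicable"


def decide(role, action, policy_xml=POLICY_XML):
    return evaluate(policy_xml, {"role": role, ACTION_ID: action})


def policy_without_final_deny(policy_xml=POLICY_XML):
    """Same policy minus the catch-all Deny, to show what a caller then has to handle."""
    policy = ET.fromstring(policy_xml)
    for rule in policy.findall("x:Rule", NS):
        if rule.get("Effect") == "Deny" and rule.find("x:Target", NS) is None:
            policy.remove(rule)
    return ET.tostring(policy)


if __name__ == "__main__":
    for role, action in [("user", "submit-job"), ("user", "destroy-registry"),
                         ("admin", "destroy-registry"), (None, "submit-job")]:
        print(f"role={role!s:6} action={action:16} -> {decide(role, action)}")
```

Two points worth keeping in mind when editing such a policy: under first-applicable the rule order is the policy (moving the catch-all Deny to the top denies everything), and without a catch-all rule the PDP returns NotApplicable, which the enclosing service must map to a denial rather than a permit.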
Argus system
Argus is the name of 4 servers and some additional libraries. Three of them are tightly coupled:
– PAP – provides an administrative interface to manage policies, using a simplified policy language. It is translated to XACML 2.0 by the PAP.
– PDP – takes XACML policies from the PAP and can evaluate XACML requests.
– PEP – takes authZ requests in a lightweight, Hessian-based proprietary protocol, translates them to XACML and forwards them to the PDP.
The separation of PDP and PEP is at least questionable.
Argus system
There is also Argus-EES (at an early development stage), which handles the post-authorization task of preparing the job's execution environment.
– Typically this means assigning a pool account and/or a pool group.
Probably it isn't used anywhere yet (??).
UNICORE and Argus PDP
The first integration option for UNICORE is to use the Argus PDP directly instead of local policy file(s).
Why don't we use the Argus PEP?
– The PEP was implemented so that gLite C clients can avoid the XML/SOAP/XACML stack and use something simple instead. For UNICORE (which has this stack anyway) it is just additional overhead.
This feature is already implemented, however it is not useful yet.
– The Argus PDP can take policies only from the Argus PAP. The Argus PAP uses a simplified policy language which is too simple to express the default UNICORE authZ policy. Will be fixed in Argus...
Disadvantages of Argus PDP usage
Despite the pros (see later) there are obvious disadvantages of using the Argus PDP in comparison to the local UNICORE policy:
– UNICORE performs authZ queries very often. When those queries are done via remote WS calls, a significant overhead is added.
– The Argus PDP is (another) potential point of failure. If it fails (or the network connection to the PDP does), then the whole UNICORE system is also down. Redundant Argus servers, network links, dynamic routing etc. help, but this greatly complicates setup and maintenance for potential administrators.
UNICORE and Argus PAP
An alternative solution is being developed for UNICORE:
– The Argus PDP can be ignored, as its functionality is in the USE anyway.
– Policies can be downloaded from the PAP server directly, as the PAP server uses a standard protocol to publish them.
Such an approach:
– Eliminates the overhead of an authZ query over the network.
– Is fault-resistant (the only problem is that the downloaded policy might be slightly outdated, which is negligible).
– Provides an additional feature: local policy rules can be merged with the downloaded ones.
Therefore, even without Argus changes, this solution will be useful right after being finished.
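The two properties claimed above, no network call on the authZ path and tolerance of a PAP outage at the cost of a possibly outdated policy, plus the local/downloaded merge, are shown in the following added example. It is illustration code, not the UNICORE implementation: the PAP download is replaced by a constructed in-memory stand-in, rules are reduced to (role, action, effect) triples instead of XACML, and the merge order (local rules first, so a site rule wins under first-applicable) is an assumption chosen for the example, not UNICORE's documented semantics.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Policy rule reduced to what this example needs; None matches any value.
    (Simplified representation, not XACML.)"""
    role: Optional[str]
    action: Optional[str]
    effect: str  # "Permit" or "Deny"


def first_applicable(rules: List[Rule], role: str, action: str) -> str:
    for r in rules:
        if r.role in (None, role) and r.action in (None, action):
            return r.effect
    return "NotApplicable"


class PolicyStore:
    """Holds the last successfully downloaded policy. The PAP is contacted only
    when the refresh interval has elapsed, never synchronously per decision."""

    def __init__(self, fetch: Callable[[], List[Rule]], refresh_interval_s: float,
                 max_staleness_s: float):
        self._fetch = fetch
        self._refresh_interval = refresh_interval_s
        self._max_staleness = max_staleness_s
        self._rules: Optional[List[Rule]] = None
        self._fetched_at: Optional[float] = None
        self._last_attempt: Optional[float] = None

    def rules(self, now: float) -> Tuple[List[Rule], str]:
        """Return (rules, status); status is ok, stale or unavailable."""
        if self._last_attempt is None or now - self._last_attempt >= self._refresh_interval:
            self._last_attempt = now
            try:
                self._rules = list(self._fetch())
                self._fetched_at = now
            except OSError:
                pass  # PAP down: keep the previous copy, the status reports its age
        if self._rules is None:
            return [], "unavailable"
        age = now - self._fetched_at
        return list(self._rules), ("stale" if age > self._max_staleness else "ok")


def merged_policy(local: List[Rule], downloaded: List[Rule]) -> List[Rule]:
    """Local rules first: under first-applicable a site rule overrides a central one
    (assumed ordering for this example)."""
    return list(local) + list(downloaded)


def authorize(store: PolicyStore, local: List[Rule], role: str, action: str,
              now: float) -> Tuple[str, str]:
    rules, status = store.rules(now)
    if not rules:
        return "Deny", status  # no policy at all: fail closed
    return first_applicable(merged_policy(local, rules), role, action), status


class FakePAP:
    """Constructed stand-in for the PAP download; can be switched off."""
    def __init__(self, rules: List[Rule]):
        self.rules, self.up = rules, True

    def fetch(self) -> List[Rule]:
        if not self.up:
            raise OSError("PAP unreachable")
        return self.rules


def scenario() -> dict:
    central = [Rule("admin", None, "Permit"), Rule("user", "submit-job", "Permit"),
               Rule(None, None, "Deny")]
    local = [Rule("operator", "submit-job", "Permit")]  # site-specific extension
    pap = FakePAP(central)
    store = PolicyStore(pap.fetch, refresh_interval_s=60, max_staleness_s=600)
    out = {}
    out["t0_user"] = authorize(store, local, "user", "submit-job", now=0)
    out["t0_operator"] = authorize(store, local, "operator", "submit-job", now=0)
    pap.up = False                                       # PAP outage begins
    out["t100_pap_down"] = authorize(store, local, "user", "submit-job", now=100)
    out["t1000_stale"] = authorize(store, local, "user", "submit-job", now=1000)
    cold = PolicyStore(pap.fetch, 60, 600)               # restart with PAP still down
    out["cold_start_pap_down"] = authorize(cold, local, "admin", "anything", now=0)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:22} -> {result}")
```

The last case is the one the slide's "fault-resistant" claim does not cover: a server that starts while the PAP is unreachable has no policy at all and must deny everything, so a production version would persist the last downloaded policy on disk and reload it at start-up, and would alert once the copy is older than the site's tolerance.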
When to use Argus in UNICORE?
In most cases the administrator can control users via attributes. If that is enough, then Argus is superfluous. However, if:
– Administrators do not want to play with attribute assignments (e.g. the site is using many central attribute authorities and locally overriding them turns out to be complicated).
– The site wants to deploy different middlewares and control access in a uniform way.
– Admins need to change the default UNICORE policy and it happens that those changes can be expressed in the Argus simplified policy language.
then Argus is a good option.
Future plans
Currently there is no direct work to support Argus-EES.
– This is not easy, as there is no natural plug-in point for it in USE. UNICORE uses a quite different approach to the problem.
– There are some initial plans to refactor USE to provide a place to call Argus-EES, but this won't be done in the near future and requires more discussion and investigation.
– Anyway, it seems that Argus-EES offers only a minimal set of features right now.
EMI is partially funded by the European Commission under Grant Agreement RI
Thank you!