Argus The EMI Authorization Service

Argus: The EMI Authorization Service
Valery Tschopp (SWITCH), Argus Product Team

Outline
Argus Authorization Service
Service Deployment
Authorization Policies
Simplified Policy Language
pap-admin Tool
Pilot Jobs Authorization
Argus 1.3 EMI-1 Release
Conclusions
12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

Argus Authorization Service
Renders consistent authorization decisions based on XACML policies
Can user X perform action Y on resource Z?
Ban users by DN, FQAN, issuing CA, ...

Argus Authorization Service (cont.)
Argus PAP: Policy Administration Point
Provides site administrators with the tools for authoring policies (pap-admin)
Stores and manages the authored XACML policies
Provides the managed authorization policies to other authorization service components (other PAPs or the PDP)

Argus Authorization Service (cont.)
Argus PDP: Policy Decision Point
Policy evaluation engine
Receives authorization requests from the PEP
Evaluates the authorization requests against the XACML policies retrieved from the PAP
Renders the authorization decision

Argus Authorization Service (cont.)
Argus PEP: Policy Enforcement Point
Client/server architecture
Lightweight PEP client libraries (C and Java)
The PEP Server receives the authorization requests from the PEP clients
Applies additional filters to the requests (Policy Information Points, PIPs)
Asks the PDP to render an authorization decision
Applies the obligation handler (OH) to determine the user mapping

Service Deployment
Argus as a service to manage consistent, policy-based authorization decisions

Service Deployment (cont.)
Hierarchical distribution of policies:
  Global banning list (EGI, NGI, ...)
  Local site authorization policies
  Experiment-specific policies

Argus Service Operations
Open ports (firewall):
  PAP: 8150 (pap-admin, policy distribution)
  PEP Server: 8154 (PEP client connections)
Log and audit files: /var/log/argus/(pap|pdp|pepd)
Init scripts:
  /etc/init.d/argus-pap {start|stop|status}
  /etc/init.d/argus-pdp {start|stop|status|reloadpolicy}
  /etc/init.d/argus-pepd {start|stop|status|clearcache}
Nagios plugins are available to monitor the service

Authorization Policies
Argus is designed to answer the questions:
  Can user X perform action Y on resource Z?
  Is user X banned?
PERMIT decision: authorizes users to perform an action on a resource
DENY decision: bans users
Both can be expressed as XACML policies

Authorization Policies (cont.)
XACML policies !?!

<xacml:PolicySet xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
    PolicySetId="9784d9ce-16a9-41b9-9d26-b81a97f93616" Version="1">
  <xacml:Target>
    <xacml:Resources>
      <xacml:Resource>
        <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.*</xacml:AttributeValue>
          <xacml:ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml:ResourceMatch>
      </xacml:Resource>
    </xacml:Resources>
  </xacml:Target>
  <xacml:PolicyIdReference>public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1</xacml:PolicyIdReference>
</xacml:PolicySet>

<xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicyId="public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1">
  <xacml:Actions>
    <xacml:Action>
      <xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
        <xacml:ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </xacml:ActionMatch>
    </xacml:Action>
  </xacml:Actions>
  <xacml:Rule Effect="Deny" RuleId="43c15124-6635-47ee-b13c-53f672d0de77">
  ...

Authorization Policies (cont.)
Problem?
  XACML is not easy to read or understand
  XACML is not easy to write and is error-prone
Solution
  Hide the complexity of the XACML language
  Introduce a Simplified Policy Language (SPL)
  Provide administrators with a simple tool to manage the policies: pap-admin creates, edits and deletes permit/deny policy rules

Simplified Policy Language
Ban a particular user by DN (the resource and action patterns are regular expressions, so ".*" covers every resource and every action):
resource ".*" {
    action ".*" {
        rule deny { subject="/C=CH/O=SWITCH/CN=Valery Tschopp" }
    }
}
Permit ATLAS users (FQAN) to execute a job on a worker node (WN):
resource "http://grid.switch.ch/wn" {
    action "http://glite.org/xacml/action/execute" {
        rule permit { fqan="/atlas" }
    }
}

pap-admin Tool
Administrator's tool to manage the PAP:
  Policy management
  PAP server management
  PAP authorization management
Simple way to ban a user
Simple way to create, edit and delete authorization policies

pap-admin Tool (cont.)
Create authorization policies
Permit a user by distinguished name (DN):
$ pap-admin add-policy --resource "http://grid.switch.ch/wn" --action "http://glite.org/xacml/action/execute" permit subject="CN=Valery Tschopp,O=SWITCH,C=ch"
Permit users by primary FQAN (ap is the short form of add-policy):
$ pap-admin ap permit pfqan="/atlas"
Ban a user for any action and any resource:
$ pap-admin ban subject "CN=John Doe,O=ACME,C=org"

pap-admin Tool (cont.)
Listing existing authorization policies (pap-admin authenticates with the administrator's grid certificate, hence the passphrase prompt for the user key):
$ pap-admin lp
Enter the passphrase for the private key /home/tschopp/.globus/userkey.pem:
default (local):

resource ".*" {
    action ".*" {
        rule deny { subject="CN=John Doe,O=ACME,C=org" }
    }
}

resource "http://grid.switch.ch/atlas-cluster" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" { }
    action "http://glite.org/xacml/action/execute" {
        rule permit { pfqan="/atlas" }
        rule permit { subject="CN=Valery Tschopp,O=SWITCH,C=ch"
…

Pilot Jobs Authorization
The payload is downloaded on the WN
gLExec runs it under the end-user identity

Pilot Job Authorization (cont.)
Pilot Job Policy: the pilot is admitted by its primary FQAN (Role=pilot), the payload user by an ATLAS analysis FQAN, and the obligation tells the PEP Server to map the caller to a local account
resource "http://grid.switch.ch/wn" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" { }
    action "http://glite.org/xacml/action/execute" {
        rule permit { pfqan="/atlas/Role=pilot" }
        rule permit { fqan="/atlas/analysis" }
    }
}
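With first-applicable combining, the order of the policies decides the outcome: a global ban only works if it is evaluated before any site or experiment permit. The evaluator below is an added example, not Argus code and not taken from these slides. It parses the SPL subset used on the Simplified Policy Language slide and on the Pilot Job Policy above (resource, obligation, action, rule) and evaluates requests the way the generated XACML does (first applicable policy, then first applicable rule, obligations returned only with a Permit). The SITE_POLICY text is constructed from the page's own examples; the request dictionaries (subject, pfqan, fqans, ca, resource, action), the full-match regex semantics and the NotApplicable handling are assumptions made for this example.

```python
"""Toy evaluator for the Argus Simplified Policy Language (SPL) subset shown on
this page.  Added example, not Argus code: it mirrors the first-applicable
combining of the generated XACML so the effect of policy order can be checked."""
import re

_TOKEN = re.compile(r'"([^"]*)"|([A-Za-z_][\w-]*)|([{}=])|\s+|(.)')
EOF = ("EOF", None)


def tokenize(text):                 # SPL text -> [(kind, value)], kind STR/ID/SYM
    toks = []
    for m in _TOKEN.finditer(text):
        s, ident, sym, bad = m.groups()
        if bad:                     # anything that is not string, word, brace or blank
            raise SyntaxError(f"unexpected {bad!r} at offset {m.start()}")
        if s is not None:
            toks.append(("STR", s))
        elif ident or sym:
            toks.append(("ID", ident) if ident else ("SYM", sym))
    return toks + [EOF]


class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def take(self, kind, value=None):
        k, v = self.toks[self.i]
        if k != kind or (value is not None and v != value):
            raise SyntaxError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v

    def block(self, item):          # '{' item* '}'
        self.take("SYM", "{")
        while self.toks[self.i] != ("SYM", "}"):
            item()
        self.take("SYM", "}")

    def parse(self):                # each `resource` block -> one policy, in file order
        policies = []
        while self.toks[self.i] != EOF:
            self.take("ID", "resource")
            pol = {"resource": self.take("STR"), "obligations": [], "actions": []}
            self.block(lambda: self.resource_item(pol))
            policies.append(pol)
        return policies

    def resource_item(self, pol):
        kw = self.take("ID")
        if kw == "obligation":      # only empty obligation bodies, as on this page
            pol["obligations"].append(self.take("STR"))
            for sym in "{}":
                self.take("SYM", sym)
        elif kw == "action":
            act, rules = self.take("STR"), []
            self.block(lambda: rules.append(self.rule()))
            pol["actions"].append((act, rules))
        else:
            raise SyntaxError(f"unexpected keyword {kw!r}")

    def rule(self):                 # rule permit|deny { ID=STR ... }
        self.take("ID", "rule")
        effect, conds = self.take("ID"), {}
        if effect not in ("permit", "deny"):
            raise SyntaxError(f"bad rule effect {effect!r}")

        def cond():
            name = self.take("ID")
            self.take("SYM", "=")
            conds[name] = self.take("STR")
        self.block(cond)
        return effect, conds


def rule_applies(conds, req):
    """All conditions must hold: `fqan` matches any FQAN the subject holds, any
    other attribute (subject DN, pfqan = primary FQAN, ca) must be equal."""
    return all(value in req.get("fqans", ()) if name == "fqan" else req.get(name) == value
               for name, value in conds.items())


def decide(policies, req):
    """First-applicable over policies, then over rules, like the generated XACML.
    Resource/action regexes are assumed to need a full match ('.*' matches all).
    Returns (decision, obligations); obligations only accompany a Permit."""
    for pol in policies:
        if not re.fullmatch(pol["resource"], req["resource"]):
            continue
        for act_re, rules in pol["actions"]:
            if not re.fullmatch(act_re, req["action"]):
                continue
            for effect, conds in rules:
                if rule_applies(conds, req):
                    return effect.capitalize(), (pol["obligations"] if effect == "permit" else [])
    return "NotApplicable", []      # a fail-closed PEP treats this as "not authorized"


# Constructed sample in the page's own SPL: the global ban first, then the WN policy.
SITE_POLICY = '''
resource ".*" { action ".*" { rule deny { subject="CN=John Doe,O=ACME,C=org" } } }
resource "http://grid.switch.ch/wn" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" { }
    action "http://glite.org/xacml/action/execute" {
        rule permit { pfqan="/atlas/Role=pilot" }
        rule permit { fqan="/atlas/analysis" }
    }
}
'''
```

`decide(Parser(SITE_POLICY).parse(), request)` gives Deny for the banned DN even when it carries a valid /atlas/Role=pilot primary FQAN, because the ban policy is evaluated first; evaluating the same list reversed turns that into Permit, which is exactly what happens when a local permit ends up ahead of the global banning list. A request with pfqan="/cms", or for an action the WN policy does not list, gets NotApplicable, which the PEP must treat as not authorized, not as a permit. Note also the difference between pfqan (primary FQAN only) and fqan (any FQAN held): an analysis user whose primary FQAN is /atlas is permitted by the second rule, not the first.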

Argus 1.3 EMI-1 Release
Argus 1.3:
  Compatible with gLite 3.2
  Argus PEP client libraries (C and Java)
  Support for the LFC/DPM banning engine
  Bug fixes
  Will be released with EMI-1 (end of April)
Is this a problem for gLite 3.2 sites?
  Install the Argus 1.3 EMI-1 service (standalone)
  Keep the existing gLite 3.2 applications

Conclusions
Global banning list policies
Site-specific authorization policies
Experiment-specific authorization policies
Consistent authorization decisions across the whole middleware stack (CE, WN, ...)
Pilot job authorization and mapping
Simple tool to manage authorization

Documentation
General documentation: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
Service Reference Card: https://twiki.cern.ch/twiki/bin/view/EMI/ArgusSRC
PAP admin CLI: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI
Simplified Policy Language: https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage

Support
GGUS tickets (ARGUS Support Unit): https://gus.fzk.de
Support mailing list (e-group): argus-support@cern.ch

Thank you
EMI is partially funded by the European Commission under Grant Agreement INFSO-RI-261611