EMI INFSO-RI-261611 Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.

Slides:



Advertisements
Similar presentations
Data Management Expert Panel - WP2. WP2 Overview.
Advertisements

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Makrand Siddhabhatti Tata Institute of Fundamental Research Mumbai 17 Aug
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
1 Update on the Vulnerability Assessment Effort Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
European Middleware Initiative (EMI) – Release Process Doina Cristina Aiftimiei (INFN) EGI Technical Forum, Amsterdam 17. Sept.2010.
11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Status.
Mine Altunay July 30, 2007 Security and Privacy in OSG.
Glexec, SCAS & CREAM. Milestones CREAM-CE capable of large-scale direct job submission Glexec & SCAS capable of large-scale use on WN in logging only.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks gLite Authorization Service: Technical Overview.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
Security Token Service (STS) Design & Development Plans Henri Mikkonen / HIP 3 rd EMI All-Hands Meeting , Padova, Italy.
INFSO-RI Enabling Grids for E-sciencE EGEE is a project funded by the European Union under contract INFSO-RI Grid Accounting.
INFSO-RI Enabling Grids for E-sciencE G-PBox Auth meeting 13/9/2005 Presenter: Vincenzo Ciaschini.
OSG AuthZ components Dane Skow Gabriele Carcassi.
Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.
11 Restricting key use with XACML* for access control * Zack’-a-mul.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks New Authorization Service Christoph Witzig,
OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain.
EMI INFSO-RI Argus The EMI Authorization Service Valery Tschopp (SWITCH) Argus Product Team.
DIRAC Pilot Jobs A. Casajus, R. Graciani, A. Tsaregorodtsev for the LHCb DIRAC team Pilot Framework and the DIRAC WMS DIRAC Workload Management System.
1 Update on the Vulnerability Assessment Effort Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona.
XACML Showcase RSA Conference What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation logic n.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Update Authorization Service Christoph Witzig,
EMI INFSO-RI European Middleware Initiative (EMI) Alberto Di Meglio (CERN) Project Director.
INFSO-RI Enabling Grids for E-sciencE Policy management and fair share in gLite Andrea Guarise HPDC 2006 Paris June 19th, 2006.
EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.
EMI Inter-component and Large Scale Testing Infrastructure Danilo Dongiovanni INFN-CNAF.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
Placeholder ES 1 CERN IT EGI Technical Forum, Experiment Support group AAI usage, issues and wishes for WLCG Maarten Litmaath CERN.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Study on Authorization Christoph Witzig,
Authorization PDP GE Course (R4) FIWARE Chapter: Security FIWARE GE: Authorization PDP FIWARE GEri: AuthZForce Authorization PDP Owner: Cyril Dangerville,
EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI CF.
EMI INFSO-RI Testbed for project continuous Integration Danilo Dongiovanni (INFN-CNAF) -SA2.6 Task Leader Jozef Cernak(UPJŠ, Kosice, Slovakia)
EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Job Management Claudio Grandi.
EMI INFSO-RI /04/2011What's new in EMI 1: Kebnekaise What’s new in EMI 1 Kathryn Cassidy (TCD)‏ EMI NA2.
DGAS Distributed Grid Accounting System INFN Workshop /05/1009, Palau Giuseppe Patania Andrea Guarise 6/18/20161.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Authorization Service Christoph Witzig, SWITCH.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The new gLite Authorization Service Alberto.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Services for Distributed e-Infrastructure Access Tiziana Ferrari on behalf.
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Introduction Salma Saber Electronic.
Security Area Christoph Witzig (SWITCH) on behalf of John White (HIP)
Why you should care about glexec OSG Site Administrator’s Meeting Written by Igor Sfiligoi Presented by Alain Roy Hint: It’s about security.
Enabling Grids for E-sciencE Claudio Cherubino INFN DGAS (Distributed Grid Accounting System)
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Workplan.
Implementation of GLUE 2.0 support in the EMI Data Area Elisabetta Ronchieri on behalf of JRA1’s GLUE 2.0 Working Group INFN-CNAF 13 April 2011, EGI User.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus: command line usage and banning Christoph.
UNICORE and Argus integration Krzysztof Benedyczak ICM / UNICORE Security PT.
Argus EMI Authorization Integration
AuthN and AuthZ in StoRM A short guide
EMI Common XACML Profile
A gLite Authorization Framework
EMI Interoperability Activities
Global Banning List and Authorization Service
Argus Authorization Service Security Training
Introduction to Cisco Identity Services Engine (ISE)
Argus: General Introduction
Argus The EMI Authorization Service
Groups and Permissions
Presentation transcript:

EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT

EMI INFSO-RI What is authorization ? 220/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI Can user X perform action Y on resource Z ? 320/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI Can user X… – execute on this worker node (WN) ? – submit a job to this CREAM CE ? – access this storage area ? – submit a job to this WMS instance ? User X is banned ! – Is not allowed to do anything on any resource! Authorization Examples 420/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI Each Grid service has its own authorization mechanism – Administrators need to know them all – Authorization rules at a site become difficult to understand and manage No global banning mechanism – Urgent ban of malicious users cannot be easily and timely enforced on distributed sites Authorization policies are static – Hard to change policies without reconfiguring services Monitoring authorization decisions is hard Motivations for Argus 520/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI A generic authorization system – Built on top of a XACML policy engine – Renders consistent authorization decisions based on XACML policies Argus 620/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI Argus PAP: Policy Administration Point – Provides administrators with the tools to author policies (pap-admin) – Stores and manages authored XACML policies – Provides managed authorization policies to other authorization service components (other PAPs or PDP) Argus Components 720/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI Argus PDP: Policy Decision Point – Policy evaluation engine – Receives authorization requests from the PEP – Evaluates the authorization requests against the XACML policies retrieved from the PAP – Renders the authorization decision Argus Components (cont.) 820/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI Argus PEP: Policy Execution Point – Client/Server architecture – Lightweight PEP client libraries (C and Java) – PEP Server receives the authorization requests from the PEP clients Transforms lightweight internal request into XACML Applies a configurable set of filters (PIPs) to the incoming requests Asks the PDP to render an authorization decision If requested by the policy, applies the obligation handler (OH) to determine the user mapping Argus Components (cont.) 920/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI Argus Service Deployment 1020/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI Argus is designed to answer the question: Can user X perform action Y on resource Z ? Argus policies contain rules that state which actions can be performed on which resources by which users. Argus uses XACML v.2 as the policy language. – However, XACML is hard to read and write, so we developed a Simplified Policy Language (SPL) Argus Authorization Policies 1120/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI User X should not be allowed to do anything on any resource ! Use Case: User Banning 1220/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI XACML policies anyone … ? Use Case: User Banning (XACML).* public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1 <xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os” PolicyId="public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1” RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1">.* /09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI The Simplified Policy Language resource ".*" { action ".*" { rule deny { subject="CN=Valery Tschopp, O=SWITCH,C=CH" } Use Case: User Banning (SPL) 1420/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI Actions and Resources are identified by unique ID or “names”, that are assigned to them – Typically URIs, but any string will work Resource ID example: Action ID example: SPL: Identifying Actions and Resources 1520/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI Subject in a policy can be identified via the following attributes: subject X509 certificate DN subject="CN=Valery Tschopp,O=SWITCH,C=CH” ca the CA certificate DN ca="CN=INFN CA,O=INFN,C=IT” vo the name of the Virtual Organization vo=”cms” fqan a VOMS fully qualified attribute name fqan=”/atlas/analysis” pfqan the VOMS primary FQAN pfqan=”/atlas/Role=pilot” SPL: Identifying Subjects 1620/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI AND logic for attributes inside a block Policy order matters! – First match algorithm SPL Syntax 1720/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon resource { action { rule (permit|deny) { =... }... }... resource { action { rule (permit|deny) { =... }... }...

EMI INFSO-RI We have two CEs at our site, ce_1 and ce_2. We want to authorize Valery to contact one, but not the other. SPL Examples 1820/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon resource “ce_1” { action “.*” { rule permit { subject = “CN=Valery Tschopp, O=SWITCH, C=CH” } resource “ce_2” { action “.*” { rule deny { subject = “CN=Valery Tschopp, O=SWITCH, C=CH” } resource “ce_1” { action “.*” { rule permit { subject = “CN=Valery Tschopp, O=SWITCH, C=CH” } resource “ce_2” { action “.*” { rule deny { subject = “CN=Valery Tschopp, O=SWITCH, C=CH” }

EMI INFSO-RI We have to ban all users member of VO ‘dteam’ from ce_1, but not those who have certificate signed by the INFA CA. SPL Examples (cont.) 1920/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon resource “ce_1” { action “.*” { rule permit { vo = “dteam” ca = “CN=INFN CA,O=INFN,C=IT” } rule deny { vo = “dteam” } resource “ce_1” { action “.*” { rule permit { vo = “dteam” ca = “CN=INFN CA,O=INFN,C=IT” } rule deny { vo = “dteam” }

EMI INFSO-RI List currently active policies: pap-admin list-policies Import policies from a SPL file: pap-admin add-policy-from-file cms_policies.spl.txt Ban/unban users: pap-admin ban subject "CN=John Doe,O=ACME,C=org” pap-admin unban vo ”atlas“ Add a generic permit policy pap-admin add-policy --resource “ --action “.*” permit fqan=”/atlas/production” The pap-admin Tool 20/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon 20

EMI INFSO-RI Hierarchical Policy Distribution 20/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon 21

EMI INFSO-RI The pilot is authorized on the CE The payload is downloaded on the WN gLExec runs it under the end-user identity Pilot Jobs Authorization 2220/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI A single authorization point for many Grid services A simple, flexible and powerful language to express authorization policies A simple tool to manage complex policies A policy distribution mechanism that allow to import from remote sites while keeping full authorization control on local resources (global banning) So Why Argus Simplifies my Life? 2320/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI Argus – Compatible with gLite 3.2 Argus PEP client libraries (C and Java) – Support for LFC/DPM banning engine – Bug fixes Already released in EMI-1 and in UMD Argus 1.4 coming soon (3 rd week of Sept.) – Only optimizations (log files, memory, …) Argus Releases 2420/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI General documentation Service Reference Card PAP admin Tool Simplified Policy Language Documentation 2520/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI GGUS Tickets (ARGUS Support Unit) Support mailing list (e-group): Support 2620/09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon

EMI INFSO-RI Thank you EMI is partially funded by the European Commission under Grant Agreement INFSO-RI /09/2011 Argus Policies in Action, EGI Technical Forum 2011, Lyon