Presentation is loading. Please wait.

Presentation is loading. Please wait.

Argus The EMI Authorization Service

Published byNeil Marshall Modified over 5 years ago

Similar presentations

Presentation on theme: "Argus The EMI Authorization Service"— Presentation transcript:

1 Argus The EMI Authorization Service
Valery Tschopp (SWITCH) Argus Product Team

2 Argus Authorization Service, EGI User Forum 2011, Vilnius
Outline Argus Authorization Service Service Deployment Authorization Policies Simplified Policy Language pap-admin Tool Pilot Jobs Authorization Argus 1.3 EMI-1 Release Conclusions 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

3 Argus Authorization Service
Renders consistent authorization decisions based on XACML policies Can user X perform action Y on resource Z? Ban user by DN, FQAN, issuing CA, … ! 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

4 Argus Authorization Service (cont.)
Argus PAP: Policy Administration Point Provides site administrators with the tools for authoring policies (pap-admin) Stores and manages authored XACML policies Provides managed authorization policies to other authorization service components (other PAPs or PDP) 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

5 Argus Authorization Service (cont.)
Argus PDP: Policy Decision Point Policy evaluation engine Receives authorization requests from the PEP Evaluates the authorization requests against the XACML policies retrieved from the PAP Renders the authorization decision 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

6 Argus Authorization Service (cont.)
Argus PEP: Policy Execution Point Client/Server architecture Lightweight PEP client libraries (C and Java) PEP Server receives the authorization requests from the PEP clients Applies additional filters to the requests (PIP) Asks the PDP to render an authorization decision Applies the obligation handler (OH) to determine the user mapping 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

7 Argus Authorization Service, EGI User Forum 2011, Vilnius
Service Deployment Argus as a service to manage consistent authorization policy based decisions 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

8 Service Deployment (cont.)
Hierarchical distribution of policies 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

9 Service Deployment (cont.)
Global banning list (EGI, NGI, …) Local site authorization policies Experiment specific policies 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

10 Argus Service Operations
Open ports (firewall): PAP: 8150 (pap-admin, policies distribution) PEP Server: 8154 (PEP client connections) Log and audit files: /var/log/argus/(pap|pdp|pepd) Init scripts: /etc/init.d/argus-pap {start|stop|status} /etc/init.d/argus-pdp {start|stop|status|reloadpolicy} /etc/init.d/argus-pepd {start|stop|status|clearcache} Nagios plugins available to monitor the service 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

11 Authorization Policies
Argus is designed to answer the questions: Can user X perform action Y on resource Z? Is user X banned? PERMIT decision Allow to authorize users to perform an action on a resource DENY decision Allow to ban users Both can be expressed with XACML policies 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

12 Authorization Policies (cont.)
XACML policies !?! <xacml:PolicySet xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os”PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable" PolicySetId="9784d9ce-16a9-41b9-9d26-b81a97f93616" Version="1"> <xacml:Target> <xacml:Resources> <xacml:Resource> <xacml:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <xacml:AttributeValue DataType=" <xacml:ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType=" MustBePresent="false"/> </xacml:ResourceMatch> </xacml:Resource> </xacml:Resources> </xacml:Target> <xacml:PolicyIdReference>public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1</xacml:PolicyIdReference> </xacml:PolicySet> <xacml:Policy xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os” PolicyId="public_2d8346b8-5cd2-44ad-9ad1-0eff5d8a6ef1” RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1"> <xacml:Actions> <xacml:Action> <xacml:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <xacml:ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType=" MustBePresent="false"/> </xacml:ActionMatch> </xacml:Action> </xacml:Actions> <xacml:Rule Effect="Deny" RuleId="43c ee-b13c-53f672d0de77"> ... 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

13 Authorization Policies (cont.)
Problem? XACML not easy to read and/or understand XACML not easy to write, prone to error Solution Hide the XACML language complexity Introduce a Simplified Policy Language (SPL) Provide administrators with simple tool to manage the policies pap-admin to create, edit, delete permit/deny policy rules 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

14 Simplified Policy Language
Ban a particular user by DN resource ".*" { action ".*" { rule deny { subject="/C=CH/O=SWITCH/CN=Valery Tschopp" } } Permit ATLAS users (FQAN) to execute a job on a worker node (WN) resource " { action " { rule permit { fqan="/atlas" } 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

15 Argus Authorization Service, EGI User Forum 2011, Vilnius
pap-admin Tool Administrator’s tool to manage the PAP Policies management PAP server management PAP authorization management Simple way to ban user Simple way to create, edit and delete authorization policies 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

16 Argus Authorization Service, EGI User Forum 2011, Vilnius
pap-admin Tool (cont.) Create authorization policies Permit a user by distinguished name (DN) $ pap-admin add-policy --resource “ --action “ permit subject="CN=Valery Tschopp,O=SWITCH,C=ch” Permit users by primary FQAN $ pap-admin ap permit pfqan=”/atlas” Ban a user for any action and resource $ pap-admin ban subject "CN=John Doe,O=ACME,C=org” 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

17 Argus Authorization Service, EGI User Forum 2011, Vilnius
pap-admin Tool (cont.) Listing existing authorization policies $ pap-admin lp Enter the passphrase for the private key /home/tschopp/.globus/userkey.pem: default (local): resource ”.*" { action ”.*" { rule deny { subject="CN=John Doe,O=ACME,C=org” } } resource ” { obligation " { } action ” { rule permit { pfqan="/atlas" } rule permit { subject="CN=Valery Tschopp,O=SWITCH,C=ch” 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

18 Pilot Jobs Authorization
Payload is downloaded on the WN gLExec runs it under the end-user identity 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

19 Pilot Job Authorization (cont.)
Pilot Job Policy resource ” { obligation " { } action ” { rule permit { pfqan="/atlas/Role=pilot" } fqan=”/atlas/analysis” 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

20 Argus Authorization Service, EGI User Forum 2011, Vilnius
Argus 1.3 EMI-1 Release Argus 1.3 Compatible with gLite 3.2 Argus PEP client libraries (C and Java) Support for LFC/DPM banning engine Bug fixes Will be released for EMI-1 (end April) Is it a problem for gLite 3.2 site ? Install the Argus 1.3 EMI-1 service (standalone) Keep the existing gLite 3.2 applications 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

21 Argus Authorization Service, EGI User Forum 2011, Vilnius
Conclusions Global banning list policies Site specific authorization policies Experiment specific authorization policies Consistent authorization decisions across the whole middleware stack (CE, WN, …) Pilot Jobs authorization and mapping Simple tool to manage authorization 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

22 Argus Authorization Service, EGI User Forum 2011, Vilnius
Documentation General documentation Service Reference Card PAP admin CLIhttps://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI Simplified Policy Language 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

23 Argus Authorization Service, EGI User Forum 2011, Vilnius
Support GGUS Tickets (ARGUS Support Unit) Support mailing list (e-group): 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

24 Argus Authorization Service, EGI User Forum 2011, Vilnius
Thank you EMI is partially funded by the European Commission under Grant Agreement INFSO-RI 12/04/2011 Argus Authorization Service, EGI User Forum 2011, Vilnius

Download ppt "Argus The EMI Authorization Service"

Similar presentations

1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
1 Update on the Vulnerability Assessment Effort Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona.

1 Update on the Vulnerability Assessment Effort Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona.
● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.
EMI INFSO-RI-261611 SA2 - Quality Assurance Alberto Aimar (CERN) SA2 Leader EMI First EC Review 22 June 2011, Brussels.

EMI INFSO-RI SA2 - Quality Assurance Alberto Aimar (CERN) SA2 Leader EMI First EC Review 22 June 2011, Brussels.
Elisa Bertino Purdue University Pag. 1 Security of Distributed Systems Part II Elisa Bertino CERIAS and CS &ECE Departments Purdue University.

Elisa Bertino Purdue University Pag. 1 Security of Distributed Systems Part II Elisa Bertino CERIAS and CS &ECE Departments Purdue University.
Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.

Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.
11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.

11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.
EMI is partially funded by the European Commission under Grant Agreement RI-261611 Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Argus gLite Authorization Service Status.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Status.
Pilot Jobs John Gordon Management Board 23/10/2007.

Pilot Jobs John Gordon Management Board 23/10/2007.
Glexec, SCAS & CREAM. Milestones CREAM-CE capable of large-scale direct job submission Glexec & SCAS capable of large-scale use on WN in logging only.

Glexec, SCAS & CREAM. Milestones CREAM-CE capable of large-scale direct job submission Glexec & SCAS capable of large-scale use on WN in logging only.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks gLite Authorization Service: Technical Overview.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks gLite Authorization Service: Technical Overview.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.

Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
11 Restricting key use with XACML* for access control * Zack’-a-mul.

11 Restricting key use with XACML* for access control * Zack’-a-mul.

Similar presentations

Ads by Google