argus command line usage and banning n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Argus: command line usage and banning PowerPoint Presentation
Download Presentation
Argus: command line usage and banning

Loading in 2 Seconds...

play fullscreen
1 / 16

Argus: command line usage and banning - PowerPoint PPT Presentation


  • 107 Views
  • Uploaded on

Argus: command line usage and banning. Christoph Witzig, SWITCH (christoph.witzig@switch.ch). Outline. Introduction Command line interface Global Banning Summary. Introduction. Institutions involved: CNAF, HIP, NIKHEF, SWITCH Argus = Attribute-based Authorization service

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Argus: command line usage and banning' - jayme-branch


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
argus command line usage and banning

Argus: command line usage and banning

Christoph Witzig, SWITCH

(christoph.witzig@switch.ch)

outline
Outline
  • Introduction
  • Command line interface
  • Global Banning
  • Summary

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

introduction
Introduction
  • Institutions involved:
    • CNAF, HIP, NIKHEF, SWITCH
  • Argus = Attribute-based Authorization service
    • Attributes = DN, CA, FQAN, ….
    • Internal engine that determines whether a request containing a set of attributes shall be authorized or not
  • Decisions are taken for a given resource and a given action:
    • E.g. A WN has a resource id and the action may be “execute_pilot”
    • Policies are formulated for
      • Individual resource and action
      • Groups of resources and groups of action
      • All resources and all actions
  • Default deployment: all components on a single host
  • Note abbreviation: authZ = authorization

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

on the ce
On the CE

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

proposed deployment plan
Proposed Deployment Plan

Adoption

during

EGEE-III

Deployment

during

EGEE-III

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

outline1
Outline
  • Introduction
  • Command line interface
  • Global Banning
  • Summary

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

argus cli
Argus CLI
  • Argus is operated from the command line
  • Policies either
    • Added/removed from command line
    • Import/export of file in simplified policy language (optional!)
      • see A.Ceccanti’s talk in MWSG
  • Banning and unbanning users
  • Evaluating authZ decisions

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

banning users
Banning Users
  • To ban a user on the entire site:pap-admin ban subject <dn>pap-admin ban fqan <fqan>
  • To un-ban a user on the entire site:pap-admin un-ban subject <dn>pap-admin un-ban fqan <fqan>
  • To ban a user on a specific resource: pap-admin ban -r resource_id subject <dn>

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

evaluating authz decisions
Evaluating authZ Decisions
  • pepcli -p https://ares.switch.ch:8154/authz -c /tmp/x509up_u964 -r res_nok -a my_action

Decision: Deny

  • pepcli -p https://ares.switch.ch:8154/authz -c /tmp/x509up_u964 -r res_ok -a my_action

Decision: Permit

Username=testb001

UID=5100

GID=5100

  • pepcli -p https://ares.switch.ch:8154/authz -s <dn> -f /switch -f /switch/test -r test -a test

Decision: Permit

Username=testb002

UID=5101

GID=5100

Secondary GIDs=5300

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

outline2
Outline
  • Introduction
  • Command line interface
  • Global Banning
  • Summary

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

grid wide banning by osct
Grid-wide Banning by OSCT
  • OSCT offers centralized banning list to the sites
  • Allows banning for:
      • DN (with or without SN)
      • CA
      • VO
      • FQAN
      • As well as regular expressions of the above
  • Operated (same as for local Argus instance)
      • From the CLI
        • pap-admin ban-user <DN>
        • pap-admin ban-fqan <fqan>
      • Import / export of files in a simplified notation

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

operational policy
Operational Policy

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

Each site manages its own access policies

  • Local site autonomy

OSCT operates a central banning service (CBS)

  • Sites SHOULD deploy CBS
  • Sites SHOULD give CBS priority over local policies
  • Sites SHOULD configure CBS so any ban/restore action is active in under 6 hours
    • Time period still under discussion
  • Grid Security Operations MUST inform VO manager whenever user/group access is changed (ban & restore)

SHOULD= Obligation with escape clause

  • Inform Grid Security Office.

Currently proposed by JSPG

  • Discussions continuing.
policy for global banning full text
Policy for Global Banning(Full text)
  • Each site manages its own local access policies to its resources. In addition, Grid security operations SHOULD operate a central banning service. Whenever Grid security operations bans a user or group of users, or restores their access, they MUST inform the appropriate VO Manager.
  • Sites SHOULD deploy this central banning service and give it priority over local policies.
  • The site implementation of the central banning service SHOULD be configured such that any ban or restore action made by Grid security operations is active at the site without a delay of more than 6 hours

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

outline3
Outline
  • Introduction
  • Short Description of the Service
  • Deployment Proposal
  • Global Banning
  • Summary

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

summary
Summary
  • Gradual deployment in six self-contained steps
  • Simple CLI for
    • Banning/unbanning users
    • Adding/removing policies
    • Evaluating request for debugging
  • OSCT global banning list
  • Feedback and volunteer from sites / OSCT for trying service out is highly welcome

OSCT/MWSG meeting, EGEE09, Sept 22, 2009

further information
Further Information
  • About the service:
    • authZ service design document: https://edms.cern.ch/document/944192/1
    • Deployment plan: https://edms.cern.ch/document/984088/1
  • General EGEE grid security:
    • Authorization study: https://edms.cern.ch/document/887174/1
    • gLite security: architecture: https://edms.cern.ch/document/935451/2
  • Other:
    • Wiki: (under development) https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework

OSCT/MWSG meeting, EGEE09, Sept 22, 2009