Argus: The Simplified Policy Language

Similar documents
SGS11: Swiss Grid School 2011 Argus The EMI Authorization Service

Federated Authentication with Web Services Clients

Argus Authorization Service

Argus Documentation. Release Andrea Ceccanti, Valery Tschopp, Michel Jouvin, Marco Caberlett

Argus Vulnerability Assessment *1

INDIGO-Datacloud Identity and Access Management Service

An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids

glite Java Authorisation Framework (gjaf) and Authorisation Policy coordination

An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids

Improving Grid User's Privacy with glite Pseudonymity Service

Failover procedure for Grid core services

MyProxy Server Installation

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

SLCS and VASH Service Interoperability of Shibboleth and glite

[GSoC Proposal] Securing Airavata API

Grid services. Enabling Grids for E-sciencE. Dusan Vudragovic Scientific Computing Laboratory Institute of Physics Belgrade, Serbia

Monitoring tools in EGEE

Beyond X.509: Token-based Authentication and Authorization with the INDIGO Identity and Access Management Service

Obligation Standardization

EGEE (JRA4) Loukik Kudarimoti DANTE. RIPE 51, Amsterdam, October 12 th, 2005 Enabling Grids for E-sciencE.

Authorisation Policy coordination and glite Java Authorisation Framework (gjaf)

Grid4All Security User's Manual, Release 0.6

GLOBUS TOOLKIT SECURITY

Enabling Grids for E-sciencE. EGEE security pitch. Olle Mulmo. EGEE Chief Security Architect KTH, Sweden. INFSO-RI

Grid Technologies for AAI*

PERMIS An Application Independent Authorisation Infrastructure. David Chadwick

Bob Jones. EGEE and glite are registered trademarks. egee EGEE-III INFSO-RI

Attributes used for Authorisation in Network Resource Provisioning

AMGA metadata catalogue system

StoRM configuration. namespace.xml

glite Grid Services Overview

Setup Desktop Grids and Bridges. Tutorial. Robert Lovas, MTA SZTAKI

Enabling Grids for E-sciencE. A centralized administration of the Grid infrastructure using Cfengine. Tomáš Kouba Varna, NEC2009.

EGEE and Interoperation

g-eclipse A Framework for Accessing Grid Infrastructures Nicholas Loulloudes Trainer, University of Cyprus (loulloudes.n_at_cs.ucy.ac.

3rd UNICORE Summit, Rennes, Using SAML-based VOMS for Authorization within Web Services-based UNICORE Grids

INDIGO AAI An overview and status update!

Understanding StoRM: from introduction to internals

Implementing GRID interoperability

XACML Profile for Requests for Multiple Resources

Hierarchical Resources: Non-XML Resource Use Case

E G E E - I I. Document identifier: Date: 10/08/06. Document status: Document link:

Hierarchical Resource profile of XACML

XACML Profile and Implementation for Authorization Interoperability between OSG and EGEE

DEVELOPMENT OF A NEW POLICY EVALUATION PROCEDURE FOR XACML

EUROPEAN MIDDLEWARE INITIATIVE

Identity, Authentication and Authorization. John Slankas

OGF Production Grid Infrastructure. Glossary of Acronyms and Terms

The glite middleware. Presented by John White EGEE-II JRA1 Dep. Manager On behalf of JRA1 Enabling Grids for E-sciencE

Dynamic Security Context Management in Grid-based Applications

DIRAC distributed secure framework

Grid Services Security Vulnerability and Risk Analysis

Introduzione al GRID computing

David W Chadwick, Linying Su, Romain Laborde,

DIRAC Distributed Secure Framework

Deploying virtualisation in a production grid

Lesson 22 XACML Service Oriented Architectures Security Module 1 - Basic technologies Unit 1 Introduction

Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

EMI Deployment Planning. C. Aiftimiei D. Dongiovanni INFN

Virtualization in a Grid Environment. Nils Dijk - Hogeschool van Amsterdam Instituut voor Informatica

The PRIMA Grid Authorization System

NAC 2007 Spring Conference

Eurogrid: a glideinwms based portal for CDF data analysis - 19th January 2012 S. Amerio. (INFN Padova) on behalf of Eurogrid support group

glite Middleware Usage

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

RB-GACA: A RBAC based Grid Access Control Architecture

Delegated authentication Electronic identity: delegated and federated authentication, policy-based access control

LCG User Registration & VO management

dcache Introduction Course

Release 0.1. Paolo Andreetto

R-GMA (Relational Grid Monitoring Architecture) for monitoring applications

GWD-R (proposed) June 2003

The glite middleware. Ariel Garcia KIT

Bookkeeping and submission tools prototype. L. Tomassetti on behalf of distributed computing group

The LHC Computing Grid

Grid Security Infrastructure

LCG Installation LCFGng

Policy Machine PRESENTED BY: SMRITI BHATT

The EPIKH, GILDA and GISELA Projects

YAIM Overview. Bruce Becker Meraka Institute. Co-ordination & Harmonisation of Advanced e-infrastructures for Research and Education Data Sharing

Overview of WMS/LB API

extensible Access Control Markup Language (XACML) Anne Anderson Sun Microsystems, Inc. GSA Identity Workshop 27 Feb 2007

Milestone deliverable reference number M.4.1 (Part 1 of the Deliverable D.4.1)

THEBES: THE GRID MIDDLEWARE PROJECT Project Overview, Status Report and Roadmap

glideinwms Training Glidein Internals How they work and why by Igor Sfiligoi, Jeff Dost (UCSD) glideinwms Training Glidein internals 1

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Advanced Job Submission on the Grid

Cluster Nazionale CSN4

Grouper after Groups Enabling Net+ Services with PAP, PEP, and PDP...Oh My!

Summer Student Work: Accounting on Grid-Computing

A QUICK INTRODUCTION TO VOMS

Trust Eleva,on Architecture v03

Andrea Sciabà CERN, Switzerland

The SweGrid Accounting System

Privacy Policy Languages:

LCG-2 and glite Architecture and components

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

RIPPLESTONE SUMMARY

Introduction to Grid Security

glideinwms architecture by Igor Sfiligoi, Jeff Dost (UCSD)

Transcription:

Argus: The Simplified Policy Language Andrea Ceccanti INFN-CNAF andrea.ceccanti@cnaf.infn.it EGEE 09 September 2009, Barcelona www.eu-egee.org EGEE and glite are registered trademarks

Argus High level overview PAP: author, store, manage and distribute policies PDP: evaluate requests against policies PEP: create request and enforce PDP decisions 2

AuthZ Argus is designed to answer the question: Can user X perform action Y on resource Z? Argus policies contain rules that state which actions can be performed on which resources by which users. Argus uses XACML v.2.0 as the policy language. however, XACML is hard to read and write, so we developed a Simplified Policy Language (SPL) to suit our needs 3

The banning use case User X should not be allowed to do anything on any resource (for this example X will be my certificate subject) 4

An XACML banning policy...? 5

The corresponding SPL policy resource ".*" { action ".*" { rule deny { subject="cn=andrea Ceccanti,L=CNAF,OU=Personal Certificate,O=INFN,C=IT" 6

resource <value> {... action <value> {...... Enabling Grids for E-sciencE rule <permit deny> { <attributeid> = <attributevalue> The SPL Syntax (1) You can have multiple resource stanzas, one for each resource (or group of resources) that you want to protect. Inside each resource stanza, you may define multiple action stanzas, to authorize specific actions on such resource. Inside each action stanza, you can define multiple rule stanzas. Each rule defines a subject that is authorized (in case of a permit rule) or not authorized (in case of a deny rule) to perform the action on the resource identified by the enclosing action and resource stanzas. 7

Actions and Resources Actions and resources are identified by unique identifiers that are assigned to them. tipically URIs, but any string could work An example Resource ID: http://authz.cnaf.infn.it/resource/cream-ce An example Action ID: http://authz.infn.it/cream-ce/action/submit-job More info here: https://twiki.cern.ch/twiki/bin/view/egee/authzintro 8

Identifying subjects A subject in a policy is described by a set of attributes: subject, an X509 certificate subject, ex: subject= CN=Andrea Ceccanti,L=CNAF,OU=Personal Certificate,O=INFN,C=IT ca, the certificate subject of a CA, ex: ca= CN=INFN CA,O=INFN,C=IT vo, the name of a Virtual Organization vo= test_vo fqan, a VOMS Fully Qualified Attribute Name fqan= /test_vo/production pfqan, the primary VOMS FQAN pfqan= /test_vo/role=pilot 9

resource <value> { action <value> { Enabling Grids for E-sciencE The SPL Syntax (2) Resources and actions are identified via regular expressions (the <value> field) that are matched against resource and action ids in the authorization request.......... rule <permit deny> { <attributeid> = <attributevalue> Each rule contains a list of attributes that are matched against the subject attributes in the authorization request. Attributes inside a rule are ANDed, i.e. the subject attributes in the request must match all the attribute listed in the rule for the rule to be applied. Only one rule is applied at a time, the first one that matches the request: order matters! 10

Examples We have two CEs at our site, ce_1 and ce_2. We want to authorize Andrea Ceccanti to contact one but not the other. resource ce_1 { action.* { rule permit { subject = CN=Andrea Ceccanti,L=CNAF,OU=Personal Certificate,O=INFN,C=IT resource ce_2 { action.* { rule deny{ subject = CN=Andrea Ceccanti,L=CNAF,OU=Personal Certificate,O=INFN,C=IT 11

Examples We want to ban users from VO test_vo from ce_1 but not those who have a certificate signed by INFN CA. resource ce_1 { action.* { rule permit { vo = test_vo ca = CN=INFN CA,O=INFN,C=IT rule deny { vo = test_vo 12

Examples On ce_1 we want to allow all test_vo members, except submitters with role /test_vo/role=pilot as the primary FQAN resource ce_1 { action.* { rule deny { pfqan = /test_vo/role=pilot rule permit { vo = test_vo 13

List currently active policies: PAP command line tools pap-admin list-policies Import policies expressed in the SPL from a file: pap-admin add-policies-from-file my-policies.txt easily ban/un-ban users, vos: pap-admin ban vo test_vo pap-admin un-ban vo test_vo add a generic policy: pap-admin add-policy --resource ce_1 --action.* \ permit pfqan= /test_vo/role=pilot 14

Resources & Contacts Enabling Grids for E-sciencE Argus documentation home: https://twiki.cern.ch/twiki/bin/view/egee/authorizationframework Simplified Policy Language documentation: https://twiki.cern.ch/twiki/bin/view/egee/simplifiedpolicylanguage PAP documentation: https://twiki.cern.ch/twiki/bin/view/egee/authzpap Argus getting started guides: https://twiki.cern.ch/twiki/bin/view/egee/gettingstarted https://twiki.cern.ch/twiki/bin/view/egee/gettingstarted2 Contacts: project-egee-authz-service@cern.ch 15

Questions?? 16

Hands on screencast Vimeo: http://www.vimeo.com/6653732 Quicktime movie: http://tinyurl.com/pap-spl-screencast 17

Screencast setup 18

Custom Argus service conf. Argus services installed following the Getting Started guide: https://twiki.cern.ch/twiki/bin/view/egee/gettingstarted with some changes to default configuration No caching of decisions on the PEP daemon The PDP refreshes policies from the PAP every minute And also to VOMS server default configuration use the --shortfqans option to make the voms server issue short fqans, ie. things like /test_vo/analysis instead of /test_vo/ analysis/role=null/capability=null If you don t do this you have to write all that NULL stuff into your policies if you want a working demo 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback