Argus: The Simplified Policy Language Andrea Ceccanti INFN-CNAF andrea.ceccanti@cnaf.infn.it EGEE 09 September 2009, Barcelona www.eu-egee.org EGEE and glite are registered trademarks
Argus High level overview PAP: author, store, manage and distribute policies PDP: evaluate requests against policies PEP: create request and enforce PDP decisions 2
AuthZ Argus is designed to answer the question: Can user X perform action Y on resource Z? Argus policies contain rules that state which actions can be performed on which resources by which users. Argus uses XACML v.2.0 as the policy language. however, XACML is hard to read and write, so we developed a Simplified Policy Language (SPL) to suit our needs 3
The banning use case User X should not be allowed to do anything on any resource (for this example X will be my certificate subject) 4
An XACML banning policy...? 5
The corresponding SPL policy resource ".*" { action ".*" { rule deny { subject="cn=andrea Ceccanti,L=CNAF,OU=Personal Certificate,O=INFN,C=IT" 6
resource <value> {... action <value> {...... Enabling Grids for E-sciencE rule <permit deny> { <attributeid> = <attributevalue> The SPL Syntax (1) You can have multiple resource stanzas, one for each resource (or group of resources) that you want to protect. Inside each resource stanza, you may define multiple action stanzas, to authorize specific actions on such resource. Inside each action stanza, you can define multiple rule stanzas. Each rule defines a subject that is authorized (in case of a permit rule) or not authorized (in case of a deny rule) to perform the action on the resource identified by the enclosing action and resource stanzas. 7
Actions and Resources Actions and resources are identified by unique identifiers that are assigned to them. tipically URIs, but any string could work An example Resource ID: http://authz.cnaf.infn.it/resource/cream-ce An example Action ID: http://authz.infn.it/cream-ce/action/submit-job More info here: https://twiki.cern.ch/twiki/bin/view/egee/authzintro 8
Identifying subjects A subject in a policy is described by a set of attributes: subject, an X509 certificate subject, ex: subject= CN=Andrea Ceccanti,L=CNAF,OU=Personal Certificate,O=INFN,C=IT ca, the certificate subject of a CA, ex: ca= CN=INFN CA,O=INFN,C=IT vo, the name of a Virtual Organization vo= test_vo fqan, a VOMS Fully Qualified Attribute Name fqan= /test_vo/production pfqan, the primary VOMS FQAN pfqan= /test_vo/role=pilot 9
resource <value> { action <value> { Enabling Grids for E-sciencE The SPL Syntax (2) Resources and actions are identified via regular expressions (the <value> field) that are matched against resource and action ids in the authorization request.......... rule <permit deny> { <attributeid> = <attributevalue> Each rule contains a list of attributes that are matched against the subject attributes in the authorization request. Attributes inside a rule are ANDed, i.e. the subject attributes in the request must match all the attribute listed in the rule for the rule to be applied. Only one rule is applied at a time, the first one that matches the request: order matters! 10
Examples We have two CEs at our site, ce_1 and ce_2. We want to authorize Andrea Ceccanti to contact one but not the other. resource ce_1 { action.* { rule permit { subject = CN=Andrea Ceccanti,L=CNAF,OU=Personal Certificate,O=INFN,C=IT resource ce_2 { action.* { rule deny{ subject = CN=Andrea Ceccanti,L=CNAF,OU=Personal Certificate,O=INFN,C=IT 11
Examples We want to ban users from VO test_vo from ce_1 but not those who have a certificate signed by INFN CA. resource ce_1 { action.* { rule permit { vo = test_vo ca = CN=INFN CA,O=INFN,C=IT rule deny { vo = test_vo 12
Examples On ce_1 we want to allow all test_vo members, except submitters with role /test_vo/role=pilot as the primary FQAN resource ce_1 { action.* { rule deny { pfqan = /test_vo/role=pilot rule permit { vo = test_vo 13
List currently active policies: PAP command line tools pap-admin list-policies Import policies expressed in the SPL from a file: pap-admin add-policies-from-file my-policies.txt easily ban/un-ban users, vos: pap-admin ban vo test_vo pap-admin un-ban vo test_vo add a generic policy: pap-admin add-policy --resource ce_1 --action.* \ permit pfqan= /test_vo/role=pilot 14
Resources & Contacts Enabling Grids for E-sciencE Argus documentation home: https://twiki.cern.ch/twiki/bin/view/egee/authorizationframework Simplified Policy Language documentation: https://twiki.cern.ch/twiki/bin/view/egee/simplifiedpolicylanguage PAP documentation: https://twiki.cern.ch/twiki/bin/view/egee/authzpap Argus getting started guides: https://twiki.cern.ch/twiki/bin/view/egee/gettingstarted https://twiki.cern.ch/twiki/bin/view/egee/gettingstarted2 Contacts: project-egee-authz-service@cern.ch 15
Questions?? 16
Hands on screencast Vimeo: http://www.vimeo.com/6653732 Quicktime movie: http://tinyurl.com/pap-spl-screencast 17
Screencast setup 18
Custom Argus service conf. Argus services installed following the Getting Started guide: https://twiki.cern.ch/twiki/bin/view/egee/gettingstarted with some changes to default configuration No caching of decisions on the PEP daemon The PDP refreshes policies from the PAP every minute And also to VOMS server default configuration use the --shortfqans option to make the voms server issue short fqans, ie. things like /test_vo/analysis instead of /test_vo/ analysis/role=null/capability=null If you don t do this you have to write all that NULL stuff into your policies if you want a working demo 19