EMI INFSO-RI-261611

Argus PEP Client API (Java)
Valery Tschopp (SWITCH)
valery.tschopp@switch.ch

Outline
• Argus
  – Argus Services (PAP, …)
  – Authorization Policies
• Argus PEP Client API
  – XACML Object Model
  – Authorization Decision
  – Simple Java Example Demo

29/03/2012 Argus PEP Client API, EGI Community Forum 2012, München 2

Argus
• A generic authorization system
  – Built on top of a XACML policy engine
  – Renders consistent authorization decisions based on XACML policies

Argus Components
• Argus PAP: Policy Administration Point
  – Provides administrators with the tools to author policies (pap-admin)
  – Stores and manages authored XACML policies
  – Provides managed authorization policies to other authorization service components (other PAPs or PDP)

Argus Components (cont.)
• Argus PDP: Policy Decision Point
  – Policy evaluation engine
  – Receives authorization requests from the PEP
  – Evaluates the authorization requests against the XACML policies retrieved from the PAP
  – Renders the authorization decision

Argus Components (cont.)
• Argus PEP: Policy Execution Point
  – Client/Server architecture
  – Lightweight PEP client libraries (C and Java)
  – PEP Server receives the authorization requests from the PEP clients
    • Transforms the lightweight internal request into XACML
    • Applies a configurable set of filters (PIPs) to the incoming requests
    • Asks the PDP to render an authorization decision
    • If requested by the policy, applies the obligation handler (OH) to determine the user mapping

Authorization Policies
Argus is designed to answer the question:
Can user X perform action Y on resource Z?
• Argus policies contain rules that state which actions can be performed on which resources by which users.
• Argus uses XACML v.2 as the policy language.
  – However, XACML is hard to read and write, so we developed a Simplified Policy Language (SPL)

Authorization Examples
• Can user X…
  – execute on this worker node (WN)?
  – submit a job to this CREAM CE?
  – access this storage area?
  – submit a job to this WMS instance?
• User X is banned!
  – Is not allowed to do anything on any resource!
Policies for the Demo
The Argus PAP is loaded with the following SPL authorization policies:

    # glite Example (Decision, and user mapping)
    resource "test-glite" {
        obligation "http://glite.org/xacml/obligation/localenvironment-map" {}
        action "test" {
            rule permit { vo="dteam" }
        }
    }

    # EMI Example (Decision only, NO USER MAPPING)
    resource "test-emi" {
        action "test" {
            rule permit { subject="CN=Valery Tschopp,O=SWITCH,C=ch" }
        }
    }

Argus PEP Client
• Argus PEP Client API
  – Communicates with the Argus PEP Server
  – HTTPS connection with client authentication
  – XACML handled as an object model
  – Creates the authorization request and submits it
  – Parses the authorization response
  – Enforces the decision locally

Argus PEP Client API
• XACML Object Model

Argus PEP Client API (cont.)
• XACML Profiles
  – Define the XACML attribute identifiers, datatypes, and their semantics
  – gLite XACML Profile for CE https://edms.cern.ch/document/1078881
  – gLite XACML Profile for WN https://edms.cern.ch/document/1058175
  – EMI Common XACML Authorization Profile https://twiki.cern.ch/twiki/bin/view/EMI/CommonXACMLProfileV1_1

Authorization Decision Processing
• If the decision is Permit, then the PEP client SHALL permit access. If obligations accompany the decision, then the PEP client SHALL permit access only if it understands and it can and will enforce those obligations.
• If the decision is Deny, then the PEP client SHALL deny access.
• If the decision is NotApplicable, meaning that no policy applies, then the PEP client SHALL deny access.
• If the decision is Indeterminate, then the PEP client SHALL deny access. The decision status message and status code should be used to produce an error message.

Simple Argus Java PEP Client
Demo Time ^_^

Documentation
• General documentation https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
• PAP admin Tool https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI
• Argus Policy Management Tutorial http://bit.ly/argus-policies
• Argus PEP client API for Java https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPEPJavaAPI

Support
• The documentation is your friend ;-)
• Support mailing list (e-group): argus-support@cern.ch
• GGUS Tickets (ARGUS Support Unit) https://ggus.eu

Thank you
EMI is partially funded by the European Commission under Grant Agreement INFSO-RI-261611
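To make the decision-processing rules concrete against the two SPL demo policies, here is an added Python example (not part of the presentation or of the Argus code base): a toy PDP that evaluates the demo policies, and a PEP-side enforce() that applies the Permit/Deny/NotApplicable/Indeterminate rules, including the check that every returned obligation is one the PEP understands and will enforce. The dict layout for policies and requests, and the treatment of a non-matching rule as NotApplicable, are assumptions of this model.

```python
"""Toy model: PDP evaluation of the demo SPL policies + PEP enforcement of the decision."""
from __future__ import annotations

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
# Obligation identifier exactly as it appears in the demo policy on the slide.
MAP_OBLIGATION = "http://glite.org/xacml/obligation/localenvironment-map"

# The two demo policies transcribed as data (constructed here, not parsed from SPL).
# A rule permits when every attribute it lists matches the request.
POLICIES = {
    "test-glite": {"obligations": [MAP_OBLIGATION],
                   "actions": {"test": [{"vo": "dteam"}]}},
    "test-emi":   {"obligations": [],
                   "actions": {"test": [{"subject": "CN=Valery Tschopp,O=SWITCH,C=ch"}]}},
}


def evaluate(request: dict) -> tuple[str, list[str]]:
    """Mimic the PDP: return (decision, obligations) for a request dict with the keys
    resource, action, subject and optionally vo."""
    policy = POLICIES.get(request.get("resource"))
    if policy is None or request.get("action") not in policy["actions"]:
        return NOT_APPLICABLE, []  # no policy covers this resource/action pair
    for rule in policy["actions"][request["action"]]:
        if all(request.get(key) == value for key, value in rule.items()):
            return PERMIT, list(policy["obligations"])  # obligations travel with the Permit
    return NOT_APPLICABLE, []  # assumption: an unmatched permit rule does not apply


def enforce(decision: str, obligations: list[str], status_message: str,
            handled: set[str]) -> tuple[bool, str]:
    """PEP side: apply the decision-processing rules. `handled` holds the obligation ids
    this PEP understands and will enforce; anything else forces a deny."""
    if decision == PERMIT:
        missing = [o for o in obligations if o not in handled]
        if missing:
            return False, "denied: cannot enforce obligation(s) " + ", ".join(missing)
        return True, "permitted"
    if decision == DENY:
        return False, "denied by policy"
    if decision == NOT_APPLICABLE:
        return False, "denied: no policy applies"
    # Indeterminate: deny, and surface the status message in the error text.
    return False, f"denied: indeterminate ({status_message})"


def authorize(request: dict, handled: set[str], status_message: str = "") -> tuple[bool, str]:
    """End-to-end: evaluate the request like the PDP, then enforce like the PEP."""
    decision, obligations = evaluate(request)
    return enforce(decision, obligations, status_message, handled)
```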