Introduction
• https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
• https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZIntro
Few Points
• Argus can be used as a centralized authorization service
• It is an attribute-based service, as opposed to the identity-based service we currently use.
• Only available for glexec for now
• It is meant to replace LCMAPS-based authorization in future.
Policy Administration Point (PAP)
• Provides tools for authoring policy
• Stores and manages policy
Policy Decision Point (PDP)
• The PDP receives authorization requests from Policy Enforcement Points and evaluates them against the authorization policies retrieved from the PAP
Policy Enforcement Point (PEP)
• It gathers requests from clients, sends them to the PDP for evaluation, and then acts on the decision by either denying or accepting the authorization.
Installation and Configuration
• yum install lcg-CA glite-APEL
• yaim -c -s site-info.def -n ARGUS_server
• site-info.def:
  ARGUS_HOST=
  PAP_ADMIN_DN=
  USERS_CONF=
  GROUPS_CONF=
  VOS=
• mount /etc/grid-security/gridmapdir
• Check it:
  /opt/argus/pap/bin/pap-admin list-policies
  default (local):
Configuring WN
• yum install glite-GLEXEC_wn
• Configure GLEXEC on the WN (site-info.def):
  GLEXEC_WN_ARGUS_ENABLED="yes"
  ARGUS_PEPD_ENDPOINTS="https://t2argus02.physics.ox.ac.uk:8154/authz"
  GLEXEC_WN_OPMODE="setuid"
  GLEXEC_WN_LOG_DESTINATION=file
  GLEXEC_WN_LOG_FILE=/var/log/glexec/glexec_log
  GLEXEC_WN_INPUT_LOCK=flock
  GLEXEC_WN_TARGET_LOCK=flock
• /opt/glite/yaim/bin/yaim -c -s /etc/yaim/site-info.def -n glite-GLEXEC_wn
• By default opspilot, lhcbpilot and atlaspilot are whitelisted in the /opt/glite/etc/glexec.conf file to use glexec.
Adding and Loading Policy
• Define policy (file dteam_policy):
  resource "http://authz-interop.org/xacml/resource/resource-type/wn" {
      obligation "http://glite.org/xacml/obligation/local-environment-map" {}
      action "http://glite.org/xacml/action/execute" {
          rule permit { vo = dteam }
          rule permit { pfqan = "/ops/Role=pilot" }
          rule permit { pfqan = "/atlas/Role=pilot" }
      }
  }
• Add and load policy:
  /opt/argus/pap/bin/pap-admin add-policies-from-file dteam_policy
  /etc/init.d/pdp reloadpolicy
  /etc/init.d/pepd clearcache
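As an added illustration (not part of the original slides or of Argus itself), a small Python model of how the PDP evaluates the policy above: it parses the simplified policy language into resource, obligations, actions and rules, then applies first-matching-rule semantics with deny by default. The parser is an assumption that covers only the constructs shown on the slide.

```python
import re

# Constructed sample: the dteam/pilot policy from the slide.
POLICY_TEXT = '''
resource "http://authz-interop.org/xacml/resource/resource-type/wn" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action "http://glite.org/xacml/action/execute" {
        rule permit { vo = dteam }
        rule permit { pfqan = "/ops/Role=pilot" }
        rule permit { pfqan = "/atlas/Role=pilot" }
    }
}
'''
WN = "http://authz-interop.org/xacml/resource/resource-type/wn"
EXEC = "http://glite.org/xacml/action/execute"

# Quoted strings first, so an '=' inside "/ops/Role=pilot" stays in the token.
TOKEN = re.compile(r'"[^"]*"|[{}=]|[^\s{}=]+')

def tokenize(text):
    return [t.strip('"') for t in TOKEN.findall(text)]

def parse_policy(text):
    """Return {resource: {"obligations": [...], "actions": {action: [(effect, conds)]}}}."""
    toks, i, policy = tokenize(text), 0, {}
    while i < len(toks):
        assert toks[i] == "resource" and toks[i + 2] == "{"
        entry = policy.setdefault(toks[i + 1], {"obligations": [], "actions": {}})
        i += 3
        while toks[i] != "}":
            if toks[i] == "obligation":          # obligation "<id>" {}
                entry["obligations"].append(toks[i + 1]); i += 4
            elif toks[i] == "action":            # action "<id>" { rule ... }
                rules = entry["actions"].setdefault(toks[i + 1], []); i += 3
                while toks[i] != "}":            # rule permit|deny { attr = value ... }
                    effect, conds, i = toks[i + 1], {}, i + 3
                    while toks[i] != "}":
                        conds[toks[i]] = toks[i + 2]; i += 3
                    rules.append((effect, conds)); i += 1
                i += 1
        i += 1
    return policy

def evaluate(policy, resource, action, attrs):
    """PDP-style decision: first rule whose conditions all match wins; no match
    is NotApplicable, which the PEP treats as a deny, so report 'Deny'."""
    entry = policy.get(resource, {"obligations": [], "actions": {}})
    for effect, conds in entry["actions"].get(action, []):
        if all(attrs.get(k) == v for k, v in conds.items()):
            permit = effect == "permit"
            return ("Permit" if permit else "Deny"), (entry["obligations"] if permit else [])
    return "Deny", []
```

Only a permit carries the local-environment-map obligation back to the PEP, which is what lets glexec map the pilot to a local account.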