
Argus Authorization Service - documentation archive

Note: this is no longer maintained; please refer to AuthorizationFramework instead.

Summary

The Argus Authorization Service renders consistent authorization decisions for distributed services (e.g., user interfaces, portals, computing elements, storage elements). The service is based on the XACML standard, and uses authorization policies to determine if a user is allowed or denied to perform a certain action on a particular service.

The Argus Authorization Service is composed of three main components:

  • The Policy Administration Point (PAP) provides the tools to author authorization policies, organize them in the local repository and configure policy distribution among remote PAPs.
  • The Policy Decision Point (PDP) implements the authorization engine, and is responsible for the evaluation of the authorization requests against the XACML policies retrieved from the PAP.
  • The Policy Enforcement Point Server (PEP Server) ensures the integrity and consistency of the authorization requests received from the PEP clients. Lightweight PEP client libraries are also provided to ease the integration and interoperability with other EMI services or components.

The following graphic shows the interaction between the components of the service:

Argus Components

Note: In Argus, the PEP is separated in a client/server architecture. The PEP Server handles the lightweight PEP client requests, and runs on the Argus node.

Argus Service Installation

The following section provides instructions for setting up an Argus environment quickly. It does not provide an exhaustive description of every possible deployment model or configuration option; those can be found in the Service Components and Enabled Applications sections below.

Before you continue, it is recommended that you read this introduction to the Argus system. This will provide you with a better understanding of how the components work together, what information passes between the components and how policies are formed.

Argus EMI Deployment

For EMI, the Argus Service is installed with YUM and configured with YAIM. Please follow the Argus Deployment for EMI documentation.

gLExec Worker Node with Argus Deployment

To install and configure an Argus-compatible gLExec worker node, follow the GLExec Argus Quick Installation Guide.

Service Components

If you are beginning to install the authorization service from scratch, you should install the components in the order listed here: PAP, then PDP, then PEPd. You don't have to, but it makes the most sense for most use cases.

PAP: Policy Administration Point

The Policy Administration Point (PAP) provides three major functions:
  • Provide the tools for authoring policies
  • Store and manage authored policies
  • Provide managed policies to other authorization service components

Installation | Configuration | Operation | pap-admin CLI | Simplified Policy Language | Troubleshooting

PDP: Policy Decision Point

The Policy Decision Point (PDP) is a policy evaluation engine. The PDP receives authorization requests from Policy Enforcement Points and evaluates these requests against authorization policies retrieved from the PAP.

Installation | Configuration | Operation | Troubleshooting

PEP: Policy Enforcement Point

The Policy Enforcement Point (PEP) is the client to the authorization service. It gathers information relevant to an authorization request (e.g. who the user is, what action they are attempting to perform, which service they are attempting to perform the action on, etc.) and sends the request to the PDP for evaluation. The PEP then acts upon the returned result by allowing the request to proceed (in the case of a positive authorization decision) or by denying the action (in the event of a negative decision).

In Argus, the PEP is separated into a client/server architecture. The PEP Server handles the lightweight PEP client requests, and runs on the Argus node. Lightweight PEP client libraries are available to authorize requests from the application side, and to enforce the decision locally.

  • PEP Server: Installation, Configuration, Operation, Troubleshooting
  • PEP Client C API: Installation, Programming Interface (API), Command Line (pepcli)
  • PEP Client Java API: Installation, Programming Interface (API)

Enabled Applications

The following applications contain an Argus PEP client and can make authorization requests to the Argus service.

  • GSI PEP Callout: Module Description, Installation, Configuration, Troubleshooting
  • gLExec with PEP Plug-in: Introduction, Installation, Configuration, Troubleshooting

Support and Monitoring

GGUS Support

General support (installation, site administrator) for Argus is available through GGUS.

Argus Support Mailing List

Argus-specific (developer, site administrator) questions can be sent directly to the argus-support@googlegroups.com mailing list. You don't need a Google email address or a Google account to send or receive emails from this mailing list.

NOTE: The mailing list was previously argus-support@cern.ch, but it was migrated to argus-support@googlegroups.com at the end of the EMI project (April 2013).

Nagios Monitoring

Nagios plugins are available to monitor an Argus server.

Development Information

Argus Product Team

Since the beginning of EMI, the Argus development has been led by the Argus PT.

Security Assessment

In June 2011, the Universitat Autònoma de Barcelona (Manuel Brugnoli and Elisa Heymann, CAOS - UAB) finished the vulnerability assessment of the Argus services. The document is available here:

Specifications

Requirements

Presentations

Source Code Information

We have migrated the Argus source code to GitHub.

The source code was previously stored in the CERN subversion server. Please do not use the SVN repository anymore.

Development Tools

The Argus PT uses the following development tools.

For performance and load testing we use the following testing suite.

Argus Production Settings and Optimization

Production sites can optimize the Argus Service settings to their specific needs. Please have a look at the Argus Fine Tuning documentation.

Performance and Load Testing

Results and metrics of the performance and load testing can be found here:

Additional Support

  • The HERAS-AF project has supported the project by providing a good XACML policy engine and excellent, ongoing support of their code.
  • YourKit is kindly supporting this open source project with its full-featured Java Profiler. YourKit, LLC is the creator of innovative and intelligent tools for profiling Java and .NET applications. Take a look at YourKit's leading software products: YourKit Java Profiler and YourKit .NET Profiler.
  • This product includes software developed by the Caucho Technology.

About the name Argus

In Greek mythology Argus was a 100-eyed giant that was meant to watch and protect various things and people including the Goddess Io. He was slain by Hermes but the gods chose to preserve his hundred eyes and affix them to the tail-feathers of a brilliantly colored bird, the peacock, in homage. The peacock logo is provided by the royalty free clip art site clker.com.


Topic attachments
  • 100602_argus_intro_rod.ppt (4562.0 K, 2010-06-03 12:35, ChristophWitzigExCern): Introduction to Argus for ROD (EGI ROD Workshop, June 2, 2010, Amsterdam)
  • 20100917_EGI-TF_ArgusSecurity.ppt (1775.5 K, 2010-09-22 11:28, ValeryTschoppExCern): Argus Security (EGI TF 2010 Security Session, Sept. 17, Amsterdam)
  • 20110412-EGI_UF_2011-Argus.ppt (2228.5 K, 2011-09-08 14:48, ValeryTschoppExCern): Argus the EMI Authorization Service (EGI UF 2011, April 12, Vilnius)
  • 20110531-EMI_AllHands_2011-Argus_Integration.ppt (2154.5 K, 2011-09-08 14:51, ValeryTschoppExCern): Argus Authorization Integration (EMI AH 2011, May 31, Lund)
  • 20110601-Argus_Vulnerability_Assessment.pdf (193.3 K, 2011-09-08 15:02, ValeryTschoppExCern): Argus Vulnerability Assessment (Universitat Autònoma de Barcelona, June 2011)
  • glite-ARGUS_components-v2.png (323.1 K, 2010-10-14 14:06, ValeryTschoppExCern): Argus Components
  • global_banning.ppt (8143.0 K, 2009-03-19 17:19, ChristophWitzig): Presentation to the OSCT March 13, 2009
  • introduction_authz_service.ppt (6016.5 K, 2009-05-14 16:12, ChristophWitzig): General introduction to the authorization service
  • peacock.png (11.3 K, 2009-06-16 08:25, ChadLaJoie): peacock logo provided by clker.com
  • service_components.jpg (43.0 K, 2009-02-06 11:22, ChadLaJoie)
Topic revision: r97 - 2016-08-11 - MaartenLitmaath
 