Service Reference Card (Argus 1.4.0 for EMI-1)

  • Functional description: Render authorization decisions based on XACML policies: "Can user X perform action Y on resource Z?" or "Is user X banned for any action on any resource?"
  • Services running:
    • PAP: (Java application) org.glite.authz.pap.server.standalone.PAPServer
    • PDP: (Java application) org.glite.authz.pdp.server.PDPDaemon
    • PEP Server: (Java application) org.glite.authz.pep.server.PEPDaemon
  • Init scripts and options:
    • PAP: /etc/init.d/argus-pap {start|stop|status|restart}
    • PDP: /etc/init.d/argus-pdp {start|stop|status|restart|reloadpolicy}
    • PEP Server: /etc/init.d/argus-pepd {start|stop|status|restart|clearcache}
  • Configuration file locations (with examples):
  • Logfile locations (and management) and other useful audit information:
    • PAP:
      • Logging directory: /var/log/argus/pap
      • Logging configuration: /etc/argus/pap/logging/standalone/logback.xml
    • PDP:
      • Logging directory: /var/log/argus/pdp
      • Logging configuration: /etc/argus/pdp/logging.xml
    • PEP Server:
      • Logging directory: /var/log/argus/pepd
      • Logging configuration: /etc/argus/pepd/logging.xml
  • Open ports:
    • PAP:
      • Service port: *:8150
      • Admin port: localhost:8151
    • PDP:
      • Service port: localhost:8152
      • Admin port: localhost:8153
    • PEP Server:
      • Service port: *:8154
      • Admin port: localhost:8155
  • Possible unit test of the service: Nagios plugins are available to monitor the services, see https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZNagios
  • Where is service state held (and can it be rebuilt): The services (PAP, PDP, PEP Server) are stateless. However:
    • PAP: The XACML policies are stored locally in the /usr/share/argus/pap/repository directory.
    • PEP Server: The user pool account mapping leases are kept in the /etc/grid-security/gridmapdir directory.
  • Cron jobs: None
  • Security information
    • Access control mechanism (authentication & authorization):
      • Authentication: SSL/TLS client authentication on the service ports
      • Authorization: PAP uses an access control list
    • How to block/ban a user
    • Network Usage
    • Firewall configuration
    • Security recommendations
    • Security incompatibilities
    • List of externals (packages are NOT maintained by Red Hat)
    • Other security relevant comments
  • Utility scripts:
    • /etc/init.d/argus-pdp reloadpolicy forces the PDP to reload the policies from the PAP
    • /etc/init.d/argus-pepd clearcache clears the PEP daemon response cache
  • Location of reference documentation for users: Not applicable
  • Location of reference documentation for administrators:
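The port layout listed under "Open ports" (service ports 8150 and 8154 on all interfaces, the PDP service port and every admin port on localhost) is what the firewall configuration and a host audit should enforce. As an added check, not part of the Argus documentation, the following POSIX shell function reads `ss -ltn` or `netstat -ltn` output and flags any Argus admin port, or the PDP service port, that is not bound to the loopback address; the sample socket lines are constructed.

```shell
#!/bin/sh
# Added example, not from the Argus documentation. Checks Argus listeners
# against the reference card: 8150 (PAP) and 8154 (PEP Server) may listen
# on all interfaces; 8152 (PDP) and admin ports 8151/8153/8155 only on localhost.

# Expected binding per Argus port: "any" = all interfaces, "local" = loopback.
expected_binding() {
    case "$1" in
        8150|8154) echo any ;;
        8151|8152|8153|8155) echo local ;;
        *) echo unknown ;;   # not an Argus port, ignored
    esac
}

# Reads `ss -ltn` / `netstat -ltn` lines on stdin (local address in column 4,
# e.g. "0.0.0.0:8150" or "[::1]:8151"), prints a verdict per Argus port and
# returns 0 only when every Argus port is bound as the card specifies.
check_argus_ports() {
    rc=0
    while read -r _f1 _f2 _f3 local_addr _rest; do
        port=${local_addr##*:}
        host=${local_addr%:*}
        want=$(expected_binding "$port")
        [ "$want" = unknown ] && continue      # header lines and other services
        case "$host" in
            127.0.0.1|"[::1]"|localhost) have=local ;;
            *) have=any ;;                     # 0.0.0.0, *, [::] or a real IP
        esac
        if [ "$want" = local ] && [ "$have" = any ]; then
            echo "FAIL port $port listens on $host (expected localhost only)"
            rc=1
        else
            echo "OK   port $port listens on $host"
        fi
    done
    return $rc
}

# Constructed sample: a host whose PEP Server admin port is exposed to the network.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8150       0.0.0.0:*
LISTEN 0      128    127.0.0.1:8151     0.0.0.0:*
LISTEN 0      128    [::]:8154          [::]:*
LISTEN 0      128    0.0.0.0:8155       0.0.0.0:*'
if printf '%s\n' "$SAMPLE" | check_argus_ports; then
    echo "all Argus ports bound as documented"
else
    echo "misconfigured Argus binding found"    # the outcome for this sample
fi
```

On a real host, replace the constructed sample with `ss -ltn | check_argus_ports`; a non-zero exit status means an admin port is reachable from the network.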
Topic revision: r1 - 2013-02-14 - ValeryTschoppExCern