Argus: Policy Enforcement Point Daemon: Troubleshooting

PEP Daemon Returns "Stale" Results

The PEPd keeps a short (10 minutes by default) response cache. So identical requests made within a short time period will always provide the same answer. If you're testing this can be a pain. You can clear the cache using the pepdctl clearResponseCache command. You can also turn of the cache through the maximumCachedResponses documented in the PEPd configuration. Just be sure to enable it again before you put the system under heavy load.

Note that the PDP also caches the policies it reads, so during testing you may also want to configure the PDP to more quickly pick up policies from the PAP via the retentionInterval option.

Testing a policy without submitting a job

When authoring new policies or troubleshooting an existing policies it can be helpful to mock up requests, instead of getting users to perform the request over and over as you diagnose the problem. The PEPd offers a C and Java command line tool. The C tool is useful for specifically testing cases where policies are based on the resource ID, action ID, subject ID, and FQAN attributes. The Java tool allows you to mock up any request.

Here is an example of using the C command line tool to test a job submission. It specifies the PEPd service, resource ID, action ID, user's DN, and primary FQAN.

/opt/glite/bin/pepcli  -v -x \
   -p http://vesta.switch.ch:8154/authz \
   -r http://authz-interop.org/xacml/resource/resource-type/wn \
   -a http://authz-interop.org/xacml/action/action-type/execute-now \
   -s "CN=Alessandro Usai,O=SWITCH,C=CH,DC=users,DC=switch,DC=grid,DC=quovadisglobal,DC=com" \
   -f /dech \