glite-ARGUS Service Reference Card

Definitions

PAP
The Policy Administration Point manages and publishes the authorization policies.
PDP
The Policy Decision Point evaluates the authorization requests.
PEP Daemon
The Policy Enforcement Point daemon receives authorization requests from PEP clients, obtains a decision from the PDP and returns the response (decision plus any obligations) to the client.
PEP client
Lightweight PEP client library available for Java and C. Requests an authorization decision from the PEP daemon and enforces it locally (e.g. the gLExec LCMAPS PEP plugin).
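As an added worked example (not Argus code, and not the XACML engine the PDP actually runs), the following Python models the decision the definitions above describe: the PAP holds an ordered list of policies, each targeting a resource and an action by regular expression, and the PDP answers "can subject X perform action Y on resource Z?" by taking the first rule whose attributes all match (first-applicable ordering, as in the Argus simplified policy language). The resource and action identifiers, DNs and VO names below are constructed, and the catch-all ban policy is modelled on the shape of an Argus ban rule (deny the subject for resource ".*" and action ".*"); the example also shows why such a ban must sit before the site's permit rules.

```python
import re
from dataclasses import dataclass

# Added, simplified model of the Argus decision logic (not the Argus PDP code).
# A policy targets a resource and an action (regular expressions); its rules
# are tried in order and the first rule whose attributes all match decides.


@dataclass
class Rule:
    effect: str      # "permit" or "deny"
    match: dict      # attribute name -> required value; all entries must hold


@dataclass
class Policy:
    resource: str    # regex matched against the resource identifier
    action: str      # regex matched against the action identifier
    rules: list      # ordered list of Rule


def evaluate(policies, request):
    """Decide a request {resource, action, attrs}.

    attrs maps an attribute name (subject, vo, fqan, ...) to the value or
    list of values the user presents. A policy whose target matches but
    whose rules do not applies to nothing, so the next policy is tried.
    """
    for policy in policies:
        if not (re.fullmatch(policy.resource, request["resource"])
                and re.fullmatch(policy.action, request["action"])):
            continue
        for rule in policy.rules:
            if all(_has(request["attrs"], attr, value)
                   for attr, value in rule.match.items()):
                return "Permit" if rule.effect == "permit" else "Deny"
    return "NotApplicable"


def _has(attrs, name, value):
    present = attrs.get(name, [])
    if isinstance(present, str):
        present = [present]
    return value in present


def catch_all_deny(dn):
    """A ban policy: deny the given subject for every resource and action."""
    return Policy(".*", ".*", [Rule("deny", {"subject": dn})])


def ban_subject(policies, dn):
    """Ban a DN by prepending the catch-all deny, so it is evaluated before
    any permit rule of the site policies (ordering is what makes it work)."""
    return [catch_all_deny(dn)] + list(policies)


def request(resource, action, **attrs):
    return {"resource": resource, "action": action, "attrs": attrs}


# Constructed identifiers and subjects for the demonstration.
WN_RESOURCE = "http://authz-interop.org/xacml/resource/resource-type/wn"
EXECUTE = "http://glite.org/xacml/action/execute"
ALICE = "CN=Alice,O=Example,C=XX"
MALLORY = "CN=Mallory,O=Example,C=XX"

SITE_POLICIES = [
    Policy(WN_RESOURCE, EXECUTE, [
        Rule("permit", {"vo": "dteam"}),
        Rule("permit", {"fqan": "/atlas/Role=production"}),
    ]),
]


def demo():
    """Outcomes for a few requests, with and without a correctly ordered ban."""
    banned = ban_subject(SITE_POLICIES, MALLORY)
    misordered = list(SITE_POLICIES) + [catch_all_deny(MALLORY)]
    return {
        "alice_wn": evaluate(banned, request(WN_RESOURCE, EXECUTE, subject=ALICE, vo="dteam")),
        "mallory_wn": evaluate(banned, request(WN_RESOURCE, EXECUTE, subject=MALLORY, vo="dteam")),
        "alice_other_resource": evaluate(banned, request("http://example.org/ce", EXECUTE, subject=ALICE, vo="dteam")),
        "unknown_vo": evaluate(banned, request(WN_RESOURCE, EXECUTE, subject=ALICE, vo="cms")),
        "mallory_ban_shadowed": evaluate(misordered, request(WN_RESOURCE, EXECUTE, subject=MALLORY, vo="dteam")),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print("%-22s %s" % (name, decision))
```

The last entry is the practical caveat: if the deny rule is appended after a matching permit, the permit wins and the "banned" user is still authorized, which is why the PAP keeps ban policies at the top of the list.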

Service Reference Card (Argus 1.2 for gLite 3.2)

  • Functional description: Render authorization decisions based on XACML policies: "Can user X perform action Y on resource Z?" or "Is user X banned for any action on any resource?"
  • Services running:
    • PAP: (Java application) org.glite.authz.pap.server.standalone.PAPServer
    • PDP: (Java application) org.glite.authz.pdp.server.PDPDaemon
    • PEP Server: (Java application) org.glite.authz.pep.server.PEPDaemon
  • Init scripts and options:
    • PAP: /etc/init.d/pap-standalone {start|stop|status|restart}
    • PDP: /etc/init.d/pdp {start|stop|status|reloadpolicy}
    • PEP Server: /etc/init.d/pepd {start|stop|status|clearcache}
  • Configuration files location with example:
    • PAP: /opt/argus/pap/conf/pap_configuration.ini (service settings) and /opt/argus/pap/conf/pap_authorization.ini (access control list for policy administration)
    • PDP: /opt/argus/pdp/conf/pdp.ini
    • PEP Server: /opt/argus/pepd/conf/pepd.ini
  • Logfile locations (and management) and other useful audit information:
    • PAP:
      • Logging directory: /opt/argus/pap/logs
      • Logging configuration: /opt/argus/pap/conf/logging/standalone/logback.xml
    • PDP:
      • Logging directory: /opt/argus/pdp/logs
      • Logging configuration: /opt/argus/pdp/conf/logging.xml
    • PEP Server:
      • Logging directory: /opt/argus/pepd/logs
      • Logging configuration: /opt/argus/pepd/conf/logging.xml
  • Open ports:
    • PAP:
      • Service port: *:8150
      • Admin port: localhost:8151
    • PDP:
      • Service port: localhost:8152
      • Admin port: localhost:8153
    • PEP Server:
      • Service port: *:8154
      • Admin port: localhost:8155
  • Possible unit test of the service: Nagios plugins are available to monitor the services, see https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZNagios
  • Where is service state held (and can it be rebuilt): The services (PAP, PDP, PEP Daemon) are stateless. However:
    • PAP: The XACML policies are stored locally in the /opt/argus/pap/repository directory; they can only be rebuilt from a backup or by re-importing the site policies.
    • PEP Server: The pool account mapping leases created by the account mapping obligation handler are kept in the /etc/grid-security/gridmapdir directory; losing them loses the existing user-to-pool-account mappings.
  • Cron jobs:
    • fetch-crl
  • Security information
    • Access control mechanism (authentication & authorization):
      • Authentication: SSL/TLS client authentication (X.509 host/user certificates) on the externally reachable service ports (PAP 8150 and PEP Server 8154); the PDP service port (8152) and all admin ports are bound to localhost
      • Authorization: the PAP uses an access control list of certificate subjects (DNs) and VOMS FQANs with per-entry permissions for reading and changing policies
    • How to block/ban a user: add a deny rule for the user's certificate subject (DN) or FQAN to the PAP policies ahead of any permit rule (with pap-admin, e.g. pap-admin ban subject "<DN>"); the PDP picks the change up at its next policy refresh or immediately with /etc/init.d/pdp reloadpolicy, and already-cached decisions are dropped with /etc/init.d/pepd clearcache
    • Network Usage:
      • PEP clients connect to the PEP Server service port (8154)
      • The PEP Server forwards requests to the PDP service port (8152, localhost only, so PEP Server and PDP run on the same host)
      • The PDP fetches its policies from the PAP service port (8150); pap-admin and remote PAPs use the same port
      • The admin ports (8151, 8153, 8155) are used only on the local host by the init scripts (status, stop, reloadpolicy, clearcache)
    • Firewall configuration: allow inbound TCP 8150 (PAP) and 8154 (PEP Server) from the hosts that need them; the PDP service port and the admin ports are bound to localhost and need no external rule
    • Security recommendations
    • Security incompatibilities
    • List of externals (packages are NOT maintained by Red Hat)
    • Other security relevant comments
  • Utility scripts:
    • /etc/init.d/pdp reloadpolicy forces the PDP to reload the policies from the PAP
    • /etc/init.d/pepd clearcache clears the PEP daemon response cache
  • Location of reference documentation for users: Not applicable
  • Location of reference documentation for administrators:
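An added example (not part of the reference card or of Argus) that turns the "Open ports" and "Firewall configuration" entries above into a check a site administrator can run: it parses the output of ss -ltn (or netstat -ltn), verifies that the PAP and PEP Server service ports are listening and that the PDP service port and the three admin ports are bound to loopback only, and emits iptables rules limiting the two exposed ports to the client networks given. The listener lines and the client network below are constructed; the iptables lines are hypothetical example rules to adapt to the site's firewall.

```python
# Added example: audit the Argus 1.2 listener bindings against the reference
# card and suggest firewall rules. Not Argus code.

# port -> (name, expected binding); "any" ports are the externally used ones,
# "loopback" ports must never be reachable from other hosts.
EXPECTED = {
    8150: ("PAP service", "any"),
    8151: ("PAP admin", "loopback"),
    8152: ("PDP service", "loopback"),
    8153: ("PDP admin", "loopback"),
    8154: ("PEP Server service", "any"),
    8155: ("PEP Server admin", "loopback"),
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(output):
    """Parse 'ss -ltn' or 'netstat -ltn' output into {port: set(local addresses)}.

    Both tools put the local address:port in the fourth column; ss puts the
    state first, netstat puts it last.
    """
    listeners = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or "LISTEN" not in (fields[0], fields[-1]):
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def audit(listeners):
    """Return (port, name, problem) tuples for every deviation from EXPECTED."""
    findings = []
    for port, (name, expected) in sorted(EXPECTED.items()):
        addrs = listeners.get(port)
        if not addrs:
            findings.append((port, name, "not listening"))
            continue
        exposed = addrs - LOOPBACK
        if expected == "loopback" and exposed:
            findings.append((port, name,
                             "bound to %s, expected loopback only" % ", ".join(sorted(exposed))))
    return findings


def firewall_rules(client_nets):
    """Hypothetical iptables rules admitting only client_nets to the exposed ports."""
    rules = []
    for port, (name, expected) in sorted(EXPECTED.items()):
        if expected != "any":
            continue
        for net in client_nets:
            rules.append("iptables -A INPUT -p tcp -s %s --dport %d -j ACCEPT  # %s" % (net, port, name))
        rules.append("iptables -A INPUT -p tcp --dport %d -j DROP  # %s" % (port, name))
    return rules


# Constructed 'ss -ltn' output: PDP admin port wrongly bound to all
# interfaces, PEP Server admin port not listening at all.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     *:8150             *:*
LISTEN 0      50     127.0.0.1:8151     *:*
LISTEN 0      50     127.0.0.1:8152     *:*
LISTEN 0      50     *:8153             *:*
LISTEN 0      50     *:8154             *:*
LISTEN 0      128    127.0.0.1:22       *:*
"""

if __name__ == "__main__":
    for port, name, problem in audit(parse_listeners(SAMPLE_SS)):
        print("port %d (%s): %s" % (port, name, problem))
    print("\n".join(firewall_rules(["192.0.2.0/24"])))
```

On a live host replace SAMPLE_SS with the output of ss -ltn; a "bound to *" finding on 8151, 8152, 8153 or 8155 means the daemon's configured listen address has drifted from the localhost binding the card documents and the admin commands (shutdown, policy reload, cache clearing) have become reachable from the network.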
Topic revision: r2 - 2016-07-05 - MaartenLitmaath