Argus PT Workplan

General Plan

The main goal is to add the functionalities required by other components (CREAM, UNICORE, ARC, data management, ...) for the integration with the Argus authorization Service, as well as to integrate the feedback received from the users (deployment, production).

Harmonization Activities

• Define the common EMI XACML profiles to support the EMI use cases. See EmiJra1T4XACML
• UNICORE integration with Argus
• ARC integration with Argus
• Data management (DPM/LFC, Storm, dCache) integration with Argus (Global banning, ...)

Evolution Activities

Major activities:

• Importing of raw XACML policies into the PAP
• PAP support for multiple profiles (attribute-mappings.ini)
• Integration of the EES as obligation handler.
• Add a SOAP SAML/XACML authorization endpoint in the PEP server
• Integration with WMS?
• Argus enabled PAM module development.

Minor activities and bug fixes:

• Refactoring of the OH and PIP to work directly on the XACML model.
• Upgrade to version 1.0 of the HERASF XACML engine in the PDP.
• Policy repository on a RDBMS (initial support for mysql).
• Improved PAP CLI response time, https://savannah.cern.ch/bugs/?60050
• YAIM support for generic remote paps configuration.
• YAIM configuration for opened PDP port (UNICORE callouts)
• Temporal attributes support in SPL policies, to enable policies like "this principal is allowed to do this action on this resource only at night on weekdays"
• Web based policy search/management interface (may be further postponed the next year)
• Clustered obligation handlers for the PEP daemon (if high availability, load balancing is required)
• Publish the OH as separate libraries (plugins)
• Implement a working fqan-regexp-match matching function in the PAP and PDP

Argus 1.3.1 (EMI-1 update)

Argus 1.3.1 is the bug fix release for EMI-1

See the savannah task #20989, ARGUS v. 1.3.1 for more information.

Release Notes

What's New:

• The Argus PAP handles kerberized style DN correctly (e.g. "/CN=service/host.example.com").
• The Argus PEP Server mapping obligation handler updates the timestamp of the lease file each time a mapping is done.
• The Argus PEP Server mapping obligation handler have a new option 'useSecondaryGroupNamesForMapping' to create lease file names with or without the secondary groups of the user (default: true).
• The Argus PEP Server mapping obligation handler lease file names encoding is fully compliant with the legacy gLExec LCAS/LCMAP encoding.

Deployment Notes:

• After the update is applied the PAP and the PEP Server services are stopped.
• You must re-configure the Argus services with YAIM. This will automatically restart the services.

Requests for Change (RfC) implemented

• Argus PAP does not support kerberized style DN: http://savannah.cern.ch/bugs/?82193
• Argus PEP Server mapping obligation handler does not update the timestamp of the lease file in the gridmapdir: https://savannah.cern.ch/bugs/index.php?83281
• Argus PEP Server mapping obligation handler implements the legacy LCAS/LCMAP lease filename encoding in the gridmapdir: https://savannah.cern.ch/bugs/?83419
• Argus PEP Server mapping obligation handler have a new configuration option useSecondaryGroupNamesForMapping (default: true) to simulation gLExec default config: https://savannah.cern.ch/bugs/?83317

Bugs Fixed

• argus-pap RPM upgrade overwrite pap-admin.properties: https://savannah.cern.ch/bugs/?81738

Argus 1.3 release (EMI-1)

Argus 1.3 is the release for EMI-1.

See the savannah task #18586 Argus 1.3.0 for more information.

Release Notes

What's New:

• First EMI release of the Argus Authorization Service.
• The Argus components have all been repackaged to be compliant with EMI packaging policies.
• A new thread-safe Argus PEP client library for C have been released.
• Support for the DPM/LFC banning engine have been added to the Argus PEP Server.
• Support for direct PDP XACML requests for UNICORE have been improved in the Argus PDP.
• Some minor bugs have been fixed.

Deployment Notes:

• The yum emi-argus metapackage is available to install the Argus Authorization Service.
• The yaim ARGUS_server node type is used to configure the Argus Authorization Service.

Known Issues:

• The common EMI XACML profile is not yet finalize, and not yet implemented by the Argus service.

Requests for Change (RfC) implemented

• The Argus components (services, client libraries) have been repackaged to be compliant with EMI packaging policies: https://savannah.cern.ch/bugs/?77532
• A new thread-safe Argus PEP client library for C have been released: https://savannah.cern.ch/bugs/?77525
• The Argus PEP Server includes a new PIP to convert OpenSSL subject DN into RFC2253 compliant subject DN. This PIP allows the DPM/LFC banning engine to integrate with Argus: https://savannah.cern.ch/bugs/?77527 and https://savannah.cern.ch/bugs/?77528
• The Argus PEP Server includes a new PIP to validate incoming authorization requests: https://savannah.cern.ch/bugs/?78414

Bugs Fixed

• PAP maven project as child of argus-parent: https://savannah.cern.ch/bugs/?77584
• PAP changes bind IP if it is configured to use localhost: https://savannah.cern.ch/bugs/?75538
• PAP Clean up package: drop tomcat war and don't repackage jar files: https://savannah.cern.ch/bugs/?77522
• PAP argus-pap.pid file is written on /usr (could be ready only): https://savannah.cern.ch/bugs/?80510
• Log files format (date/time, message, ...) for PAP, PDP and PEP daemon: https://savannah.cern.ch/bugs/?77524
• PDP XACML SOAP handler sends empty HTTP error response: https://savannah.cern.ch/bugs/?75860
• PDP throws exception on missing Action or Resource: https://savannah.cern.ch/bugs/?77429
• PEP Server: first authz request after service start timeout: https://savannah.cern.ch/bugs/?78751
• PEP Server: mapping OH fails to match pool accounts which contain non alphabetic characters: https://savannah.cern.ch/bugs/?80526
• Processing error in Argus PEP server should return INDETERMINATE decision: https://savannah.cern.ch/bugs/?78831
• Add a xacml_profileid config parameter for the GSI PEP callout: https://savannah.cern.ch/bugs/?71796
• GSI PEP plugin using the thread-safe PEP client v.2.0: https://savannah.cern.ch/bugs/?77739
• GSI PEP plugin: Problems with gridftp + argus in EMI-RC1: https://savannah.cern.ch/bugs/?79412

Argus 1.2 release (gLite 3.2)

The Argus release 1.2 is the first release, completely done within the Argus PT (bug fixes, packaging, certification).

This release include minor improvements, and bug fixes, based on the feedback received during the pilot phase.

The Argus 1.2 release is in savannah patch #4367

glite-ARGUS is included in the gLite 3.2.0 Update 20

Security

• Implement the required security recommendations made by PSNC Security Team

PEP daemon mapping OH

• Implement a consistent FQAN/DN based user mapping strategy. See the mapping proposal
• Add support for DN based group account mapping in group-mapfile. https://savannah.cern.ch/bugs/index.php?68805
• Add preferDNForGroupName configuration property.

XACML profiles

• Finalize the XACML Grid CE profile v.1.0 for CREAM (feedback required)
• Update PIP to support the XACML Grid CE profile. https://savannah.cern.ch/bugs/index.php?68808

PEP client library

• Release the PEP-Java client library, with the eventual modifications required for the CE profile and CREAM (feedback required). https://savannah.cern.ch/bugs/?63023

PAP admin

• Add the pap-admin add-policy -obligation <obligation-id> parameter https://savannah.cern.ch/bugs/?68595

Bug Fixes

• Profile attribute/group-id doesn't contain primary group. https://savannah.cern.ch/bugs/?64340
• Pool account mapping problem: .dteam -> dteamprod001. https://savannah.cern.ch/bugs/?66574
• Timestamps in Argus log files do not show the date. https://savannah.cern.ch/bugs/?64197
• PEP-C include files are not actually ANSI C. https://savannah.cern.ch/bugs/?67387
• pap-admin lp command should support filtering by resource and action. https://savannah.cern.ch/bugs/?60044
• pap-admin script doesn't resolve softlink. https://savannah.cern.ch/bugs/?63180
• pap-admin remove-policy not able to remove exiting obligation. https://savannah.cern.ch/bugs/?68599
• pap-admin fails with certificate containing the '/' character in an RDN. http://savannah.cern.ch/bugs/?66669
• PAP should have a status handler on localhost:8151. https://savannah.cern.ch/bugs/?65802
• yaim-argus /etc/init.d scripts 'status' command doesn't return 1 on error. https://savannah.cern.ch/bugs/?65542
• pepd.ini without SECURITY section cause a NullPointerException at start. https://savannah.cern.ch/bugs/?68858