Argus PT Workplan
General Plan
The main goal is to add the functionality required by other components (CREAM, UNICORE, ARC, data management, ...) for integration with the Argus Authorization Service, as well as to incorporate the feedback received from users (deployment, production).
Harmonization Activities
- Define the common EMI XACML profiles to support the EMI use cases. See EmiJra1T4XACML
- UNICORE integration with Argus
- ARC integration with Argus
- Data management (DPM/LFC, StoRM, dCache) integration with Argus (Global banning, ...)
Evolution Activities
Major activities:
- Importing of raw XACML policies into the PAP
- PAP support for multiple profiles (attribute-mappings.ini)
- Integration of the EES as obligation handler.
- Add a SOAP SAML/XACML authorization endpoint in the PEP server
- Integration with WMS?
- Argus-enabled PAM module development.
Minor activities and bug fixes:
- Refactoring of the OH and PIP to work directly on the XACML model.
- Upgrade to version 1.0 of the HERASF XACML engine in the PDP.
- Policy repository on an RDBMS (initial support for MySQL).
- Improved PAP CLI response time, https://savannah.cern.ch/bugs/?60050
- YAIM support for generic remote PAPs configuration.
- YAIM configuration for opened PDP port (UNICORE callouts)
- Temporal attributes support in SPL policies, to enable policies like "this principal is allowed to do this action on this resource only at night on weekdays"
- Web-based policy search/management interface (may be postponed further, to next year)
- Clustered obligation handlers for the PEP daemon (if high availability or load balancing is required)
- Publish the OH as separate libraries (plugins)
- Implement a working fqan-regexp-match matching function in the PAP and PDP
Argus 1.3.1 (EMI-1 update)
Argus 1.3.1 is the bug fix release for EMI-1.
See the Savannah task #20989, ARGUS v. 1.3.1 for more information.
Release Notes
What's New:
- The Argus PAP handles Kerberized-style DNs correctly (e.g. "/CN=service/host.example.com").
- The Argus PEP Server mapping obligation handler updates the timestamp of the lease file each time a mapping is done.
- The Argus PEP Server mapping obligation handler has a new option 'useSecondaryGroupNamesForMapping' to create lease file names with or without the secondary groups of the user (default: true).
- The Argus PEP Server mapping obligation handler lease file name encoding is fully compliant with the legacy gLExec LCAS/LCMAPS encoding.
Deployment Notes:
- After the update is applied, the PAP and the PEP Server services are stopped.
- You must re-configure the Argus services with YAIM. This will automatically restart the services.
Requests for Change (RfC) implemented
Bugs Fixed
Argus 1.3 release (EMI-1)
Argus 1.3 is the release for EMI-1.
See the Savannah task #18586 Argus 1.3.0 for more information.
Release Notes
What's New:
- First EMI release of the Argus Authorization Service.
- The Argus components have all been repackaged to be compliant with EMI packaging policies.
- A new thread-safe Argus PEP client library for C has been released.
- Support for the DPM/LFC banning engine has been added to the Argus PEP Server.
- Support for direct PDP XACML requests for UNICORE has been improved in the Argus PDP.
- Some minor bugs have been fixed.
Deployment Notes:
- The yum emi-argus metapackage is available to install the Argus Authorization Service.
- The yaim ARGUS_server node type is used to configure the Argus Authorization Service.
Known Issues:
- The common EMI XACML profile is not yet finalized and not yet implemented by the Argus service.
Requests for Change (RfC) implemented
Bugs Fixed
Argus 1.2 release (gLite 3.2)
The Argus release 1.2 is the first release done completely within the Argus PT (bug fixes, packaging, certification).
This release includes minor improvements and bug fixes, based on the feedback received during the pilot phase.
The Argus 1.2 release is in Savannah patch #4367.
glite-ARGUS is included in the gLite 3.2.0 Update 20.
Security
- Implement the required security recommendations made by PSNC Security Team
PEP daemon mapping OH
XACML profiles
PEP client library
PAP admin
Bug Fixes