Argus Policy Administration Point (PAP): Configuration
The PAP is configured through two files, pap_configuration.ini and pap_authorization.ini, located in the /etc/argus/pap (EMI) or $PAP_HOME/conf (gLite) directory. Most of the information contained in these files can also be set through the command line interface, which is the recommended way to configure the PAP.
Service configuration file
The service is primarily configured through the pap_configuration.ini file, a standard INI file with five defined sections.
The paps section contains the configuration of the paps known to this PAP. The information in this section should be set via the PAP CLI.

A pap is defined by providing the following information (an R value in the Required? column indicates information that is required only for remote paps):

| Option | Description | Required? | Default |
|---|---|---|---|
| alias.type | Defines a pap as | | |
| alias.public | Visibility of the pap: | | |
| alias.dn | DN of the PAP to get policies from. | R | None |
| alias.hostname | Hostname of the PAP to get policies from. | R | None |
| alias.port | Port of the PAP to get policies from. | N | 8150 |
| alias.path | Path of the services exposed by the PAP to get policies from. | N | /pap/services |
| alias.protocol | Protocol to use to contact the remote PAP. | N | https |
The next section contains information about policy distribution and pap ordering.

| Option | Description | Required? | Default |
|---|---|---|---|
| poll_interval | The polling interval (in seconds) for retrieving remote policies. | Y | None. The recommended value is 14400 (4 hours). |
| ordering | Comma-separated list of pap aliases, e.g. alias-1, alias-2, ..., alias-n. Defines the order in which the policies of the paps are evaluated: the policies of pap “alias-1” are evaluated first, then those of pap “alias-2”, and so on. | N | If not specified the |
The repository section contains information about the PAP policy repository.

| Option | Description | Required? | Default |
|---|---|---|---|
| location | Path to the repository directory. | N | $PAP_HOME/repository |
| consistency_check | Forces a consistency check of the repository at startup. | N | false |
| consistency_check.repair | If set to true, automatically fixes problems detected by the consistency check (usually by deleting the corrupted policies). | N | false |
The standalone service section contains information about the PAP standalone service.

| Option | Description | Required? | Default |
|---|---|---|---|
| hostname | The hostname or IP address the service binds to. | N | 127.0.0.1 |
| port | The service port number. | N | 8150 |
| shutdown_port | The service shutdown port number. | N | 8151 |
| shutdown_command | The command string that must be received on the shutdown port in order to shut down the service. The command prevents unauthorized shutdown requests coming from localhost; this is effective only if the pap_configuration.ini file is not world-readable. If the option is not present in the configuration, no check on the command is made. | N | shutdown |
| entity_id | A unique identifier for the PAP. It must be a URI (URL or URN). If a URL is used, it need not resolve to any specific web page. | N | The service endpoint, e.g. |
The security section contains the PAP security configuration.

| Option | Description | Required? | Default |
|---|---|---|---|
| certificate | The X.509 PEM-encoded service certificate. | Y | /etc/grid-security/hostcert.pem |
| private_key | The unencrypted private key bound to the certificate. | Y | /etc/grid-security/hostkey.pem |
| trust_store_dir | The directory where CA files and CRLs are looked for. | N | /etc/grid-security/certificates |
| crl_update_interval | How frequently the PAP should reload CRLs, CAs and namespaces from the filesystem. The interval is defined as a string with the following format: | | |
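As an added example (not part of the Argus distribution), the script below parses a pap_configuration.ini and reports the problems the tables above describe: a remote pap missing its dn or hostname, an ordering entry that names an undefined pap, a missing poll_interval, missing certificate or private_key, and a shutdown_command that is either absent or defeated by a world-readable file. The section names [paps], [paps:properties], [repository], [standalone-service] and [security] are assumptions (the page only lists the options, not the section headers), the sample configuration is constructed, and the file mode is passed in as a number so the check can run on text alone.

```python
"""Sanity-check a pap_configuration.ini against the documented option rules.

Added example; not the PAP's own code. Section names are assumed.
"""
import configparser
import stat

REMOTE_REQUIRED = ("dn", "hostname")          # 'R' in the Required? column
SECURITY_REQUIRED = ("certificate", "private_key")  # 'Y' in the Required? column

# Constructed sample: 'central' is a complete remote pap, 'broken' lacks its dn,
# and the service section has no shutdown_command.
SAMPLE_CONFIG = """\
[paps]
central.type = remote
central.public = true
central.dn = /DC=org/DC=example/CN=pap.example.org
central.hostname = pap.example.org
central.port = 8150
central.path = /pap/services
central.protocol = https

broken.type = remote
broken.hostname = other.example.org

[paps:properties]
poll_interval = 14400
ordering = central, broken

[repository]
location = /var/lib/argus/pap/repository
consistency_check = true

[standalone-service]
hostname = 127.0.0.1
port = 8150
shutdown_port = 8151

[security]
certificate = /etc/grid-security/hostcert.pem
private_key = /etc/grid-security/hostkey.pem
"""


def parse(text):
    """Parse INI text; only '=' separates keys from values, since DNs contain ':' and '='."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep alias names case-sensitive
    cp.read_string(text)
    return cp


def paps(cp):
    """Group the alias.key options of [paps] into {alias: {key: value}}."""
    result = {}
    if cp.has_section("paps"):
        for opt, value in cp.items("paps"):
            alias, _, key = opt.partition(".")
            result.setdefault(alias, {})[key] = value
    return result


def check(text, file_mode=0o640):
    """Return a list of findings (empty means nothing to report).

    file_mode is the POSIX mode of pap_configuration.ini (e.g. from os.stat).
    """
    cp = parse(text)
    findings = []
    defined = paps(cp)
    for alias, opts in defined.items():
        if opts.get("type") == "remote":
            for key in REMOTE_REQUIRED:
                if key not in opts:
                    findings.append(f"remote pap '{alias}' lacks required option '{alias}.{key}'")
    if defined and not cp.has_option("paps:properties", "poll_interval"):
        findings.append("poll_interval is missing (required; 14400 is the recommended value)")
    ordering = cp.get("paps:properties", "ordering", fallback="")
    for alias in (a.strip() for a in ordering.split(",")):
        if alias and alias not in defined:
            findings.append(f"ordering references undefined pap '{alias}'")
    svc = "standalone-service"
    if not cp.has_option(svc, "shutdown_command"):
        findings.append("shutdown_command is not set: no check is made on shutdown requests from localhost")
    elif file_mode & stat.S_IROTH:
        findings.append("shutdown_command is set but the file is world-readable, so the check is ineffective")
    for key in SECURITY_REQUIRED:
        if not cp.has_option("security", key):
            findings.append(f"[security] lacks required option '{key}'")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print(finding)
```

Run against a real file with `check(open(path).read(), os.stat(path).st_mode)`; the mode argument is what ties the shutdown_command finding to the world-readable condition the table states.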
Service Access Control
Access control rules are configured through the pap_authorization.ini file. Authorization is based on the subject DN or the VOMS attributes of the client certificate used to authenticate to the PAP.
The authorization layer is based on an Access Control List (ACL), composed of several Access Control Entries (ACEs). Each ACE defines the actions that an administrator is allowed to execute on the PAP. Administrators’ privileges are defined in terms of PAP permission flags, whose meaning is described in the table below:
| Permission flag | Meaning |
|---|---|
| POLICY_READ_LOCAL | Allows read access to locally defined policies |
| POLICY_READ_REMOTE | Allows read access to policies imported from remote PAPs |
| POLICY_WRITE | Allows write access to locally defined policies |
| CONFIGURATION_READ | Allows read access to PAP configuration |
| CONFIGURATION_WRITE | Allows write access to PAP configuration |
| ALL | All of the above permissions |
A set of permission flags can be assigned to an administrator by
defining an ACE in the
pap_authorization.ini configuration file or
by using the authorization management commands provided by the
pap-admin command line interface.
ACEs are expressed as

<principal> : <permission>

The principal part of the ACE is either:

- ANYONE, to assign privileges to any authenticated user (i.e., any user that presents a trusted certificate);
- a VOMS FQAN, e.g., /atlas/Role=PAP-Admin;
- a quoted X.509 certificate subject, e.g., "/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti".

The permission part of the ACE is either:

- a single PAP permission flag, e.g., POLICY_READ_LOCAL;
- a |-separated list of PAP permission flags, e.g., POLICY_READ_LOCAL|CONFIGURATION_READ, to grant a set of permissions.
So, for example, to grant the POLICY_READ_LOCAL and POLICY_READ_REMOTE permissions to the user identified by the X.509 subject /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti, one should write:
"/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti" : POLICY_READ_LOCAL|POLICY_READ_REMOTE
Note that the subject has been put into quotes! For VOMS FQANs this is not needed (FQAN syntax does not allow whitespace inside the FQAN), so one could write:
/atlas/Role=PAP-Admin : ALL
Authorization entries are loaded at PAP service startup time, so any pap_authorization.ini modifications done “by hand” while the PAP service is running do not take effect until the PAP service is restarted. To modify the PAP authorization configuration at runtime, use the authorization management commands provided by the pap-admin command line interface. Changes made to the PAP ACL by these commands are immediately reflected in the running service.
Configuration File Syntax
In the pap_authorization.ini file, ACEs are grouped in stanzas according to the type of the principal. Currently, two stanzas are supported:

- [dn], which lists ACEs defined for principals identified by an X.509 certificate subject;
- [fqan], which lists ACEs defined for principals identified by VOMS FQANs.

An example configuration file is given below:

[dn]
"/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti" : ALL
ANYONE : CONFIGURATION_READ|CONFIGURATION_WRITE

[fqan]
/voms-ws/Role=PAP-Admin : ALL
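To make the ACE syntax and the stanza layout concrete, here is an added example (not the PAP's own implementation) that parses a pap_authorization.ini, expands ALL and |-separated flag lists, and answers "does this client hold this permission?" for a client presenting a subject DN and a set of FQANs. The flag names used are POLICY_READ_LOCAL, POLICY_READ_REMOTE, POLICY_WRITE, CONFIGURATION_READ, CONFIGURATION_WRITE and ALL. Two points are assumptions rather than page statements: matching ACEs are combined as a union, and ANYONE matches every authenticated client whatever stanza it appears in. The sample ACL is the one shown just above, reproduced inline so the script runs offline.

```python
"""Parse a pap_authorization.ini ACL and evaluate permissions for a principal.

Added example; not the Argus PAP's own code.
"""
import re

PERMISSIONS = frozenset({
    "POLICY_READ_LOCAL", "POLICY_READ_REMOTE", "POLICY_WRITE",
    "CONFIGURATION_READ", "CONFIGURATION_WRITE",
})

# principal is either a quoted X.509 subject or a bare token (ANYONE or an FQAN),
# followed by ':' and a |-separated list of flags.
ACE_RE = re.compile(r'^(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s":]+))\s*:\s*(?P<perms>[A-Z_|]+)$')

# The example configuration file from the page.
SAMPLE_ACL = """\
[dn]
"/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti" : ALL
ANYONE : CONFIGURATION_READ|CONFIGURATION_WRITE

[fqan]
/voms-ws/Role=PAP-Admin : ALL
"""


def parse_acl(text):
    """Return [(stanza, principal, frozenset(flags)), ...] in file order.

    Raises ValueError on an unknown stanza, an unquoted subject in [dn],
    a malformed ACE, or an unknown permission flag.
    """
    entries, stanza = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].lower()
            if stanza not in ("dn", "fqan"):
                raise ValueError(f"line {lineno}: unknown stanza [{stanza}]")
            continue
        if stanza is None:
            raise ValueError(f"line {lineno}: ACE before any stanza")
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed ACE {line!r}")
        quoted = m.group("quoted")
        principal = quoted if quoted is not None else m.group("bare")
        if stanza == "dn" and quoted is None and principal != "ANYONE":
            raise ValueError(f"line {lineno}: X.509 subjects must be quoted")
        flags = set()
        for flag in m.group("perms").split("|"):
            if flag == "ALL":
                flags |= PERMISSIONS
            elif flag in PERMISSIONS:
                flags.add(flag)
            else:
                raise ValueError(f"line {lineno}: unknown permission flag {flag}")
        entries.append((stanza, principal, frozenset(flags)))
    return entries


def effective_permissions(entries, subject_dn=None, fqans=()):
    """Union (assumed combination rule) of the flags granted to a client
    presenting subject_dn and the given FQANs. ANYONE matches every client,
    since the PAP only talks to clients with a trusted certificate."""
    granted = set()
    for stanza, principal, flags in entries:
        if principal == "ANYONE":
            granted |= flags
        elif stanza == "dn" and principal == subject_dn:
            granted |= flags
        elif stanza == "fqan" and principal in fqans:
            granted |= flags
    return granted


def is_allowed(entries, permission, subject_dn=None, fqans=()):
    return permission in effective_permissions(entries, subject_dn, fqans)


def anyone_grants(entries):
    """Flags every authenticated client gets; worth reviewing if it includes any *_WRITE flag."""
    granted = set()
    for _, principal, flags in entries:
        if principal == "ANYONE":
            granted |= flags
    return frozenset(granted)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("ANYONE gets:", sorted(anyone_grants(acl)))
```

Running it on the page's example shows that the ANYONE entry hands CONFIGURATION_WRITE to every client with a trusted certificate, which is the kind of line `anyone_grants` is there to surface during a review of the ACL.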