The Simplified Policy Language¶
As already explained here, Argus policies contain collections of rules that state which actions can be performed on which resources by which users. XACML, the language used internally by Argus to define policies, provides great expressiveness and flexibility but it’s very hard to read and author for human beings. For this reason, Argus provides a Simplified Policy Language (SPL) to hide the complexity of XACML while providing much of its flexibility.
As an example, the following policy denies access to all the resources (under Argus control) to the members of the ATLAS VO:
resource ".*" {
action ".*" {
rule deny { vo = "atlas" }
}
}
The SPL syntax¶
resource <value> {
action <value> {
rule <permit|deny> {
<attributeId>=<attributeValue>
...
}
...
}
...
}
...
The SPL defines three stanza types: resource
, action
and
rule
. It’s possible to define multiple resource stanzas that can
contain multiple action stanzas that can contain multiple rules stanzas.
The resource
stanza is used to target a resource (or set of
resources, if wildcards are used) under the control of Argus
authorization.
The action
stanza (always defined in the context of an enclosing
resource
) is used to target an action (or set of actions, if
wildcards are used) that has to be authorized by Argus on the resource
identified by the enclosing resource
stanza.
The rule
stanza defines who is authorized (in case of a permit
rule) or not authorized (in case of a deny
rule) to perform the
action on the resource identified by the enclosing action and resource
stanzas.
Identifying actions and resources¶
Actions and resources are identified by unique identifiers that are assigned to them. This identifiers are usually URIs, but any string that is unique in your deployment may work.
You can also use wildcards in your SPL policies to target group of resources or actions, like in the following example:
resource "http://cnaf.infn.it/cream-ce-01" {
action ".*" {
rule permit { vo = "cms" }
}
}
This policy authorizes users from the CMS vo to perform any action on
the resource http://cnaf.infn.it/cream-ce-01
.
Identifying subjects¶
In Argus policies, the users (or software agents) that need to be authorized to execute an action on a specific resource are identified using a set of attributes, like:
- the subject of the user’s X509 certificate;
- the CA that issued the user’s x509 certificate;
- the VO the user belongs to;
- whether the use has a specific FQAN in its bag of VOMS attributes;
- whether the user has a specific FQAN as his primary FQAN.
The table below specifies the supported attributes for Argus 1.1:
Attribute name | Description | Example |
---|---|---|
subject |
The user’s X509 certificate subject in rfc2253 or openssl format | subject ="CN=Andrea Ceccanti,L=CNAF,OU=Personal Certificate,O=INFN,C=IT" |
subject-issuer |
The subject (in rfc2254 or openssl format) of the CA that issued the user’s x509 certificate | subject-issuer = "CN=INFN CA,O=INFN,C=IT" |
vo |
The name of the VO the user belongs to | vo = "atlas" |
fqan |
The fqan present in the user’s bag of VOMS attributes | fqan="/dteam/Role=VO-Admin" |
pfqan |
The user primary fqan | pfqan="/atlas/Role=pilot" |
The contents of the rule
stanza¶
As already pointed out, the rule
stanza defines who is authorized to
perform a specific action on a specific resource. A subject can be
identified using the attributes defined in the previous section.
resource "http://cnaf.infn.it/cream-ce-01" {
action "submit-pilot-job" {
rule permit { pfqan="/atlas/Role=pilot" }
}
}
In the above policy, only subjects that have the /atlas/Role=pilot
fqan as their primary fqan are authorized (since the rule is permit
rule) to perform the action submit-pilot-job
on the resource
http://cnaf.infn.it/cream-ce-01
. To prevent users from LHCB VO the
execution of the same action, one would write the following policy:
resource "http://cnaf.infn.it/cream-ce-01" {
action "submit-pilot-job" {
rule deny { vo = "lhcb" }
}
}
Multiple attributes inside the rule
stanza¶
It is possible to define multiple attributes inside a rule
stanza.
All the attributes defined in the rule stanza need to match with the
subject attributes present in the authorization request for the rule to
be applied. This can be explained more clearly using an example:
resource "http://cnaf.infn.it/cream-ce-01" {
action "submit-job" {
rule permit {
vo = "cms"
subject-issuer = "CN=INFN CA,O=INFN,C=IT"
}
}
}
The meaning of the above policy is that only members from the VO CMS
that have a certificate signed by the CN=INFN CA,O=INFN,C=IT
CA will
be authorized to perform the action submit-job
on resource
http://cnaf.infn.it/cream-ce-01
. CMS members with certificates
signed by the CERN CA, for instance, will not be authorized.
Since all the attributes defined in a rule must be “matched” in the request for the rule to be applied, one can think about multiple attributes inside a rule stanza as conditions that are ANDed to select who will be authorized to perform the action the rule is about.
How policies are evaluated¶
The first applicable policy (and only that one) that matches the authorization request is the one that is applied by Argus. This means that order matters. An example will help in understanding this concept.
Suppose we want to grant access to our CE to all members of VO CMS but
not those that have /cms/Role=pilot
as their primary FQAN. We would
write a policy like this:
resource "http://cnaf.infn.it/cream-ce-01" {
action ".*" {
rule deny{ pfqan = "/cms/Role=pilot"}
rule permit { vo = "cms" }
}
}
Since the deny rule precedes the permit rule in the above policy, we are able to deny access only to CMS users with the pilot role, but grant access to other members of CMS. This is due to the fact that the first deny rule will not match to CMS users that do not have the pilot role, so the following permit rule will be applied. On the contrary, if we reversed the order of the two rules like in the following policy:
resource "http://cnaf.infn.it/cream-ce-01" {
action ".*" {
rule permit { vo = "cms" }
rule deny{ pfqan = "/cms/Role=pilot" }
}
}
the deny rule would be useless, since the permit rule that precedes it would always match any CMS member.
The obligation
stanza¶
Starting with Argus version 1.1, the SPL supports obligation
stanzas. The syntax of the obligation stanza is as follows:
obligation "obligationId" {
[attributeId = attributeValue]*
}
Obligation stanzas can be placed either in the resource or action context and are used to define a set operations that must be performed by the Argus PEP in conjunction with an authorization decision. An obligation stanza can define 0..N attribute definitions, that are passed as parameters to the PEP for the fulfillment of the obligation.
An example of policy with an obligation is the following:
resource "http://cnaf.infn.it/wn"{
obligation "http://glite.org/xacml/obligation/local-environment-map" {}
action "http://glite.org/xacml/action/execute"{
rule permit { vo = "dteam" }
}
}
The Argus PEP currently supports only the map-to-local-environment
obligation.
The map-to-local-environment
obligation¶
The map-to-local-environment
obligation, identified by the following
id:
http://glite.org/xacml/obligation/local-environment-map
is used within a policy to signify that a mapping to a local Posix account will be produced by the Argus server as a result of a permit policy.
The use of this obligation is mandatory for the policies that authorize the execution and mapping of pilot jobs on the worker node.
Examples¶
Ban policies¶
Ban policies are used to deny a subject on all possible resources. For this reason ban policies need to be placed at the top and defined for any action on all the resources.
resource ".*" {
action ".*" {
rule deny { subject = "CN=Alberto Forti,L=CNAF,OU=Personal Certificate,O=INFN,C=IT" }
rule deny { fqan = /dteam/test }
}
}
Glexec on the WN policies¶
Policy that authorize execution and mapping of pilot jobs on the WN need
to specify the map-to-local-environment
obligation to produce a
mapping that gLexec can use to do the user switch. An example of such
policy is the following:
resource "http://cnaf.infn.it/wn"{
obligation "http://glite.org/xacml/obligation/local-environment-map" {}
action "http://glite.org/xacml/action/execute"{
rule permit { vo = "dteam" }
rule permit { pfqan = "/atlas/Role=pilot" }
rule permit { pfqan = "/ops/Role=pilot" }
}
}
The above policy authorizes the execution of jobs on the WN by:
- people from the dteam VO,
- people that have
/atlas/Role=pilot
as the primary fqan - people that have
/ops/Role=pilot
as the primary fqan