Argus Quick Start: Site Policy Setup¶
Policy Basics¶
A site’s policies are maintained with the pap-admin command. Initially the PAP contains an empty policy set for the site, so no one is permitted to do anything. The command pap-admin list-policies lists the policies currently active in the PAP, in the simplified policy language notation.
Policies are evaluated from the most recently added to the least recently added, and the first policy that matches decides the result returned by Argus. So if you add a policy that denies a user and then add one that permits the same user, an authorization request for that user will be permitted, because the permit policy is more recent. Keep this in mind whenever you add a deny policy: it only takes effect if no more recent policy matches the same request. While not covered here, the exhaustive PAP command line interface reference explains how to re-order policies.
To begin, you will need to create permit policies for individual users, VOs, and FQANs which reflect your site’s access policy. Each of the commands listed requires a resource ID and an action ID, which are deployment and application specific, respectively. These IDs were described in the introduction to the Argus system. For the purposes of this quick start we will use http://example.org as the resource ID and http://example.org/action as the action ID. At this point you do not need to worry about what the correct values would be for a production deployment.
Note
Whenever you change policies you need to restart the PDP to force it to re-read the policy set from the PAP. The PDP does this on its own, but only every couple of hours; restarting it forces the reload to happen immediately.
Permit by User¶
Command:
pap-admin add-policy permit --resource "RESOURCE_ID" --action "ACTION_ID" dn="USER_DN"
The provided USER_DN must be in the RFC 2253 standard form, not the proprietary format that OpenSSL prints by default. A DN written in any other form will never match the policy, so the user will simply be denied. To get the standard form of the DN from a certificate, use the command
openssl x509 -noout -nameopt RFC2253 -subject -in CERT_PATH
Here’s an example that permits a user identified by their DN:
pap-admin add-policy permit --resource "http://example.org" --action "http://example.org/action" dn="CN=John Smith,OU=Standard Commercial Certificate,O=SWITCH,L=Zuerich,ST=Zuerich,C=CH"
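If all you have is a DN in OpenSSL’s legacy slash-separated form (the way older OpenSSL releases print subjects, and the form many grid configuration files still carry), the following shell function converts it to the RFC 2253 form that Argus matches on. This is an added example, not part of Argus or the pap-admin tooling, and the function names are ours. It reverses the RDN order and applies the RFC 2253 escaping for special characters in values, and rejects input that is not in the slash form. Because "/" is the separator of the legacy form, a value that itself contains "/" cannot be converted unambiguously; for such DNs, and whenever you have the certificate at hand, use the openssl command above instead.

```shell
#!/bin/sh
# Convert an OpenSSL legacy one-line subject such as
#   /C=CH/ST=Zuerich/L=Zuerich/O=SWITCH/OU=Standard Commercial Certificate/CN=John Smith
# into the RFC 2253 form that Argus policies need:
#   CN=John Smith,OU=Standard Commercial Certificate,O=SWITCH,L=Zuerich,ST=Zuerich,C=CH
# Added example; not part of Argus. When you have the certificate itself, use
#   openssl x509 -noout -nameopt RFC2253 -subject -in CERT
# The legacy form uses "/" as separator, so a value containing "/" cannot be
# converted unambiguously; that is a limitation of the input format.

# Escape the characters RFC 2253 (section 2.4) requires escaping inside a value:
# backslash, comma, plus, double quote, <, >, semicolon, a leading '#' or space,
# and a trailing space.
rfc2253_escape_value() {
    printf '%s\n' "$1" | sed \
        -e 's/\\/\\\\/g' \
        -e 's/,/\\,/g' \
        -e 's/+/\\+/g' \
        -e 's/"/\\"/g' \
        -e 's/</\\</g' \
        -e 's/>/\\>/g' \
        -e 's/;/\\;/g' \
        -e 's/^\([# ]\)/\\\1/' \
        -e 's/ $/\\ /'
}

# legacy_dn_to_rfc2253 '/C=CH/.../CN=John Smith'   prints the RFC 2253 DN.
# Returns 1 (and prints nothing on stdout) when the input is not in slash form.
legacy_dn_to_rfc2253() {
    dn=$1
    case $dn in
        /*=*) ;;
        *) printf 'not an OpenSSL legacy-format DN: %s\n' "$dn" >&2; return 1 ;;
    esac
    out=""
    old_ifs=$IFS
    IFS='/'
    set -f                      # no pathname expansion while the string is word-split
    for rdn in ${dn#/}; do
        [ -n "$rdn" ] || continue
        case $rdn in
            *=*) ;;
            *) printf 'malformed RDN "%s" in %s\n' "$rdn" "$dn" >&2
               IFS=$old_ifs; set +f; return 1 ;;
        esac
        type=${rdn%%=*}
        value=$(rfc2253_escape_value "${rdn#*=}")
        # RFC 2253 lists RDNs in the reverse order of the legacy form, so prepend.
        if [ -z "$out" ]; then out="$type=$value"; else out="$type=$value,$out"; fi
    done
    IFS=$old_ifs
    set +f
    printf '%s\n' "$out"
}
```

Pipe the output straight into the dn="..." argument of pap-admin add-policy, and compare it against what openssl x509 -nameopt RFC2253 prints for the same certificate whenever you can: if the two differ, the policy will not match the user.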
Permit by VO¶
Command:
pap-admin add-policy permit --resource "RESOURCE_ID" --action "ACTION_ID" vo="VO"
The name of a VO is the string that appears between, but not including, the first two forward slashes (‘/’) of an FQAN.
Here’s an example that permits a user identified by their VO:
pap-admin add-policy permit --resource "http://example.org" --action "http://example.org/action" vo="atlas"
Permit by Primary FQAN¶
Command:
pap-admin add-policy permit --resource "RESOURCE_ID" --action "ACTION_ID" pfqan="FQAN"
The provided FQAN must be in full canonical (long) form, for example /atlas/Role=Production/Capability=NULL or /atlas/Role=NULL/Capability=NULL. You may use a Java regular expression in this string.
Here’s an example that permits a user identified by their primary FQAN:
pap-admin add-policy permit --resource "http://example.org" --action "http://example.org/action" pfqan="/atlas/Role=Production/.*"
Permit by Secondary FQAN¶
Command:
pap-admin add-policy permit --resource "RESOURCE_ID" --action "ACTION_ID" fqan="FQAN"
The provided FQAN must be in full canonical (long) form, for example /atlas/Role=Production/Capability=NULL or /atlas/Role=NULL/Capability=NULL. You may use a Java regular expression in this string.
Here’s an example that permits a user identified by their secondary FQAN:
pap-admin add-policy permit --resource "http://example.org" --action "http://example.org/action" fqan="/atlas/higgs/Role=NULL/Capability=NULL"
Explicit Banning¶
At times you may wish to deny a specific user, FQAN, or VO. As you may have guessed from the commands above, you create deny policies by changing the permit argument to deny. Because the most recently added policy is evaluated first, add a deny policy after the permit policies it is meant to override; a deny that is older than a matching permit for the same resource and action is shadowed by that permit and has no effect.
Here are some examples:
pap-admin add-policy deny --resource "http://example.org" --action "http://example.org/action" pfqan="/atlas/higgs/Role=NULL/Capability=NULL"
pap-admin add-policy deny --resource "http://example.org" --action "http://example.org/action" vo="cms"
Removing Policies¶
The command pap-admin remove-policy POLICY_ID removes an existing policy from the PAP. POLICY_ID is the ID of the policy as shown by the command
pap-admin list-policies --show-all-ids
Loading and Testing Policies¶
Now that you have some basic policy commands you should experiment with creating and testing policies.
To test the policies you can use the pepcli command. This debugging tool can be used in two different ways: either you supply it the certificate of a user, or you mock up a request by specifying a subject DN and primary and secondary FQANs. See the pepcli documentation for the complete list of options, or use the examples below.
This command provides the result that the user, represented by the given certificate, would receive:
pepcli --pepd http://127.0.0.1:8154/authz --resourceid "http://example.org" --actionid "http://example.org/action" --certchain CERT_PATH
The certificate may be an end-entity certificate, a plain proxy certificate, or a proxy certificate with VOMS extensions.
This command allows you to create a request containing a specific user DN, primary FQAN (the first one listed), and secondary FQANs (subsequent ones listed):
pepcli --pepd http://127.0.0.1:8154/authz --resourceid "http://example.org" --actionid "http://example.org/action" --subjectid USER_DN --fqan PRIMARY_FQAN --fqan SECONDARY_FQAN --fqan SECONDARY_FQAN
So, for example, add a policy that permits people whose primary FQAN is /atlas/higgs/Role=NULL/Capability=NULL using the following command
pap-admin add-policy permit --resource "http://example.org" --action "http://example.org/action" pfqan="/atlas/higgs/Role=NULL/Capability=NULL"
Then, after restarting the PDP so that it picks up the new policy, test it with the pepcli command
pepcli --pepd http://127.0.0.1:8154/authz --resourceid "http://example.org" --actionid "http://example.org/action" --subjectid "CN=John Smith,OU=Standard Commercial Certificate,O=SWITCH,L=Zuerich,ST=Zuerich,C=CH" --fqan "/atlas/higgs/Role=NULL/Capability=NULL"
The result should be a permit.
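The single pepcli call above verifies one policy once. Because the ordering rule from Explicit Banning means a ban can be silently shadowed by a later permit, it pays to keep a small set of requests whose decision the site’s policy must always return, and to rerun them after every pap-admin change and PDP restart. The script below is an added example, not part of Argus or this page: it sends mocked-up requests through pepcli and compares the decision with the expected one. It assumes pepcli is on the PATH, the PEP daemon listens at http://127.0.0.1:8154/authz as above (the PEPD_URL, RESOURCE and ACTION variables are our own), that pepcli reports the outcome on a line beginning "Decision:", and that the two policies listed in its header comment were added in that order, with the PDP restarted afterwards.

```shell
#!/bin/sh
# Regression test for a site's Argus policy set, driven through pepcli.
# Added example; not part of Argus. Assumes pepcli is on PATH, the PEP daemon
# answers at PEPD_URL, and the quick-start resource and action IDs are in use.
# The policy set it checks, in the order it was added (newest is evaluated first):
#   pap-admin add-policy permit --resource "http://example.org" --action "http://example.org/action" vo="atlas"
#   pap-admin add-policy deny   --resource "http://example.org" --action "http://example.org/action" pfqan="/atlas/higgs/Role=NULL/Capability=NULL"
#   (then restart the PDP so that it re-reads the policies)
PEPD_URL=${PEPD_URL:-http://127.0.0.1:8154/authz}
RESOURCE=${RESOURCE:-http://example.org}
ACTION=${ACTION:-http://example.org/action}

# Pull the decision out of pepcli's output. pepcli prints a line of the form
# "Decision: Permit" (or Deny, Not Applicable, Indeterminate); that exact wording
# is an assumption about the tool's output format. Prints nothing if no such
# line is present, which the caller treats as a failure.
decision_of() {
    printf '%s\n' "$1" | sed -n 's/^Decision:[[:space:]]*//p' | sed -n '1p'
}

# expect_decision EXPECTED USER_DN [FQAN ...]
# Sends one mocked-up request (the first FQAN is the primary one) and returns 0
# only when pepcli's decision equals EXPECTED.
expect_decision() {
    expected=$1
    subject=$2
    shift 2
    # Rebuild "$@" as "--fqan F1 --fqan F2 ..." so the FQANs are passed in order.
    nfqan=$#
    i=0
    while [ "$i" -lt "$nfqan" ]; do
        f=$1
        shift
        set -- "$@" --fqan "$f"
        i=$((i + 1))
    done
    # The decision is read from the output, not from pepcli's exit status.
    out=$(pepcli --pepd "$PEPD_URL" --resourceid "$RESOURCE" --actionid "$ACTION" \
                 --subjectid "$subject" "$@" 2>&1) || true
    got=$(decision_of "$out")
    if [ -z "$got" ]; then
        printf 'FAIL no decision from pepcli for %s %s:\n%s\n' "$subject" "$*" "$out" >&2
        return 1
    fi
    if [ "$got" != "$expected" ]; then
        printf 'FAIL expected %s, got %s for %s %s\n' "$expected" "$got" "$subject" "$*" >&2
        return 1
    fi
    printf 'ok   %-14s %s %s\n' "$got" "$subject" "$*"
}

# The suite: each line is a request the site's policy must decide a fixed way.
run_suite() {
    dn='CN=John Smith,OU=Standard Commercial Certificate,O=SWITCH,L=Zuerich,ST=Zuerich,C=CH'
    failures=0
    # The vo="atlas" permit applies to any atlas FQAN.
    expect_decision Permit "$dn" '/atlas/Role=Production/Capability=NULL' || failures=$((failures + 1))
    # The deny was added after the permit, so it is evaluated first and wins.
    expect_decision Deny "$dn" '/atlas/higgs/Role=NULL/Capability=NULL' || failures=$((failures + 1))
    # The ban matches the *primary* FQAN only: with higgs as a secondary FQAN the
    # vo="atlas" permit still applies. Deny on fqan= instead if that is not intended.
    expect_decision Permit "$dn" '/atlas/Role=NULL/Capability=NULL' '/atlas/higgs/Role=NULL/Capability=NULL' || failures=$((failures + 1))
    if [ "$failures" -gt 0 ]; then
        printf '%d policy check(s) failed\n' "$failures" >&2
        return 1
    fi
    printf 'all policy checks passed\n'
}

# Run the suite only when invoked as `sh policy-test.sh run`, so the file can
# also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    run_suite
fi
```

Run it as sh policy-test.sh run after each pap-admin change and PDP restart, and add one expect_decision line for every ban the site relies on; the third case is there because a pfqan= ban is narrower than it looks, and a user who selects a different primary FQAN is still covered by the VO-wide permit.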
Cleaning Up¶
Before you go further, be sure to clean your test policies out of the PAP. Either remove selected policies as shown above, or use the command
pap-admin remove-all-policies
to remove all policies from the PAP. Restart your PDP afterwards as well, so that it picks up the new policy set.
Note
You are now done with this quick-start guide. At this point you should have a functioning Argus service and be able to add/remove basic policies from your site. It is recommended that you