Argus 1.7.1 (05-05-2017)
The Argus 1.7.1 release introduces support for different X.509 CA Authentication profiles via the new Authentication Profile Policy Information Point (PIP).
With this support, it is possible to define which authentication profiles are enabled at the VO level, and for any trusted X.509 certificate. This first level of authorization is implemented at the PEP server, which uses a special policy file, called the VO-CA-AP file, to determine which authentication profiles are enabled.
Finer-grained authorization can then be implemented as usual with policies defined in the PAP, using the newly introduced x509-authn-profile attribute, in order to have differentiated access to resources of the same VO.
In summary, the highlights of this release are:
- The new Authentication Profile PIP, which provides support for different CA authentication profiles in Argus;
- The new x509-authn-profile XACML attribute, which allows writing level-of-assurance-aware policies in case you need more flexibility than the first level of authorization that the PEP server implements through the VO-CA-AP file;
- The new x509-subject-issuer XACML attribute, which was introduced to simplify the development of the Authentication Profile PIP.
Packages
Packages for this release can be obtained from the Argus product team package repository:
http://argus-authz.github.io/repo
Note that EL5/CENTOS5 packages are no longer provided (CENTOS5 is now out of support).
Service configuration
Instructions on how to configure the Authentication Profile PIP are provided in the following section:
Upgrade procedure
To install Argus 1.7.1 and obtain a system with the same behavior as the former releases:
- Update the packages.
- Reconfigure the services, manually or with a configuration management system (such as Puppet, Ansible or Quattor).
- Restart the services.
Argus 1.7.1 comes with a default configuration that grants access to resources only to certificates issued by CAs in the classic, slcs and mics IGTF profiles.
To enable IOTA CA support for selected VOs, you’ll need to:
- Install the IOTA CA RPM, which provides the IOTA CA certificates and the policy info files;
- Customize a VO-CA-AP policy file, which states which authentication profiles are enabled for VOs and trusted certificates. This file can be provided by an RPM, such as the lcmaps-plugins-vo-ca-ap package, or written manually by the system administrator, with the syntax described here.
- Edit the Argus PEP server configuration file (/etc/argus/pepd/pepd.ini) to point to the VO-CA-AP policy file, setting the authenticationProfilePolicyFile property to the absolute path of the vo-ca-ap-file. For example:
  authenticationProfilePolicyFile = /etc/grid-security/vo-ca-ap-file
- Restart the services.
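A check that can be run between editing pepd.ini and restarting the services, as an added example that is not part of Argus or its documentation: it confirms that authenticationProfilePolicyFile is actively set, holds an absolute path, and points at a readable file. The function name, the return codes and the world-writable test are assumptions of this example; the property is looked up regardless of which ini section it sits in.

```shell
#!/bin/sh
# Added example, not shipped with Argus. check_authn_profile_policy is a
# hypothetical helper name; the default path is the one named in the release notes.
# Return codes: 0 ok, 1 pepd.ini unreadable, 2 property not set,
# 3 value not an absolute path, 4 policy file missing or unreadable,
# 5 policy file writable by "other" (extra hardening check, an assumption).
check_authn_profile_policy() {
    ini=${1:-/etc/argus/pepd/pepd.ini}
    [ -r "$ini" ] || { echo "cannot read $ini" >&2; return 1; }

    # Keep active assignments only: lines commented out with # or ; do not
    # match. The ini section is not checked; the last assignment wins here.
    value=$(sed -n 's/^[[:space:]]*authenticationProfilePolicyFile[[:space:]]*=[[:space:]]*//p' "$ini" |
        sed 's/[[:space:]]*$//' | tail -n 1)
    [ -n "$value" ] || { echo "authenticationProfilePolicyFile not set in $ini" >&2; return 2; }

    case $value in
        /*) ;;
        *) echo "not an absolute path: $value" >&2; return 3 ;;
    esac

    if [ ! -f "$value" ] || [ ! -r "$value" ]; then
        echo "policy file missing or unreadable: $value" >&2; return 4
    fi

    # An authorization policy file that any local user can rewrite defeats
    # the first-level check, so refuse it before the services are restarted.
    if [ -n "$(find -L "$value" -prune -perm -002)" ]; then
        echo "policy file is world-writable: $value" >&2; return 5
    fi

    echo "$value"
}
```

On success the function prints the resolved policy file path, so it can be chained in front of the restart step.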