Argus 1.7.1 (05-05-2017)

The Argus 1.7.1 release introduces support for different X.509 CA Authentication profiles via the new Authentication Profile Policy Information Point (PIP).

With this support, it is possible to define which authentication profiles are enabled at the VO level, and for any trusted X.509 certificate. This first level of authorization is implemented at the PEP server, that uses a special policy file, called VO-CA-AP file, to determine which authentication profiles are enabled.

Further, finer grained authorization can then be implemented as usual with policies defined in the PAP using the newly introduced x509-authn-profile attribute, in order to have differentiated access within resources of the same VO.

In summary, the highlights of this release are:

  • The new Authentication Profile PIP, which provides support for different CA authentication profiles in Argus;
  • The new x509-authn-profile XACML attribute, that allows to write level-of-assurance aware policies, in case you need more flexibility than what is allowed by the VO-CA-AP file first level of authorization implememented in the PEP server;
  • The new x509-subject-issuer XACML attribute, which was introduced to simplify the development of the Authentication Profile PIP.

Packages

Packages for this release can be obtained from the Argus product team package repository:

http://argus-authz.github.io/repo

Note that EL5/CENTOS5 packages are no longer provided (CENTOS5 is now out of support).

Service configuration

Instructions on how to configure the Authentication Profile PIP are provided in the following section:

Upgrade procedure

To install Argus 1.7.1 and obtain a system with the same behavior of the former releases:

  1. Update the packages.
  2. Reconfigure the services, manually or with a configuration management system (such as Puppet, Ansible or Quattor).
  3. Restart the services.

Argus 1.7.1 comes with a default configuration that grants the access to resources only to certificates issued by CAs in the classic, slcs and mics IGTF profiles.

To enable IOTA CA support for selected VOs, you’ll need to:

  1. Install the IOTA CA RPM, that provides the IOTA CA certificates and the policy info files;

  2. Customize a VO-CA-AP policy file which states which authentication profiles are enabled for VOs and trusted certificates. This file can be provided by an RPM, such as lcmaps-plugins-vo-ca-ap package, or written manually by the system administrator, with the syntax described here.

  3. Edit the Argus PEP server configuration file (/etc/argus/pepd/pepd.ini) to point the VO-CA-AP policy file, setting the authenticationProfilePolicyFile property with the vo-ca-ap-file absolute path.

    For example:

    authenticationProfilePolicyFile = /etc/grid-security/vo-ca-ap-file

  4. Restart the services.

Main fixes

PEP Server

Milestone argus-pep-server-1.7.1:

  • Introduce support for Authentication Profiles in Argus [pep-21].
  • Introduce new x509-subject-issuer and x509-authn-profile attributes [pep-22].

PAP

Milestone argus-pap-1.7.1:

  • Introduce new x509-subject-issuer and x509-authn-profile attributes [pap-14], [pap-15].