Argus GSI PEP Callout
Module Description
The Globus Toolkit version 3.2 and later can customize authorization and gridmap lookup (currently available in the GridFTP and Gatekeeper servers). The Globus Authorization Callouts framework allows authorization and mapping modules to be plugged in.
The GSI PEP Callout module implements this functionality: it authorizes and maps the user by calling out to the Argus PEP Server.
Authorization and Mapping
Based on the Grid credentials, typically a proxy certificate, the GSI PEP Callout module sends an authorization request to the Argus PEP Server, then parses the decision in the authorization response to authorize the user and the obligations to map them to a local account.
XACML Profile
The GSI PEP Callout module implements the XACML Grid Worker Node Authorization Profile 1.0 and, by default, uses the identifiers described in that profile.
XACML Request
The GSI PEP Callout module sends a request to the PEP Daemon with the following elements:
- XACML subject with the attribute element:
  - AttributeId: urn:oasis:names:tc:xacml:1.0:subject:key-info
  - Value: the PEM encoded Grid credentials provided by the calling service
- XACML resource with the attribute element:
  - AttributeId: urn:oasis:names:tc:xacml:1.0:resource:resource-id
  - Value: the value of the GSI PEP Callout configuration directive xacml_resourceid
- XACML action with the attribute element:
  - AttributeId: urn:oasis:names:tc:xacml:1.0:action:action-id
  - Value: the service being requested by the client (e.g. file for GridFTP) or the name of the service passed to the gatekeeper
- XACML environment with the attribute element:
  - AttributeId: http://glite.org/xacml/attribute/profile-id
  - Value: http://glite.org/xacml/profile/grid-wn/1.0 (default)
XACML Response
The PEP Daemon sends back a response to the GSI PEP Callout module. The following response elements are parsed to authorize and map the user:
- XACML decision element: contains the authorization decision Permit, Deny, Indeterminate or NotApplicable
- XACML obligation with ObligationId http://glite.org/xacml/obligation/local-environment-map/posix and the attribute assignment element:
  - AttributeId: http://glite.org/xacml/attribute/user-id
  - Value: contains the local identity mapping of the user
The local identity mapping will only succeed if the authorization decision is Permit.
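The decision and obligation handling described above, as an added example that is not code from the Argus project: the PEP daemon response is modelled as plain Python data (the real module receives it through the Argus PEP client library), the obligation and attribute identifiers are the ones listed on this page, and the sample responses are constructed. The example also shows the two edge cases an administrator should expect: a non-Permit decision that still carries a mapping obligation (the user is refused), and a Permit with no mapping obligation (no account to run as, so the mapping fails).

```python
"""Added example (not the Argus project's code): the decision/obligation
handling the GSI PEP Callout description implies. The PEP daemon response is
modelled as plain Python data; the real module receives it through the Argus
PEP client library. Identifiers come from this page; the sample responses are
constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Identifiers from the XACML Grid Worker Node Authorization Profile 1.0
OBLIGATION_POSIX_MAP = "http://glite.org/xacml/obligation/local-environment-map/posix"
ATTR_USER_ID = "http://glite.org/xacml/attribute/user-id"
DECISIONS = ("Permit", "Deny", "Indeterminate", "NotApplicable")


@dataclass
class Obligation:
    obligation_id: str
    assignments: dict = field(default_factory=dict)  # AttributeId -> value


@dataclass
class Response:
    decision: str
    obligations: list = field(default_factory=list)


@dataclass
class Outcome:
    authorized: bool
    local_user: Optional[str]
    reason: str


def evaluate(response: Response) -> Outcome:
    """Authorize and map the user from a PEP daemon response.

    Mapping succeeds only when the decision is Permit AND the posix
    local-environment-map obligation carries a user-id assignment. A Permit
    without that obligation leaves no account to run as, so it is refused
    rather than silently mapped to some default user.
    """
    if response.decision not in DECISIONS:
        return Outcome(False, None, f"malformed decision {response.decision!r}")
    if response.decision != "Permit":
        # Deny, Indeterminate and NotApplicable all refuse the user, even if the
        # response happens to carry a mapping obligation.
        return Outcome(False, None, f"decision {response.decision}")
    for ob in response.obligations:
        if ob.obligation_id == OBLIGATION_POSIX_MAP:
            user = ob.assignments.get(ATTR_USER_ID)
            if user:
                return Outcome(True, user, "Permit with local account mapping")
    return Outcome(False, None, "Permit without local-environment-map/posix user-id")


# Constructed sample responses
PERMIT_MAPPED = Response("Permit", [Obligation(OBLIGATION_POSIX_MAP, {ATTR_USER_ID: "dteam001"})])
DENY_MAPPED = Response("Deny", [Obligation(OBLIGATION_POSIX_MAP, {ATTR_USER_ID: "dteam001"})])
PERMIT_UNMAPPED = Response("Permit", [])

if __name__ == "__main__":
    for name, resp in (("permit+map", PERMIT_MAPPED), ("deny+map", DENY_MAPPED),
                       ("permit only", PERMIT_UNMAPPED)):
        print(f"{name:12s} -> {evaluate(resp)}")
```

Only the user-id assignment is used here because it is the only attribute the page lists for the obligation; any additional assignments a PEP daemon returns are ignored by this example.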
Argus GSI PEP Callout: Installation
Manual Installation
The GSI PEP Callout module requires the following RPM:
yum install argus-gsi-pep-callout
The package includes the shared library implementing the GSI authorization and mapping module.
Configuration
Manual Configuration
To configure the GSI PEP Callout module, you first have to configure the Globus Authorization Callouts framework to use the GSI PEP Callout library to do the authorization and mapping. Then the GSI PEP Callout module must be configured.
Globus Authorization Callouts Configuration
This section describes the configuration file and the configuration directives of the Globus Authorization Callouts framework needed to enable the GSI PEP Callout module.
Configuration File
The Globus Authorization Callouts framework looks for the callout configuration file in the following locations (in order):
- $GSI_AUTHZ_CONF (environment variable)
- /etc/grid-security/gsi-authz.conf
- $GLOBUS_LOCATION/etc/gsi-authz.conf
- $HOME/.gsi-authz.conf
EMI-1 Configuration Directives
Content of the Globus Authorization Callouts configuration file to enable the GSI Argus PEP Callout function argus_pep_callout for EMI:
# Globus authorization and mapping callout to the ARGUS GSI PEP Callout module
# format: globus_mapping <library_path> <function_name>
globus_mapping /usr/lib64/libgsi_pep_callout.so argus_pep_callout
For EMI the Argus PEP GSI callout library is installed in the /usr/lib64 directory.
GSI PEP Callout Configuration
This section describes the configuration file and the configuration directives of the GSI PEP Callout module.
Configuration File
The GSI PEP Callout module looks for its configuration file in the following locations (in order):
- $GSI_PEP_CALLOUT_CONF (environment variable)
- /etc/grid-security/gsi-pep-callout.conf
Configuration Directives
The configuration directives for the GSI PEP Callout are single name value lines. Comment lines starting with # are allowed.
Directive | Description | Mandatory? | Default Value | Example | Since
---|---|---|---|---|---
pep_url | The endpoint URL of the PEP daemon. | Yes | | pep_url https://pepd.example.org:8154/authz | 1.0
xacml_resourceid | XACML request resource-id value | Yes | | xacml_resourceid x-urn:example.org:resource:ce:gridftp | 1.0
xacml_actionid | XACML request action-id value. Define this parameter to overwrite the service name passed to the module by the application | No | | xacml_actionid http://glite.org/xacml/action/access | 1.0
xacml_profileid | XACML request profile-id value. Define this parameter to overwrite the default profile id | No | http://glite.org/xacml/profile/grid-wn/1.0 | xacml_profileid http://glite.org/xacml/profile/grid-ce/1.0 | 1.2
pep_timeout | Connection timeout in seconds | No | 30 | pep_timeout 60 | 1.0
pep_ssl_validation | Enable SSL validation of the PEP daemon endpoint URL (HTTPS) | No | true | pep_ssl_validation false | 1.0
pep_ssl_server_capath | CA directory path for the HTTPS validation of the PEP daemon endpoint URL | No | /etc/grid-security/certificates | pep_ssl_server_capath /etc/grid-security/certificates | 1.0
pep_ssl_server_cert | Certificate file for the HTTPS validation of the PEP daemon endpoint URL | No | | pep_ssl_server_cert /etc/grid-security/pepdcert.pem | 1.0
pep_ssl_client_cert | Client certificate file for the TLS client authentication on the PEP daemon endpoint URL | No | /etc/grid-security/hostcert.pem | pep_ssl_client_cert /etc/ssl/mycert.pem | 1.0
pep_ssl_client_key | Client private key file for the TLS client authentication on the PEP daemon endpoint URL | No | /etc/grid-security/hostkey.pem | pep_ssl_client_key /etc/ssl/mykey.pem | 1.0
pep_ssl_client_keypasswd | Client private key password | Only if pep_ssl_client_key is encrypted | | pep_ssl_client_keypasswd mykeypassword | 1.0
Configuration Example
Example of a valid configuration file for the GSI PEP Callout module:
#
# GSI PEP Callout configuration example
#
pep_url https://chaos.switch.ch:8154/authz
xacml_resourceid http://ce.example.org/cream/gridftp
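To tie the directive table and the XACML Request section together, here is an added example that is not the Argus project's own code: it parses a gsi-pep-callout.conf of the name value form described above, applies the defaults from the table, reports settings an administrator should review (a non-HTTPS pep_url, pep_ssl_validation turned off, a bad pep_timeout, a key password kept in the file), and assembles the four request attributes the callout sends. Directive names, defaults and XACML identifiers are taken from this page; the sample file, the credential string and the wording of the findings are constructed, and the request is a plain dictionary rather than the module's wire format. The comment handling (whole lines starting with #, last duplicate wins) is an assumption of the example.

```python
"""Added example (not the Argus project's code): parse a gsi-pep-callout.conf,
apply the documented defaults, flag settings worth a second look, and assemble
the four XACML request attributes the callout sends to the PEP daemon.
Directive names, defaults and identifiers are taken from this page; the sample
file, credential string and findings wording are constructed for the example,
and the request is a plain dict rather than the module's wire format."""
import sys
from urllib.parse import urlsplit

MANDATORY = ("pep_url", "xacml_resourceid")
DEFAULTS = {  # default values from the directive table
    "xacml_profileid": "http://glite.org/xacml/profile/grid-wn/1.0",
    "pep_timeout": "30",
    "pep_ssl_validation": "true",
    "pep_ssl_server_capath": "/etc/grid-security/certificates",
    "pep_ssl_client_cert": "/etc/grid-security/hostcert.pem",
    "pep_ssl_client_key": "/etc/grid-security/hostkey.pem",
}
OPTIONAL_NO_DEFAULT = ("xacml_actionid", "pep_ssl_server_cert", "pep_ssl_client_keypasswd")
KNOWN = set(MANDATORY) | set(DEFAULTS) | set(OPTIONAL_NO_DEFAULT)

# XACML attribute identifiers used in the request (XACML Grid WN profile 1.0)
SUBJECT_KEY_INFO = "urn:oasis:names:tc:xacml:1.0:subject:key-info"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
PROFILE_ID = "http://glite.org/xacml/attribute/profile-id"


def parse_conf(text):
    """Read 'name value' lines into a dict with defaults applied.

    Assumption for this example: only whole lines starting with '#' are
    comments, and the last occurrence of a repeated directive wins.
    """
    conf = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'name value', got {raw!r}")
        name, value = parts
        if name not in KNOWN:
            raise ValueError(f"line {lineno}: unknown directive {name!r}")
        conf[name] = value.strip()
    missing = [d for d in MANDATORY if d not in conf]
    if missing:
        raise ValueError("missing mandatory directive(s): " + ", ".join(missing))
    return conf


def check_conf(conf):
    """Return findings an administrator should review before enabling the callout."""
    findings = []
    if urlsplit(conf["pep_url"]).scheme != "https":
        findings.append("pep_url is not https: decisions travel unprotected and "
                        "the PEP daemon is not authenticated")
    if conf["pep_ssl_validation"].lower() != "true":
        findings.append("pep_ssl_validation is off: the PEP daemon certificate is "
                        "not checked, so any host answering at pep_url could "
                        "return Permit decisions")
    if not conf["pep_timeout"].isdigit() or int(conf["pep_timeout"]) <= 0:
        findings.append("pep_timeout must be a positive number of seconds")
    if "pep_ssl_client_keypasswd" in conf:
        findings.append("the file holds a private key password: restrict its "
                        "permissions to the service account")
    return findings


def build_request(conf, pem_credentials, service_name):
    """Assemble the subject/resource/action/environment attributes of the request.

    service_name is what the calling service hands over (e.g. 'file' for
    GridFTP); the xacml_actionid directive, when set, replaces it.
    """
    return {
        "subject": {SUBJECT_KEY_INFO: pem_credentials},
        "resource": {RESOURCE_ID: conf["xacml_resourceid"]},
        "action": {ACTION_ID: conf.get("xacml_actionid", service_name)},
        "environment": {PROFILE_ID: conf["xacml_profileid"]},
    }


# Constructed configuration file for the example (same shape as the page's example)
SAMPLE_CONF = """\
#
# GSI PEP Callout configuration example (constructed)
#
pep_url https://pepd.example.org:8154/authz
xacml_resourceid x-urn:example.org:resource:ce:gridftp
pep_timeout 60
"""

if __name__ == "__main__":
    # Usage: python check_pep_callout.py [/etc/grid-security/gsi-pep-callout.conf]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    cfg = parse_conf(text)
    for finding in check_conf(cfg) or ["no findings"]:
        print(finding)
    print(build_request(cfg, "-----BEGIN CERTIFICATE-----...(constructed)", "file"))
```

Run it with the path of a real configuration file as its only argument to see the findings for that file; with no argument it checks the constructed sample.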
YAIM Configuration
In yaim-core (>= 4.0.12) the function config_lcas_lcmaps_gt4 is now able to configure the Argus GSI PEP callout module.
In your site-info.def set the following variables:
USE_ARGUS=yes
ARGUS_PEPD_ENDPOINTS="<Argus_URL> ..."
CREAM_PEPC_RESOURCEID=<CreamCE_XACML_resource_id>
where Argus_URL is the Argus PEP daemon endpoint URL, e.g.
ARGUS_PEPD_ENDPOINTS=https://argus.example.org:8154/authz
and CreamCE_XACML_resource_id is the XACML resource identifier for this CREAM CE, e.g.
CREAM_PEPC_RESOURCEID=http://glite.org/xacml/resource/cream-ce
Troubleshooting
Syslog
By default the GSI PEP Callout module logs info and error messages via syslog. The syslog facility used is local5 and the identifier is gsi_pep_callout. These log messages typically end up in /var/log/messages.
Enabling Debug Information
You can enable the debugging mode of the GSI PEP Callout module to troubleshoot your problem.
Environment Variables
You can set the following environment variables to enable debug mode:
- GSI_PEP_CALLOUT_DEBUG_LEVEL: sets the debug level from 0 (none) to 9 (lots of information). Default is 0.
- GSI_PEP_CALLOUT_DEBUG_FILE: sets the file the debugging information is written to. Default is stderr.
Example
This example shows how to start the GridFTP server in debug mode. The configuration files gsi-authz.conf and gsi-pep-callout.conf must be correctly configured as described above.
export GLOBUS_CALLOUT_DEBUG_LEVEL=5
# set the gsi-authz config to use (default /etc/grid-security/gsi-authz.conf)
export GSI_AUTHZ_CONF=/etc/grid-security/gsi-authz.conf
# set the gsi-pep-callout config to use (default /etc/grid-security/gsi-pep-callout.conf)
export GSI_PEP_CALLOUT_CONF=/etc/grid-security/gsi-pep-callout.conf
export GSI_PEP_CALLOUT_DEBUG_LEVEL=5
globus-gridftp-server -d 255 -p 9999 -debug
The GridFTP server is now running and listening on port 9999. Use the uberftp client or globus-url-copy to connect to the server with your Grid credentials and obtain debugging information from the server:
uberftp -P 9999 HOSTNAME
globus-url-copy file:///etc/passwd gsiftp://HOSTNAME:9999/tmp/e33