Argus Policy Administration Point (PAP): Configuration

Configuration Files

The PAP is configured through the use of two files: pap_configuration.ini and pap_authorization.ini, located in the /etc/argus/pap directory. Most of the information contained in these files can also be set through the command line interface (which is the recommended way to do configuration on the PAP).

There is also an environment file, located in /etc/sysconfig/argus-pap, that contains environment variables used by the init script that manage the service.

Service configuration file

The service is primarily configured through the pap_configuration.ini configuration file. This file is a standard INI file with five defined sections.

Section: [paps]

This section contains configuration about PAPs. The information in this section should be set via the PAP CLI.

A PAPs can be defined by providing the following information (the R value in the Required? column indicates information that is required only for remote PAPs):

Property Description Required? Default Value
alias.type Defines a PAP as local or remote . Y None
alias.public Visibility of the PAP: true or false. If false its policies are not sent to other PAPs. N false
alias.enabled true or false. If false its policies are not sent to PDPs. N false
alias.dn DN of the PAP to get policies from. R None
alias.hostname Hostname of the PAP to get policies from. R None
alias.port Port of the PAP to get policies from. N 8150
alias.path Path of the services exposed by the PAP to get policies from. N /pap/services
alias.protocol Protocol to use to contact the remote PAP. N https

Section: [paps:properties]

This section contains information about policy distribution and PAP ordering.

Property Description Required? Default Value
poll_interval The polling interval (in seconds) for retrieving remote policies. Y None. Recommended value is 14400 (4 hours).
ordering Comma separated list of PAP aliases. Example: alias-1, alias-2, …, alias-n. Defines the order of evaluation of the policies of the PAPs, that means that the policies of PAP “alias-1” are evaluated for first, then the policies of PAP “alias-2” and so on. N If not specified the default pap is always the first one.

Section: [repository]

This section contains information about the PAP policy repository.

Property Description Required? Default Value
location Path to the repository directory. N $PAP_HOME/repository
consistency_check Forces a consistency check of the repository at startup. N false
consistency_check.repair if set to true automatically fixes problems detected by the consistency check (usually means deleting the corrupted policies). N false

Section: [standalone-service]

This section contains information about the PAP standalone service.

Property Description Required? Default Value
hostname The hostname or IP address the service will bind to N 127.0.0.1
port The service port number N 8150
shutdown_port The service shutdown port number N 8151
shutdown_command The command string that must be received on the shutdown port in order to shutdown the service. The command is needed in order to prevent unauthorized shutdown commands coming from localhost. This is effective only if the pap_configuration.ini file is not world-readable. If the option is not present in configuration, no check on the command will be made. N shutdown
entity_id This is a unique identifier for the PAP. It must be a URI (URL or URN). If a URL is used it need not resolve to any specific webpage. N The service endpoint, e.g. https://pap.cern.ch:8150/pap/services/ProvisioningService

Section: [security]

This sections contains information about PAP security configuration.

Property Description Required? Default Value
certificate The X.509 pem-econded service certificate Y /etc/grid-security/hostcert.pem
private_key The unencrypted private key bound to the certificate Y /etc/grid-security/hostkey.pem
trust_store_dir The directory where CA files and CRL are looked for N /etc/grid-security/certificates
crl_update_interval How frequently the PAP should update CRLs, CAs and namespaces from the filesystem. The interval is defined as a string with the following format: N{s,m,h,d} where N in the number of either (s=seconds, m=minutes, h=hours, d=days). N 30m

Service Access Control

Access control rules are configured through the pap_authorization.ini configuration file. Authorization is based on off of the Subject DN or VOMS attribute within the client certificate used to authenticate to the PAP.

PAP permissions

The authorization layer is based on an Access Control List (ACL), composed of several Access Control Entries (ACEs). Each ACE defines the actions that an administrator is allowed to execute on the PAP. Administrators’ privileges are defined in terms of PAP permission flags, whose meaning is described in the table below:

Permission Flag Meaning
POLICY_READ_LOCAL Allows read access to locally defined policies
POLICY_READ_REMOTE Allows read access to policies imported from remote PAPs
POLICY_WRITE Allows write access to locally defined policies
CONFIGURATION_READ Allows read access to PAP configuration
CONFIGURATION_WRITE Allows write access to PAP configuration
ALL All of the above permissions

A set of permission flags can be assigned to an administrator by defining an ACE in the pap_authorization.ini configuration file or by using the authorization management commands provided by the pap-admin command line interface.

ACEs are expressed as

<principal> : <permission>

couples.

The principal part of the ACE is either:

  • ANYONE, to assign privileges to any authenticated user (i.e., any user that presents a trusted certificate).
  • a VOMS FQAN, e.g., /atlas/Role=VO-Admin
  • a quoted X509 certificate subject, e.g., "/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti"

The permission part of the ACE is either:

  • a single PAP permission flag, e.g CONFIGURATION_READ
  • a | separated list of PAP permission flags, e.g. POLICY_READ_LOCAL|CONFIGURATION_READ, to grant a set of permissions.

So, for example, to grant POLICY_READ_LOCAL and POLICY_READ_REMOTE permissions to a user identified by an x509 certificate with /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti subject, one should write:

"/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti" : POLICY_READ_LOCAL|POLICY_READ_REMOTE

Note that the subject has been put into quotes! For VOMS FQANs this is not needed (FQAN syntax does not allow whitespaces inside the FQAN), so one could write:

/atlas/Role=PAP-Admin : ALL

Authorization entries are loaded at PAP service startup time so any pap_authorization.ini modifications done “by hand” while the PAP service is running do not take effect until the PAP service is restarted.

To modify the PAP authorization configuration at runtime, use the authorization management commands provided by the pap-admin CLI. Changes made to the PAP ACL by these commands are immediately reflected on the pap_authorization.ini file.

Configuration File Syntax

In the pap_authorization.ini file, ACEs are grouped in two stanzas according to the type of the principal. Currently, two stanzas are supported:

  • [dn], that lists ACEs defined for principals identified by an X509 certificate subject.
  • [fqan], that lists ACEs defined for principals identified by VOMS fqans.

An example of configuration file is given below:

[dn]

"/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Andrea Ceccanti" : ALL

ANYONE : CONFIGURATION_READ|CONFIGURATION_WRITE

[fqan]

/voms-ws/Role=PAP-Admin : ALL

Environment file

In the /etc/sysconfig/argus-pap file are defined Argus PAP environment variables, described in the table below.

Variable Default value Meaning
PAP_HOME /usr/share/argus/pap Absolute path of PAP installation directory
PAP_RUN_FILE /var/run/argus-pap.pid Absolute path of PAP service PID
PAP_JAVA_OPTS empty Optional parameters to pass to the JVM when PAP service is started/stopped