Argus Service Reference Card
Definitions
- PAP: The Policy Administration Point manages and publishes the authorization policies.
- PDP: The Policy Decision Point evaluates the authorization requests.
- PEP Server: The Policy Enforcement Point server processes the PEP clients' requests and responses.
- PEP client: Lightweight PEP client library available for Java and C. Enforces the authorization decision locally.
Service Reference Card
- Functional description:
- Render authorization decisions based on XACML policies: “Can user X perform action Y on resource Z?” or “Is user X banned for any action on any resource?”
- Services running:
- PAP (Java application): org.glite.authz.pap.server.standalone.PAPServer
- PDP (Java application): org.glite.authz.pdp.server.PDPDaemon
- PEP Server (Java application): org.glite.authz.pep.server.PEPDaemon
- Init scripts and options:
- PAP:
systemctl {start|stop|restart|status} argus-pap
or service argus-pap {start|stop|restart|status}
- PDP:
systemctl {start|stop|restart|status} argus-pdp
or service argus-pdp {start|stop|restart|status}
- PEP Server:
systemctl {start|stop|restart|status} argus-pepd
or service argus-pepd {start|stop|restart|status}
- Configuration files location with example:
- PAP:
- Config directory: /etc/argus/pap
- Config files: pap_configuration.ini and pap_authorization.ini
- PDP:
- Config directory: /etc/argus/pdp
- Config file: pdp.ini
- PEP Server:
- Config directory: /etc/argus/pepd
- Config file: pepd.ini
- Logfile locations (and management) and other useful audit information:
- PAP:
- Logging directory: /var/log/argus/pap
- Logging configuration: /etc/argus/pap/logging/standalone/logback.xml
- Example: PAP logback.xml
- Status handler: https://HOSTNAME:8150/pap/status
- PDP:
- Logging directory: /var/log/argus/pdp
- Logging configuration: /etc/argus/pdp/logging.xml
- Example: PDP logging.xml
- Status handler: https://HOSTNAME:8152/status
- PEP Server:
- Logging directory: /var/log/argus/pepd
- Logging configuration: /etc/argus/pepd/logging.xml
- Example: PEP logging.xml
- Status handler: https://HOSTNAME:8154/status
- Open ports:
- PAP:
- Service port: *:8150
- Admin port: localhost:8151
- PDP:
- Service port: *:8152
- Admin port: localhost:8153
- PEP Server:
- Service port: *:8154
- Admin port: localhost:8155
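An added audit check for the port layout above (example script written for this card, not part of the Argus documentation): it reads `ss -Hltn` output and reports service ports that are not listening and admin ports that are bound to anything other than localhost, running here on a constructed sample.

```shell
#!/bin/sh
# Added example (not from the Argus documentation): audit the listening
# sockets of an Argus host against the port layout on this card. Service
# ports 8150/8152/8154 are expected on all interfaces; admin ports
# 8151/8153/8155 must be bound to localhost only. Input is `ss -Hltn`
# output, one socket per line; the sample below is constructed so it runs offline.

# Constructed sample: PAP and PDP look right, the PEP Server service port
# 8154 is not listening and its admin port 8155 is exposed on all interfaces.
SAMPLE_SS='LISTEN 0 50 *:8150 *:*
LISTEN 0 50 127.0.0.1:8151 *:*
LISTEN 0 50 *:8152 *:*
LISTEN 0 50 127.0.0.1:8153 *:*
LISTEN 0 50 *:8155 *:*'

# Expected layout taken from the card: "<port> <kind>".
EXPECTED='8150 service
8151 admin
8152 service
8153 admin
8154 service
8155 admin'

# argus_port_findings: reads ss -Hltn lines on stdin and prints one line per
# problem found (MISSING or EXPOSED_ADMIN). Prints nothing when all is well.
argus_port_findings() {
    # Local "address:port" column of the ss output.
    listeners=$(awk '{ print $4 }')
    printf '%s\n' "$EXPECTED" | while read -r port kind; do
        # Address the port is bound to; empty when nothing listens on it.
        # The port is the last ':'-separated field, so IPv6 forms such as
        # [::1]:8151 are handled too.
        bound=$(printf '%s\n' "$listeners" | awk -v p="$port" '
            { n = split($0, a, ":"); if (a[n] == p) { sub(":" p "$", ""); print; exit } }')
        if [ -z "$bound" ]; then
            echo "MISSING $kind port $port is not listening"
        elif [ "$kind" = admin ]; then
            case "$bound" in
                127.0.0.1|'[::1]'|localhost) ;;   # loopback only: as expected
                *) echo "EXPOSED_ADMIN port $port bound to $bound, expected localhost" ;;
            esac
        fi
    done
}

# Stand-alone run over the constructed sample; on a real host use:
#   ss -Hltn | argus_port_findings
printf '%s\n' "$SAMPLE_SS" | argus_port_findings
```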
- Possible unit test of the service:
- Nagios probes are available to monitor the services, see Nagios Probes for Argus (UMD).
- Where is service state held (and can it be rebuilt):
The services (PAP, PDP, PEP Server) are stateless. However:
- PAP: The XACML policies are stored locally in the /usr/share/argus/pap/repository directory.
- PEP Server: The user pool account mapping leases are kept in the /etc/grid-security/gridmapdir directory.
- Cron jobs:
- None
- Security information
- Access control mechanism (authentication & authorization):
- Authentication: SSL/TLS client authentication on the service ports
- Authorization: PAP uses an access control list
- How to block/ban a user
- Network Usage
- Firewall configuration
- Security recommendations
- Security incompatibilities
- List of externals (packages are NOT maintained by Red Hat)
- Other security relevant comments
- Utility scripts:
- pap-admin: CLI to manage the PAP policies
- pdpctl {reloadPolicy|version|status}: forces the PDP to reload the policies from the PAP, prints the version, prints the status
- pepdctl {clearResponseCache|version|status}: clears the PEP daemon response cache, prints the version, prints the status
- Location of reference documentation for users:
- Not applicable
- Location of reference documentation for administrators:
- General documentation: Argus Authorization Service
- PAP admin CLI: Argus Policy Administration Point (PAP): Administration
- Simplified Policy Language: The Simplified Policy Language