Difference between revisions of "EMI Argus-EES test plan"

From PDP/Grid Wiki
Jump to navigationJump to search
Line 109: Line 109:
 
For the PEPd '''/var/log/argus/pepd/process.log''' should provide detailed information on the incoming authorization requests if the loglevel has been sufficiently raised in '''/etc/argus/pepd/logging.xml''' (loglevel 'ALL' is useful here).
 
For the PEPd '''/var/log/argus/pepd/process.log''' should provide detailed information on the incoming authorization requests if the loglevel has been sufficiently raised in '''/etc/argus/pepd/logging.xml''' (loglevel 'ALL' is useful here).
  
The EES will log to syslog (usually '''/var/log/messages''') and should provide basic information on the incoming authorization requests.
+
The EES will log to syslog (usually '''/var/log/messages''') and must provide basic information on the incoming authorization requests.
  
 
=== Performance tests ===
 
=== Performance tests ===

Revision as of 11:24, 29 April 2011

This test plan is following the EMI SA2 template.

EES Test Plan

Service Description

The EES is a daemon that acts as an obligation transformer for requests to the PEPd. The EES takes SAML2-XACML2 authorization request messages as input. The EES takes the local site policy into account to transform the incoming request. The EES will start a new execution thread and apply the defined policy to the incoming request.

More information on the EES.

Yum Installation

To install the EES configure the YUM-based EPEL repository and the YUM repository which hold our the EMI packages. The IGTF distribution can also be done through a YUM-based repository, including the FetchCRL3 utility to refresh the CA CRLs.

The EES depends directly on:

  • SAML2-XACML2-C-LIB
  • (g)libc

EES configurations specify plugins which operate on the incoming request. The EES ships with a transformer plug-in, which is used to unpack XACML obligations from an XACML request from the PDP.

Install the EES service by performing: yum install ees This will install the package ees which will pull in the following packages:

  • ees
  • saml2-xacml2-c-lib

Install the EES obligation handler by performing: yum install ees-pepd-oh This will install the package ees-pepd-oh which will pull in the following packages:

  • argus-pep-server
  • java

This is the first release of the EES service and the EES obligation handler in EMI. There is nothing to upgrade from.

System tests

Test setup EES

First we install and setup the system for testing. This means to prepare the system taking a clean CentOS 5 or Scientific Linux 5 machine as a baseline.

yum install ees

The basic installation is now done. We can now test the basic functionality of the EES by using the following script.

#!/bin/bash

# Configuration
host=0.0.0.0
port=6217

MSG='<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:XACMLcontext="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:XACMLassertion="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion" xmlns:XACMLpolicy="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:XACMLService="http://www.globus.org/security/XACMLAuthorization/bindings" xmlns:XACMLsamlp="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<SOAP-ENV:Body>
<XACMLsamlp:XACMLAuthzDecisionQuery CombinePolicies="true" ReturnContext="true" InputContextOnly="false" IssueInstant="2010-03-25T14:55:01Z" Version="2.0" ID="ID-1804289383">
<saml:Issuer xsi:type="saml:NameIDType" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">NetCat</saml:Issuer>
<XACMLcontext:Request xsi:type="XACMLcontext:RequestType">
<XACMLcontext:Action xsi:type="XACMLcontext:ActionType">
</XACMLcontext:Action>
</XACMLcontext:Request>
</XACMLsamlp:XACMLAuthzDecisionQuery>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
'

# Takes three args, a test string and a pattern to match to
test_main() {
  output=`echo -n "$1" | nc -n -i1 $host $port | grep -w "$2"`
  if [ -z "$output" ]
  then
    echo "ERR"
  else
    echo "OK"
  fi  
}

echo -n "Basic sanity test\t"
test_main "$MSG" "200 OK"
echo -n "Basic failure test\t"
test_main "<TEST>" "500 Internal"

Test setup EES Obligation handler

EES preparation

The default /etc/ees.conf configuration file will contain the EES transformer plugin which is able to decode obligations from incoming XACML requests. Here is a ees.conf snippet which loads the transformer plug-in:

 # plug-ins
   transformer        = "ees_plugin_transformer.mod"
   good               = "ees_dummy_good.mod"
 # policies
 transformer:
   transformer -> good

To test integration in the Argus PEPd, configure the EES OH in the pepd.ini configuration file.

PEPd preparation

Install the OH plug-in .jar file by copying it to /opt/argus/pepd/lib/ or equivalent PEPd library directory. Configure the PEPd to use the EES OH and specify the url of a running EES instance. Here is a pepd.ini snippet:

 [EES_OH]
 ENDPOINT = http://ees_instance:6217/
 parserClass = org.glite.authz.pep.obligation.eesmap.EESObligationHandlerConfigurationParser

Basic functionality tests (manual)

Configure gLExec to use the lcmaps-plugins-c-pep plug-in and the lcmaps-plugins-basic plug-in. Configure the C-PEP plug-in to connect to your running PEPd instance and configure the LCMAPS good plug-in to map to the 'nobody:nobody' account. The expected result is a account mapping by gLExec to the user 'nobody:nobody' account. This can be verified by running the following command and verifying activity by the PEPd and the EES by tailing their log files.

 glexec /usr/bin/id -a

For the PEPd /var/log/argus/pepd/process.log should provide detailed information on the incoming authorization requests if the loglevel has been sufficiently raised in /etc/argus/pepd/logging.xml (loglevel 'ALL' is useful here).

The EES will log to syslog (usually /var/log/messages) and must provide basic information on the incoming authorization requests.

Performance tests

Using ab, the Apache benchmarking tool, the EES performance can be benchmarked. Create a request.xml containing a typical XACML request (similar to the excerpt shown in the automated functionality test script) and invoke ab.

 ab -n 1000 -c 100 -p ~/request.xml http://ees_instance:6217/

You should see something like this (or better)

 Requests per second:    272.75 [#/sec] (mean)
 Time per request:       366.632 [ms] (mean)

Regression tests

Not applicable