EES Service Reference Card

From PDP/Grid Wiki

Latest revision as of 14:17, 29 September 2014

Execution Environment Service (EES)

Functional description

The EES is a pluggable, configurable authorisation service similar to the Site Central Authorisation Service (SCAS). The role of the EES is to ensure that an appropriate site-specific execution environment is procured based on the site-agnostic obligations and attributes it receives as input in the form of SAML2-XACML2 requests. It runs as a standalone service, responding to requests from a Policy Enforcement Point (PEP) which have been augmented with information from a Policy Decision Point (PDP).

From the outside, the EES can be viewed as an obligation transformer; for example it can be used to transform a site-agnostic obligation for a local account mapping to a site-specific obligation for on-demand virtual machine deployment.

To integrate the EES with an existing Argus installation, a separate component called the EES Obligation Handler should be configured in the PEP daemon. For more details regarding integration in Argus, please see the documentation for this component. The EES itself ships with a pre-configured transformer plug-in which extracts PDP data from the SAML2-XACML2 environment attributes. This plug-in is not required when PDP data is not transmitted to the EES.

Daemons running

/usr/sbin/ees

Init scripts and options (start|stop|restart|condrestart|reload|force-reload|status)

/etc/init.d/ees

Configuration files with example or template

The EES is designed to be highly customizable. Its configuration model allows policies to be expressed as state machines in the Policy Description Language (PDL), whose branches end in pre-configured plug-in instances. A small example as well as an ees.conf manpage is provided.

/etc/ees.conf

Logfile locations (and management) and other useful audit information

syslog available: yes

A custom log file and log options can be configured.

Open ports: 6217

Possible unit test of the service

A high-level test script (test_ees_with_curl.sh) is available in the source tarball. In addition, a Nagios probe is available.

Where is service state held

The EES uses plug-ins to connect to various other middleware. The configuration file for the EES defines the plug-ins used.

An integral part of the EES is the Attribute and Obligations Store (AOS), which is a component that allows plug-ins to query the (transient) SAML2-XACML2 data received. This object store is exposed through a simple API. This data is logged, but the intermediate state is not saved.

Cron jobs

None.

Security information

The EES should run firewalled from the rest of the network, only allowing the Argus PEPd access.

Access control mechanism description (authentication & authorization)

Mandated by plug-in and network configuration.

How to block / ban a user

Through Argus.

Network usage

Exposes a SOAP service that transforms SAML2-XACML2 requests.

Firewall configuration

The EES currently has no support for TLS connections. System administrators should configure the EES host to only allow access to the EES from the PEPd host.
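Because the EES port carries plaintext SOAP, the host firewall is the only boundary between the service and the network. The following is an added example (not from the wiki page or the EES project) that generates an iptables rule set admitting only the PEPd host on port 6217 and audits an iptables-save dump for ACCEPT rules on that port that lack a source restriction. The PEPd address 192.0.2.10 and the sample rules are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: restrict the EES SOAP port to the Argus PEPd host and audit
# existing rules. The PEPd address is a site-specific assumption.

EES_PORT=6217   # from the reference card ("Open ports: 6217")

# Print the iptables commands as text rather than applying them, so the rule
# set can be reviewed (and tested) before it is run as root.
ees_firewall_rules() {
    local pepd_ip="$1"
    # Accept only a dotted-quad, optionally with a /nn prefix; refuse anything else.
    case "$pepd_ip" in
        *[!0-9./]*|"") echo "ees_firewall_rules: invalid PEPd address: '$pepd_ip'" >&2; return 1 ;;
    esac
    cat <<EOF
# Allow the PEPd host to open connections to the EES service port.
iptables -A INPUT -p tcp -s ${pepd_ip} --dport ${EES_PORT} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Log (rate-limited) and refuse everybody else: the EES speaks plaintext SOAP.
iptables -A INPUT -p tcp --dport ${EES_PORT} -m limit --limit 5/min -j LOG --log-prefix "EES-DENIED: "
iptables -A INPUT -p tcp --dport ${EES_PORT} -j REJECT --reject-with tcp-reset
EOF
}

# Read an iptables-save dump on stdin and report every ACCEPT rule for the EES
# port that is not bound to a source address (-s). Returns 1 if any were found.
ees_audit_rules() {
    local found=0 line
    while IFS= read -r line; do
        case "$line" in
            *"--dport ${EES_PORT} "*"-j ACCEPT"*)
                case "$line" in
                    *" -s "*) ;;                                   # source-restricted: fine
                    *) echo "over-permissive: $line"; found=1 ;;   # any host may reach the EES
                esac ;;
        esac
    done
    return "$found"
}

# When run directly with a PEPd address, print the rule set for review.
if [ -n "${1:-}" ]; then
    ees_firewall_rules "$1"
fi
```

Pipe `iptables-save` into `ees_audit_rules` on the EES host to spot an unrestricted ACCEPT before it goes unnoticed.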

Security recommendations

Security incompatibilities

List of external packages

Other security relevant comments

Utility scripts

Location of reference information for users

argus documentation

manpages (included in RPM):

  • ees.1
  • ees.conf.5
  • ees_dummy_good.mod.8
  • ees_dump_aos.mod.8
  • ees_transformer.mod.8

Location of reference information for administrators

https://wiki.nikhef.nl/grid/EES