LCMAPS C PEP plugin
Latest revision as of 08:57, 28 August 2012
The LCMAPS C PEP plugin is the LCMAPS plugin to interact with the Argus PEPd server.
Description
The LCMAPS C PEP plugin is typically used in the gLExec-on-workernode scenario. It utilizes the Argus PEP-C library to contact the PEP daemon, sending the user credentials and, if applicable, the pilot job credentials and extra information to the PEP daemon.
The PEP daemon will process the request and query the PDP, PAP, EES chain for a policy decision. The PEP daemon will return a Permit statement with a Unix account. The Unix account must be composed of a Unix User ID and Unix Group ID. Optionally Unix Secondary GIDs may be returned. All of these IDs must be returned in numerical form. The results will then be published in the LCMAPS framework.
The plug-in uses the credentials loaded in the LCMAPS framework for the primary authorization decision; the returned Unix account reflects this identity. In addition, in a multi-user pilot job scenario the X509_USER_PROXY environment variable is read to add information about the identity that runs the pilot job framework and triggered the execution of this plug-in, typically through gLExec.
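The contract just described (a Permit carrying a numerical UID and GID, with optional numerical secondary GIDs) is easy to get wrong on the policy side, for example by returning an account name instead of an ID. The following added example, which is not code from the plugin or from the Argus project, checks a parsed decision against that contract before anything would be published into the LCMAPS framework. The dict layout and the function names are assumptions of this example, not the libpepc data structures.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class UnixAccount:
    """The account LCMAPS publishes: numerical UID, GID and optional secondary GIDs."""
    uid: int
    gid: int
    secondary_gids: List[int] = field(default_factory=list)


class DecisionError(Exception):
    """Raised when the PEP daemon response cannot be turned into a Unix account."""


def _numerical_id(value, what: str) -> int:
    # The plugin requires numerical IDs: account names such as "nobody" are
    # rejected, as are negative or non-integer values.
    if isinstance(value, bool):
        raise DecisionError(f"{what} must be numerical, got {value!r}")
    if isinstance(value, int):
        if value < 0:
            raise DecisionError(f"{what} must not be negative, got {value}")
        return value
    if isinstance(value, str) and value.isdigit():
        return int(value)
    raise DecisionError(f"{what} must be numerical, got {value!r}")


def account_from_decision(response: dict) -> UnixAccount:
    """Map a parsed PEPd decision onto the Unix account to publish.

    `response` is a constructed dict standing in for the parsed Argus response:
    {"decision": "Permit" | "Deny" | ..., "uid": ..., "gid": ..., "secondary_gids": [...]}.
    """
    decision = response.get("decision")
    if decision != "Permit":
        raise DecisionError(f"decision is {decision!r}, not Permit")
    if "uid" not in response or "gid" not in response:
        raise DecisionError("a Permit must carry both a Unix UID and a Unix GID")
    uid = _numerical_id(response["uid"], "uid")
    gid = _numerical_id(response["gid"], "gid")
    secondary = [_numerical_id(g, "secondary gid")
                 for g in response.get("secondary_gids", [])]
    return UnixAccount(uid, gid, secondary)


def decision_is_usable(response: dict) -> bool:
    """True when the response would result in an account being published."""
    try:
        account_from_decision(response)
    except DecisionError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample responses, not captured PEPd output.
    print(account_from_decision({"decision": "Permit", "uid": "1001", "gid": "1001",
                                 "secondary_gids": ["2000", "2001"]}))
    print(decision_is_usable({"decision": "Permit", "uid": "nobody", "gid": "nogroup"}))
```

A Deny, a Permit without both IDs, or a Permit that names the account rather than numbering it all end up as "not usable", which is the behaviour to expect from the plugin rather than a partially mapped account.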
Options
| Option | Description | Mandatory? | Valid Input | Example | 
|---|---|---|---|---|
| pep-daemon-endpoint-url | The endpoint URL of the PEP daemon. This directive can be used multiple times for failover (in order) | Yes | A URL (max. 256 chars) | --pep-daemon-endpoint-url https://pepd.example.org:8154/authz | 
| resourceid | XACML request resource-id value* | Yes, XOR(1) | A URI (max. 512 chars) | --resourceid http://authz-interop.org/xacml/resource/resource-type/wn | 
| resourcetype | XACML request resource-id value (short notation). Set the XACML request resource-id value to http://authz-interop.org/xacml/resource/resource-type/<value> | Yes, XOR(1) | se, ce, rb, wn | --resourcetype wn | 
| actionid | XACML request action-id value* | Yes, XOR(2) | A URI (max. 512 chars) | --actionid http://glite.org/xacml/action/execute | 
| actiontype | XACML request action-id value (short notation). Set the XACML request action-id value to http://authz-interop.org/xacml/action/action-type/<value> | Yes, XOR(2) | execute-now, queue, access | --actiontype execute-now | 
| check-certificates | force the PEP-C library to do SSL validation checks, regardless of its default setting | No | n/a | --check-certificates | 
| no-check-certificates | force the PEP-C library to ignore SSL validation checks | No | n/a | --no-check-certificates | 
| capath | Sets the CA path to the directory with CA certificates and CRL files | No | A path; its maximum length is the system limit | --capath /etc/grid-security/certificates/ | 
| cafile | A file with a CA certificate or set of certificates | No | A file path; its maximum length is the system limit | --cafile /etc/grid-security/certificate/123dasd.0 | 
| pep-certificate-mode | Use implicit user proxy, explicit file or no client certificate at all | No | implicit, explicit, none | --pep-certificate-mode implicit | 
| certificate | Certificate to use to contact PEPd | No | A file path; its maximum length is the system limit | --certificate /etc/grid-security/hostcert.pem | 
| key | Private key file used to contact PEPd | No | A file path; its maximum length is the system limit | --key /etc/grid-security/hostkey.pem | 
| pass | Password for the certificate's private key file | No | A password string | --pass supersecretpassword | 
| passfile | Password file for the certificate's private key | No | A file path; its maximum length is the system limit | --passfile /root/secretpassfile | 
| pep-c-debug | Enable verbose logging in the libpepc library | No | n/a | --pep-c-debug | 
| profile | Selects the attribute profile in which the attributes are sent (both can be received and processed) | No | http://authz-interop.org/profile/1.1 or http://glite.org/xacml/profile/grid-wn/1.0 | --profile http://authz-interop.org/profile/1.1 or --profile http://glite.org/xacml/profile/grid-wn/1.0 | 
| ssl-cipher-list | Specify the cipher list to be used for the SSL session. This is required on systems that use libcurl built against libnss, such as RH 6 and derivatives, when talking to older Argus servers. | No | String containing the SSL ciphers to use | --ssl-cipher-list "DEFAULT:-ECDH" | 
| use-pilot-proxy-as-cafile | Use the pilot proxy also as --cafile option, necessary for NSS based SSL (RH6 and alike). | No | n/a | --use-pilot-proxy-as-cafile | 
The valid XACML values for the resourceid and actionid are defined in the document XACML Grid Worker Node Authorization Profile, Version 1.0 for the new default profile. The previously used profile is defined in the document An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids.
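The XOR rules in the table (resourceid or resourcetype, actionid or actiontype), the short-notation expansion and the length limits are the parts of an lcmaps.db stanza that are easiest to get wrong. The following added example, not the plugin's own option parser, normalises an option set into the endpoint failover list and the XACML resource-id and action-id it implies, and refuses the combinations the table forbids. Option names and the URI prefixes come from the table; the function names, the dict layout and the decision to treat the repeatable endpoint option as a list are assumptions of this example.

```python
RESOURCE_TYPE_BASE = "http://authz-interop.org/xacml/resource/resource-type/"
ACTION_TYPE_BASE = "http://authz-interop.org/xacml/action/action-type/"
RESOURCE_TYPES = ("se", "ce", "rb", "wn")
ACTION_TYPES = ("execute-now", "queue", "access")
MAX_URL_LEN = 256   # limit stated for --pep-daemon-endpoint-url
MAX_URI_LEN = 512   # limit stated for --resourceid and --actionid


class OptionError(ValueError):
    """Raised for an option set the plugin would refuse to load."""


def _pick_one(opts: dict, full: str, short: str, base: str, allowed) -> str:
    """Enforce the XOR between the full-URI option and its short-notation
    twin and return the resulting XACML identifier."""
    if (full in opts) == (short in opts):
        raise OptionError(f"exactly one of --{full} or --{short} must be given")
    if full in opts:
        value = opts[full]
    else:
        if opts[short] not in allowed:
            raise OptionError(f"--{short} must be one of {', '.join(allowed)}")
        value = base + opts[short]
    if len(value) > MAX_URI_LEN:
        raise OptionError(f"--{full} value exceeds {MAX_URI_LEN} characters")
    return value


def normalise_options(opts: dict) -> dict:
    """Turn a plugin option set into the request parameters it implies.

    `opts` maps option names without the leading "--" to their values; the
    repeatable --pep-daemon-endpoint-url is given as a list in failover order.
    """
    endpoints = opts.get("pep-daemon-endpoint-url")
    if not endpoints:
        raise OptionError("--pep-daemon-endpoint-url is mandatory")
    if isinstance(endpoints, str):
        endpoints = [endpoints]
    for url in endpoints:
        if len(url) > MAX_URL_LEN:
            raise OptionError(f"endpoint URL exceeds {MAX_URL_LEN} characters")
    return {
        "endpoints": list(endpoints),   # tried in this order on failure
        "resource-id": _pick_one(opts, "resourceid", "resourcetype",
                                 RESOURCE_TYPE_BASE, RESOURCE_TYPES),
        "action-id": _pick_one(opts, "actionid", "actiontype",
                               ACTION_TYPE_BASE, ACTION_TYPES),
    }


def options_are_valid(opts: dict) -> bool:
    """True when normalise_options accepts the option set."""
    try:
        normalise_options(opts)
    except OptionError:
        return False
    return True


if __name__ == "__main__":
    # Constructed option set for a worker-node deployment with two PEPd endpoints.
    print(normalise_options({
        "pep-daemon-endpoint-url": ["https://pepd1.example.org:8154/authz",
                                    "https://pepd2.example.org:8154/authz"],
        "resourcetype": "wn",
        "actiontype": "execute-now",
    }))
```

Note that the full-URI form is passed through unchanged, so an --actionid from the older authz-interop profile (such as the http://glite.org/xacml/action/execute value in the table) is accepted as-is; only the short notation is expanded with the authz-interop prefixes.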
When an https endpoint is used for the PEP daemon, client-side authentication can be enabled by specifying a file with a certificate chain and a file with the associated private key. If an https endpoint is specified but no certificate or key is provided, an anonymous secure connection is established. The server identity is always verified using the trust anchor repository specified by the --capath or --cafile options. If neither of these is specified, the plugin uses the directory referred to by the X509_CERT_DIR environment variable, or falls back to /etc/grid-security/certificates. If neither directory can be found, the system default trust anchor store is used.
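The trust-anchor lookup order and the client-authentication rule above decide which CA set a deployment actually verifies the PEPd against, which is worth checking explicitly on a host where X509_CERT_DIR is set by a batch system wrapper. The following added example, not plugin or libpepc code, models both rules as pure functions; the filesystem check is passed in as a callable so the example runs offline. The function names, the list return value and the `dir_exists` stand-in are assumptions of this example, and the page does not state a precedence when both --capath and --cafile are given, so the example reports both.

```python
DEFAULT_CERT_DIR = "/etc/grid-security/certificates"


def resolve_trust_anchors(opts: dict, env: dict, dir_exists) -> list:
    """Return [(kind, location), ...] describing the trust anchors used for
    server verification.

    opts: option names without the leading "--" mapped to their values.
    env: the process environment (a plain dict here).
    dir_exists: callable(path) -> bool, standing in for os.path.isdir.
    """
    # Explicit options win. If both are given the page states no precedence,
    # so both are reported (assumption of this example).
    explicit = [(name, opts[name]) for name in ("capath", "cafile") if name in opts]
    if explicit:
        return explicit
    # Otherwise X509_CERT_DIR, then the grid-security default, each only if
    # the directory actually exists.
    for candidate in (env.get("X509_CERT_DIR"), DEFAULT_CERT_DIR):
        if candidate and dir_exists(candidate):
            return [("capath", candidate)]
    # Neither directory found: the system default trust store is used.
    return [("system", None)]


def client_authentication(opts: dict) -> str:
    """'client-certificate' when a certificate chain and key are both given,
    otherwise the connection is an anonymous TLS session."""
    if "certificate" in opts and "key" in opts:
        return "client-certificate"
    return "anonymous"


if __name__ == "__main__":
    import os
    # Constructed option set: host credentials, trust anchors from the environment.
    opts = {"certificate": "/etc/grid-security/hostcert.pem",
            "key": "/etc/grid-security/hostkey.pem"}
    print(resolve_trust_anchors(opts, dict(os.environ), os.path.isdir))
    print(client_authentication(opts))
```

Because the explicit options short-circuit the search, a --capath pointing at a stale directory is used even when X509_CERT_DIR names a current one; conversely, an X509_CERT_DIR that does not exist is silently skipped in favour of the default directory, which is the case the `dir_exists` callback exercises.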
Notes
Environment
| X509_USER_PROXY | The value of the X509_USER_PROXY environment variable holds the path to the proxy certificate. This is not the primary identity on which the authorization decision is based. This proxy certificate identifies the pilot job executor, the identity responsible for pulling a pilot job payload associated with a proxy onto a worker node during job execution. | 
| X509_CERT_DIR | Used to look for trust anchors in case of using https to connect to the Argus PEPd server. | 
Further reading
See the man page lcmaps_plugins_c_pep(8) for more information on the supported profiles.
