Difference between revisions of "Lcmaps-plugins-vo-ca-ap"
Line 18: | Line 18: | ||
Each line in the vo-ca-ap file first contains the name of a VO (starting with a slash and allowing wildchars), followed by a list of DNs or .info files. Long lines can be broken using a continuation character \, and anything after a # is ignored. | Each line in the vo-ca-ap file first contains the name of a VO (starting with a slash and allowing wildchars), followed by a list of DNs or .info files. Long lines can be broken using a continuation character \, and anything after a # is ignored. | ||
+ | == Example lcmaps.db file == | ||
+ | The plugin would typically called in an LCMAPS db file like: | ||
+ | [...] | ||
+ | vo_ca_ap = "lcmaps_vo_ca_ap.mod" | ||
+ | " -certdir /etc/grid-security/certificates" | ||
+ | " -vo_ca_ap_file /etc/grid-security/vo-ca-ap-file" | ||
+ | [...] | ||
+ | |||
+ | # policies | ||
+ | mapping: | ||
+ | vo_ca_ap -> my-first-plugin | ||
+ | my-first-plugin -> ... | ||
+ | |||
+ | == vo-ca-ap-file == | ||
=== Reference WLCG / IGTF VO-CA-AP file === | === Reference WLCG / IGTF VO-CA-AP file === | ||
The default vo-ca-ap-file as shipped in <tt>/etc/grid-security/vo-ca-ap-file</tt> | The default vo-ca-ap-file as shipped in <tt>/etc/grid-security/vo-ca-ap-file</tt> | ||
Line 81: | Line 95: | ||
# Non-VOMS proxies only allowed for Classic | # Non-VOMS proxies only allowed for Classic | ||
"-" file:policy-igtf-classic.info | "-" file:policy-igtf-classic.info | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
= Software = | = Software = |
Revision as of 20:57, 16 February 2017
Introduction
The LCMAPS-plugins-vo-ca-ap package provides the functionality for making authorization decisions based on the combination of an Authentication Profile (AP) or CA signing the End-Entity certificate and VO used by the user.
Background
Until recently a site would typically accept any signing CA, as long as it belonged to any of the supported IGTF APs. A site could only selectively decide not to support a certain AP or CA. On the other hand, with the advent of using federated logins and logins using social IdPs such as Google and Facebook, some (typically online) CAs have a lower 'Level of Assurance' (LoA). This has led to the IGTF IOTA Profile.
In itself such a lower LoA would not be sufficient for allowing a user to enter a site. On the other hand, certain VOs do a strong identity vetting before allowing users into their VO. In such cases, the combined LOA would actually be sufficient to trust a user into a site. As a temporarily solution, CERN has introduced a new CA, the CERN IOTA CA, which is an IOTA CA, but will only produce certificates for users that are member of one of the (strongly vetted) CERN VOs. Such a solution can only be employed on a temporary or one-off basis, for a proper solution it is necessary to be able to perform combined VO+AP+CA authorization decisions. This LCMAPS plugin provides the necessary logic to make that possible.
Usage
The plugin should be inserted somewhere in a LCMAPS policy, but preferable at the beginning. The plugin accepts two arguments,
-vo-ca-ap-file | File containing VO ↔ CA or AP mapping |
-certdir or -capath | Directory containing the .info files, default /etc/grid-security/certificates |
Each line in the vo-ca-ap file first contains the name of a VO (starting with a slash and allowing wildchars), followed by a list of DNs or .info files. Long lines can be broken using a continuation character \, and anything after a # is ignored.
Example lcmaps.db file
The plugin would typically called in an LCMAPS db file like:
[...] vo_ca_ap = "lcmaps_vo_ca_ap.mod" " -certdir /etc/grid-security/certificates" " -vo_ca_ap_file /etc/grid-security/vo-ca-ap-file" [...] # policies mapping: vo_ca_ap -> my-first-plugin my-first-plugin -> ...
vo-ca-ap-file
Reference WLCG / IGTF VO-CA-AP file
The default vo-ca-ap-file as shipped in /etc/grid-security/vo-ca-ap-file
# Realistic example vo-ca-ap file, can be used with lcmaps-plugins-vo-ca-ap # CERN VOs are allowed to use any AP, including IOTA /atlas file:policy-igtf-classic.info, file:policy-igtf-mics.info,\ file:policy-igtf-slcs.info, file:policy-igtf-iota.info /cms file:policy-igtf-classic.info, file:policy-igtf-mics.info,\ file:policy-igtf-slcs.info, file:policy-igtf-iota.info /lhcb file:policy-igtf-classic.info, file:policy-igtf-mics.info,\ file:policy-igtf-slcs.info, file:policy-igtf-iota.info /alice file:policy-igtf-classic.info, file:policy-igtf-mics.info,\ file:policy-igtf-slcs.info, file:policy-igtf-iota.info # Any other VO only for classic, mics and slcs /* file:policy-igtf-classic.info, file:policy-igtf-mics.info,\ file:policy-igtf-slcs.info # Any non-VOMS proxy also only for classic, mics and slcs "-" file:policy-igtf-classic.info, file:policy-igtf-mics.info,\ file:policy-igtf-slcs.info
Reference ca-policy-egi-cam.vo-ca-ap as shipped with the ca-policy-egi-cam package
The following file is part of the ca-policy-egi-cam package, and applicable to those site that install the EGI-repackaged trust anchor distribution (and who thus may not have the IGTF default files used above). It implements the EGI policy on acceptable authentication assurance and the set of VOs as endorsed by virtue of EGI SPG and OMB decisions.
# EGI Combined Adequacy Assurance Model (CAM) reference configuration # for LCMAPS-plugins-vo-ca-ap. For instructions, see # https://wiki.nikhef.nl/grid/Lcmaps-plugins-vo-ca-ap # Reference configuation follows https://documents.egi.eu/document/2930 # and associated implementation guidance as for the EGI SPG processes # /atlas file:policy-egi-core.info file:policy-egi-cam.info /cms file:policy-egi-core.info file:policy-egi-cam.info /lhcb file:policy-egi-core.info file:policy-egi-cam.info /alice file:policy-egi-core.info file:policy-egi-cam.info /* file:policy-egi-core.info # # for non-VOMS enabled credentials, supports only core policy trust anchors: "-" file:policy-egi-core.info
Other example vo-ca-ap-file
A more elaborate (and NOT realistic) example:
# NOT-realistic example vo-ca-ap file, DO NOT USE IN PRODUCTION # VO A can be used only with IGTF classic /vo_a file:policy-igtf-classic.info # VO B can be used with IGTF classic, or a CERN CA specified either using DN or with its info file /vo_b file:policy-igtf-classic.info, "/DC=ch/DC=cern/CN=CERN Grid Certification Authority",\ file:CERN-Root-2.info # Test VO, can only be used with two Example CAs /testvo "/DC=org/O=example/CN=First Example Certificate Authority", \ "/DC=org/O=example/CN=The Other Example Certificate Authority" # Any other VO should only allowed for Classic and MICS /* file:policy-igtf-classic.info, file:policy-igtf-mics.info # Non-VOMS proxies only allowed for Classic "-" file:policy-igtf-classic.info
Software
The current version is 0.0.2-1 and can be found in the Official EGI UMD-3 and UMD-4 repos.
- release tar-balls
- Nikhef signed RPMs use epel5, epel6 or epel7 for RH5, RH6 and RH7 compatible.
- Debian packages