Difference between revisions of "Argus Global Banning Setup Overview"
From PDP/Grid Wiki
(Created page with "= Introduction = This page is a *DRAFT*. Furthermore, this page is not intended to give a full overview of how to install an Argus service. = Architecture / Components = ; [[...")
Line 8: | Line 8: | ||
= Setup = | = Setup = | ||
+ | == Configuring a PAP == | ||
+ | An Argus PAP can be configured using either the pap-admin cli tool, see [https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI] or directly via the ini files <tt>pap_authorization.ini</tt> (for the ACL) and <tt>pap_configuration.ini</tt> (for setting remote PAPs), both located in <tt>etc/argus/pap</tt>. | ||
+ | |||
+ | For setting the policies, the pap-admin is the only option. | ||
+ | |||
+ | When using YAIM to configure Argus, it will be left without any policy. | ||
+ | |||
== Central wLCG Argus == | == Central wLCG Argus == | ||
+ | * The Central wLCG Argus needs to be configured to have a policy which *only* bans (/deny entries) subjects and/or FQANs. | ||
+ | * In addition it needs to have an appropriate ACL which permits all the NGI Argus PAPs read access to its policy. | ||
+ | |||
+ | === Configuring the ACL in the PAP === | ||
+ | |||
+ | |||
== NGI Argus == | == NGI Argus == |
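Review bot: the added heading "=== Configuring the ACL in the PAP ===" has no body, so the requirement in the bullet above it (read access for all the NGI Argus PAPs) is stated but the page never shows how to grant it. Either add the pap_authorization.ini entry or the pap-admin call that sets it, or hold the heading back until that text exists. In the "Configuring a PAP" paragraph, <tt>etc/argus/pap</tt> is a relative path with no base directory given; say what it is relative to.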
Revision as of 11:56, 23 August 2013
Introduction
This page is a *DRAFT*. Furthermore, this page is not intended to give a full overview of how to install an Argus service.
Architecture / Components
- Central wLCG instance
  - for the purpose of this wiki an Argus PAP is sufficient (no PDP or PEPd)
- NGI Argus instance
  - unless all its sites run an Argus, a full Argus (with PDP and PEPd) is needed.
- Site services
  - Site either runs its own Argus, or defines local mapping rules combined with NGI-based banning.
Setup
Configuring a PAP
An Argus PAP can be configured either with the pap-admin CLI tool (see https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI) or directly via the ini files pap_authorization.ini (for the ACL) and pap_configuration.ini (for setting remote PAPs), both located in etc/argus/pap.
Policies can only be set with pap-admin.
When Argus is configured using YAIM, it is left without any policy.
Central wLCG Argus
- The Central wLCG Argus needs to be configured with a policy which *only* bans subjects and/or FQANs (deny entries).
- In addition, it needs an appropriate ACL which permits all the NGI Argus PAPs read access to its policy.
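One way to check the first requirement above (a policy that only bans subjects and/or FQANs) before the NGI PAPs pull it. This is an added example, not part of the wiki page or of Argus; it assumes the policy is available as text in the Argus simplified policy language, and the function name audit_ban_only and both sample policies are constructed for illustration.

```python
import re

# Assumption: rules are written in the Argus simplified policy language as
#   rule <effect> { <attribute> = "<value>" }
RULE_RE = re.compile(r'rule\s+(\w+)\s*\{([^}]*)\}')
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')
BAN_ATTRIBUTES = {"subject", "fqan"}  # the page allows bans on subjects and/or FQANs

# Constructed sample policies (not taken from any real PAP).
GOOD_POLICY = '''
resource ".*" {
    action ".*" {
        rule deny { subject = "CN=Example User,O=Example,C=XX" }
        rule deny { fqan = "/example.vo/Role=pilot" }
    }
}
'''
BAD_POLICY = '''
resource ".*" {
    action ".*" {
        rule deny { subject = "CN=Example User,O=Example,C=XX" }
        rule permit { vo = "example.vo" }
    }
}
'''

def audit_ban_only(policy_text):
    """Return a list of findings; an empty list means every rule is a ban."""
    findings = []
    rules = RULE_RE.findall(policy_text)
    # A 'rule' keyword the pattern could not parse must not pass silently.
    unparsed = len(re.findall(r"\brule\b", policy_text)) - len(rules)
    if unparsed > 0:
        findings.append("%d rule(s) could not be parsed" % unparsed)
    for effect, body in rules:
        if effect != "deny":
            findings.append("non-deny rule: %s" % effect)
        for name, _value in ATTR_RE.findall(body):
            if name not in BAN_ATTRIBUTES:
                findings.append("unexpected attribute in %s rule: %s" % (effect, name))
    return findings

if __name__ == "__main__":
    for label, text in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, audit_ban_only(text) or "only bans")
```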