Difference between revisions of "Argus Global Banning Setup Overview"
From PDP/Grid Wiki
Line 1: | Line 1: | ||
= Introduction = | = Introduction = | ||
− | This page is a *DRAFT*. Furthermore, this page is not intended to give a full overview of how to install an Argus service. | + | This page is a *DRAFT*. Furthermore, this page is not intended to give a full overview of how to install an Argus service, see instead [https://twiki.cern.ch/twiki/bin/view/EGEE/ArgusEMIDeployment https://twiki.cern.ch/twiki/bin/view/EGEE/ArgusEMIDeployment] for information on general setup. |
= Architecture / Components = | = Architecture / Components = | ||
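Review bot: The sentence added on the + side of the Introduction line is a comma splice ("...install an Argus service, see instead ...") and uses the bare URL as its own link label. Split it into two sentences and give the link a descriptive label, so the reader knows it points to the general deployment instructions before following it.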
Line 9: | Line 9: | ||
= Setup = | = Setup = | ||
== Configuring a PAP == | == Configuring a PAP == | ||
− | An Argus PAP can be configured using either the pap-admin cli tool, see [https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI] or directly via the ini files <tt>pap_authorization.ini</tt> (for the ACL) and <tt>pap_configuration.ini</tt> (for setting remote PAPs), both located in <tt>etc/argus/pap</tt>. | + | An Argus PAP can be configured using either the <tt>pap-admin</tt> cli tool, see [https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI] or directly via the ini files <tt>pap_authorization.ini</tt> (for the ACL) and <tt>pap_configuration.ini</tt> (for setting remote PAPs), both located in <tt>etc/argus/pap</tt>. |
− | For setting the policies, the pap-admin is the only option. | + | For setting the policies, the <tt>pap-admin</tt> is the only option. |
When using YAIM to configure Argus, it will be left without any policy. | When using YAIM to configure Argus, it will be left without any policy. |
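Review bot: The path <tt>etc/argus/pap</tt> in the first changed line has no leading slash, so it is unclear whether it is absolute or relative to an install prefix. Since the line is being touched anyway, state the full path. The unchanged YAIM line at the end of the hunk would also benefit from a sentence saying what "without any policy" means for banning, since an administrator who only runs YAIM needs to know that bans still have to be set with <tt>pap-admin</tt>.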
Revision as of 11:59, 23 August 2013
Introduction
This page is a *DRAFT*. Furthermore, it is not intended to give a full overview of how to install an Argus service. For information on general setup, see https://twiki.cern.ch/twiki/bin/view/EGEE/ArgusEMIDeployment instead.
Architecture / Components
- Central wLCG instance
  - For the purposes of this wiki, an Argus PAP is sufficient (no PDP or PEPd).
- NGI Argus instance
  - Unless all its sites run an Argus, a full Argus (with PDP and PEPd) is needed.
- Site services
  - A site either runs its own Argus, or defines local mapping rules combined with NGI-based banning.
Setup
Configuring a PAP
An Argus PAP can be configured either with the pap-admin CLI tool (see https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI) or directly via the ini files pap_authorization.ini (for the ACL) and pap_configuration.ini (for setting remote PAPs), both located in etc/argus/pap.
For setting the policies, pap-admin is the only option.
When YAIM is used to configure Argus, Argus is left without any policy.
Central wLCG Argus
- The Central wLCG Argus needs to be configured with a policy that *only* bans subjects and/or FQANs (deny entries).
- In addition, it needs an appropriate ACL that permits all the NGI Argus PAPs read access to its policy.
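One way to check the "only bans" requirement above, as an added example (not part of the wiki page or of Argus itself): the script parses policy text in the Argus simplified policy language and reports every rule that is not a deny on a subject or FQAN. The sample policies, the DNs and the name audit_ban_only are constructed for illustration. That the text comes from the central PAP's policy listing is an assumption.

```python
import re

# Constructed sample policies in the Argus simplified policy language.
SAMPLE_OK = '''
resource ".*" {
    action ".*" {
        rule deny { subject="CN=Banned User,O=Example,C=XX" }
        rule deny { fqan="/example.vo/Role=pilot" }
    }
}
'''
# Same policy with a permit rule slipped in; the central instance must not carry this.
SAMPLE_BAD = SAMPLE_OK.replace(
    'rule deny { fqan=',
    'rule permit { vo="example.vo" }\n        rule deny { fqan=')

RULE_RE = re.compile(r'rule\s+(\w+)\s*\{([^}]*)\}')
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')
ALLOWED_ATTRS = {"subject", "fqan"}  # the page: bans on subjects and/or FQANs

def audit_ban_only(policy_text):
    """Return (bans, findings); findings is empty when the policy only bans."""
    bans, findings = [], []
    for effect, body in RULE_RE.findall(policy_text):
        attrs = ATTR_RE.findall(body)
        if effect != "deny":
            findings.append(f"non-deny rule: {effect} {{{body.strip()}}}")
        if not attrs:
            findings.append(f"{effect} rule without a recognisable attribute")
        for name, value in attrs:
            if name not in ALLOWED_ATTRS:
                findings.append(f"unexpected attribute '{name}' in {effect} rule")
            elif effect == "deny":
                bans.append((name, value))
    return bans, findings

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        bans, findings = audit_ban_only(text)
        print(f"[{label}] {len(bans)} ban(s), {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```

An empty result for both lists means no policy is loaded at all, which is the state the page says YAIM leaves Argus in.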