Argus Global Banning Setup Overview

From PDP/Grid Wiki
Revision as of 11:56, 23 August 2013 by Msalle@nikhef.nl (talk | contribs)
Jump to navigationJump to search

Introduction

This page is a *DRAFT*. Furthermore, this page is not intended to give a full overview of how to install an Argus service.

Architecture / Components

Central wLCG instance
for the purpose of this wiki an Argus PAP is sufficient (no PDP or PEPd)
NGI Argus instance
unless all its sites run an Argus, a full Argus (with PDP and PEPd) is needed.
Site services
Site either runs its own Argus, or defines local mapping rules combined with NGI-based banning.

Setup

Configuring a PAP

An Argus PAP can be configured using either the pap-admin cli tool, see https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI or directly via the ini files pap_authorization.ini (for the ACL) and pap_configuration.ini (for setting remote PAPs), both located in etc/argus/pap.

For setting the policies, the pap-admin is the only option.

When using YAIM to configure Argus, it will be left without any policy.

Central wLCG Argus

  • The Central wLCG Argus needs to be configured to have a policy which *only* bans (/deny entries) subjects and/or FQANs.
  • In addition it needs to have an appropriate ACL which permits all the NGI Argus PAPs read access to its policy.

Configuring the ACL in the PAP

NGI Argus

Site

Site runs own Argus

Site runs no Argus