LCMAPS C PEP plugin

From PDP/Grid Wiki
Revision as of 08:57, 28 August 2012 by Msalle@nikhef.nl (→ Further reading)

The LCMAPS C PEP plugin is the LCMAPS plugin to interact with the Argus PEPd server.

Description

The LCMAPS C PEP plugin is typically used in the gLExec-on-workernode scenario. It utilizes the Argus PEP-C library to contact the PEP daemon, sending the user credentials and, if applicable, the pilot job credentials and extra information to the PEP daemon.

The PEP daemon will process the request and query the PDP, PAP, EES chain for a policy decision. The PEP daemon will return a Permit statement with a Unix account. The Unix account must be composed of a Unix User ID and Unix Group ID. Optionally Unix Secondary GIDs may be returned. All of these IDs must be returned in numerical form. The results will then be published in the LCMAPS framework.

The plug-in uses the credentials loaded in the LCMAPS framework for the primary authorization decision; the returned Unix account reflects this identity. In addition, in a multi-user pilot job scenario, the X509_USER_PROXY environment variable is read to add information about the identity that runs the pilot job framework and triggered the execution of this plug-in, most likely by means of gLExec.

Options

Each option is listed with its description, whether it is mandatory, its valid input, and an example.

pep-daemon-endpoint-url
    Description: The endpoint URL of the PEP daemon. This directive can be used multiple times for failover (the endpoints are tried in order).
    Mandatory: Yes
    Valid input: A URL (max. 256 chars)
    Example: --pep-daemon-endpoint-url https://pepd.example.org:8154/authz

resourceid
    Description: XACML request resource-id value (the valid values are defined in the profile documents referenced below).
    Mandatory: Yes, XOR(1): exactly one of resourceid and resourcetype must be given.
    Valid input: A URI (max. 512 chars)
    Example: --resourceid http://authz-interop.org/xacml/resource/resource-type/wn

resourcetype
    Description: XACML request resource-id value in short notation; sets the resource-id to http://authz-interop.org/xacml/resource/resource-type/<value>.
    Mandatory: Yes, XOR(1): exactly one of resourceid and resourcetype must be given.
    Valid input: se, ce, rb, wn
    Example: --resourcetype wn

actionid
    Description: XACML request action-id value (the valid values are defined in the profile documents referenced below).
    Mandatory: Yes, XOR(2): exactly one of actionid and actiontype must be given.
    Valid input: A URI (max. 512 chars)
    Example: --actionid http://glite.org/xacml/action/execute

actiontype
    Description: XACML request action-id value in short notation; sets the action-id to http://authz-interop.org/xacml/action/action-type/<value>.
    Mandatory: Yes, XOR(2): exactly one of actionid and actiontype must be given.
    Valid input: execute-now, queue, access
    Example: --actiontype execute-now

check-certificates
    Description: Force the PEP-C library to perform SSL validation checks, regardless of its default setting.
    Mandatory: No
    Valid input: n/a (flag without a value)
    Example: --check-certificates

no-check-certificates
    Description: Force the PEP-C library to skip SSL validation checks.
    Mandatory: No
    Valid input: n/a (flag without a value)
    Example: --no-check-certificates

capath
    Description: Sets the CA path to the directory containing the CA certificates and CRL files.
    Mandatory: No
    Valid input: A path; its maximum length is the system limit
    Example: --capath /etc/grid-security/certificates/

cafile
    Description: A file with one CA certificate or a set of CA certificates.
    Mandatory: No
    Valid input: A file path; its maximum length is the system limit
    Example: --cafile /etc/grid-security/certificate/123dasd.0

pep-certificate-mode
    Description: Use the implicit user proxy, an explicit certificate file, or no client certificate at all.
    Mandatory: No
    Valid input: implicit, explicit, none
    Example: --pep-certificate-mode implicit

certificate
    Description: Certificate used to contact the PEPd.
    Mandatory: No
    Valid input: A file path; its maximum length is the system limit
    Example: --certificate /etc/grid-security/hostcert.pem

key
    Description: Private key file used to contact the PEPd.
    Mandatory: No
    Valid input: A file path; its maximum length is the system limit
    Example: --key /etc/grid-security/hostkey.pem

pass
    Description: Password for the certificate's private key file.
    Mandatory: No
    Valid input: A password string
    Example: --pass supersecretpassword

passfile
    Description: File containing the password for the certificate's private key.
    Mandatory: No
    Valid input: A file path; its maximum length is the system limit
    Example: --passfile /root/secretpassfile

pep-c-debug
    Description: Enable verbose logging in the libpepc library.
    Mandatory: No
    Valid input: n/a (flag without a value)
    Example: --pep-c-debug

profile
    Description: Selects the attribute profile in which the attributes are sent (both profiles can be received and processed).
    Mandatory: No
    Valid input: http://authz-interop.org/profile/1.1 or http://glite.org/xacml/profile/grid-wn/1.0
    Example: --profile http://authz-interop.org/profile/1.1 or --profile http://glite.org/xacml/profile/grid-wn/1.0

ssl-cipher-list
    Description: Specifies the cipher list used for the SSL session. This is required on systems whose libcurl is built against libnss (such as RH 6 and derivatives) when talking to older Argus servers.
    Mandatory: No
    Valid input: String containing the SSL ciphers to use
    Example: --ssl-cipher-list "DEFAULT:-ECDH"

use-pilot-proxy-as-cafile
    Description: Also use the pilot proxy as the --cafile; necessary for NSS-based SSL (RH6 and alike).
    Mandatory: No
    Valid input: n/a (flag without a value)
    Example: --use-pilot-proxy-as-cafile

The valid XACML values for the resourceid and actionid are defined in the document XACML Grid Worker Node Authorization Profile, Version 1.0 for the new default profile. The previously used profile is defined in the document An XACML Attribute and Obligation Profile for Authorization Interoperability in Grids.

When an https endpoint is used for the PEP daemon, client-side authentication can be enabled by specifying a file with a certificate chain and a file with the associated private key. If an https endpoint is specified but no certificate or key is provided, an anonymous secure connection is established (the server is authenticated, the client is not). The server identity is always verified against the trust anchor repository given by the --capath or --cafile options. If neither is specified, the plugin uses the directory referred to by the X509_CERT_DIR environment variable, or falls back to /etc/grid-security/certificates. If neither directory can be found, the system default trust anchor store is used.
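As an added example (not code from the LCMAPS distribution), the following Python resolves the effective request values from a plugin option line according to the options table above, and reproduces the trust anchor lookup order described in the preceding paragraph. The function and variable names are made up here; the option names, short-notation prefixes and length limits are those stated on the page.

```python
"""Added example (not LCMAPS code): resolve PEP request values per the options table above."""
import os

RESOURCE_PREFIX = "http://authz-interop.org/xacml/resource/resource-type/"
ACTION_PREFIX = "http://authz-interop.org/xacml/action/action-type/"
RESOURCE_TYPES, ACTION_TYPES = {"se", "ce", "rb", "wn"}, {"execute-now", "queue", "access"}
BOOL_FLAGS = {"check-certificates", "no-check-certificates", "pep-c-debug",
              "use-pilot-proxy-as-cafile"}  # options that take no value
MAX_URL, MAX_URI = 256, 512  # length limits stated in the table

def parse_options(argv):
    """argv as written on the plugin's configuration line, e.g. ["--resourcetype", "wn", ...].
    Raises ValueError where the table marks the configuration as invalid."""
    opts, it = {"endpoints": []}, iter(argv)
    for flag in it:
        name = flag.lstrip("-")
        if name != "pep-daemon-endpoint-url":
            opts[name] = True if name in BOOL_FLAGS else next(it)
            continue
        url = next(it)
        if len(url) > MAX_URL:
            raise ValueError("endpoint URL exceeds %d chars" % MAX_URL)
        opts["endpoints"].append(url)  # tried in this order for failover
    if not opts["endpoints"]:
        raise ValueError("--pep-daemon-endpoint-url is mandatory")
    opts["resource-id"] = _xor(opts, "resourceid", "resourcetype", RESOURCE_PREFIX, RESOURCE_TYPES)
    opts["action-id"] = _xor(opts, "actionid", "actiontype", ACTION_PREFIX, ACTION_TYPES)
    return opts

def _xor(opts, long_opt, short_opt, prefix, allowed):
    """Exactly one of the full-URI option and its short notation; the short form expands to prefix+value."""
    if (long_opt in opts) == (short_opt in opts):
        raise ValueError("give exactly one of --%s / --%s" % (long_opt, short_opt))
    if long_opt in opts:
        if len(opts[long_opt]) > MAX_URI:
            raise ValueError("--%s exceeds %d chars" % (long_opt, MAX_URI))
        return opts[long_opt]
    if opts[short_opt] not in allowed:
        raise ValueError("unknown --%s value %r" % (short_opt, opts[short_opt]))
    return prefix + opts[short_opt]

def trust_anchors(opts, env, isdir=os.path.isdir):
    """Lookup order from the page: --capath/--cafile, then $X509_CERT_DIR, then
    /etc/grid-security/certificates; None means the system default trust store."""
    if "capath" in opts or "cafile" in opts:
        return opts.get("capath") or opts.get("cafile")
    for d in (env.get("X509_CERT_DIR"), "/etc/grid-security/certificates"):
        if d and isdir(d):
            return d
    return None
```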

Notes

Environment

X509_USER_PROXY The value of the X509_USER_PROXY environment variable holds the path to the proxy certificate. This is not the primary identity on which the authorization decision is based. This proxy certificate identifies the pilot job executor, the identity responsible for pulling a pilot job payload associated with a proxy onto a Worker Node during job execution.
X509_CERT_DIR Used to look for trust anchors when https is used to connect to the Argus PEPd server.

Further reading

See the man page lcmaps_plugins_c_pep(8) for more information on the supported profiles.