
Argus is an authorisation framework developed in EGEE-III and the primary authorisation service used in the EGI infrastructure. It is based on XACML2 and consists of separate PAP, PDP and PEP components. The PEP is split into a separate PEP-server and PEP-client part; the PEP-server and client communicate with each other via a proprietary binary protocol (Hessian). The Policy Administration Point (PAP) provides the tools to author authorisation policies, organise them in the local repository and configure policy distribution among remote PAPs. The Policy Decision Point (PDP) implements the authorisation engine and is responsible for evaluating authorisation requests against the XACML policies it retrieves from the PAP. The Policy Enforcement Point Server (PEP Server) ensures the integrity and consistency of the authorisation requests received from the PEP clients. Lightweight PEP client libraries (Java and C) are also provided to ease the integration and interoperability with other EMI services or components.


  • Ownership: maintained by INFN (Java based components) and Nikhef (C-based components)

  • Licence: Apache-2.0


Features

The PAP provides fine-grained and hierarchical authorisation decisions. It is currently used with X.509-based credential attributes (such as subject- and issuer-DN) as input, but is adaptable for use with other types of attributes. It can be used for community-based authorisation via VOMS attributes. Authorisation decisions based on a specific combination of VO, CA and authentication profile are on the roadmap, in the form of a PIP. The PEP-server provides a plugin framework via PIPs and Obligation Handlers (OHs), such as an obligation handler for mapping to a local Unix account.
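The PAP/PDP/PEP division from the introduction and the PIP and obligation-handler plugin points described above can be sketched in a few dozen lines. The following is an added example written for this page, not Argus code (Argus policies are real XACML and the PEP speaks Hessian, neither of which is modelled here); the class names, the `pip_vo_from_fqan` PIP, the `map-to-local-account` obligation id and the pool-account table are constructed placeholders. It shows first-applicable rule combining in the PDP, a PEP that refuses malformed requests, fails closed on NotApplicable, and withdraws a Permit whose obligation cannot be fulfilled.

```python
# Toy model of the Argus PAP / PDP / PEP split. Constructed example for this
# page, not Argus code: the classes, the PIP, the obligation id and the
# VO-to-account table are all hypothetical.
from dataclasses import dataclass, field

# ---- PAP: policies are authored here. Each policy targets one resource/action
# pair and holds an ordered rule list; rules are combined first-applicable.
@dataclass
class Rule:
    effect: str                                      # "Permit" or "Deny"
    match: dict                                      # attribute -> required value
    obligations: list = field(default_factory=list)  # handed to the PEP on Permit

@dataclass
class Policy:
    resource: str
    action: str
    rules: list

def _attr_matches(request_value, wanted):
    # Multi-valued attributes (e.g. a list of VOMS FQANs) match if any value does.
    if isinstance(request_value, (list, tuple, set)):
        return wanted in request_value
    return request_value == wanted

# ---- PDP: evaluates a request against the policy set fetched from the PAP.
@dataclass
class Decision:
    result: str                                      # Permit / Deny / NotApplicable
    obligations: list = field(default_factory=list)

def pdp_evaluate(policies, request):
    for pol in policies:
        if (pol.resource, pol.action) != (request["resource"], request["action"]):
            continue
        for rule in pol.rules:
            if all(_attr_matches(request.get(k), v) for k, v in rule.match.items()):
                obs = rule.obligations if rule.effect == "Permit" else []
                return Decision(rule.effect, obs)
    return Decision("NotApplicable")

# ---- PEP server: validates the client's request, runs PIPs to enrich it,
# calls the PDP, then runs obligation handlers on the decision.
REQUIRED = ("subject_dn", "issuer_dn", "resource", "action")

def pip_vo_from_fqan(request):
    # Hypothetical PIP: derive the VO name from the first VOMS FQAN ("/vo/...").
    fqans = request.get("fqans") or []
    if fqans and "vo" not in request:
        parts = fqans[0].split("/")
        if len(parts) > 1 and parts[1]:
            request["vo"] = parts[1]
    return request

# Hypothetical obligation handler: map the VO to a local pool account.
VO_TO_ACCOUNT = {"atlas": "atlas001", "cms": "cms001"}   # constructed table

def oh_map_to_local_account(request, decision):
    if "map-to-local-account" in decision.obligations:
        return VO_TO_ACCOUNT.get(request.get("vo"))
    return None

def pep_authorise(policies, client_request):
    request = dict(client_request)
    missing = [k for k in REQUIRED if not request.get(k)]
    if missing:
        # Integrity check: a malformed request is refused, not forwarded.
        return {"decision": "Deny", "reason": "missing " + ",".join(missing)}
    request = pip_vo_from_fqan(request)
    decision = pdp_evaluate(policies, request)
    if decision.result != "Permit":
        # Fail closed: NotApplicable is enforced exactly like Deny.
        return {"decision": "Deny", "reason": decision.result}
    account = oh_map_to_local_account(request, decision)
    if "map-to-local-account" in decision.obligations and account is None:
        # An obligation the PEP cannot fulfil voids the Permit.
        return {"decision": "Deny", "reason": "obligation not satisfiable"}
    return {"decision": "Permit", "local_account": account}

# Constructed policy set, in the order the PAP would serve it.
POLICIES = [
    Policy("wn", "execute", [
        Rule("Deny",   {"fqans": "/atlas/Role=blocked"}),
        Rule("Permit", {"vo": "atlas"}, ["map-to-local-account"]),
        Rule("Permit", {"vo": "cms"},   ["map-to-local-account"]),
        Rule("Permit", {"vo": "lhcb"},  ["map-to-local-account"]),  # no account mapped
    ]),
]

if __name__ == "__main__":
    req = {"subject_dn": "/DC=org/DC=example/CN=alice",
           "issuer_dn": "/DC=org/DC=example/CN=Example CA",
           "resource": "wn", "action": "execute",
           "fqans": ["/atlas/Role=production"]}
    print(pep_authorise(POLICIES, req))
```

The ordering of the rules matters under first-applicable combining: the Deny on the blocked role is listed before the VO-wide Permit, so a holder of both FQANs is refused. The `lhcb` rule illustrates the obligation case: the PDP permits, but the PEP has no account to map to, so the enforced result is Deny.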

Supported standards

  • SAML2-XACML2 (PAP and PDP only)
  • X.509
  • VOMS

User Interfaces and APIs

  • Libraries: Java and C libraries exist for communicating with the PEPd (using the Hessian binary web service protocol).
  • Command line: pap-admin, pepcli
  • External plugins: LCMAPS plugin (PEP client), gsi-callout library (for use in e.g. gsissh or GridFTP).

Support for Virtual Organisations
