
new PIPs needed for supporting IOTA CAs #15

Open
msalle opened this issue Jul 27, 2016 · 1 comment

Comments


msalle commented Jul 27, 2016

For supporting IOTA CAs (see http://wiki.eugridpma.org/Main/IOTASecuredInfraAP) Argus must be able to authorize users based on the combination VO + CA or more specifically, on VO + AP. In short, the IOTA-profile CAs are only allowed for VOs that do sufficient identity vetting, such as the WLCG VOs.
For expressing this efficiently in Argus policies we need to provide new PIPs to set at least the two new attributes:

  1. ca-policy-oid
  2. ca-policy-names

Attribute 1. can be obtained from the certificate, and matched in a PAP policy against the OIDs

  • 1.2.840.113612.5.2.2.1 / policy-igtf-classic
  • 1.2.840.113612.5.2.2.3 / policy-igtf-slcs
  • 1.2.840.113612.5.2.2.5 / policy-igtf-mics
  • 1.2.840.113612.5.2.2.6 / policy-igtf-iota

However, since not all CAs provide them reliably, we also need attribute 2 which will indicate in which .info files in the /etc/grid-security/certificates directory the subject DN of the end-entity-certificate issuing CA is found. Furthermore, we need to retrieve the issuer DN of only the end-entity certificate. We cannot obtain that from the unsorted multivalued attribute http://dci-sec.org/xacml/attribute/subject-issuer, but can use the single-valued http://authz-interop.org/xacml/subject/subject-x509-issuer attribute. Hence we suggest using the following attributes:

  1. http://authz-interop.org/xacml/subject/ca-policy-oid
    see https://www.ogf.org/documents/GFD.205.pdf §6.2.3
  2. http://authz-interop.org/xacml/subject/subject-x509-issuer
    see https://www.ogf.org/documents/GFD.205.pdf §6.1.4
  3. http://authz-interop.org/xacml/subject/ca-policy-names
    a new attribute, string type, multiplicity 0..N

We suggest implementing two new PIPs, the first of which sets attributes 1 & 2 and the second one using attribute 2 to set attribute 3.

The PAP policy using the information should then for each permit on FQAN or VO also include a match on ca-policy-names. For this reason we suggest adding two new .info files, called

  • policy-aspen-birch-cedar.info
  • policy-aspen-birch-cedar-dogwood.info

which will include the 'normal' classic, mics, slcs and iota IGTF policy files. This way, these new policy names can be used in the PAP policies instead of having to reference all 3 or 4 policies separately. E.g. for the WLCG VOs one could reference just policy-aspen-birch-cedar-dogwood.
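The lookup the issue proposes, as an added illustration (not code from Argus or from msalle's commits): map certificate policy OIDs to the IGTF policy names listed above, resolve the issuer DN to the .info files that cover it (including the two proposed aggregate files), and match the result against a per-VO policy name as a PAP rule would. The .info contents are constructed, and the `requires` key used to express "this aggregate file includes those policy files" is an assumption of this example, not part of the IGTF format.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample .info files (real ones live under /etc/grid-security/certificates).
# Assumed format: 'subjectdn' lines name the CAs the file covers; 'requires' (an
# assumption of this example) pulls in other policy files so the aggregate files
# from the issue are the union of the IGTF profile files.
INFO_FILES: Dict[str, str] = {
    "policy-igtf-classic": 'alias = policy-igtf-classic\nsubjectdn = "/DC=org/DC=example/CN=Classic CA"\n',
    "policy-igtf-slcs": 'alias = policy-igtf-slcs\nsubjectdn = "/DC=org/DC=example/CN=SLCS CA"\n',
    "policy-igtf-mics": 'alias = policy-igtf-mics\nsubjectdn = "/DC=org/DC=example/CN=MICS CA"\n',
    "policy-igtf-iota": 'alias = policy-igtf-iota\nsubjectdn = "/DC=org/DC=example/CN=IOTA CA"\n',
    "policy-aspen-birch-cedar": "requires = policy-igtf-classic, policy-igtf-mics, policy-igtf-slcs\n",
    "policy-aspen-birch-cedar-dogwood": "requires = policy-aspen-birch-cedar, policy-igtf-iota\n",
}

# OID -> policy name mapping from the issue (attribute 1, ca-policy-oid).
POLICY_OIDS = {
    "1.2.840.113612.5.2.2.1": "policy-igtf-classic",
    "1.2.840.113612.5.2.2.3": "policy-igtf-slcs",
    "1.2.840.113612.5.2.2.5": "policy-igtf-mics",
    "1.2.840.113612.5.2.2.6": "policy-igtf-iota",
}

# Constructed VO -> required policy name table, as a PAP policy would encode it.
VO_POLICY = {"wlcg-vo": "policy-aspen-birch-cedar-dogwood", "other-vo": "policy-aspen-birch-cedar"}

def parse_info(text: str) -> Tuple[Set[str], List[str]]:
    """Return (subject DNs, required policy names) from one .info file body."""
    dns, reqs = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))  # first '=' only: DNs contain '='
        if key == "subjectdn":
            dns.update(re.findall(r'"([^"]*)"', value))
        elif key == "requires":
            reqs.extend(v.strip() for v in value.split(",") if v.strip())
    return dns, reqs

def covered_dns(name: str, files: Dict[str, str], seen: Set[str] = None) -> Set[str]:
    """All subject DNs a policy file covers, following 'requires' transitively (cycle-safe)."""
    seen = set() if seen is None else seen
    if name in seen or name not in files:
        return set()
    seen.add(name)
    dns, reqs = parse_info(files[name])
    for req in reqs:
        dns |= covered_dns(req, files, seen)
    return dns

def ca_policy_names(issuer_dn: str, files: Dict[str, str]) -> List[str]:
    """Attribute 3 (ca-policy-names): every .info file whose DN list names the EEC issuer."""
    return sorted(n for n in files if issuer_dn in covered_dns(n, files))

def ca_policy_oid_names(cert_policy_oids: List[str]) -> List[str]:
    """Attribute 1 resolved to IGTF policy names; unknown OIDs are ignored."""
    return sorted(POLICY_OIDS[o] for o in cert_policy_oids if o in POLICY_OIDS)

def permit(vo: str, issuer_dn: str, files: Dict[str, str] = INFO_FILES) -> bool:
    """PAP-style rule: permit the VO only if the issuer CA falls under the VO's policy name."""
    return VO_POLICY.get(vo) in ca_policy_names(issuer_dn, files)
```

With these tables an IOTA-issued certificate is permitted for `wlcg-vo` but refused for `other-vo`, while a classic CA satisfies both.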

msalle added a commit to msalle/argus-pep-server that referenced this issue Jul 27, 2016
Adding X509ExtractorPIP and PolicyNamesPIP with corresponding
*IniConfigurationParser classes and *Test classes.
PolicyNamesPIP makes use of a sub package policynamespip for caching the info
files.
This solves argus-authz#15.
msalle added a commit to msalle/argus-pep-server that referenced this issue Jan 12, 2017

msalle commented Feb 5, 2019

Hi Andrea,
this has now long been released, both in UMD4 and http://argus-authz.github.io/repo/stable/el7/RPMS/repoview/. Probably good to update the 1_7 branch (i.e. to merge the iota-ca-support branch) and to make the relevant tags...
