Argus is an authorisation framework developed in EGEE-III and the primary authorisation service used in the EGI infrastructure. It is based on XACML2, consisting of separate PAP, PDP and PEP components. The PEP is split into a separate PEP-server and PEP-client part. The PEP-server and client communicate with each other via a proprietary binary protocol (`Hessian’). The Policy Administration Point (PAP) provides the tools to author authorisation policies, organise them in the local repository and configure policy distribution among remote PAPs. The Policy Decision Point (PDP) implements the authorisation engine, and is responsible for the evaluation of the authorisation requests against the XACML policies it retrieves from the PAP. The Policy Enforcement Point Server (PEP Server) ensures the integrity and consistency of the authorisation requests received from the PEP clients. Lightweight PEP client libraries (Java and C) are also provided to ease the integration and interoperability with other EMI services or components.
Ownership: maintained by INFN (Java based components) and Nikhef (C-based components)
Licence: Apache-2.0 licence
Features
The PAP provides fine-grained and hierarchical authorisation decisions. It is currently used with X.509-based credential attributes (such as subject- and issuer-DN) as input, but is adaptable for use with other types of
attributes. It can be used for community-based authorisation via VOMS attributes. Authorisation decisions based on a specific combination of VO, CA and authentication profile is on the roadmap, in the form of a PIP. The PEP-server provides a plugin type of framework via PIPs and Obligation Handlers (OHs), such as an obligation handler for mapping to a local Unix account.
Supported standards
- SAML2-XACML2 (PAP and PDP only)
- X.509
- VOMS
User Interfaces and APIs
- Libraries: Java and C libraries exist for communicating with the PEPd (using the Hessian binary web service protocol).
- Command line: pap-admin, pepcli
- External plugins: LCMAPS plugin (PEP client), gsi-callout library (for use in e.g. gsissh or GridFTP).
Support for Virtual Organisations
- Hierarchical organisation
- Virtual communities, delegated administration of the groups
Dependencies on other technologies
voms-java
canl-java
numerous Java libraries such as opensaml.
Operatioanl overview
Sites typically install one Argus service consisting of a PAP, PDP and PEPd on one host. The PAPs can be deployed in a hierarchical way: site, NGI (National Grid Initiative) and central (e.g. Europe). The site’s Argus PAP instance can import policies from an NGI Argus instance, which in turn can import policies from a central Argus-PAP. Together with CERN, EGI runs such a European central PAP that is used for centrally suspending users.
Expected level of support
Argus Java-based components (e.g. PAP, PDP and PEP server) are currently maintained by INFN; Argus C-based (PEP C-based client library, gsi-callout plugin, pepcli) components are currently maintained by Nikhef.