Cheers for these tips. I'll try it here at L'pool.

Steve



On 02/24/2014 03:11 PM, Ewan MacMahon wrote:
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes [mailto:TB-
>> [log in to unmask]] On Behalf Of Orlin Alexandrov
>> Sent: 24 February 2014 13:29
>>
>> We have tested the NGI server with Ewan MacMahon now and he can certainly
>> see the policy on the Oxford site argus server.
>> We've also done some successful tests including additional banned DNs on
>> NGI level.
>>
>> Anyone interested in joining the testing process please let me know.
>>
> And I've got to the bottom of the remaining concern I had with
> this, which was an extra time delay within a site ARGUS.
>
> So, a quick recap on how ARGUS' three main bits work:
>
> - The Policy Administration Point (PAP) is where policy is set up.
> That includes local configuration like which accounts are and are
> not allowed to use glExec, for example. The central user suspension
> list(s) plug in here - your site ARGUS goes and gets policy from the
> UK NGI one and adds it to its own. In the case of a DN being suspended,
> that's a very simple policy that says "If you see this DN, I don't care
> what the question is, the answer is 'NO'".
>
> - The Policy Enforcement Point (PEP) which is the little server that
> client machines talk to when they want a decision made. It doesn't
> actually make them, for that it talks to...
>
> - The Policy Decision Point (PDP) which looks at what it's being asked
> to authorise, consults the policy, and makes the decision.
>
> So, there are a couple of time-outs that are relevant here; firstly,
> in the PAP configuration it has a polling interval that tells it how
> often to go and check the UK NGI Argus server for new policy. This
> defaults to once every four hours, which is too long. It should be set
> to something shorter, let's say about an hour for now. Secondly, the
> PDP has a 'retention interval' for which it will cache a result, so
> it's possible for it to remember an authorisation for a while even
> after a new policy has been downloaded, during which time a DN could
> appear to be suspended by policy, but actually still be allowed to
> log in to things. That period is also set to four hours by default,
> and that needs to be much shorter; there isn't an upstream recommendation
> for this at the moment, but I'm experimenting with twenty minutes on
> the Oxford site ARGUS.
>
> So, it all works, but it's important to shorten the PAP polling interval
> and the PDP retention interval so that changes to the central policies
> actually take effect within a reasonable space of time.
>
> There's a rundown of the general structure of ARGUS here:
>   https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
> and the documentation on everything to do with central banning configuration
> (not all of which is directly relevant to a site ARGUS) is here:
>   http://wiki.nikhef.nl/grid/Argus_Global_Banning_Setup_Overview
>
> Ewan


-- 
Steve Jones                             [log in to unmask]
System Administrator                    office: 220
High Energy Physics Division            tel (int): 42334
Oliver Lodge Laboratory                 tel (ext): +44 (0)151 794 2334
University of Liverpool                 http://www.liv.ac.uk/physics/hep/
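An added check for the two timeouts Ewan describes (the PAP polling interval and the PDP retention interval), written for this archive and not part of the thread or of the Argus project. It assumes the configuration keys as I recall them from the Argus files: poll_interval under [paprepository] in pap_configuration.ini, in seconds, and retentionInterval under [POLICY] in pdp.ini, in minutes; the sample ini fragments are constructed, not copied from any site, and the one-hour / twenty-minute targets are the ones from the message above. Check the key names against your own files before trusting it.

```python
"""Audit the two site-ARGUS timeouts that govern how quickly a centrally
banned DN stops being authorised.

Added example for this thread, not Argus project code.  Assumed key names
(as recalled from the Argus PAP and PDP configuration files):

  pap_configuration.ini  [paprepository]  poll_interval      (seconds)
  pdp.ini                [POLICY]         retentionInterval  (minutes)
"""
import configparser

# Argus defaults: four hours each, as stated in the thread.
PAP_POLL_DEFAULT_S = 14400        # 4 h, in seconds
PDP_RETENTION_DEFAULT_MIN = 240   # 4 h, in minutes

# Targets from the thread: about an hour for PAP polling, twenty minutes
# for PDP retention (the value being tried on the Oxford site ARGUS).
PAP_POLL_MAX_S = 3600
PDP_RETENTION_MAX_MIN = 20


def _read_ini(text):
    """Parse an Argus-style ini file.  Interpolation is disabled so a
    literal '%' in a value cannot break parsing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def pap_poll_interval(pap_ini_text):
    """Seconds between PAP polls of the remote (NGI) PAP.  A missing key
    means Argus uses its built-in default, so report that rather than fail."""
    cp = _read_ini(pap_ini_text)
    return cp.getint("paprepository", "poll_interval",
                     fallback=PAP_POLL_DEFAULT_S)


def pdp_retention_interval(pdp_ini_text):
    """Minutes the PDP keeps what it last fetched from the PAP (note:
    minutes, not seconds like the PAP setting)."""
    cp = _read_ini(pdp_ini_text)
    return cp.getint("POLICY", "retentionInterval",
                     fallback=PDP_RETENTION_DEFAULT_MIN)


def worst_case_ban_delay_s(pap_ini_text, pdp_ini_text):
    """Upper bound, in seconds, on the time between a DN being added to the
    central ban list and the site PDP answering 'NO': a full PAP polling
    period plus a full PDP retention period, both converted to seconds."""
    return (pap_poll_interval(pap_ini_text)
            + 60 * pdp_retention_interval(pdp_ini_text))


def audit(pap_ini_text, pdp_ini_text):
    """Return a list of findings; an empty list means both settings are
    within the targets discussed in the thread."""
    findings = []
    poll = pap_poll_interval(pap_ini_text)
    retention = pdp_retention_interval(pdp_ini_text)
    if poll > PAP_POLL_MAX_S:
        findings.append(
            f"PAP poll_interval = {poll}s; central bans are fetched at most "
            f"every {poll // 60} min, set it to <= {PAP_POLL_MAX_S}s")
    if retention > PDP_RETENTION_MAX_MIN:
        findings.append(
            f"PDP retentionInterval = {retention} min; stale policy can be "
            f"used after a ban arrives, set it to <= {PDP_RETENTION_MAX_MIN}")
    return findings


# Constructed sample files (not copied from any real site).  The first pair
# carries the shipped four-hour defaults, the second the shortened values.
PAP_DEFAULT = """\
[paprepository]
location = /usr/share/argus/pap/repository
poll_interval = 14400
ordering = default
"""
PDP_DEFAULT = """\
[POLICY]
paps = https://argus-site.example.org:8150/pap/services/ProvisioningService
retentionInterval = 240
"""
PAP_TUNED = PAP_DEFAULT.replace("14400", "3600")
PDP_TUNED = PDP_DEFAULT.replace("retentionInterval = 240",
                                "retentionInterval = 20")

if __name__ == "__main__":
    for label, pap, pdp in (("defaults", PAP_DEFAULT, PDP_DEFAULT),
                            ("tuned", PAP_TUNED, PDP_TUNED)):
        print(f"{label}: worst case {worst_case_ban_delay_s(pap, pdp) // 60} min")
        for finding in audit(pap, pdp):
            print("  -", finding)
```

Run it against the real files with open(...).read() in place of the constructed strings. The point worth noticing is the unit mismatch: the two intervals add up, and with both at their defaults a DN suspended centrally can be authorised for up to eight hours on a site that has done nothing wrong in its local policy.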