> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of Orlin Alexandrov
> Sent: 24 February 2014 13:29
> 
> We have tested the NGI server with Ewan MacMahon now and he can certainly
> see the policy on the Oxford site argus server.
> We've also done some successful tests including additional banned DNs on
> NGI level.
> 
> Anyone interested in joining the testing process please let me know.
> 

And I've got to the bottom of the remaining concern I had with
this, which was an extra time delay within a site ARGUS. 

So, a quick recap on how ARGUS' three main bits work:

- The Policy Administration Point (PAP) is where policy is set up.
That includes local configuration like which accounts are and are 
not allowed to use glExec, for example. The central user suspension 
list(s) plug in here - your site ARGUS goes and gets policy from the 
UK NGI one and adds it to its own. In the case of a DN being suspended,
that's a very simple policy that says "If you see this DN, I don't care
what the question is, the answer is 'NO'".

- The Policy Enforcement Point (PEP) which is the little server that 
client machines talk to when they want a decision made. It doesn't 
actually make them, for that it talks to...

- The Policy Decision Point (PDP) which looks at what it's being asked 
to authorise, consults the policy, and makes the decision.

So, there are a couple of time-outs that are relevant here; firstly,
in the PAP configuration it has a polling interval that tells it how
often to go and check the UK NGI Argus server for new policy. This 
defaults to once every four hours, which is too long. It should be set 
to something shorter, let's say about an hour for now. Secondly, the
PDP has a 'retention interval' for which it will cache a result, so 
it's possible for it to remember an authorisation for a while even
after a new policy has been downloaded, during which time a DN could
appear to be suspended by policy, but actually still be allowed to 
log in to things. That period is also set to four hours by default, 
and that needs to be much shorter; there isn't an upstream recommendation
for this at the moment, but I'm experimenting with twenty minutes on
the Oxford site ARGUS.

So, it all works, but it's important to shorten the PAP polling interval
and the PDP retention interval so that changes to the central policies
actually take effect within a reasonable space of time.

There's a rundown of the general structure of ARGUS here:
 https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework 
and the documentation on everything to do with central banning configuration 
(not all of which is directly relevant to a site ARGUS) is here:
 http://wiki.nikhef.nl/grid/Argus_Global_Banning_Setup_Overview 

Ewan
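Added illustration (not part of the message above, and not Argus code): a toy model of the two timers Ewan describes, with the PAP polling the NGI list on a fixed interval and the PDP reusing a cached decision until its retention period expires. The caching behaviour, the scenario and the DN name are simplifying assumptions; it shows how the two delays stack into a window in which a centrally suspended DN is still permitted at the site.

```python
# Added example, not Argus code: simplified model of PAP polling plus PDP
# decision caching. Times are seconds from an arbitrary epoch.
from dataclasses import dataclass, field


@dataclass
class SiteArgus:
    ngi_banned: set              # the NGI PAP's suspension list (shared object)
    pap_poll_interval: int       # seconds between PAP fetches of NGI policy
    pdp_retention: int           # seconds the PDP keeps a cached decision
    site_banned: set = field(default_factory=set)
    polls_done: int = 0
    cache: dict = field(default_factory=dict)   # dn -> (decision, expires_at)

    def decide(self, dn: str, now: int) -> str:
        # PAP side: pull the NGI policy once a poll boundary has passed.
        due = now // self.pap_poll_interval
        if due > self.polls_done:
            self.site_banned = set(self.ngi_banned)
            self.polls_done = due
        # PDP side (assumed model): a cached decision is reused until expiry,
        # so a new ban is invisible while an older "Permit" is still cached.
        cached = self.cache.get(dn)
        if cached and cached[1] > now:
            return cached[0]
        decision = "Deny" if dn in self.site_banned else "Permit"
        self.cache[dn] = (decision, now + self.pdp_retention)
        return decision


def first_deny_time(pap_poll, pdp_retention, ban_time, query_times, dn="CN=suspended"):
    """First query time at which the site denies `dn`, or None.
    The NGI list gains `dn` at `ban_time`; `query_times` is when clients ask."""
    ngi = set()
    site = SiteArgus(ngi, pap_poll, pdp_retention)
    for t in sorted(query_times):
        if t >= ban_time:
            ngi.add(dn)
        if site.decide(dn, t) == "Deny":
            return t
    return None


def scenario(pap_poll, pdp_retention):
    """Constructed scenario: ban at t=600s, a Permit cached one second before
    the PAP's next poll, then steady client traffic every ten minutes."""
    queries = [pap_poll - 1] + list(range(pap_poll, 10 * pap_poll, 600))
    return first_deny_time(pap_poll, pdp_retention, ban_time=600, query_times=queries)


if __name__ == "__main__":
    print("defaults (4h/4h):", scenario(4 * 3600, 4 * 3600) / 3600, "hours")  # 8.0 hours
    print("oxford (1h/20min):", scenario(3600, 20 * 60) / 60, "minutes")      # 80.0 minutes
```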