argus-authz / argus-pep-server

Argus PEP Server

new PIPs needed for supporting IOTA CAs #15

Open msalle opened 7 years ago

msalle commented 7 years ago

For supporting IOTA CAs (see http://wiki.eugridpma.org/Main/IOTASecuredInfraAP) Argus must be able to authorize users based on the combination VO + CA or more specifically, on VO + AP. In short, the IOTA-profile CAs are only allowed for VOs that do sufficient identity vetting, such as the WLCG VOs. For expressing this efficiently in Argus policies we need to provide new PIPs to set at least the two new attributes

  1. ca-policy-oid
  2. ca-policy-names

Attribute 1. can be obtained from the certificate, and matched in a PAP policy against the OIDs

However, since not all CAs provide them reliably, we also need attribute 2 which will indicate in which .info files in the /etc/grid-security/certificates directory the subject DN of the end-entity-certificate issuing CA is found. Furthermore, we need to retrieve the issuer DN of only the end-entity certificate. We cannot obtain that from the unsorted multivalued attribute http://dci-sec.org/xacml/attribute/subject-issuer, but can use the single-valued http://authz-interop.org/xacml/subject/subject-x509-issuer attribute. Hence we suggest using the following attributes:

  1. http://authz-interop.org/xacml/subject/ca-policy-oid see https://www.ogf.org/documents/GFD.205.pdf §6.2.3
  2. http://authz-interop.org/xacml/subject/subject-x509-issuer see https://www.ogf.org/documents/GFD.205.pdf §6.1.4
  3. http://authz-interop.org/xacml/subject/ca-policy-names a new attribute, string type, multiplicity 0..N

We suggest implementing two new PIPs, the first of which sets attributes 1 & 2 and the second one using attribute 2 to set attribute 3.

The PAP policy using the information should then for each permit on FQAN or VO also include a match on ca-policy-names. For this reason we suggest adding two new .info files, called

which will include the 'normal' classic, mics, slcs and iota IGTF policy files. This way, these new policy names can be used in the PAP policies instead of having to reference all 3 or 4 policies separately. E.g. for the WLCG VOs one could reference just policy-aspen-birch-cedar-dogwood
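
The lookup described above, as an added stand-alone model (this is not Argus PEP or PIP code): it parses the `subjectdn` field of `.info` files, reports which files list the issuer DN of the end-entity certificate (the proposed `ca-policy-names` attribute), and then makes a VO + policy-name decision in the style of the PAP rule suggested here. The `.info` contents, the CA names and DNs, the `VO_RULES` table and the function names are constructed for the example; only `policy-aspen-birch-cedar-dogwood` and the `policy-igtf-*` names come from the issue and the IGTF distribution.

```python
"""Model of the IOTA-CA lookup proposed in the issue: map the issuer DN of an
end-entity certificate to the names of the .info files (as found in
/etc/grid-security/certificates) whose 'subjectdn' field lists that DN, then
require a matching policy name next to the VO in an access decision.
Stand-alone example, not Argus code; all file contents below are constructed."""
import re
from typing import Dict, List, Set

# Constructed .info files keyed by file name, mimicking the IGTF layout.
# Individual CA files carry one subjectdn; policy-* files carry a
# backslash-continued list of all CAs accredited under that profile.
INFO_FILES: Dict[str, str] = {
    "ExampleClassicCA.info": '''
alias = ExampleClassicCA
subjectdn = "/DC=org/DC=example/CN=Example Classic CA"
status = accredited:classic
''',
    "ExampleIotaCA.info": '''
alias = ExampleIotaCA
subjectdn = "/DC=org/DC=example/CN=Example IOTA CA"
status = accredited:iota
''',
    "policy-igtf-classic.info": '''
alias = policy-igtf-classic
subjectdn = "/DC=org/DC=example/CN=Example Classic CA", \\
            "/DC=org/DC=other/CN=Other Classic CA"
''',
    "policy-igtf-iota.info": '''
alias = policy-igtf-iota
subjectdn = "/DC=org/DC=example/CN=Example IOTA CA"
''',
    # The combined file suggested in the issue: classic + mics + slcs + iota CAs.
    "policy-aspen-birch-cedar-dogwood.info": '''
alias = policy-aspen-birch-cedar-dogwood
subjectdn = "/DC=org/DC=example/CN=Example Classic CA", \\
            "/DC=org/DC=other/CN=Other Classic CA", \\
            "/DC=org/DC=example/CN=Example IOTA CA"
''',
}

_QUOTED = re.compile(r'"([^"]*)"')


def parse_subject_dns(text: str) -> Set[str]:
    """Return the set of DNs listed under 'subjectdn' in one .info file.
    Backslash-newline continuations are joined first, as in the IGTF format.
    Splitting on the first '=' keeps the '=' characters inside the DNs intact."""
    joined = text.replace("\\\n", " ")
    dns: Set[str] = set()
    for line in joined.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "subjectdn":
            dns.update(_QUOTED.findall(value))
    return dns


def ca_policy_names(issuer_dn: str, info_files: Dict[str, str]) -> List[str]:
    """The 'ca-policy-names' step: names (without .info) of every file whose
    subjectdn field contains the end-entity certificate's issuer DN.
    The issuer DN is the single-valued subject-x509-issuer attribute, not the
    multivalued chain-wide subject-issuer attribute."""
    return sorted(name[:-len(".info")] for name, text in info_files.items()
                  if issuer_dn in parse_subject_dns(text))


# Constructed PAP-style rules: VO -> policy names whose CAs it accepts.
# A VO that does its own identity vetting may accept IOTA CAs via the
# combined policy name; a VO that does not must stay on the non-IOTA profiles.
VO_RULES: Dict[str, Set[str]] = {
    "wlcg-vo": {"policy-aspen-birch-cedar-dogwood"},
    "small-vo": {"policy-igtf-classic", "policy-igtf-mics", "policy-igtf-slcs"},
}


def decide(vo: str, issuer_dn: str, info_files: Dict[str, str] = INFO_FILES) -> str:
    """Permit only when the VO's rule lists at least one policy name that the
    issuing CA belongs to; unknown VOs and unknown CAs are denied."""
    names = set(ca_policy_names(issuer_dn, info_files))
    allowed = VO_RULES.get(vo, set())
    return "Permit" if names & allowed else "Deny"


if __name__ == "__main__":
    iota_dn = "/DC=org/DC=example/CN=Example IOTA CA"
    print(ca_policy_names(iota_dn, INFO_FILES))
    print(decide("wlcg-vo", iota_dn), decide("small-vo", iota_dn))
```

The same IOTA-issued certificate yields `Permit` for the vetting VO and `Deny` for the small VO, which is exactly the VO + AP distinction the attributes are meant to express; an issuer DN found in no `.info` file produces an empty `ca-policy-names` and therefore a `Deny`.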

msalle commented 5 years ago

Hi Andrea, this has now long been released, both in UMD4 and http://argus-authz.github.io/repo/stable/el7/RPMS/repoview/. Probably good to update the 1_7 branch (i.e. to merge the iota-ca-support branch) and to make the relevant tags...