Difference: NGI_ITCentralBanning (7 vs. 8)

Revision 8, 2014-01-31 - GiuseppeMisurelli

Line: 1 to 1
 

EGI central banning setup for NGI_IT sites

Line: 10 to 10
  The solution is based on the Argus service, which can enforce ban policies for certificate DNs. A three-level Argus hierarchy (EGI, NGI and site levels) lets the EGI level centrally define a banning policy that is inherited by both the NGI and site levels.
Changed:
<
<
To take into account sites without Argus, the central banning setup considers the two following scenarios
>
>
To take into account sites without Argus, the central banning setup considers the two scenarios Site with Argus, Site without Argus.
 
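Review bot: the rewritten sentence runs the two scenario names into the prose ("considers the two scenarios Site with Argus, Site without Argus.") and loses the list that the old wording "the two following scenarios" introduced; suggest either restoring the list or quoting the names, e.g. "considers two scenarios: "Site with Argus" and "Site without Argus"."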
Line: 19 to 19
 

Enabling site Argus to read NGI Argus policy

In order to download the ban policy from the NGI Argus, you have to ask the NGI to grant read access to your Argus server's DN.

Changed:
<
<
Please submit a ticket to the NGI_IT support unit using the following template
>
>
Please submit a ticket to the Central Support support unit using the following template
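Review bot: "Central Support support unit" in the new line doubles the word "support"; suggest "the Central Support unit" unless "Central Support support unit" is the literal name of the unit in the ticketing system.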
 
Changed:
<
<
Assign To NGI_IT
Subject Enable Argus server for site "SITENAME"
>
>
Assign To Central Support
Subject Enable Argus server for "YOUR_SITE_NAME"
 
Description Please add the following Argus DN: "DN of your Argus server"

Once your Argus has been granted the proper privileges, you can add the NGI_IT Argus as a remote Policy Administration Point (PAP).
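Review bot: placeholder style is now mixed within one template: the Subject line uses YOUR_SITE_NAME while the unchanged Description line still uses the prose placeholder "DN of your Argus server"; suggest a placeholder in the same style (e.g. "YOUR_ARGUS_DN") so submitters can spot both fields to replace. The Subject also dropped "site", so 'Enable Argus server for "YOUR_SITE_NAME"' now reads as if the site name were a server name; "for site YOUR_SITE_NAME" keeps the old meaning.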

Line: 66 to 66
 Sites without an Argus server can download the ban policy file (published at https://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db, the URL used by the cron snippet on this page) and integrate it with their local site policy.

This file contains the list of EGI and/or NGI banned DNs and needs to be stored as the CREAM CE ban file, located at /etc/lcas/ban_users.db.
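The following script is an added example and not the wiki page's own snippet: it refreshes the CREAM CE ban file from the central list the way the page describes (same URL, host certificate and target file), but goes further than the page's cron line in three ways a site operator usually wants: it downloads the list once and keeps it only on HTTP 200, it refuses an empty or non-DN payload (for instance an HTML error page), and it merges the site's own entries with the central ones instead of overwriting them. The DN-per-line format with '#' comments, the site-local file /etc/lcas/ban_users.local and every function name here are assumptions of this example, not something the page states.

```shell
#!/bin/sh
# Added example, not from the NGI_IT wiki page: refresh the CREAM CE ban file
# from the central list without discarding the site's own entries.
# Assumptions (ours, not the page's): ban_users.db holds one banned DN per
# line and '#' starts a comment; site-maintained entries live in
# /etc/lcas/ban_users.local; all function names are ours. The URL, the
# certificate paths and the target file are the ones the page uses.
set -u

BANLIST_URL="https://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db"
BAN_FILE="/etc/lcas/ban_users.db"
SITE_BAN_FILE="/etc/lcas/ban_users.local"   # assumed location of local bans

# Fetch the central list once, with the host certificate as on the page, and
# keep it only on HTTP 200. One download avoids the gap in a status-check
# request followed by a separate content request.
fetch_banlist() {
  url=$1; out=$2
  tmp=$(mktemp) || return 1
  status=$(curl -sL -w '%{http_code}' --connect-timeout 60 \
      --capath /etc/grid-security/certificates/ \
      --cert /etc/grid-security/hostcert.pem \
      --key /etc/grid-security/hostkey.pem \
      "$url" -o "$tmp") || { rm -f "$tmp"; return 1; }
  [ "$status" = "200" ] || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$out"
}

# Print the effective entries of a ban file: comments and blank lines removed.
ban_entries() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Reject a candidate list that is empty or contains a line that is not a DN
# (every DN starts with '/'), so an HTML error page or a truncated download
# never replaces the ban file.
validate_banlist() {
  f=$1
  [ -s "$f" ] || return 1
  ban_entries "$f" | grep -q . || return 1
  if ban_entries "$f" | grep -qv '^/'; then
    return 1
  fi
  return 0
}

# Merge site entries ($1, may be absent) with central entries ($2) into $3:
# site entries first, duplicates dropped, written atomically via rename.
merge_banlist() {
  site=$1; central=$2; out=$3
  tmp=$(mktemp) || return 1
  {
    echo "# generated $(date -u +%Y-%m-%dT%H:%M:%SZ): site entries, then central entries"
    if [ -f "$site" ]; then ban_entries "$site" || :; fi
    ban_entries "$central" || :
  } | awk '!seen[$0]++' > "$tmp" || { rm -f "$tmp"; return 1; }
  chmod 0644 "$tmp" && mv "$tmp" "$out"
}

# Number of banned DNs in a file.
count_banned() {
  ban_entries "$1" | grep -c .
}

# Full refresh: fetch, validate, merge. Leaves the current ban file untouched
# if any step fails.
update_banlist() {
  dl=$(mktemp) || return 1
  if fetch_banlist "$BANLIST_URL" "$dl" && validate_banlist "$dl" \
     && merge_banlist "$SITE_BAN_FILE" "$dl" "$BAN_FILE"; then
    rm -f "$dl"; return 0
  fi
  rm -f "$dl"; return 1
}

# Run only when invoked as "sh update-banlist.sh run", so the functions can
# also be sourced for testing.
if [ "${1:-}" = "run" ]; then update_banlist; fi
```

To schedule it, a /etc/cron.d entry can call the script with the `run` argument (for example once an hour with the same random sleep the page's snippet uses); because the merge writes through a rename, a CE that reads the ban file while the job runs sees either the old or the new complete file, never a half-written one.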

Changed:
<
<
Site can cron the download to have it schedelued in the background. The following snippet can be considered as a proof of concept of the cron:
>
>
Sites can cron the download from their CEs to have it schedelued in the background.

The following snippet is a proof of concept that ignores local site policy previously defined:

 
cat /etc/cron.d/fetch-banlist
Line: 76 to 77
  0 * * * * root (sleep $(($RANDOM\%40+10))) && http_status=$(curl -sL -w '\%{http_code}' --connect-timeout 60 --capath /etc/grid-security/certificates/ --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem https://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db -o /dev/null); [ $http_status -eq 200 ] && (curl -s --connect-timeout 60 --capath /etc/grid-security/certificates/ --cert /etc/grid-security/hostcert.pem --key /etc/grid-security/hostkey.pem https://repo-cnaf.cnaf.infn.it/pub/banlist/ban_users.db -o /etc/lcas/ban_users.db)
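Review bot: the typo "schedelued" (scheduled) survives from the old text into the new one. More importantly, the rewritten text now states in passing that the snippet ignores previously defined local site policy: the cron line writes the downloaded file straight over /etc/lcas/ban_users.db, so any DN a site has banned locally is silently dropped at the next hourly run; suggest the page either tell sites to keep local entries in a separate file that is merged in before writing, or flag this as a known limitation next to the snippet rather than only in the introductory sentence. Minor: the snippet fetches the list twice (once for the status code, once for the content); a single download into a temporary file followed by a move on status 200 avoids a partial or changed second download reaching the ban file.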
Added:
>
>

Ask for support

For support requests, sites can open a ticket using our local ticketing system.

Please assign ticket to Central Support department and subject Central ban for YOUR_SITE_NAME
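Review bot: "our local ticketing system" gives no name or link, and the earlier template on this page presents Assign To and Subject as separate fields while this section puts both in one sentence; suggest linking the ticketing system and reusing the two-field template with the subject quoted ("Central ban for YOUR_SITE_NAME").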

 