gLite 3.2

glite-ARGUS - Update to version 3.2.2-2.sl5


Date 15.04.2010
Priority Normal

Description



glite-ARGUS

New version of glite-ARGUS


This update fixes two security vulnerabilities. Please read the advisories from the GSVG:
Advisory 55971. Advisory 59718.

Documentation

Documentation can be found on the Argus Wiki site: https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework

This site contains instructions on how to install, configure, and administer the system.

Pre-Installation Steps

If you are upgrading from version 1.0.0:

  • Export your existing policies using the command: pap-admin list-policies > policies

Post-Installation Steps

Following installation most deployers should:

  • If your PERMIT policies do not contain an obligation, update them as described here: https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage#The_obligation_stanza
  • If you are upgrading from 1.0.0, import your updated policies using the command: pap-admin add-policies-from-file policies
  • Add some basic policies to the policy administration point by means of the pap-admin policy management commands (described in the wiki).
  • Once policies have been added the PDP should be restarted. This forces the PDP to reload policies from the PAP. Note, you would not do this in a production environment.
  • Finally, use one of the PEP command line tools to issue some test requests.
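
A check to run on the exported policies file before re-importing it, as an added example (not part of the gLite release notes or of Argus): it lists resource/action stanzas that hold a permit rule but no obligation stanza in the action or its enclosing resource. The policy text is a constructed sample, and the parser covers only the subset of the simplified policy language assumed here (resource, action, obligation and rule stanzas).

```python
import re
# Constructed sample shaped like `pap-admin list-policies` output.
SAMPLE = '''
resource "http://example.org/ce1" {
    obligation "http://glite.org/xacml/obligation/local-environment-map" {}
    action ".*" {
        rule permit { vo="dteam" }
    }
}
resource "http://example.org/ce2" {
    action "submit" {
        rule deny { subject="CN=Blocked User,O=Example,C=CH" }
        rule permit { vo="atlas" }
    }
    action "status" {
        obligation "http://glite.org/xacml/obligation/local-environment-map" {}
        rule permit { vo="atlas" }
    }
}
'''

# Stanza openers, rule openers, quoted strings (skipped, so a brace inside a DN is not counted), closers.
TOKEN = re.compile(r'\b(resource|action|obligation)\s+"([^"]*)"\s*\{'
                   r'|\brule\s+(permit|deny)\s*\{|"[^"]*"|\}')

def permits_without_obligation(text):
    """Return (resource, action) pairs holding a permit rule with no obligation
    stanza in the action or in its enclosing resource."""
    stack, findings = [], []
    for m in TOKEN.finditer(text):
        kind, name, effect = m.group(1), m.group(2), m.group(3)
        if kind:                      # resource / action / obligation opens
            if kind == "obligation" and stack:
                stack[-1]["obligation"] = True
            stack.append({"kind": kind, "name": name, "obligation": False,
                          "permit": False, "actions": []})
        elif effect:                  # rule opens
            if effect == "permit" and stack:
                stack[-1]["permit"] = True
            stack.append({"kind": "rule"})
        elif m.group(0) == "}" and stack:
            closed = stack.pop()
            if closed["kind"] == "action" and stack:
                stack[-1]["actions"].append(closed)
            elif closed["kind"] == "resource" and not closed["obligation"]:
                findings += [(closed["name"], a["name"]) for a in closed["actions"]
                             if a["permit"] and not a["obligation"]]
    return findings

print(permits_without_obligation(SAMPLE))
```

Every pair it reports is a PERMIT policy that still needs an obligation stanza before the file is imported again.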

Notes for Release 1.1.0

  • Support for SSL client authentication on all services.
  • The mapping obligation handler now correctly leverages posix syscalls to do mapping.
  • The mapping is now resolved only when an appropriate obligation is defined in the policy that determines the authorization decision.
  • The PDP administrative client now provides a command to force the policy refresh from the PAP.
  • The PEPD administrative client now provides a command to clear the PDP response cache.
  • The PAP, PDP, PEPD shutdown hooks are now protected by a password.
  • pap-admin commands now accept certificate subjects in openssl and rfc2253 format and correctly translate them (to rfc2253 format).
  • Implements the XACML Grid WN Authorization Profile v1.0 https://edms.cern.ch/document/1058175
  • Patch #3767: [ yaim-core ] yaim-core 4.0.12 SL5/x86_64

    New release of yaim core containing a set of bug fixes and new features:

    • Can now configure the GSI callout to call the ARGUS PEP client.
    • Avoid mistakenly removing all the services from gLiteservices file.
    • Fix GLOBUS_TCP_PORT_RANGE setting on the SL5 tarball UI.
    • Correct unset for shell functions in clean-grid-env-funcs.sh
    • Make config_bdii_only return non zero in case of error
    • Fixes for installing the UI tarball on CernVM.
    • Allow general use of the 'nickname' field in the VOMSES settings.
    • Add yaim core RPM dependency on perl
    • Allow use of pool accounts with up to 4 digits
    • Fix grid-env.sh manipulation when running a single yaim function
    • Fix gridmap dir group on WMS
    • Change the CE_INBOUNDIP and CE_OUTBOUNDIP defaults in site-info.def to be valid and imply the correct (upper) case.
    • Call setup-openssl for VDT 1.10.

This update fixes various bugs. For the full list of bugs, please see the list below.

Fixed bugs

Number Description
 #3767 [ yaim-core ] yaim-core 4.0.12 SL5/x86_64
 #59458 [ARGUS] The Argus mapping mechanism should use posix syscalls to resolve user/group mappings
 #59709 [ARGUS] PEPd should allow only cert-chain as Subject attribute
 #59710 [ARGUS] The Argus PEPD should do the mapping only if is requested by an obligation
 #59915 [ARGUS] pap-admin <cmd> --pivot <id> --after params should be replaced by --after id or --before id
 #60041 [ARGUS] Add client-cert authn support to PEPd
 #60042 [ARGUS] allow PAP entity ID to be set
 #60043 [ARGUS] PAP should support openssl and RFC2253 formatted DNs in config files
 #60046 [ARGUS] PDP CLI should have an option to force a policy refresh
 #60088 [ARGUS] Encoded DNs are not lower cases and properly percent-encoded when links are created in the grid map directory
 #60383 [ARGUS] PEPd command line tool should offer option to invalidate the PEPd response cache
 #60433 [ yaim-argus ] configuration should conform YAIM convention
 #60444 [ yaim-argus ] PAP, PDP and PEPd daemons /etc/init.d scripts must check for root user
 #60655 [ARGUS] add client authN to pepcli
 #60671 [ARGUS] pap-admin should not require PAP_HOME
 #61077 [ARGUS] PAP shutdown hook protected by password
 #61079 [ARGUS] PDP and PEPd shutdown hook protected by password
 #61081 [yaim-argus] pepd config changes for release 1.1
 #61128 [yaim-argus] config doc correction and update

Updated rpms

Name Version Full RPM name Description
glite-ARGUS 3.2.2-2.sl5 glite-ARGUS-3.2.2-2.sl5.x86_64.rpm gLite ARGUS metapackage
glite-authz-pap 1.1.1-2 glite-authz-pap-1.1.1-2.noarch.rpm Argus Authorization Service PAP
glite-authz-pdp 1.1.0-3 glite-authz-pdp-1.1.0-3.noarch.rpm Argus Authorization Service PDP
glite-authz-pep-c 1.3.0-4.sl5 glite-authz-pep-c-1.3.0-4.sl5.x86_64.rpm Argus Authorization Service PEP client library for C
glite-authz-pep-c-cli 1.3.0-3.sl5 glite-authz-pep-c-cli-1.3.0-3.sl5.x86_64.rpm Argus Authorization Service PEP-C command line interface
glite-authz-pepd 1.1.1-2 glite-authz-pepd-1.1.1-2.noarch.rpm Argus Authorization Service PEP Daemon
glite-yaim-argus_server 1.1.0-4 glite-yaim-argus_server-1.1.0-4.noarch.rpm YAIM configuration for Argus 1.1
glite-yaim-core 4.0.12-1 glite-yaim-core-4.0.12-1.noarch.rpm YAIM core package

The RPMs can be updated using yum via

Service reconfiguration after update

Service must be reconfigured.

Service restart after update

Service must be restarted.

How to apply the fix

  1. Update the RPMs (see above)
  2. Update configuration (see above)
  3. Restart the service if necessary (see above)