gLite 3.2
glite-ARGUS - Update to version 3.2.2-2.sl5
Date: 15.04.2010
Priority: Normal
Description
glite-ARGUS
New version of glite-ARGUS
This update fixes two security vulnerabilities. Please read the advisories from the GSVG:
Advisory 55971.
Advisory 59718.
Documentation
Documentation can be found on the Argus Wiki site:
https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
This site contains instructions on how to install, configure,
and administer the system.
Pre-Installation Steps
If you are upgrading from version 1.0.0:
- Export your existing policies using the command:
pap-admin list-policies > policies
Post-Installation Steps
Following installation most deployers should:
- If your PERMIT policies do not contain an obligation, update
them as described here:
https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage#The_obligation_stanza
- If you are upgrading from 1.0.0, import your updated policies
using the command: pap-admin add-policies-from-file policies
- Add some basic policies to the policy administration point by
means of the pap-admin policy management commands (described in
the wiki).
- Once policies have been added the PDP should be restarted.
This forces the PDP to reload policies from the PAP. Note, you
would not do this in a production environment.
- Finally, use one of the PEP command line tools to issue some
test requests.
Notes for Release 1.1.0
- Support for SSL client authentication on all services.
- The mapping obligation handler now correctly leverages posix
syscalls to do mapping.
- The mapping is now resolved only when an appropriate
obligation is defined in the policy that determines the
authorization decision.
- The PDP administrative client now provides a command to force
the policy refresh from the PAP.
- The PEPD administrative client now provides a command to
clear the PDP response cache.
- The PAP, PDP, PEPD shutdown hooks are now protected by a
password.
- pap-admin commands now accept certificate subjects in openssl
and rfc2253 format and correctly translate them (to
rfc2253 format).
- Implements the XACML Grid WN Authorization Profile v1.0 https://edms.cern.ch/document/1058175
Patch #3767: [ yaim-core ] yaim-core 4.0.12 SL5/x86_64
New release of yaim core containing a set of bug fixes and new
features:
- Can now configure the GSI callout to call the ARGUS PEP
client.
- Avoid mistakenly removing all the services from gLiteservices
file.
- Fix GLOBUS_TCP_PORT_RANGE setting on the SL5 tarball UI.
- Correct unset for shell functions in
clean-grid-env-funcs.sh
- Make config_bdii_only return non zero in case of error
- Fixes for installing the UI tarball on CernVM.
- Allow general use of the 'nickname' field in the VOMSES
settings.
- Add yaim core RPM dependency on perl
- Allow use of pool accounts with up to 4 digits
- Fix grid-env.sh manipulation when running a single yaim
function
- Fix gridmap dir group on WMS
- Change the CE_INBOUNDIP and CE_OUTBOUNDIP defaults in
site-info.def to be valid and imply the correct (upper)
case.
- Call setup-openssl for VDT 1.10.
This update fixes various bugs. For the full list of bugs, please see the list below.
Fixed bugs
Number | Description
#3767 | [ yaim-core ] yaim-core 4.0.12 SL5/x86_64
#59458 | [ARGUS] The Argus mapping mechanism should use posix syscalls to resolve user/group mappings
#59709 | [ARGUS] PEPd should allow only cert-chain as Subject attribute
#59710 | [ARGUS] The Argus PEPD should do the mapping only if is requested by an obligation
#59915 | [ARGUS] pap-admin <cmd> --pivot <id> --after params should be replaced by --after id or --before id
#60041 | [ARGUS] Add client-cert authn support to PEPd
#60042 | [ARGUS] allow PAP entity ID to be set
#60043 | [ARGUS] PAP should support openssl and RFC2253 formatted DNs in config files
#60046 | [ARGUS] PDP CLI should have an option to force a policy refresh
#60088 | [ARGUS] Encoded DNs are not lower cases and properly percent-encoded when links are created in the grid map directory
#60383 | [ARGUS] PEPd command line tool should offer option to invalidate the PEPd response cache
#60433 | [ yaim-argus ] configuration should conform YAIM convention
#60444 | [ yaim-argus ] PAP, PDP and PEPd daemons /etc/init.d scripts must check for root user
#60655 | [ARGUS] add client authN to pepcli
#60671 | [ARGUS] pap-admin should not require PAP_HOME
#61077 | [ARGUS] PAP shutdown hook protected by password
#61079 | [ARGUS] PDP and PEPd shutdown hook protected by password
#61081 | [yaim-argus] pepd config changes for release 1.1
#61128 | [yaim-argus] config doc correction and update
Updated rpms
The RPMs can be updated using yum via
Service reconfiguration after update
Service must be reconfigured.
Service restart after update
Service must be restarted.
How to apply the fix
- Update the RPMs (see above)
- Update configuration (see above)
- Restart the service if necessary (see above)