Introduction
Liverpool uses an ARGUS server, hepgrid9.ph.liv.ac.uk, for user authentication from the CEs and WNs. A requirement came down from above to implement central banning and this is how we went about it. Most of this came from Ewan's TB_SUPPORT email (title: NGI Argus requests for NGI_UK) and from this description: http://wiki.nikhef.nl/grid/Argus_Global_Banning_Setup_Overview
Central Banning Architecture
The ban policies flow from the central WLCG server through the NGI one and down to the site. This is a feature of ARGUS.
Setup at Liverpool
When we build (or change) our ARGUS server, we use a script (argus.pol.sh) to load our argus policies from a file (argus.pol). The script looks like this now we've added central banning:
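#!/bin/bash
# Load the standard site policies (rap = remove-all-policies, apf = add-policies-from-file)
/usr/bin/pap-admin rap
/usr/bin/pap-admin apf /root/scripts/argus.pol
# Central banning: add the NGI ARGUS server as a remote PAP, enable it,
# and order it ahead of the local "default" PAP
pap-admin add-pap ngi argusngi.gridpp.rl.ac.uk "/C=UK/O=eScience/OU=CLRC/L=RAL/CN=argusngi.gridpp.rl.ac.uk"
pap-admin enable-pap ngi
pap-admin set-paps-order ngi default
# Poll the remote PAP every 3600 seconds
pap-admin set-polling-interval 3600
# Make the PDP reload its policies and clear the PEP daemon's cache
/etc/init.d/argus-pdp reloadpolicy
/etc/init.d/argus-pepd clearcache
touch /root/scripts/done_argus.pol.sh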
The first few lines just load our standard site policies. The last bit flushes some buffers. The middle bit is the part you need.
Basically, it adds policies from the NGI ARGUS server. We've also reduced the polling interval. When you run the script, you'll connect the local ARGUS server to the NGI one and periodically download the remote (central) banning policies.
Note: Ewan thinks the caching delay is too much - it was 4 hours. So we changed /etc/argus/pdp/pdp.ini, setting "retentionInterval = 21", i.e. 21 minutes.
After running the script, it's best to restart the Java daemons.
Testing
It's best to tell Ewan and Orlin about this as they can send tests over. To check if your site "looks" OK, try this:
pap-admin lp --all
And you should see the "remote" policies, e.g.
ngi (argusngi.gridpp.rl.ac.uk:8150):
resource ".*" BLAH BLAH BLAH
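The check above can be scripted so that a cron job or monitoring probe notices when the remote PAP disappears or stops carrying policies. This is an added example, not part of the Liverpool scripts: the function name check_remote_pap, the sample listing and the DN and VO in it are constructed, and the parser assumes each PAP section starts with an unindented "alias (location):" header as in the output shown above.

```shell
#!/bin/bash
# Added example. check_remote_pap ALIAS reads `pap-admin lp --all` output on
# stdin and prints the number of top-level resource blocks under that PAP.
# Exit status: 0 = PAP listed with policies, 1 = listed but empty, 2 = not listed.
check_remote_pap() {
    awk -v want="$1" '
        # PAP section header, e.g. "ngi (argusngi.gridpp.rl.ac.uk:8150):"
        /^[^ \t]+ \(.*\):[ \t]*$/ {
            current = $1
            if (current == want) seen = 1
            next
        }
        # Only unindented "resource" lines open a new policy block
        current == want && /^resource[ \t]/ { n++ }
        END {
            print n + 0
            if (!seen) exit 2
            exit (n > 0 ? 0 : 1)
        }
    '
}

# Constructed sample listing, modelled on the output format shown on this page.
sample_listing() {
    cat <<'EOF'
ngi (argusngi.gridpp.rl.ac.uk:8150):

resource ".*" {
    action ".*" {
        rule deny { subject="CN=Constructed Banned User,O=Example" }
    }
}

default (local):

resource "http://example.org/constructed-site-resource" {
    action ".*" {
        rule permit { vo="constructed.vo" }
    }
}
EOF
}

# On a real server: pap-admin lp --all | check_remote_pap ngi
sample_listing | check_remote_pap ngi
```
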