1
|
|
2
|
- 1. Requirement and Solution
- 2. Authentication and Authorisation Definitions
- 3. Authentication Process
- 4. Authentication Example
- 5. Authentication Session
- 6. More Authentication Session Examples
- 7. Authorisation Types
- 8. Article On Simple Authorisation
- 9. Simple Authorisation in Catalyst
- 10. CPAN Lattice-Based Access Control Example
- 14. Role Based Access Control
- 14.1. Academic Papers
- 14.2. Emerging Standards and Implementations
- 14.3. Existing Security Implementations
- 14.4. Perl Implementations
- 14.5. RBAC Design
- 14.6. RBAC Example
- 15. Further Information
|
3
|
- Controlling user access to applications and the data within them
|
4
|
- Authentication is the validation of a userid that is used by a user or
batch process
- Authorisation is checking that a userid is allowed to perform certain
operations on an object
can <user> "fred" do <operation>
"delete" on <object> "/home/fred/somefile.txt"
of <object_type> "file"
|
5
|
- user/batch process requests access for <userid> using
<credential> from a server
- server validates credential (e.g. password or key challenge certificate)
against userid and returns an <authentication_token> (e.g. a cookie or hash token) which is
linked server side to the userid, typically in a session store
- user/batch process supplies the authentication token along with
subsequent requests to the server
- on receiving a request the server
- validates the authentication token
- checks the linked userid has authorisation to perform the given request
|
6
|
- use Authen::Simple::Passwd;
- my $passwd = Authen::Simple::Passwd
->new(path => '/etc/passwd');
- if ( $passwd->authenticate( $username, $password ) ) {
- # successfull
authentication
- }
|
7
|
- Once authenticated, you'll need a session to persist that, otherwise
you'd need to ask for the userid/password every time
- Using Authen::Simple with Apache gives us an implicit session
|
8
|
- These modules on CPAN give examples of how to authenticate and have that
persisted in an authentication session
- CGI::Application::Plugin::Authentication
- CGI::Application::Plugin::Session
- Catalyst::Manual::Tutorial::Authentication
- Catalyst::Plugin::Authentication
- Catalyst::Plugin::Authorization::Roles
|
9
|
- simple
- authenticated user has full access to system
- auth'd user has roles which each grant full access to a sub-system,
either as a process ('can
register new users') or data ('can amend customer records')
- the role acts effectively as a grouping mechanism
- Lattice-Based Access Control (LBAC)
- users (subjects) mapped to objects (resources, computers, applications)
- Role-Based Access Control (RBAC)
- users have hierarchical roles which have permissions that grant
operations
e.g. user "fred" has role "sysadmin" which
has permission "security_edit" which grants operations
"read" and "write" on security objects
instead user "fred" might have role "root"
which inherits from role "sysadmin" those permissions
- RBAC with Access Control List extension
- users have roles which have permissions with a precedence that grant operations on matched
objects
e.g. user "jo" has role "editor" which has
permission "food_recipes"
which grants operations "read", "write",
"delete" to objects
"of type 'document' with file path matching
'/home/recipes/*'“
- enterprise framework, e.g. PERMIS storing permissions via OpenLDAP
and authenticating against
Windows ADS BBC SSO or Shibboleth
- complex
|
10
|
- The user-role assignment may be inherent in the authorisation system,or
might be read externally, say from an ADS server via LDAP
- The object matching might involve callouts to more sophisticated
checking code plugins that query other systems
- Authorisation is usually applied at application level to check actions
- It can also be applied at database level to filter all access to data
the user is allowedto see, either by a database view or by using a
relational database object wrapper layerto provide an additional safety
net, e.g.
DBIx::Class::Schema::RestrictWithObject
|
11
|
- "Elements of Access Control" at perl.com by Vladi
Belperchinov-Shabanski, Feb 13 2008 http://www.perl.com/pub/a/2008/02/13/elements-of-access-control.html
- Some nice examples of reading users and groups from file or database
- Policy configuration syntax
- Policy parser
- User group storage and mapping
- User group loading
- Policy match function
- Data fences
- I won't go through it now but worth reading on-line
|
12
|
- user <-many--many-> role
- role has meaning in your application code
- Catalyst::Plugin::Authorization::Roles
|
13
|
- WE::Util::Permissions
- Uses a single file of permission rules queried via a Perl interface
- User or group matches rules which link operations to matched objects
- In the terminology of the author, operations are "processes",
objects are "pages“
- Part of a wider web file editing framework
- I wrote a very similar authorisation handler in C for the Open
University many years ago although Perl's obviously much better at
tokenising text files and handling data!
|
14
|
- Based on these tokens
- user list of users
- group list of groups
- process operation like “delete”
- Page file path or regexp or glob
|
15
|
- Use globbing for matching and allow the "admin" group to have
rights for all processes. There is no page restriction, so the rights
are valid for all objects
|
16
|
- The members of the group "news" are allowed to do the
following operations in all objects below
"/News/":"edit", "change-folder",
"new-doc", "rm-doc", "release" and
"publish".A regular expression match is used here (there is no
"! match" directive).
|
17
|
|
18
|
- You have to provide user and group handling ("The semantics of
users, groups, processes and pages are usually defined in another
layer")
- No admin interface to create rules
- "There is currently no way to specify a token with spaces or
slashes.”
- “Diagnostics is poor. Unrecognized tokens won't cause errors or
warnings.”
- No precedence other than rule order (e.g. how do I deny a tree except
for a sub-tree which is allowed).
- No plugin methods matching/precedence caclulation.
- But you could use the ideas and code as a basis for your own
authorisation library.Have a look at the code on CPAN.
|
19
|
- This is an evolving area and it is surprising how recently the
standards for it have been written (2001 on)
- NIST "Role Based Access Control (RBAC) and Role Based Security
- “The NIST Model for Role-Based Access Control: Towards A Unified
Standard”
- Proposed NIST Standard for Role-Based Access Control
- ACM Transactions on Information and System Security, Vol. 4, No. 3,
August 2001 by D.F.Ferraiolo et al.
- "Beyond Roles: A Practical Approach to Enterprise User
Provisioning"
|
20
|
- An evolving area. Surprising how recently the standards for it have
been written (2001 on)
- XACML
http://en.wikipedia.org/wiki/XACML
- "OASIS eXtensible Access Control Markup Language (XACML) TC“
- “Core and hierarchical role based access control (RBAC) profile of XACML
v2.0”
- Sun's XACML Open Source impl. in Java
http://sunxacml.sourceforge.net
- Axis2 web service for Apache Maven
http://xacmllight.sourceforge.net/
C/Java providing SOAP stack
- Still a moving target!
|
21
|
- Windows ADS
- Using an LDAP connector to authenticate users and determine group
memberships and permissions,
such as Perl-LDAP http://ldap.perl.org/
- Requires application-side logic to interpret permissions
- OpenLDAP
- "LDAP for Security, Part I“
http://www.linuxjournal.com/article/6789
- Paranoid Penguin "Authenticate with LDAP, Part III“
http://www.linuxjournal.com/article/6936
|
22
|
- PERMIS Privilege Management Infrastructure
- Enterprise-wide, huge, complex
- http://sec.cs.kent.ac.uk/permis/
- http://www.openpermis.org/download.htm
- PERMIS PMI Architecture "Implementing Role Based Access Controls
Using X.509 Attribute Certificates”
- "RBAC POLICIES IN XML FOR X.509 BASED PRIVILEGE MANAGEMENT"
|
23
|
- Shibboleth
- A standards based, open source software package for web single sign-on
across or within organizational
boundaries that can work with PERMIS http://shibboleth.internet2.edu/
- Distributed Access Control System (DACS)
- http://dacs.dss.ca/faq.html
- Written in C, well-designed, modular
- Provides authentication and authorisation
- Doesn't work on Apache 1, which the BBC uses in production :-(
|
24
|
- "A Role-Based Access Control (RBAC) system for PHP“ by Tony Marston
- http://www.tonymarston.net/php-mysql/role-based-access-control.html
- small, well-designed, good for standalone applications
- "Fine Grained Role Based Access Control (RBAC) system" for PHP
- reasonable database design and PHP code
- POSIX ACL – ACLs from Python
- http://pylibacl.sourceforge.net/
- Linux kernel extension "grsecurity“
- http://www.grsecurity.net/index.php
- Unix-based kernel level RBAC, really aimed at Unix files and users
|
25
|
- I know of no solutions in Perl although there are libraries for Python,
Ruby, Java. In principle you could wrap one of them
- We needed one at the BBC so I wrote one called IFL::Authz and hope to
release it to CPAN
- Based on Ferraiolo et al. "Proposed NIST Standard for Role-Based
Access Control"
- This paper has a Functional Specification of an API written in the Z
formal language which I adapted to Perl. Z is nice match for the
mathematical set theory underlying RBAC though there are some errors in
the paper.
|
26
|
- From Ferraiolo http://csrc.nist.gov/rbac/rbacSTD-ACM.pdf
|
27
|
- When defining an RBAC model, the following conventions are useful:
- S = Subject = A person or automated agent
- R = Role = Job function or title which defines an authority level
- P = Permissions = An approval of a mode of access to a resource
- SE = Session = A mapping involving S, R and/or P
- SA = Subject Assignment
- PA = Permission Assignment
- RH = Partially ordered role Hierarchy. RH can also be written: ≥
- A subject can have multiple roles.
- A role can have multiple subjects.
- A role can have many permissions.
- A permission can be assigned to many roles.
- A constraint places a restrictive rule on the potential inheritance of
permissions from opposing roles, thus it can be used to achieve
appropriate segregation of duties. For example, the same person should
not be allowed to both create a login account for someone, and also be
allowed to authorize the procedure.
- A subject may have multiple simultaneous sessions with different
permissions.
|
28
|
- Subject = user "joe“
- Role = "editor“
- Operation = "publish“
- However, at the BBC we're using it to handle sophisticated
authorisation for a CMS system which requires ACLs, so we need object
matching too
- From the Wikipedia article on RBAC:
- "With the concepts of role hierarchy and constraints, one can
control RBAC to create or simulate lattice-based access control (LBAC).
Thus RBAC can be considered a superset of LBAC.
- I.e. RBAC + ACLs = LBAC
- To do this I extended the concept of permission to include within it a
reference to an object, or matches against objects using regexps, globs
or plugin method
- Object = "/home/recipes/*"
|
29
|
|
30
|
|
31
|
|
32
|
|
33
|
|
34
|
- Summary
- There’s a lot to it, evolving standards
- Choice of library depends on language, platform, whether it’s
enterprise, any special requirements
- Authentication and Authorisation
- At the simplest, use roles
- Then look at a lattice
- More complex may require RBAC
- Links
- Slides at http://miltonkeynes.pm.org
- Sandhu, R., Ferraiolo, D.F. and Kuhn, D.R. (July 2000). "The NIST
Model for Role Based Access Control: Toward a Unified Standard" (PDF). 5th
ACM Workshop Role-Based Access Control: 47-63.
- Thank you. Any Questions?
|