Introducing a Security Access Control Engine Inside Openldap

Introducing a Security Access Control Engine Inside Openldap

Introducing a Security Access Control Engine Inside OpenLDAP The OpenLDAP RBAC Accelerator November 13, 2015 LDAPCon, Edinburgh Session Objective • Convince you that using an LDAP Server as a security Policy Decision Point (PDP) is a good idea. LDAPCon, Edinburgh 2015 2 Introductions Shawn McKinney • Systems Architect http://events.linuxfoundation.org/events/apachecon-core-europe • PMC Apache Directory Project • Engineering Team LDAPCon, Edinburgh 2015 3 Agenda • Idea & Rationale • Specs & Requirements • Implementation • Standardization • Demo Benchmarks IMAGE FROM: HTTP://EVENTS.LINUXFOUNDATION.ORG/EVENTS/APACHECON-NORTH-AMERICA LDAPCon, Edinburgh 2015 4 Hit a Wall with Policy Enforcement Need a Policy Decision Point implementation for every platform. We wanted one of these that runs natively… and had to build a PDP as well. OpenLDAP LM LDAPCon, Edinburgh 2015 5 Started With An Idea • Proposed by Ted Cheng in 2012 • Move the PDP into the LDAP server • Utilize the natural strengths of LDAP protocol Image from: http://www.clker.com/clipart-6937.html • Simpler client-side bindings OpenLDAP LM 6 Rationale Because I haven’t convinced you yet. LDAPCon, Edinburgh 2015 7 But First A quick lesson on how we integrate security systems into applications… LDAPCon, Edinburgh 2015 8 Access Control System Composition 1. Policy Enforcement Point (PEP) 2. Policy Decision Point (PDP) 3. Database (DB) LDAPCon, Edinburgh 2015 9 Policy Enforcement Point • Invoked by the apps for security checks. • TheThe SecuritySecurity System’sSystem’s Gatekeeper.Gatekeeper. • Requires platform specific bindings. • Best to reduce impact to the host machine. LDAPCon, Edinburgh 2015 10 Database • Invoked by PDPs to store security stuff. • TheThe SecuritySecurity System’sSystem’s LongLong--termterm Memory.Memory. • Must be reliable, consistent and fast. LDAPCon, Edinburgh 2015 11 Policy Decision Point • Invoked by PEP and dependent on the DB. • TheThe SecuritySecurity System’sSystem’s Brain.Brain. • Authenticates with passwords and keys. • Authorizes using attributes and permissions. • Audit trail. LDAPCon, Edinburgh 2015 12 Three Composition Types • Type 1 – PDP runs in-process to PEP, with out- of-process DB • Type 2 – PDP runs out-of-process to PEP, with out-of-process DB • Type 3 – PDP runs out-of-process to PEP, with in-process DB LDAPCon, Edinburgh 2015 13 Type 1 Process Communication • PEP and PDP on one tier • DB on another LDAPCon, Edinburgh 2015 14 More on Type 1 Composition • The PEP and PDP run in-process and the DB is out-of- process. • Policy decisions occur synchronously inside the client process. • Combines the PEP and PDP into a single component. • Most open-source security frameworks are this type. – Tomcat JDBC Realm – Apache Fortress – Spring Security – Apache Shiro LDAPCon, Edinburgh 2015 15 Pros/Cons of Type 1 Advantages Disadvantages • Simple – only security • More code exposed to the framework and DB required client (making deployment • Widely available harder) • Works well for single • More load on the client deployments of stand-alone • More memory consumed apps on the client • Many options for database • More network io traffic on usage. the client • Fewer platforms supported LDAPCon, Edinburgh 2015 16 Type 2 Process Communication • All on separate tiers LDAPCon, Edinburgh 2015 17 More on Type 2 Composition • The PEP, PDP and DB all run out-of-process from one another. • More complex than a Type 1 PDP. • Obtained as separate COTS – CA Siteminder, Tivoli Access Manager, Oracle Access Manager • Or OSS products: – OpenAM, Shibboleth, and CAS LDAPCon, Edinburgh 2015 18 Pros/Cons of Type 2 Advantages Disadvantages • Less network traffic on client • More security processes to maintain due to PEP, PDP and DB • Less cpu consumed on client all running separately (increasing • Less memory consumed on management burden) client • Poor response time due to extra network hops • Less code exposed to client • Poor throughput due to PDP (making deployment simpler) reliance on heavyweight • More platforms supported communication protocols xml/json over http. LDAPCon, Edinburgh 2015 19 Type 3 Process Communication • PEP on one tier • PDP and DB on another LDAPCon, Edinburgh 2015 20 More on Type 3 Composition • The PDP and DB run in-process and the PEP is out-of-process. • Not widely available today. LDAPCon, Edinburgh 2015 21 Pros/Cons of Type 3 Advantages Disadvantages • All of Type 2’s • Fewer options for database • Embedded database speed usage gain • Poor throughput due to • Embedded database reliance on heavyweight reliability gain communication protocols xml/json over http. LDAPCon, Edinburgh 2015 22 Benefits of the LDAPv3 Protocol • Compact and efficient wire protocol (fast) • Supports robust replication and high availability requirements (safe) • Rich data model (good) • Relatively easy to code (cheap) LDAPCon, Edinburgh 2015 23 Pros/Cons of Type 3 using LDAP Advantages Disadvantages • All of Type 3’s • Less options for database • Less i/o traffic due to LDAP’s usage BER protocol. • Poor throughput due to reliance on heavyweight communication protocols (xml/json/http) LDAPCon, Edinburgh 2015 24 Specs & Requirements Because you’re still not convinced. Image from: http://www.cockpitseeker.com/aircraft/ LDAPCon, Edinburgh 2015 25 High-Level System Requirements • Security - Access control checking that is platform independent. • Authentication – Had to work with various SSO protocols, i.e. SAML, OpenID Connect • Authorization – Must be standards-based. • Administration – Not needed (covered by Apache Fortress) • Audit - Record of system ops inside persistent data store. • Service-based SLA - Maintain service level agreements for security, performance, and reliability. LDAPCon, Edinburgh 2015 26 Access Control Requirements • Policy Database that can be centralized and federated • Fine-grained permissions • Common functional and object models LDAPCon, Edinburgh 2015 27 Other Key Requirements • Centralized Audit Trail and Reporting API • Password Policy Control • Lockout Procedures based on Time & Date • Session persistence and replication LDAPCon, Edinburgh 2015 28 Audit • System • Principal Identity Compliance • Date Assurance • Resource • Resource Identity • Operation Objectivity • Result LDAPCon, Edinburgh 2015 29 Password Policies 1. A configurable limit on failed authentication attempts. 2. A counter to track the number of failed authentication attempts. 3. A time frame in which the limit of consecutive failed authentication attempts. 4. The action to be taken when the limit is reached. 5. An amount of time the account is locked (if it is to be locked) 6. Password expiration. 7. Expiration warning 8. Grace authentications 9. Password history 10. Password minimum age 11. Password minimum length 12. Password Change after Reset 13. Safe Modification of Password https://tools.ietf.org/html/draft-behera-ldap-password-policy-10 LDAPCon, Edinburgh 2015 30 Temporal Constraints Applies to User and Role • Time of Day activations • Day of Week • Begin and End Date • Lockout Periods 31 Persistent or Transient Session? Each has its own benefits… Transient Persistent 1. Less processing on server 1. Less data to transfer over 2. Less data stored wire 3. More flexibility in terms of 2. Less processing on client attributes managed 3. Supports session timeout and concurrency controls LDAPCon, Edinburgh 2015 32 Non-Functional Requirements • Fault Tolerant Business • Highly Available Requirements • Multitenant • Full Audit Trail User Requirements • Highly Performant System Requirements LDAPCon, Edinburgh 2015 33 Non-Functional Requirements • Optimized for Performance • Low latency – < 1ms • High throughput – > 100,000 TPS http://americandigest.org/sidelines/2010/04/flying_the_blac.html LDAPCon, Edinburgh 2015 34 Specifications LDAPCon, Edinburgh 2015 35 Why Use Functional Specifications? • Saves the trouble (and risk) of deciding ‘what’ to do. • Instead we get to focus on ‘how’ to do it. • Difference between being handed a blank sheet of paper or a coloring book. LDAPCon, Edinburgh 2015 36 Which Functional Specifications • Protocols Must Be Standards-Based: – Role-Based Access Control (RBAC) - ANSI INCITS 359 – Attribute-Based Access Control (ABAC) – Use INCITS 494 Instead? – IETF Password Policies (Draft) – Must cooperate with others like OAuth2, SAML 2.0, OpenID Connect, UMA, etc. LDAPCon, Edinburgh 2015 37 Role-Based Access Control (RBAC) LDAPCon, Edinburgh 2015 38 Role-Based Access Control (RBAC) • RBAC0RBAC0 --– Users,Users, Roles, Roles, Perms, Perms, Sessions Sessions Support this one • RBAC1 – Hierarchical Roles • RBAC2 – Static Separation of Duties (SSD) • RBAC3 – Dynamic Separation of Duties (DSD) ANSI INCITS 359 http://csrc.nist.gov/groups/SNS/rbac/ LDAPCon, Edinburgh 2015 39 ANSI RBAC Functional Model Three standard interfaces: 1. Administrative – CRUD 2. Review – policy interrogation Implement 3. SystemSystem –– policypolicy enforcementenforcement this one LDAPCon, Edinburgh 2015 40 System RBAC Interface public interface AccelMgr { Link to AccelMgr javadoc Session createSession( User user, boolean isTrusted ); List<Permission> sessionPermissions( Session session ); List<UserRole> sessionRoles( Session session ); void addActiveRole( Session session, UserRole role ); Fortress AccelMgr void dropActiveRole( Session session, UserRole role ); User getUser( Session session ); APIs map to the boolean checkAccess( Session session, Permission perm); INCITS 359 specs } http://git-wip-us.apache.org/repos/asf/directory-fortress-core.git Link to INCITS 359 spec

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    73 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us