Security Chapter – Architecture & Focus on Authorization PDP Cyril Dangerville (TS), Chapter Architect, Authorization PDP GE owner 7 July 2016.

Presentation transcript:

Security Chapter’s Architecture Overview

Identity Management - Architecture

Authorization PDP - Architecture

PEP Proxy - Architecture

Authorization PDP Status

Sprint
– Provided FILAB image for R4
  – Scripts for image creation (helping FILAB team to fix some issue with verification script)
– Technical roadmap for R5 (~10 features planned)
– Bug fixing
– Answered 2 tickets in helpdesk
– New security feature (recommended by XACML spec): enabling admins to control/limit the use of Policy References (prevent stack overflow / denial of service):
  – Policy1 -> Policy2 -> Policy3 -> ...

Sprint &
– Finish updating the Academy course
– New security feature: configuration parameter for admins to control/limit the use of Variable References in XACML Policies (prevent stack overflow / denial of service)
  – Variable v1 (expression) -> Variable v2 -> ...
– New feature: policy versioning with support of Version in policy reference:
  – Policy P1 -> Policy P2, v0.1 (latest version used by default)
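Added example, not AuthZForce's own code: a validator for the admin-configured reference limit that the Policy Reference feature of the previous sprint and the Variable Reference feature of this sprint both rely on, since both bound the same kind of reference chain. It assumes a domain's PolicySets are stored as separate XACML 3.0 documents, that the limit is a maximum number of reference hops, and uses constructed sample PolicySets.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

XACML3 = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
REF_TAGS = {f"{{{XACML3}}}PolicySetIdReference", f"{{{XACML3}}}PolicyIdReference"}


class ReferenceLimitError(ValueError):
    """A reference chain is cyclic or deeper than the admin-configured limit."""


def extract_policyset_refs(xml_text: str) -> Dict[str, List[str]]:
    """Map each PolicySet id to the PolicySet/Policy ids it references directly."""
    graph: Dict[str, List[str]] = {}
    for ps in ET.fromstring(xml_text).iter(f"{{{XACML3}}}PolicySet"):
        graph[ps.get("PolicySetId")] = [e.text.strip() for e in ps if e.tag in REF_TAGS]
    return graph


def check_reference_depth(graph: Dict[str, List[str]], start: str, max_depth: int) -> int:
    """Walk the reference graph from `start`, rejecting cycles and chains longer than max_depth.
    The limit is tested before descending, so the validator's own recursion stays bounded
    by max_depth however long the submitted chain is. Returns the longest chain found."""
    def walk(node: str, path: Tuple[str, ...]) -> int:
        chain = " -> ".join(path + (node,))
        if node in path:
            raise ReferenceLimitError(f"cyclic policy reference: {chain}")
        if len(path) > max_depth:
            raise ReferenceLimitError(f"reference chain deeper than {max_depth}: {chain}")
        return max([len(path)] + [walk(c, path + (node,)) for c in graph.get(node, [])])
    return walk(start, ())


def validate_policy_chain(docs: List[str], start: str, max_depth: int) -> Tuple[bool, str]:
    """Load a domain's PolicySets (one XML document each) and apply the depth limit."""
    graph: Dict[str, List[str]] = {}
    for doc in docs:
        graph.update(extract_policyset_refs(doc))
    try:
        return True, f"max depth {check_reference_depth(graph, start, max_depth)}"
    except ReferenceLimitError as exc:
        return False, str(exc)


def policyset(ps_id: str, *ref_ids: str) -> str:
    """Constructed minimal XACML 3.0 PolicySet referencing other PolicySets by id (sample data)."""
    refs = "".join(f"<PolicySetIdReference>{r}</PolicySetIdReference>" for r in ref_ids)
    return (f'<PolicySet xmlns="{XACML3}" PolicySetId="{ps_id}" Version="1.0" PolicyCombiningAlgId='
            f'"urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"><Target/>{refs}</PolicySet>')


# Constructed sample domains: a chain P1 -> P2 -> P3 and a cycle C1 -> C2 -> C1.
SAMPLE_CHAIN = [policyset("P1", "P2"), policyset("P2", "P3"), policyset("P3")]
SAMPLE_CYCLE = [policyset("C1", "C2"), policyset("C2", "C1")]
```

The same walk applies to VariableReference chains once the graph maps each VariableDefinition id to the VariableReference ids inside its expression.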

Sprint
– Admin tool to migrate an existing Authzforce installation to a later version (significant changes in conf and API): decided by Thales to make the life of admins easier and keep up with the new release updates
– New security features:
  – Policy quota: new configuration parameter for admins to control the max number of policies per domain
  – Policy versioning: new config parameter for admins to control the max number of versions per policy

Sprint
– New feature: Extended Indeterminate (type of PDP decision like Permit, Deny and NotApplicable) -> completed full XACML 3.0 Core compliance (mandatory features)
– A few "optional" features remain in the XACML Core spec but are not used so far, e.g. XPath functions

Sprint
– Applied changes to FIWARE developer guidelines:
  – Fixed Docker image according to FIWARE guidelines (automated build, tags)
  – Github badges
  – Github webhook for mirroring to FIWARE repo
  – Readthedocs: FIWARE style
– New feature: API enhancement:
  – FastInfoset support (standard binary XML, optimizing size and parsing/serializing)
– New features: extension mechanisms for:
  – Pluggable XACML datatype
  – Pluggable XACML function
– Demo done for the Sprint Meeting
– FIWARE Hackathon with StartupYard (Prague). Contact: Nikola Rafaj.

Sprint
– Fixed issues reported by Quality Assurance:
  – Doc issues:
    – Missing/wrong links (e.g. Docker, tutorial…)
    – Missing API section in Open Spec wiki
    – Some part of PAP API (attribute providers update) is not documented
    – Instructions for installing Java dependency not valid in some cases
– New features: extension mechanisms:
  – Pluggable XACML policy/rule combining algorithm
  – Pluggable XACML request filter (e.g. used for Multi Decision Profile)

Sprint
– Fixed remaining issues reported by Quality Assurance:
  – Software bugs: Policy still visible in PAP API after deleting last remaining version of the policy
  – Doc issues: Missing information on PAP API - Attribute providers management operation
– New features: extension mechanisms for:
  – Pluggable XACML Result filter (for developers to customize processing of the XACML response)
– Updated documentation on the new features

Sprint
– Perf testing: implemented XACML dataset generator + JMeter config for testing performance of the Authzforce server or any other Authorization PDP GE-compliant implementation
– Joined open source community "OpenAz" around XACML tools and libraries, for potential contributions

Planned for
– Publish Authzforce (GEri) to the official list of XACML implementations on OASIS XACML Technical Committee's homepage
– New Feature: REST Profile of XACML 3.0
– PRIORITY: provide some support to FIWARE QA team for non-functional/performance testing (with the test dataset generator made in Sprint 5.3.3)

Planned for &
– New Feature: Pluggable Data Store, for storing policies, PDP configurations, etc. in custom data stores (currently limited to flat file database)
– Deliverables:
  – D1.7.2.b FIWARE GE Open Specifications: 80% done. TODO: add REST Profile of XACML 3.0 compliance in wiki API spec (sources)
  – D1.7.3.b Software release R5

Current release in Github/Docker/catalogue: TODO after last feature implemented…
– Github: tag new release
– Docker: synchronized with Github (linked from catalogue, Docker Hub)
– Manuals on ReadTheDocs (source): install guide, programmers guide
– FILAB image R5: update install/verif scripts after final release done in Github
– Update course on FIWARE academy
– Catalogue: update version/doc/tutorials/download links

External contributions
– OASIS XACML TC:
  – Contributed tools for XACML (policy conversion)
  – Reported issues in XACML 3.0 core spec
  – Add Authzforce to OASIS XACML TC homepage, section "Available XACML implementations" - PENDING
– OpenAz membership: Apache project (open source community) around XACML tools & libraries
– OW2: only for the PDP core engine, i.e. Java library (≠ FIWARE GEri, i.e. server with RESTful API)