Security Chapter – Architecture & Focus on Authorization PDP
Cyril Dangerville (TS), Chapter Architect, Authorization PDP GE owner
7 July 2016
Security Chapter’s Architecture Overview
Identity Management - Architecture
Authorization PDP - Architecture
PEP Proxy - Architecture
Authorization PDP Status
Sprint
Provided FILAB image for R4
– Scripts for image creation (helping the FILAB team fix an issue with the verification script)
Technical roadmap for R5 (~10 features planned)
Bug fixing
Answered 2 tickets in helpdesk
New security feature (recommended by XACML spec): enabling admins to control/limit the use of Policy References (prevent stack overflow / denial of service):
– Policy1 -> Policy2 -> Policy3 -> ...
Sprint
Finish updating the Academy course
New security feature: configuration parameter for admins to control/limit the use of Variable References in XACML Policies (prevent stack overflow / denial of service)
– Variable v1 (expression) -> Variable v2 -> ...
New feature: policy versioning with support of Version in policy reference:
– Policy P1 -> Policy P2, v0.1 (latest version used by default)
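How the two limits described on this slide and the previous one (max Policy Reference depth, max Variable Reference depth) can be enforced at policy load time, as an added example in Python that is not Authzforce code: a bounded, iterative walk over PolicySetIdReference and VariableReference chains that rejects any chain longer than the admin-configured maximum or that loops back on itself. The reference graphs, ids and function names are constructed for this example.

```python
from typing import Dict, List, Tuple

# Constructed, hypothetical reference graphs (not from any real policy set):
# key = policy or variable id, value = ids that its PolicySetIdReference /
# VariableReference elements point at.
POLICY_REFS = {"root": ["ps-a", "ps-b"], "ps-a": ["ps-c"], "ps-b": [], "ps-c": []}
VARIABLE_REFS = {"v1": ["v2"], "v2": ["v3"], "v3": []}
CYCLIC_REFS = {"p1": ["p2"], "p2": ["p1"]}

class ReferenceDepthExceeded(Exception):
    """A chain is longer than the administrator-configured maximum."""

class ReferenceCycle(Exception):
    """A chain loops back on itself and would never terminate."""

def check_references(refs: Dict[str, List[str]], start: str, max_depth: int) -> int:
    """Walk every chain from `start`; return the longest chain length (references
    followed, so Policy1 -> Policy2 -> Policy3 has length 2).

    Raises ReferenceDepthExceeded as soon as a chain is longer than `max_depth`
    and ReferenceCycle if an id reappears on the current path. The walk is
    iterative: a policy author controls chain length, so chain length must not
    control the evaluator's native stack depth.
    """
    deepest = 0
    stack: List[Tuple[str, List[str]]] = [(start, [])]  # (id, path leading to it)
    while stack:
        pid, path = stack.pop()
        if pid in path:
            raise ReferenceCycle(" -> ".join(path + [pid]))
        if pid not in refs:
            raise KeyError(f"unresolvable reference to {pid!r}")
        if len(path) > max_depth:
            raise ReferenceDepthExceeded(
                f"{' -> '.join(path + [pid])} exceeds max depth {max_depth}")
        deepest = max(deepest, len(path))
        for child in refs[pid]:
            stack.append((child, path + [pid]))
    return deepest

def classify(refs: Dict[str, List[str]], start: str, max_depth: int) -> str:
    """Label a chain for an admin report: 'ok', 'too-deep' or 'cycle'."""
    try:
        check_references(refs, start, max_depth)
        return "ok"
    except ReferenceDepthExceeded:
        return "too-deep"
    except ReferenceCycle:
        return "cycle"
```

The same walk serves both kinds of reference; only the graph and the configured limit differ.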
Sprint
Admin tool to migrate an existing Authzforce installation to a later version (significant changes in conf and API)
– Decided by Thales to make the life of admins easier and keep up with the new release updates
New security features:
– Policy quota: new configuration parameter for admins to control the max number of policies per domain
– Policy versioning: new config parameter for admins to control the max number of versions per policy
Sprint
New feature: Extended Indeterminate (a type of PDP decision, like Permit, Deny and NotApplicable); completes full XACML 3.0 Core compliance (mandatory features)
A few “optional” features remain in the XACML Core spec but are not used so far, e.g. XPath functions
Sprint
Applied changes to FIWARE developer guidelines:
– Fixed Docker image according to FIWARE guidelines (automated build, tags)
– Github badges
– Github webhook for mirroring to FIWARE repo
– Readthedocs: FIWARE style
New feature: API enhancement:
– FastInfoset support (standard binary XML, optimizing size and parsing/serializing)
New features: extension mechanisms for:
– Pluggable XACML datatype
– Pluggable XACML function
Demo done for the Sprint Meeting
FIWARE Hackathon with StartupYard (Prague). Contact: Nikola Rafaj.
Sprint
Fixed issues reported by Quality Assurance:
– Doc issues:
  Missing/wrong links (e.g. Docker, tutorial…)
  Missing API section in Open Spec wiki
  Some part of PAP API (attribute providers update) is not documented
  Instructions for installing Java dependency not valid in some cases
New features: extension mechanisms:
– Pluggable XACML policy/rule combining algorithm
– Pluggable XACML request filter (e.g. used for Multiple Decision Profile)
Sprint
Fixed remaining issues reported by Quality Assurance
– Software bugs: policy still visible in PAP API after deleting the last remaining version of the policy
– Doc issues: missing information on PAP API – attribute providers management operation
New features: extension mechanisms for:
– Pluggable XACML Result filter (for developers to customize processing of the XACML response)
Updated documentation on the new features
Sprint
Perf testing: implemented XACML dataset generator + JMeter config for testing performance of Authzforce server or any other Authorization PDP GE-compliant implementation
Joined open source community “OpenAz” around XACML tools and libraries, for potential contributions
Planned for
Publish Authzforce (GEri) to the official list of XACML implementations on OASIS XACML Technical Committee’s homepage
New Feature: REST Profile of XACML 3.0
PRIORITY: provide some support to FIWARE QA team for non-functional/performance testing (with the test dataset generator made in Sprint 5.3.3)
Planned for
New Feature: Pluggable Data Store, for storing policies, PDP configurations, etc. in custom data stores (currently limited to flat file database)
Deliverables:
– D1.7.2.b FIWARE GE Open Specifications: 80% done – TODO: add REST Profile of XACML 3.0 compliance in wiki API spec (sources)
– D1.7.3.b Software release R5
Current release in Github/Docker/catalogue: TODO after last feature implemented…
– Github: tag new release
– Docker: synchronized with Github (linked from catalogue, Docker Hub)
– Manuals on ReadTheDocs (source): install guide, programmers guide
– FILAB image R5: update install/verif scripts after final release done in Github
– Update course on FIWARE academy
– Catalogue: update version/doc/tutorials/download links
External contributions
OASIS XACML TC:
– Contributed tools for XACML (policy conversion)
– Reported issues in XACML 3.0 core spec
– Add Authzforce to OASIS XACML TC homepage, section “Available XACML implementations” – PENDING
OpenAz membership: Apache project (open source community) around XACML tools & libraries
OW2: only for the PDP core engine, i.e. Java library (≠ FIWARE GEri, i.e. server with RESTful API)