Slide 1: XACML Authorization Training Slides 2014 (© Talend 2014)
Jan Bernhardt, jbernhardt@talend.com
Zsolt Beothy-Elo, zbeothy-elo@talend.com
Slide 2: Agenda
➜ Security Basics
  Access Management
  Role Based Access Control (RBAC)
➜ XACML
  Entities
  Policy Structure
  Request / Response Protocol
  Role Based Access Control (RBAC) Profile
➜ Hands-on
Slide 3: Security Basics
Slide 4: Access Control Definitions
➜ Subject
  Individual or group of individuals
  Human user, technical system user
  Role
➜ Privilege
  Right to perform a specific action on a resource
➜ Action
  Read, write, execute, etc.
➜ Resource
  Information: file, database, etc.
  Process: calculation, transformation, etc.
Slide 5: Access Management
➜ Security Policy Management
  Security Evaluation
    Identification of available resources
    Determination of protection needs
    Identification of possible access channels
  Security Assessment
    Evaluation of correct Security Policy enforcement
➜ Authorization Process
  Installation of adequate authorization solutions
➜ Privilege Management
  Assigning privileges to certain users
Slide 6: Role Based Access Control (RBAC)
➜ ANSI Standard since 2004
➜ Role: Business function within a defined context
➜ All privileges of a user depend on the assigned roles
[Diagram: User, Session, Group, Role, Privilege, Resource, Action; a User holds 0..n Roles, each Privilege joins one Resource with one Action]
Slide 7: XACML
Slide 8: XACML
➜ eXtensible Access Control Markup Language
  Policy Language (XML Schema Definition)
  Policy Evaluation Semantics
  Request / Response Protocol
  Profiles (SAML, RBAC, etc.)
➜ Authorization (OASIS) Standard
  Current Version is 3.0
  Implemented Version is 2.0
➜ Generic / Non-domain specific access control
  Web Services, Network Access, etc.
➜ Fine-grained access control
  Attribute Based Access Control (ABAC)
➜ Several Custom Extension Points
Slide 9: XACML Entities
Slide 10: XACML Entities
[Diagram: Service Consumer, Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Administration Point (PAP), Policy Repository, Service Provider]
Slide 11: XACML Entities
[Diagram, same entities as slide 10: Service Consumer, PEP, Policy Decision Point, Policy Administration Point, Policy Repository, Service Provider]
Slide 12: XACML Policy Set
➜ Policy Set
  Restricted to a defined target
  Policy (Reference) Container
  Supports Distributed Policy Management
➜ Combining Algorithms
  Final result determination
  7 predefined algorithms: Deny overrides, first applicable, etc.
  Custom extension possible
➜ Obligations
  Additional instructions for PEP
[Diagram: PolicySet contains Target, Policy Combining Algorithm, Policy / Policy Reference, PolicySet / PolicySet Reference, Obligations]
Slide 13: XACML Policy
➜ Target
  Subject: Attributes of the Requestor (e.g. User-Role)
  Resource: Resource Identifier (e.g. Service-Name)
  Action: Operation to be performed (e.g. Execute)
  Environment: Additional context information (e.g. Time)
➜ Rule
  Effect if applicable: Allow or Deny
  Additional target restrictions
  Fine grained conditions
    Can include complex functions
    Custom functions possible
[Diagram: Policy contains Target (Subject, Resource, Action, Environment), Rule Combining Algorithm, Rule (Effect, Target, Condition), Obligations]
Slide 14: XACML Policy (example, tags partly elided on the slide)
  <Policy PolicyId="policy-001" RuleCombiningAlgId="...:rule-combining-algorithm:deny-overrides">
    Optional text that explains the purpose of the policy
    admin
    <SubjectAttributeDesignator DataType=".../XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
    ......
Callouts: Rule combining algorithm, Attribute from request, Scope of this policy
Slide 15: XACML Policy Rule (example, tags partly elided on the slide)
    Optional text that explains the purpose of this rule
    {http://services.talend.org/ReservationService}ReservationServiceProvider
    <ResourceAttributeDesignator DataType=".../XMLSchema#string" AttributeId="urn:cxf:apache:org:wsdl:service-id" />
    execute
    <ActionAttributeDesignator DataType=".../XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
Callouts: Rule Effect, Scope of this Rule, Service Name match, Default WS Operation
Slide 16: XACML Request
➜ Subject Attributes
➜ Resource Attributes
➜ Action Attributes
➜ Environment Attributes
[Diagram: Request contains Subject (1..n), Resource (1..n, with Content), Action and Environment, each holding Attribute (0..n); an Attribute has Attribute ID, DataType, Issuer and Value (0..n)]
Slide 17: XACML Request (subject attributes)
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="sts@tesbext.sopera.org">
    CN=alice,O=Talend,L=CGN,ST=NRW,C=DE
  <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" Issuer="sts@tesbext.sopera.org">
    manager
    employee
  .........
Callouts: Default Subject ID, User Roles
Slide 18: XACML Request (resource attributes)
  ...
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    {http://talend.org/greeter}GreeterService#greetMe
  <Attribute AttributeId="urn:cxf:apache:org:wsdl:service-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    {http://talend.org/greeter}GreeterService
  <Attribute AttributeId="urn:cxf:apache:org:wsdl:operation-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    {http://talend.org/greeter}greetMe
  <Attribute AttributeId="urn:cxf:apache:org:wsdl:endpoint" DataType="http://www.w3.org/2001/XMLSchema#string">
    /services/GreeterServiceProvider
  ...
Callouts: Default Resource ID, Additional Resource IDs
Slide 19: XACML Request (action and environment attributes)
  ...
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    execute
  <Attribute AttributeId="urn:...:xacml:1.0:environment:current-dateTime" DataType="http://www.w3.org/2001/XMLSchema#dateTime">
    2014-03-11T15:44:17.870+01:00
Callouts: Default Action ID, Environment Information
Slide 20: XACML Response
➜ Response encapsulates the authorization decision
➜ Decision
  Permit: Access allowed
  Deny: Access denied
  Indeterminate: Internal Server Error
  Not Applicable: No matching policy found
➜ Status
  Additional decision information
  Example: Error message
➜ Obligation
  Instructions for PEP
[Diagram: Response contains Result (1..n) with Decision, Status, Obligations]
Slide 21: XACML Response (examples)
➜ Successful Authorization: Decision Permit
➜ No matching Policy available: Decision NotApplicable
Callouts: Permit, NotApplicable, Evaluation successful
Slide 22: XACML RBAC Profile
➜ Role PolicySet
  Each Role PolicySet references a single corresponding Permission PolicySet
➜ Permission PolicySet
  The actual permissions associated with a given role, plus references to the Permission PolicySets associated with other roles that are junior to the given role
➜ Role Assignment Policy or PolicySet
  Defines which roles can be enabled or assigned to which subjects
➜ HasPrivilegesOfRole Policy
  A Policy in a Permission PolicySet that supports requests asking whether a subject has a certain role; the Role is defined as the Resource
Slide 23: XACML RBAC Profile
[Diagram: Primary Policy = Role PolicySet (e.g. Role Admin), referencing exactly one Privilege PolicySet (e.g. Role Admin Privileges); Secondary Policy = Privilege PolicySet containing 0..n Privilege Policies (e.g. Role Admin Privilege, Service ABC Privilege)]
Slide 24: XACML RBAC Policy
➜ Role Policy (example, tags partly elided on the slide)
  <PolicySet PolicySetId="org.talend.xacml.role.manager" PolicyCombiningAlgId="...:policy-combining-algorithm:permit-overrides">
    manager
    <SubjectAttributeDesignator DataType=".../XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />
    org.talend.xacml.permissions.role.manager
Callouts: Role matching, Reference to Permission Policy
Slide 25: XACML RBAC Policy
➜ Permission Policy (example, tags partly elided on the slide)
  <PolicySet PolicySetId="org.talend.xacml.permissions.role.manager" PolicyCombiningAlgId="...:policy-combining-algorithm:permit-overrides">
    <Policy PolicyId="Permissions:for:demo" RuleCombiningAlgId="...:rule-combining-algorithm:permit-overrides">
      ...
      « Service Name »
      ......
      Execute
      ...
    org.talend.xacml.permissions.role.employee
Callouts: Combination of multiple policy results, Role Hierarchy Permissions, Empty Target
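The policy-set structure of slides 12-13 and the RBAC Role / Permission PolicySets of slides 24-25, evaluated against requests shaped like slides 17-19, as an added Python example that is not Talend's code or any OASIS implementation; attribute ids are shortened and the service names are reused from the slides.

```python
# Mini XACML-style PDP for the structures in slides 12-13, 16-20 and 24-25. Added illustration,
# not Talend's code or an OASIS implementation; attribute ids, service names and requests are constructed.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Two of the seven predefined combining algorithms (slide 12)
def deny_overrides(results):
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE
def permit_overrides(results):
    if PERMIT in results:
        return PERMIT
    return DENY if DENY in results else NOT_APPLICABLE

def target_matches(target, request):
    # target: {attribute-id: required value}; request: {attribute-id: set of values}
    return all(v in request.get(a, set()) for a, v in target.items())

class Rule:
    def __init__(self, effect, target=None):
        self.effect, self.target = effect, target or {}
    def evaluate(self, request):
        return self.effect if target_matches(self.target, request) else NOT_APPLICABLE

class PolicySet:
    # Models <Policy> (children are Rules) and <PolicySet> (children are nested sets
    # or PolicySetId strings resolved through the shared registry, i.e. references).
    def __init__(self, pid, combine, target, children, registry):
        self.combine, self.target, self.children, self.registry = combine, target, children, registry
        registry[pid] = self
    def evaluate(self, request):
        if not target_matches(self.target, request):
            return NOT_APPLICABLE
        nodes = [self.registry[c] if isinstance(c, str) else c for c in self.children]
        return self.combine([n.evaluate(request) for n in nodes])

ROLE, SERVICE, ACTION = "subject:role", "wsdl:service-id", "action:action-id"
REG = {}
# Permission PolicySets (slide 25); the manager set also references the junior employee set
PolicySet("perm.employee", permit_overrides, {},
          [Rule(PERMIT, {SERVICE: "GreeterService", ACTION: "execute"})], REG)
PolicySet("perm.manager", permit_overrides, {},
          [Rule(PERMIT, {SERVICE: "ReservationServiceProvider", ACTION: "execute"}), "perm.employee"], REG)
# Role PolicySets (slide 24): match the role attribute, then delegate to the Permission set
PolicySet("role.employee", permit_overrides, {ROLE: "employee"}, ["perm.employee"], REG)
PolicySet("role.manager", permit_overrides, {ROLE: "manager"}, ["perm.manager"], REG)

def decide(roles, service, action="execute"):
    # Top-level PDP: combine every Role PolicySet with permit-overrides (decisions of slide 20)
    request = {ROLE: set(roles), SERVICE: {service}, ACTION: {action}}
    return permit_overrides([REG[p].evaluate(request) for p in ("role.employee", "role.manager")])
```

A request with no matching Role PolicySet yields NotApplicable rather than Deny, which is why the PEP must treat anything other than Permit as a refusal.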
Slide 26: Big Picture
[Diagram: Service Consumer, 1: Request SAML Token, from the STS; STS, 2: Lookup Claims, in LDAP; Service Consumer, 3: Invoke Service, at the Service Provider (PEP); PEP, 4: Authorization Request, to the PDP; PDP, 5: Lookup Policies, in the Policy Store]
Slide 27: Quiz
➜ Access Management includes…
  Definition of Security Policies, Enforcement of Security Policies, Privilege Management
➜ Privileges should only be assigned to…
  Roles and not individual Users
➜ XACML Requests contain information about…
  Subject, Resource, Action and Environment
Slide 28: Hands-on
Slide 29: Hands-on: CXF PEP
➜ Prepare XACML Policies
  Role Policy, Permission Policy
➜ Setup Security Infrastructure
  STS, XKMS, LDAP
  Install XACML Services
➜ Enable Service Authorization
  Add Policy Assertion
  Update Provider Configuration
  Install Service Provider & Consumer
➜ Perform Tests
  Use Wireshark to monitor network traffic
Slide 30: Hands-on: Big Picture
[Diagram: same flow as slide 26: 1: Request SAML Token (STS), 2: Lookup Claims (LDAP), 3: Invoke Service (Service Provider / PEP), 4: Authorization Request (PDP), 5: Lookup Policies (Policy Store)]
Slide 31: Thank You!