Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kuali IAM and Security Aaron Godert Sr. Software Architect/Engineer Kuali Rice Development Manager Cornell University.

Published byGwenda Dawson Modified over 9 years ago

Similar presentations

Presentation on theme: "Kuali IAM and Security Aaron Godert Sr. Software Architect/Engineer Kuali Rice Development Manager Cornell University."— Presentation transcript:

1 Kuali IAM and Security Aaron Godert Sr. Software Architect/Engineer Kuali Rice Development Manager Cornell University

2 Outline Kuali Overview Kuali Rice Kuali Nervous System (KNS) Kuali Enterprise Workflow (KEW) Kuali Identity Management (KIM) Security technologies Protecting against vulnerabilities

3 Kuali Overview Kuali Foundation Community source projects Administrative applications –Kuali Finance –Kuali Research Administration –Kuali Student –Kuali Endowment The foundation: Kuali Rice

4 The Organization

5 Foundation Partners Boston University Bradley University Colorado State University Cornell University Florida State University Indiana University Marist College Massachusetts Institute of Technology Michigan State University San Joaquin Delta Community College University of Arizona University of British Columbia University of California- President's Office University of California- Berkeley University of California-Davis University of California-Irvine University of California-Santa Barbara University of Hawaii University of Maryland University of Southern California

6 The Level of Contribution Contributing “tendered” developers or money for hiring “tendered” developers –3+ FTEs at 100% –Contributing developers are working under the supervision of the Project Manager –Virtual reporting Subject Matter Experts provide requirements and functional guidance (20% - 80%) –Councils and committees

7 The Scale of Kuali Large scale administrative web applications Millions of LOCs 1000s of business processes and transactions Must support 1000s of simultaneous users

8 Distributed Development Teams The systems are broken down into modules Each module has a team Each team is made up of resources from different institutions –Balanced view on functionality –Changes in institutional commitments won’t jeopardize a whole module Communication is virtual with periodic face-to- faces

9 The Challenge Ensuring consistent development practices around security within a Kuali application and across the suite Consolidating and isolating pieces of the application that deal with IAM and security Make security part of the core –90%/10% –We want 90% of the developers focusing on functionality –We want to eliminate the potential for introducing security vulnerabilities

10 Project Governance: Our Ally for IAM and Security Foundation Board of Directors Each project has its own board of directors Each project has its own functional council (lead SMEs) Each project has its development team and reporting structure Kuali Technical Council - one technical governing body –Sets technical standards and ensures consistent practices –Sets security standards across projects

11 Kuali Technical Council (KTC) Each institution has one voting member Spans all Kuali projects All development teams must follow the technical standards put forth by the KTC Architecture and Development Standards Document –Standards for transport security –Standards for authn –Standards for authz –Standards for encryption protocols –Revisit every six months Consulted with security experts at each institution Accepting contributions from community - Kuali Contributions Guidelines document –Security requirements

12 The Kuali Architecture

13 Kuali Technology Stack Uses all open source software and libraries that are ECL compliant –Java EE - Servlets, JSPs, JSTL, POJOs –Spring Framework –HTML, XML –CAS, Acegi –JUnit –WS-Sec Kuali Rice helps us to employ these technologies consistently across all of the Kuali applications

14 Kuali Rice What is Kuali Rice? Kuali: a humble kitchen wok; Malaysian origins Rice: it is what it is –Sits on the bottom of a dish –Not a very tasty meal by itself –Better with some substance on top KFS - Beef KRA - Chicken KS - Seafood Rice is the foundation to a hearty software product

15 The Goals of Rice The board vision for Kuali is a plug and play module by module approach to software Kuali started as financials, but has evolved into a suite of administrative software (KFS, KRA, KS) A lot of functionality in Kuali systems –Keeping the Kuali code base as small as possible without impacting quality is key Highly productive development environment –For Kuali projects –For non-Kuali projects

16 Rice Goals Continued A common and consistent architecture –Allow developers to understand other rice enabled projects –Infrastructure would not need to be reinvented on each project - focus on functionality! –Rice team can focus on IT standards, like SOA, that will benefit the entire Kuali software suite –Adoption of other Kuali modules feasible Generic enough for non-Kuali applications Consistent security practices

17 Rice Modules KEWKuali Enterprise Workflow KNSKuali Nervous System KSBKuali Service Bus KENKuali Enterprise Notification KIM Kuali Identity Management KOM Kuali Organization Management

18 Rice and Security Security aspects are isolated to reusable pieces within Rice An application development framework called the Kuali Nervous System (KNS) - AuthZ, ACL, automatic integration with the modules below KIM will provide a set of fully functional user interfaces for managing Identity and Access Management –Consistent service API for IdM throughout applications Workflow (KEW) provides audit features as well as approval policies

19 KNS Overview Provides reusable code, shared services, integration layer, and a development strategy Provides a common look and feel through screen drawing framework A document (business process) centric model with workflow as a core concept

20 Understanding the KNS Paradigm ENTITY_T Entity (POJO) ORM Mappin g Data Dictionary Lookups and Inquiries Maintenance Documents Transactional Documents Workflow (KEW)

21 KNS Security Driven off of the Data Dictionary feature Provides plug-points for authorization checking –Implementers can write their own authorization code in Java –Configure to use that code in XML within the Data Dictionary Provides XML based ACL configuration for initiation of documents Provides XML based field-level security configuration

22 KNS Security - Module Level Kuali breaks down functionality into modules –Modules organize documents (business processes) –Examples: KFS GL documents, KFS Chart, etc Each module has a “ModuleAuthorizer” interface to abide by –Contains certain core permissions checking methods canInitiate, canLookup, canInquire –Each module implements an instance of this Java interface –Policies there get applied to all functionality in the module –Security formula looks at one’s roles in the context of the system (KIM)

23 KNS Security - Document Level Documents roughly correlate to business processes Document security has a formula: –Your role in the context of the document (initiator, approver, etc) –Your roles in the context of the system (KIM) –The state of the document Each document has a “Document Authorizer” for applying this formula –Many documents follow a similar authorization pattern and can leverage inheritance of a parent “Document Authorizer” which implements the interface –Typically, documents override specific permission checking methods and inherit the rest ACL or “Initiation” checks are configured based on group membership (KIM) and declared in Data Dictionary files

24 Document Authorizer Sample

25 Wiring up Document Security org.kuali.module.financial. document.CashManagementDocument org.kuali.module.financial. rules.CashManagementDocumentRule org.kuali.module.financial.document. authorization.CashManagementDocumentAuthorizer

26 Wiring up Document Security Contd. … groupA groupB …

27 KNS Security - Field Level Read-only fields Hidden fields Masked fields - for displaying sensitive data (or not) Encrypted fields - for storing sensitive data Multiple levels of validation –Protection against XSS Primarily driven from the Data Dictionary files for a given entity

28 KNS Field Level Authorization … groupA …

29 KNS Field Validation … 9 false …

30 KNS Persistence of Data We use an object-relational-mapper –Apache OJB; moving to JPA/Hibernate –Adds a layer of abstraction which handles proper data escaping automatically –Guards against SQL injection (OWASP recommends an ORM) –Allows the framework to handle the encryption protocol for storing data (not the developer)

31 KNS Encryption Service We have one service in our stack <bean id="encryptionService" class="org.kuali.core.service.impl.DemoGradeEncryptionSvcImpl" /> Uses DES out of the box We document this and state a warning to stdout saying this is “insufficient” for production and that implementers should use AES

32 KNS ORM and Encryption Uses a built in conversion class which calls the encryption service to –Encrypt on storing data –Decrypt on retrieving data <class-descriptor class="org.kuali.module.financial.bo.Payee” table="FP_DV_PAYEE_T">... <field-descriptor name="taxIdNumber" column="DV_TAX_ID_NBR" jdbc-type="VARCHAR" index="true" conversion="org.kuali.core.util.OjbKualiEncryptDecryptFieldConversion" />...

33 Kuali Enterprise Workflow (KEW) Facilitates routing and approval of business processes throughout an organization Provides re-usable routing rules across business processes –Binds business data to approvers (Persons and Groups) Provides hooks for client applications to handle workflow lifecycle events of business processes End users interact with central workflow GUIs for all client applications

34 Workflow Approvals as Security Sometimes functionality requires delegation of management Workflow fits perfectly with this - it allows loosened restrictions on initiation (no ACL) But requires approval for change to take effect Almost all data changes in Kuali applications require approval

35 Workflow Approvals Diagram

36 Audit Capability KEW provides a “route log” feature Every business process transaction has this route log which is an audit trail This feature is built into KEW and automatically happens

37 Action List

38 Route Log

39 Security of Integration with KEW Client applications can integrate with KEW in a couple ways: –Java API - in the same JVM –Through web services - remotely SSL Digital signatures –Over the KSB using it’s security mechanisms

40 Kuali Service Bus (KSB) 1.Enables applications and Spring beans (i.e. services) registered on the bus to interact with other applications and services 2.Provide (a)synchronous communication 3.Provide flexible security 4.Provide Quality of Service (QoS) 5.Keep it simple (light weight)

41 KSB Security Bus level: option to digitally sign, encrypt Service level security through Acegi –Service level, method level –User proxying through standard security models (i.e. CAS, Kerberos) –Security context passed along (user, authn token, roles) –Services can call authn/authz authority to validate context

42 KSB Security Diagram

43 Kuali Identity Management (KIM) Currently being built Goals: –Satisfy requirements of all Kuali applications –Consistent service APIs for all applications to use in their “Authorizers” Java web services –Consolidated management of IdM data backed by workflow, built using the KNS –Pluggable service layer - support pluggin in other products (Shibboleth, CAS, Grouper, LDAP, etc)

44 KIM Model Namespaces - scoping for applications –Examples: KFS, KRA, Common, etc Entity - person, service, system, etc –Entity Types allow for arbitrarily defining these –Entity Attributes - meta-data about a person Service backing this will allow LDAP integration Scoped to Namespace; can define defaults for a Namespace Principal - An entity needs at least one to authenticate –Multiple principals per Entity instance Group - simply groups entities or other groups –Can have arbitrary meta-data attributes

45 KIM Model Contd. Permissions –Actions in an application; scoped to namespace –Can be arbitrarily defined at runtime - canSave, canView, etc Roles –Aggregate permissions; can be across a Namespace Role “Student Concierge” has permissions in KRA, KS, etc Can be qualified: –“Student Concierge” for group “All Freshmen” –“Student Concierge” for student “Alice I. Wonderland” –Roles are given to Entities and Groups (applies authz)

46 KIM Services

47 Safeguarding Against Vulnerabilities XSS –Multiple layers of heavy automated validation –Runtime requirement - it must be in place –Stance on Javascript SQL injection –ORM does escaping –No direct interface to JDBC from the request object Leverage well-known products with communities (Acegi, JA-SIG CAS, etc) Periodic code scans A watchful eye on OWASP

48 Questions? KNS Documentation: –https://test.kuali.org/confluence/display/KULDOC/Kuali+Nervous+Systemhttps://test.kuali.org/confluence/display/KULDOC/Kuali+Nervous+System

Download ppt "Kuali IAM and Security Aaron Godert Sr. Software Architect/Engineer Kuali Rice Development Manager Cornell University."

Similar presentations

Kuali Rice Bootcamp: Hands-On Exercises Colorado State University, January 22 - 26, 2008 Aaron Godert - Cornell University Rice Development Manager.

Kuali Rice Bootcamp: Hands-On Exercises Colorado State University, January , 2008 Aaron Godert - Cornell University Rice Development Manager.
CASE STUDIES Indiana University University of California, Davis University of Maryland San Joaquin Delta College University of Arizona University of Washington.

CASE STUDIES Indiana University University of California, Davis University of Maryland San Joaquin Delta College University of Arizona University of Washington.
Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, 2010 8:30 am.

Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, :30 am.
Evolution of the Kuali Rice Project Charter, Governance and Roadmap.

Evolution of the Kuali Rice Project Charter, Governance and Roadmap.
Kuali Technology Mark Norton – Nolaria Consulting Zachary Naiman – Member Liaison, Kuali Foundation.

Kuali Technology Mark Norton – Nolaria Consulting Zachary Naiman – Member Liaison, Kuali Foundation.
Introduction to Kuali Rice ITANA Screen2Screen: Kuali on Campus May 2009 Eric Westfall – Kuali Rice Project Manager.

Introduction to Kuali Rice ITANA Screen2Screen: Kuali on Campus May 2009 Eric Westfall – Kuali Rice Project Manager.
Spring, Hibernate and Web Services 13 th September 2014.

Spring, Hibernate and Web Services 13 th September 2014.
Kuali Rice at Indiana University Important Workflow Concepts Leveraged in Production Environments July 29-30, 2008 Eric Westfall.

Kuali Rice at Indiana University Important Workflow Concepts Leveraged in Production Environments July 29-30, 2008 Eric Westfall.
Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.

Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.
Kuali IAM and Security Aaron Godert Sr. Software Architect/Engineer Kuali Rice Development Manager Cornell University.

Kuali IAM and Security Aaron Godert Sr. Software Architect/Engineer Kuali Rice Development Manager Cornell University.
Evolution of the Kuali Rice Project Charter, Governance and Roadmap

Evolution of the Kuali Rice Project Charter, Governance and Roadmap
Pragmatic Application Building: Step by Step Jay Sissom Principal Systems Analyst Indiana University

Pragmatic Application Building: Step by Step Jay Sissom Principal Systems Analyst Indiana University
© 2004, The Trustees of Indiana University 1 OneStart Workflow Basics Brian McGough, Manager, Systems Integration, UITS Ryan Kirkendall, Lead Developer.

© 2004, The Trustees of Indiana University 1 OneStart Workflow Basics Brian McGough, Manager, Systems Integration, UITS Ryan Kirkendall, Lead Developer.
Kuali Student Architecture Overview February 2011

Kuali Student Architecture Overview February 2011
Open source administration software for education software development simplified KRAD Kuali Application Development Framework.

Open source administration software for education software development simplified KRAD Kuali Application Development Framework.
Kuali Foundation Open Board Meeting – Kuali Days VII November 19, 2008, 1:00-2:00pm PT.

Kuali Foundation Open Board Meeting – Kuali Days VII November 19, 2008, 1:00-2:00pm PT.
Introduction to Kuali Rice Presented at Internet2 April 2009 Eric Westfall – Kuali Rice Project Manager Bill Yock – Vice Chair, Kuali Rice Board of Directors.

Introduction to Kuali Rice Presented at Internet2 April 2009 Eric Westfall – Kuali Rice Project Manager Bill Yock – Vice Chair, Kuali Rice Board of Directors.
Technical Overview of Kuali Rice UC Davis, Information & Educational Technology January 2009.

Technical Overview of Kuali Rice UC Davis, Information & Educational Technology January 2009.
James Smith, University of Arizona Barbara Sutton, Cornell University

James Smith, University of Arizona Barbara Sutton, Cornell University
Architecting and Building KRA using Kuali Rice Terry Durkin, KRA DM/Lead Developer (Indiana University) Bryan Hutchinson, KRA DM/Lead Developer (Cornell)

Architecting and Building KRA using Kuali Rice Terry Durkin, KRA DM/Lead Developer (Indiana University) Bryan Hutchinson, KRA DM/Lead Developer (Cornell)

Similar presentations

Ads by Google