Download presentation
Presentation is loading. Please wait.
1
Privilege Management and Spocp Presentation at Advance CAMP Authority Architecture – Broomfield, Colorado July 2, 2004 by Roland Hedberg
2
What's SPOCP ● Attribute based 'real-time' authorization server ● Simple query based protocol ● Made to use external information resources ● Uses S-expressions to express policies and requests for permissions. Built around the '<=' operation. ● Returns Yes/No and, if configured so, additional information together with a Yes
3
Place in the chain SQL PROGRAM SPOCP LDAP SPOCPApplication User
4
Where are we right now ? ● Latest version 2.1.4 ● Getting real-time usage experience ● Working on the administrative interface ● Spocpfied applications: Postfix, uPortal, OpenLDAP ● Access modules: Apache, PAM ● Local applications: NyA, LpW,.... ● Non-AuthZ usages: information access, certificate verification, route daemon ● Client libs: C, Java, Python, Perl
5
Heads-up ● Message based 'meta directory tool' – We are building a 'meta directory tool' based on XMPP as message passing system – RDF as format for update information – Spocp as message policy server ● SSH – Implement SPOPC support in auth.c:allowed_user. Investigate generalization of the authorized_keys file possibly in conjunction with a generalized.k5login mechanism in Heimdal. ● Heimdal – SPOCP-support in kadmind through general authorization plugin mechanism. SPOCP-support in the kdc (general ticket policy). Look at generalizing the.k5login file.
6
Administrative interface ● What about it ?
7
Baseline ● Privilege management system interface based on 'roles' – A role is a convenient 'handle' for a set of attribute-values. – Easier to understand and relate to ● 'Roles' are assigned/constructed by administrators, their names (if they have any) are only valid in the context of the privilege management system. ● Access control system based on attribute values and constraints.
8
In Spocp terms ● Role ~= Boundary condition expression – Logical operators 'AND', 'OR' and 'NOT' – Boundary condition = relationship between objects or a constraint ● adm-group := "localgroup:{//uid[1]}:adm:${0}" ● rbl := "rbl:{//ip[1]}:blackholes.mail-abuse.org:${0}" – Link to external information resources ● Access right = S-expression Policy = S-expression [ bcondexp ]
![In Spocp terms ● Role ~= Boundary condition expression – Logical operators AND , OR and NOT – Boundary condition = relationship between objects or a constraint ● adm-group := localgroup:{//uid[1]}:adm:${0} ● rbl := rbl:{//ip[1]}:blackholes.mail-abuse.org:${0} – Link to external information resources ● Access right = S-expression Policy = S-expression [ bcondexp ]](http://images.slideplayer.com/15/4635099/slides/slide_8.jpg "In Spocp terms ● Role ~= Boundary condition expression – Logical operators AND , OR and NOT – Boundary condition = relationship between objects or a constraint ● adm-group := localgroup:{//uid[1]}:adm:${0} ● rbl := rbl:{//ip[1]}:blackholes.mail-abuse.org:${0} – Link to external information resources ● Access right = S-expression Policy = S-expression [ bcondexp ]")
9
The way we plan to do it (the default, there are exceptions) ● Distributed authentication (CWAA) – A framework for authentication between organizations. It is designed to be independent of the authentication system used within a organization – Uses the CMS (Cryptographic Message syntax) protocol – The Authentication server returns a ticket that contains a ID representing the authenticated party – Web apps only ● Distributed authorization (Spocp) – Authorization servers based on affiliation/context – Uses the ID provided by the authN service – Common central Applications publishes the format of the queries they will pose
10
Plugin examples ● System ● Time ● Spocp ● Ipnum ● Gdbm ● LDAPset ● Flatfile ● Difftime ● Localgroup ● RBL ● Regexp ● SQL
11
Example (“ladok på webb”) ● LADOK is a central student administration system – Information about courses – Information about student – Local information ● LpW is a set of modules that universities can use in their student portals
12
LpW -> Spocp queries Query format: (lpw (action )(obj )(subj )) function = “Adresslista”, “Register”, “Uppfolj”,... object = course-ID ID = requestor-ID --------------------------------------------------------------------- Local rule: (lpw (action Adresslista)) => (ref lpw-user) “lpw-user” is a locally defined 'role' base on whatever
13
Example of 'role' definition lpw-user := ldapset: {/lpw/subject/uid[1]} : tonwig1.adm.umu.se ; cn=ladokuser,cn=group,dc=umu,dc=se ; cn=person,dc=umu,dc=se ; \0/uniqueMember & {\1$uid & ${0}}
![Example of role definition lpw-user := ldapset: {/lpw/subject/uid[1]} : tonwig1.adm.umu.se ; cn=ladokuser,cn=group,dc=umu,dc=se ; cn=person,dc=umu,dc=se ; \0/uniqueMember & {\1$uid & ${0}}](http://images.slideplayer.com/15/4635099/slides/slide_13.jpg "Example of role definition lpw-user := ldapset: {/lpw/subject/uid[1]} : tonwig1.adm.umu.se ; cn=ladokuser,cn=group,dc=umu,dc=se ; cn=person,dc=umu,dc=se ; \0/uniqueMember & {\1$uid & ${0}}")
14
Privilege Management and Spocp – Set of UI's ● The end user UI should use roles/groups ● In our case roles/groups will be translated into boundary conditions and/or parts of S- expressions ● The type of permissions are application dependent (functions). ● The owners of the resource defines the delegation order.
15
Our relation to Signet 1.“Privilege Management Recipe” - YES! 2.Privilege Management Toolkit – YES! 3.Internet2 Middleware integration – ? 4.Multi-organizational scenarios - ? 5.Support Group-based PM – YES! 6.Role and PI as EduPerson attributes - ?
Similar presentations
