JISC Middleware Security Workshop 20/10/05 © 2005 University of Kent. 1
Jan 04, 2016

The PERMIS Authorisation Infrastructure
David Chadwick
What is PERMIS?
• It is an authorisation infrastructure that takes care of all aspects of authorisation
– Setting authorisation policies for computer resources i.e. specifying who is allowed to do what to which resources
– Allocating credentials to users (as attributes or roles e.g. professor, RA, PhD student etc.)
– Supports Distributed Credential Management (many trusted people can be empowered to allocate credentials to users)
– Supports Dynamic Delegation of Authority i.e. allowing a user with a specific credential to give it to someone else as and when he wants to (without reference to a higher authority) if the Delegation Policy allows it
– Makes access control decisions i.e. does the policy allow this user to do what he is asking to do?
– Supports Hierarchical Role Based Access Controls, where superior roles automatically inherit the privileges of subordinate roles
• Very secure, since policies and credentials are digitally signed
PERMIS Authorisation System
[Figure: PERMIS Authorisation System. Components shown: Initiator, Target, Application PEP, Authentication Service, LDAP Directories, PKI, PDP (behind the PERMIS Java API), STS, and a SAML Wrapper speaking the GGF OGSA SAML Authz protocol. Flows: the initiator submits an access request, the PEP presents it to the PDP as a decision request/response; the PDP retrieves the policy and role ACs from LDAP (pull), or user credentials are obtained from the STS via a get-creds request/response and pushed to the PDP (push).]
Creating Authorisation Policies
• Policies are specified in XML so that they can be understood by the PERMIS PDP (Policy Decision Point)
• Policies are digitally signed by their creator so that they cannot be tampered with, and so that the PDP knows it has a genuine policy
• Use the Policy Editor tool, a GUI that allows you to create simple PERMIS policies easily
– Hides XML from creator
– Displays policy in natural language
– Signs and stores policy in creator’s LDAP entry
Policy Editor
A Simple Policy
• All staff in the department can write files to laser printer x; Jim the administrator can write files, delete any files from the print queue, pause the printing, and resume the printing at laser printer x. No-one else is allowed access to the printer.
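To make the simple policy above concrete, here is an added example (not PERMIS code and not from the original slides) of a small Python PDP that evaluates it with hierarchical roles and with the delegation-of-authority rule from the "What is PERMIS?" slide. The role hierarchy (administrator above staff), the delegation policy (only staff may be delegated), the attribute certificate shape and the sample credentials are all constructed assumptions for the illustration; real PERMIS credentials are digitally signed X.509 ACs, and signature checking is left out here.

```python
from dataclasses import dataclass

# Hierarchical RBAC per the deck: a superior role inherits its subordinates' privileges.
ROLE_HIERARCHY = {"administrator": {"staff"}}  # assumed: administrator > staff
# The deck's "simple policy" as a role -> {(target, action)} table (constructed).
POLICY = {
    "staff": {("laser-printer-x", "write")},
    "administrator": {("laser-printer-x", "delete"), ("laser-printer-x", "pause"),
                      ("laser-printer-x", "resume")},  # "write" is inherited from staff
}
DELEGABLE = frozenset({"staff"})  # assumed delegation policy: only staff is delegable
SOA = "SOA"  # the Source of Authority that issues root credentials

@dataclass(frozen=True)
class AttributeCertificate:
    holder: str
    role: str
    issuer: str  # SOA, or the holder of another AC who delegated this one

def effective_roles(role):
    """The role itself plus every subordinate role it inherits from."""
    roles = {role}
    for sub in ROLE_HIERARCHY.get(role, ()):
        roles |= effective_roles(sub)
    return roles

def validate(acs):
    """Trust an AC if the SOA issued it, or its issuer validly holds the same delegable role."""
    valid = set()
    while True:
        newly = {ac for ac in acs if ac not in valid and (ac.issuer == SOA or (
            ac.role in DELEGABLE and any(
                v.holder == ac.issuer and v.role == ac.role for v in valid)))}
        if not newly:
            return valid
        valid |= newly

def decide(user, target, action, acs):
    """PDP decision: does the policy let this user do this action on this target?"""
    return any(ac.holder == user and (target, action) in POLICY.get(r, ())
               for ac in validate(acs) for r in effective_roles(ac.role))

# Constructed sample credentials: Alice delegates staff to Bob (allowed); Mallory's
# "administrator" AC is issued by Alice, who neither is the SOA nor holds that role.
SAMPLE_ACS = [
    AttributeCertificate("jim", "administrator", SOA),
    AttributeCertificate("alice", "staff", SOA),
    AttributeCertificate("bob", "staff", "alice"),
    AttributeCertificate("mallory", "administrator", "alice"),
]
```

Jim gets "write" through inheritance from staff without it being listed under administrator, Bob's delegated staff credential is honoured, and Mallory's self-asserted administrator credential is rejected because administrator is not delegable and Alice never held it.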
Allocating Credentials to Users
• Credentials are stored as digitally signed attribute certificates (ACs) in LDAP directories
– So that the PERMIS PDP knows they are genuine
– Allows distributed management. Different managers at different sites can allocate different credentials to the same or different users. Think of Plastic Cards!
• Three tools provided to do this
• Bulk loader
– script to search LDAP, find entries, add ACs to them
• Attribute Certificate Manager
– Graphical Interface for creating ACs and storing in LDAP
• Delegation Issuing Service
– Web service for issuing ACs
Distributed Management of Credentials
[Figure: Distributed Management of Credentials. The Boss (Source of Authority) and Trusted Site Managers store attribute certificates in several LDAP directories; the Application Gateway's ADF (the PERMIS API implementation behind the PERMIS PMI API) reads the policy and the ACs from LDAP in pull mode, or receives them in push mode.]
What Applications are Supported “out of the box”
• Any Globus Toolkit v3.3 and v4 application (configured authorisation service)
• Any Shibboleth enabled application or portal (commands to plug into httpd.conf)
• Any Apache web site (commands to plug into httpd.conf)
• For other applications you need to write the PEP and call PERMIS via its Java API
Futures
• More sophisticated RBAC features such as Separation of Duties (DyCOM project)
• Dynamic Recognition of Authority
• Secure Audit Web Service
• Simple SAM
– PERMIS for Shibboleth sites that don’t want strong cryptographic protection of their policies
Dynamic Delegation of Authority
Additional Info
Delegating Credentials in X.509 (2001)
[Figure: the SOA (Bill) issues an AC to an AA (Alice), who in turn issues an AC to an End Entity (Bob); each AC points to its issuer and to its holder.]
The X.509 (2005) Delegation Service
[Figure: as before, the SOA (Bill) issues an AC to the AA (Alice), and Bob is the End Entity; but now a Delegation Issuing Service (DIS), governed by a Delegation Policy, issues the AC to Bob on Alice's behalf. Such an AC points to its issuer, to its holder, and to whom it was issued on behalf of.]
Delegation Issuing web Service
[Figure: a DIS client authenticates (SSL) and submits an Issue AC request (holder, attributes, validity time) through the web service interface to the DIS PEP; the PEP asks the PERMIS RBAC PDP for an authorisation decision against the Delegation Issuing Policy, with the issuer's AC checked by the Credential Validation Service; the DIS then signs the AC and publishes it to the credential LDAP server.]
Demonstration - Browser Access to DIS
[Figure: a web browser reaches the DIS web service interface through Apache, which authenticates the user (e.g. SSL or username/password); the DIS applies the Delegation Issuing Policy and stores issued ACs in LDAP.]
Demonstration - Apache with PERMIS RBAC Authorisation
[Figure: a user request for a PERMIS protected resource passes Apache authentication on the Apache server; mod_permis then calls the PDP through a JNI connector and the PERMIS API; the Credential Validation Service (CVS) pulls the user's ACs from the LDAP directory and the PDP evaluates them against the authorisation policy.]