JISC Middleware Security Workshop 20/10/05 © 2005 University of Kent

The PERMIS Authorisation Infrastructure

David Chadwick

D.W.Chadwick@kent.ac.uk

What is PERMIS?

• It is an authorisation infrastructure that takes care of all aspects of authorisation
  – Setting authorisation policies for computer resources, i.e. specifying who is allowed to do what to which resources
  – Allocating credentials to users (as attributes or roles, e.g. professor, RA, PhD student etc.)
  – Supports Distributed Credential Management (many trusted people can be empowered to allocate credentials to users)
  – Supports Dynamic Delegation of Authority, i.e. allowing a user with a specific credential to give it to someone else as and when he wants to (without reference to a higher authority) if the Delegation Policy allows it
  – Makes access control decisions, i.e. does the policy allow this user to do what he is asking to do?
  – Supports Hierarchical Role Based Access Controls, where superior roles automatically inherit the privileges of subordinate roles
  – Very secure, since policies and credentials are digitally signed

PERMIS Authorisation System

[Diagram: architecture of the PERMIS authorisation system. Component labels: Initiator, Target, Appln PEP, Authentication Service, PKI, LDAP Directories, STS, SAML Wrapper, PDP, The PERMIS Java API. Flow labels: Submit Access Request, Present Access Request, decision request/response, get creds request/response, Retrieve Role ACs (push), Retrieve Policy and Role ACs (pull), PUSH, User Credentials, GGF OGSA SAML Authz protocol.]

Creating Authorisation Policies

• Policies are specified in XML so that they can be understood by the PERMIS PDP (Policy Decision Point)
• Policies are digitally signed by their creator so that they cannot be tampered with, and so that the PDP knows it has a genuine policy
• Use the Policy Editor tool, a GUI that allows you to create simple PERMIS policies easily
  – Hides XML from creator
  – Displays policy in natural language
  – Signs and stores policy in creator’s LDAP entry

Policy Editor

A Simple Policy

• All staff in the department can write files to laser printer x. Jim the administrator can write files, delete any files from the print queue, pause the printing, and resume the printing at laser printer x. No-one else is allowed access to the printer.
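
The policy above as a small deny-by-default decision function, with the administrator role placed above staff in a role hierarchy so that Jim inherits the staff write permission. This is an added Python illustration, not PERMIS's XML policy format or Java API; the role names, target name and user table are constructed for the example.

```python
# Added illustration; not PERMIS's XML policy format or Java API.
# Role hierarchy: each role maps to the subordinate roles it inherits from.
ROLE_HIERARCHY = {"administrator": {"staff"}, "staff": set()}

# Target access rules of the slide's policy: (role, target) -> allowed actions.
# "write" is listed once, on staff; the administrator gets it by inheritance.
ACCESS_RULES = {
    ("staff", "laser-printer-x"): {"write"},
    ("administrator", "laser-printer-x"): {"delete", "pause", "resume"},
}

# Constructed role assignments (in PERMIS these come from attribute certificates).
USER_ROLES = {"jim": {"administrator"}, "ann": {"staff"}, "eve": set()}


def effective_roles(roles):
    """Return the given roles plus every subordinate role they inherit."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen or role not in ROLE_HIERARCHY:
            continue  # roles unknown to the policy grant nothing
        seen.add(role)
        stack.extend(ROLE_HIERARCHY[role])
    return seen


def decide(user, action, target):
    """Policy decision: grant only if some effective role permits the action."""
    for role in effective_roles(USER_ROLES.get(user, set())):
        if action in ACCESS_RULES.get((role, target), set()):
            return "grant"
    return "deny"  # deny by default: "No-one else is allowed access"
```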

Allocating Credentials to Users

• Credentials are stored as digitally signed attribute certificates (ACs) in LDAP directories
  – So that PERMIS PDP knows they are genuine
  – Allows distributed management. Different managers at different sites can allocate different credentials to the same or different users. Think of Plastic Cards!
• Three tools provided to do this
• Bulk loader
  – script to search LDAP, find entries, add ACs to them
• Attribute Certificate Manager
  – Graphical Interface for creating ACs and storing in LDAP
• Delegation Issuing Service
  – Web service for issuing ACs
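
How credential validation can work when several managers issue ACs and holders may delegate them: a role counts only if its chain of ACs leads back to the Source of Authority, every AC in the chain is within its validity time, and each intermediate issuer was allowed to delegate. This is an added, simplified Python model, not PERMIS code; the names, dates, `may_delegate` field and `MAX_CHAIN` limit are assumptions, and signature checking is assumed to have been done already.

```python
from datetime import date

SOA = "cn=boss"   # Source of Authority trusted by the policy (constructed name)
MAX_CHAIN = 2     # assumed delegation policy: at most 2 ACs between SOA and user

# Constructed attribute certificates; signatures are assumed already verified.
ACS = [
    {"issuer": "cn=boss", "holder": "cn=site-mgr", "role": "staff",
     "from": date(2005, 1, 1), "to": date(2005, 12, 31), "may_delegate": True},
    {"issuer": "cn=site-mgr", "holder": "cn=ann", "role": "staff",
     "from": date(2005, 6, 1), "to": date(2006, 6, 1), "may_delegate": False},
    {"issuer": "cn=ann", "holder": "cn=eve", "role": "staff",
     "from": date(2005, 6, 1), "to": date(2005, 12, 31), "may_delegate": False},
    {"issuer": "cn=mallory", "holder": "cn=mallory", "role": "administrator",
     "from": date(2005, 1, 1), "to": date(2005, 12, 31), "may_delegate": True},
]


def holds(holder, role, on, need_delegate=False, depth=1):
    """True if `holder` has `role` on date `on` via a chain of ACs rooted at the SOA."""
    if depth > MAX_CHAIN:
        return False  # chain too long (this also stops self-issued loops)
    for ac in ACS:
        if ac["holder"] != holder or ac["role"] != role:
            continue
        if not ac["from"] <= on <= ac["to"]:
            continue  # expired or not yet valid
        if need_delegate and not ac["may_delegate"]:
            continue  # this AC does not permit onward delegation
        if ac["issuer"] == SOA:
            return True
        # Otherwise the issuer must itself hold the role with delegation rights.
        if holds(ac["issuer"], role, on, need_delegate=True, depth=depth + 1):
            return True
    return False


def valid_roles(holder, on):
    """Roles the PDP may use for `holder`: only those that chain back to the SOA."""
    return {ac["role"] for ac in ACS if holds(holder, ac["role"], on)}
```

Ann's own AC runs into 2006, but it stops counting once the site manager's AC expires at the end of 2005, because the chain behind it is no longer valid.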

Distributed Management of Credentials

[Diagram: distributed management of credentials. Labels: The Boss (Source of Authority), Trusted Site Managers, Policy, Attribute Certificates, LDAP Directory (several), Application Gateway, ADF, The PERMIS PMI API, PERMIS API Implementation, Push Mode, Pull Mode.]

What Applications are Supported “out of the box”

• Any Globus Toolkit v3.3 and v4 application (configured authorisation service)

• Any Shibboleth enabled application or portal (commands to plug into httpd.conf)

• Any Apache web site (commands to plug into httpd.conf)

• For other applications you need to write the PEP and call PERMIS via its Java API

Futures

• More sophisticated RBAC features such as Separation of Duties (DyCOM project)

• Dynamic Recognition of Authority

• Secure Audit Web Service

• Simple SAM
  – PERMIS for Shibboleth sites that don’t want strong cryptographic protection of their policies

Dynamic Delegation of Authority

Additional Info

Delegating Credentials in X.509 (2001)

[Diagram: delegation chain. Labels: Bill, Alice, Bob; SOA, AA, End Entity; "Issues AC to" (twice); AC; "Points to issuer"; "Points to holder".]

The X.509 (2005) Delegation Service

[Diagram: delegation chain with a Delegation Issuing Service. Labels: Bill, Alice, Bob; SOA, AA, End Entity; Delegation Issuing Service (DIS); "Issues AC to" (three times); AC; "Points to issuer"; "Points to holder"; "Points to Issued On Behalf Of"; Policy; Delegation Policy.]

Delegation Issuing web Service

[Diagram: internals of the Delegation Issuing web Service. Labels: DIS Client, Authenticate (SSL), Web service interface, Issue AC, DIS PEP, Request Authorisation, PERMIS RBAC, Credential Validation Service, PDP, Delegation Issuing Policy, Policy, Issuer’s AC, Sign AC, publish AC, Credential LDAP server; Issue AC: holder, attributes, validity time.]

Demonstration - Browser Access to DIS

[Diagram: browser access to the DIS. Labels: Web browser, Apache, Authentication e.g. SSL or Un/Pw, Web Service Interface, DIS Web Service, Delegation Issuing Policy, LDAP.]

Demonstration - Apache with PERMIS RBAC Authorisation

[Diagram: Apache with PERMIS RBAC authorisation. Labels: User request, Apache Server, Apache Authentication, mod_permis, JNI connector, The PERMIS API, PDP, CVS, Credential, Pull ACs, LDAP Server, LDAP Directory, Authzn Policy, PERMIS Protected Resource.]