Post on 18-Nov-2014
License CC-BY-SA
Fortress Open Source IAM on LDAPv3
Shawn McKinney
November 18, 2013
Agenda
- Product Overview
- Technical Introduction
- RBAC SoD Demo
- Commander
- En Masse
- Multitenancy
- Next Steps
- Wrap-up
Product Overview
Roadmap (component, what it is, release date)
1. Fortress Core, ANSI RBAC SDK: October 2011
2. Sentry, RBAC Policy Enforcer: October 2011
3. EnMasse, RBAC Policy Server: October 2012
4. Commander, Web Administration: October 2013
5. Perimeter, Web Access Mgmt: April 2014
6. Patroller, Audit Monitoring: October 2014
Fortress Introduction
- ANSI INCITS 359-2004 compliant IAM system
- Policy Decision Points
  - Java APIs (Fortress Core)
  - REST services (En Masse)
- Policy Administration Points
  - Java APIs (Fortress Core)
  - REST services (EnMasse)
  - RBAC Web Management (Commander)
- Privileged Identity Management
Fortress Introduction (continued)
- Policy Enforcement Points
  - Sentry Java EE Platform Security
  - Sentry Other Platforms (in development)
- Audit Trail
  - Authentication – tracks who is accessing the system
  - Authorization – tracks who did what, when and where
  - Administration – tracks historical changes to the data
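The three audit trails listed above (authentication, authorization, administration) are queried through the Fortress Core AuditMgr. The following is an added example written for this page, not code from the slides or the Fortress project. It assumes the us.jts.fortress package names of the RC-1.0 line referenced in the Maven coordinates later in the deck, an OpenLDAP directory with the accesslog overlay enabled (which is what Fortress reads its audit records from), and that the UserAudit setters used here (setUserId, setFailedOnly, setBeginDate) and the three search methods carry these names in that release; the tenant id "Client123" and the user ids are made-up values.

```java
// Added example, not from the slides or the Fortress project.
// Assumptions: us.jts.fortress (RC-1.0) package names; OpenLDAP accesslog
// overlay feeding the Fortress audit trail; UserAudit setter names as shown;
// "Client123", "user1" and "admin" are constructed sample values.
import java.util.Date;
import java.util.List;

import us.jts.fortress.AuditMgr;
import us.jts.fortress.AuditMgrFactory;
import us.jts.fortress.SecurityException;
import us.jts.fortress.rbac.AuthZ;
import us.jts.fortress.rbac.Bind;
import us.jts.fortress.rbac.Mod;
import us.jts.fortress.rbac.UserAudit;

public class AuditTrailReport
{
    private static final long ONE_DAY_MS = 24L * 60 * 60 * 1000;
    private final AuditMgr auditMgr;

    public AuditTrailReport( String tenantId ) throws SecurityException
    {
        // The manager is bound to one tenant's data for its whole lifecycle.
        this.auditMgr = AuditMgrFactory.createInstance( tenantId );
    }

    private static UserAudit lastDayFor( String userId )
    {
        UserAudit criteria = new UserAudit();
        criteria.setUserId( userId );
        criteria.setBeginDate( new Date( System.currentTimeMillis() - ONE_DAY_MS ) );
        return criteria;
    }

    // Authentication trail: binds for this user that did not succeed.
    public List<Bind> failedLogins( String userId ) throws SecurityException
    {
        UserAudit criteria = lastDayFor( userId );
        criteria.setFailedOnly( true );
        return auditMgr.searchBinds( criteria );
    }

    // Authorization trail: every permission check recorded for this user
    // (who did what, when and where).
    public List<AuthZ> permissionChecks( String userId ) throws SecurityException
    {
        return auditMgr.searchAuthZs( lastDayFor( userId ) );
    }

    // Administration trail: policy data changes made by this administrator.
    public List<Mod> policyChanges( String adminUserId ) throws SecurityException
    {
        return auditMgr.searchAdminMods( lastDayFor( adminUserId ) );
    }

    // Simple detection rule a monitor can run per tenant: a burst of failed
    // binds on one account in a day is worth an alert or a lockout review.
    public boolean lockoutCandidate( String userId, int threshold ) throws SecurityException
    {
        return failedLogins( userId ).size() >= threshold;
    }

    public static void main( String[] args ) throws SecurityException
    {
        AuditTrailReport report = new AuditTrailReport( "Client123" );
        System.out.println( "failed binds (24h):  " + report.failedLogins( "user1" ).size() );
        System.out.println( "authZ checks (24h):  " + report.permissionChecks( "user1" ).size() );
        System.out.println( "policy mods (24h):   " + report.policyChanges( "admin" ).size() );
        System.out.println( "lockout candidate:   " + report.lockoutCandidate( "user1", 5 ) );
    }
}
```

Because each AuditMgr is created per tenant, a monitoring job that covers several tenants needs one AuditTrailReport instance per tenant id rather than one shared instance.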
Fortress System Architecture
[Architecture diagram: Java applications (Java VM) call the Fortress Core APIs; applications on any other platform reach Fortress over HTTP/S; Fortress talks LDAPv3 to either OpenLDAP or Apache DS; the RBAC Accelerator is reached through LDAPv3 Extended Operations]
Diagram notes:
- Either LDAP Server works
- RBAC policy enforcement on any platform: use the accelerator
- RBAC policy administration and interrogation: use standard LDAPv3 protocols
- Fortress RBAC Enforcement APIs will also call the accelerator
ANSI RBAC INCITS 359
1. RBAC0: Users, Roles, Perms, Sessions
2. RBAC1: Hierarchical Roles
3. RBAC2: Static Separation of Duties
4. RBAC3: Dynamic Separation of Duties (demo this capability)
Dynamic Separation of Duties Demo
[Diagram: one user holds three role assignments (Role 1, Role 2, Role 3); one and only one may be active at a time]
Demo stack, from coarse to fine AuthZ granularity: Java Virtual Machine, Tomcat (Java EE coarse-grained security), Fortress RBAC Proxy, Spring page-level security, Apache Wicket with the Fortress RBAC PEP guarding Wicket pages, links and buttons; decisions come from the Fortress RBAC PDP
Users:
- User1 is assigned to ROLE_TEST1, ROLE_TEST2, and ROLE_TEST3
- User2 is assigned to ROLE_TEST2
- User3 is assigned to ROLE_TEST3
Permissions:
- Page1.Button1 is granted to ROLE_TEST1
- Page1.Button2 is granted to ROLE_TEST1
- Page1.Button3 is granted to ROLE_TEST1
- Page2.Button1 is granted to ROLE_TEST2
- Page2.Button2 is granted to ROLE_TEST2
- Page2.Button3 is granted to ROLE_TEST2
- Page3.Button1 is granted to ROLE_TEST3
- Page3.Button2 is granted to ROLE_TEST3
- Page3.Button3 is granted to ROLE_TEST3
Dynamic Separation of Duties:
- Set of roles is [ROLE_TEST1, ROLE_TEST2, ROLE_TEST3]
- DSD Set Cardinality is 1
- Only one Role can be active in Session
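The DSD constraint above is enforced at role activation time, so the interesting behaviour is what happens when a session that already has one member of the set active tries to activate a second. The following is an added example written for this page, not code from the fortressdemo1 repository or the Fortress project. It assumes the demo policy is already loaded (User1 assigned all three roles, the DSD set with cardinality 1, and permissions stored with object name "Page1" and operation "Button1" and so on), the us.jts.fortress RC-1.0 package names, that a User carrying explicit roles activates only those roles on createSession, and that an activation blocked by DSD surfaces as a SecurityException; "Client123" and "user1" are made-up values.

```java
// Added example, not from the demo repository or the Fortress project.
// Assumptions: demo policy loaded; us.jts.fortress (RC-1.0) package names;
// permission objName "PageN" / opName "ButtonN"; explicit roles on the User
// restrict activation; DSD violation raises SecurityException.
// "Client123" and "user1" are constructed sample values.
import us.jts.fortress.AccessMgr;
import us.jts.fortress.AccessMgrFactory;
import us.jts.fortress.SecurityException;
import us.jts.fortress.rbac.Permission;
import us.jts.fortress.rbac.Session;
import us.jts.fortress.rbac.User;
import us.jts.fortress.rbac.UserRole;

public class DsdWalkthrough
{
    public static void main( String[] args ) throws SecurityException
    {
        AccessMgr accessMgr = AccessMgrFactory.createInstance( "Client123" );

        // Trusted session (no password check) for User1 that activates only
        // ROLE_TEST1, even though User1 is assigned all three roles.
        User user1 = new User( "user1" );
        user1.setRole( "ROLE_TEST1" );
        Session session = accessMgr.createSession( user1, true );

        // With ROLE_TEST1 active, Page1 is allowed and Page2 is denied.
        check( accessMgr, session, "Page1", "Button1" );
        check( accessMgr, session, "Page2", "Button1" );

        // Cardinality 1 means one and only one member of the DSD set may be
        // active, so activating ROLE_TEST2 alongside ROLE_TEST1 must be refused.
        try
        {
            accessMgr.addActiveRole( session, new UserRole( "user1", "ROLE_TEST2" ) );
            System.out.println( "DSD constraint was NOT enforced: verify the policy load" );
        }
        catch ( SecurityException se )
        {
            System.out.println( "DSD blocked activation of ROLE_TEST2: " + se.getMessage() );
        }

        // The permitted way to switch duties: drop the active role first.
        accessMgr.dropActiveRole( session, new UserRole( "user1", "ROLE_TEST1" ) );
        accessMgr.addActiveRole( session, new UserRole( "user1", "ROLE_TEST2" ) );

        // Now Page1 is denied and Page2 is allowed.
        check( accessMgr, session, "Page1", "Button1" );
        check( accessMgr, session, "Page2", "Button1" );
    }

    // Ask the PDP whether the session's active roles grant objName.opName.
    private static boolean check( AccessMgr mgr, Session session, String objName, String opName )
        throws SecurityException
    {
        boolean allowed = mgr.checkAccess( session, new Permission( objName, opName ) );
        System.out.println( objName + "." + opName + " with active roles "
            + session.getRoles() + " -> " + ( allowed ? "ALLOW" : "DENY" ) );
        return allowed;
    }
}
```

The Wicket demo does the same drop-then-add switch behind its role-selection page; the point of running it from plain Java is that the constraint lives in the PDP, not in the UI, so an application that skipped the UI would hit the same refusal.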
Where to get RBAC Demo
- Source
  - https://github.com/shawnmckinney/fortressdemo1
- Tutorial & other ANSI RBAC write-ups
  - http://symas.com/ansi-rbac-intro/
  - http://symas.com/rbac-security-enforcement-inside-wicket/
  - https://github.com/shawnmckinney/fortressdemo1/blob/master/README.txt
Commander Introduction
- RBAC Web Administration
- Uses the Fortress Core APIs
- Communicates via HTTP or LDAPv3 protocols
- Secured by Fortress, Java EE and Spring
- Full audit trail
- Extensible – add new pages quickly
- Uses Apache Wicket UI framework
Commander System Architecture
[Architecture diagram: Commander runs in its own Java VM on the Fortress Core APIs and reaches the directory either directly over LDAPv3 or over HTTP/S through EnMasse (a separate Java VM); the directory is OpenLDAP or Apache DS, spoken to over LDAPv3]
Diagram notes:
- Commander can use either HTTP or LDAPv3 protocol
- Either LDAP Server works
- HTTP protocol aids in firewall traversals
Commander Demo
- View RBAC demo audit trail
- View RBAC management capabilities
- Enable REST communication with En Masse
- Run Commander Selenium automated test
- View Wireshark trace
Where to get Commander
- Source
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-commander.git;a=summary
- Quickstart
  - http://iamfortress.org/download
- Maven
  - http://search.maven.org/#search%7Cga%7C1%7Ccommander
En Masse Introduction
- RBAC Policy Server
- Firewall friendly
- 120+ RESTful services
- Multitenant process and services
- Secured using Fortress RBAC enforcement
- Binds directly to Fortress entity model
- Uses Fortress Core to communicate LDAPv3
- Uses Apache CXF for RESTful processing
En Masse System Architecture
[Architecture diagram: Java applications use the Fortress Core APIs and applications on any other platform use REST over HTTP/S to reach EnMasse (its own Java VM); EnMasse uses Fortress Core to talk LDAPv3 to either OpenLDAP or Apache DS]
Diagram notes:
- Either LDAP Server works
- Apps may use any REST lib or Fortress APIs to connect with En Masse
- HTTP protocol is less efficient than LDAP but aids in firewall traversals
Where to get En Masse
- Source
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-enmasse.git;a=summary
- Quickstart
  - http://iamfortress.org/download
- Maven
  - http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22enmasse%22
Introduction
Multitenant LDAP Data Structure
- Leverage LDAP's natural affinity to partition data by client organization
- Each tenant has its own complete copy of the DIT, segregated by organizational unit
- Reduced cost due to fewer servers to maintain
Multitenant Programming Model
- Client's id is passed to Fortress in factory initialization
- Lifecycle of 'Manager' object processes data on behalf of the client id passed during initialization
- AnyMgr:
  - createInstance(tenantId);

  // Instantiate the AccessMgr implementation, bound to tenant "Client123" for its lifetime.
  AccessMgr accessMgr = AccessMgrFactory.createInstance( "Client123" );
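Since a manager serves one tenant for its whole lifecycle, an application that hosts several tenants needs one manager per tenant id and must never hand a request to the wrong one. The following is an added example written for this page, not code from the slides or the Fortress project. It assumes the us.jts.fortress RC-1.0 package names; the hostname-to-tenant rule is a made-up convention for the example, and the user id and password are constructed values.

```java
// Added example, not from the slides or the Fortress project.
// Assumptions: us.jts.fortress (RC-1.0) package names; the first DNS label of
// the request host names the tenant (made-up convention for this example).
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import us.jts.fortress.AccessMgr;
import us.jts.fortress.AccessMgrFactory;
import us.jts.fortress.SecurityException;
import us.jts.fortress.rbac.Session;
import us.jts.fortress.rbac.User;

public class TenantManagers
{
    // One AccessMgr per tenant id; each is bound to its tenant's DIT segment.
    private final Map<String, AccessMgr> managers = new ConcurrentHashMap<String, AccessMgr>();

    // The tenant id must come from a trusted source (deployment config, a
    // verified virtual-host name), never from user-editable request data,
    // otherwise a caller could be authenticated against another tenant's tree.
    public AccessMgr forTenant( String tenantId ) throws SecurityException
    {
        AccessMgr mgr = managers.get( tenantId );
        if ( mgr == null )
        {
            mgr = AccessMgrFactory.createInstance( tenantId );
            AccessMgr prior = managers.putIfAbsent( tenantId, mgr );
            if ( prior != null )
            {
                mgr = prior;   // another thread initialised this tenant first
            }
        }
        return mgr;
    }

    // The same userId and password presented to two tenants yield independent
    // outcomes, because each manager searches only its own tenant's subtree.
    public Session login( String tenantId, String userId, char[] password ) throws SecurityException
    {
        User user = new User( userId, password );
        return forTenant( tenantId ).createSession( user, false );
    }

    // Made-up resolution rule: client1.example.com -> "client1".
    public static String tenantFromHost( String host )
    {
        int dot = host.indexOf( '.' );
        return dot < 0 ? host : host.substring( 0, dot );
    }

    public static void main( String[] args ) throws SecurityException
    {
        TenantManagers tenants = new TenantManagers();
        String tenantId = tenantFromHost( "client1.example.com" );
        Session session = tenants.login( tenantId, "user1", "secret".toCharArray() );
        System.out.println( "tenant " + tenantId + " session for " + session.getUserId() );
    }
}
```

Caching the managers keeps the per-tenant initialisation cost off the request path; the decisive design point is that the tenant id is fixed when the manager is created, so mixing up managers is the one mistake the model does not protect against.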
Multitenant Demo
- Load demo users for Client 1, 2 & 3
- Run test-full for Client 1, 2 & 3
Where to get Fortress Multitenancy
- Source
  - http://www.openldap.org/devel/gitweb.cgi?p=openldap-fortress-core.git;a=summary
- Binaries
    <dependency>
      <groupId>us.joshuatreesoftware</groupId>
      <artifactId>fortress</artifactId>
      <version>RC-1.0-33</version>
    </dependency>
Next Steps
- RBAC Accelerator
  - OpenLDAP overlay
  - RBAC Policy Decision Point
- Web Access Management/SSO
- RBAC Policy-Enhanced Standard (RPE)
  - INCITS 494-2011
  - Support for dynamic attributes
- Attribute-based Access Control (ABAC)
  - Maybe
Thanks!