Data Entitlement with WSO2 Enterprise Middleware Platform
Data Entitlements with the WSO2 Enterprise Middleware Platform
Manoj Fernando Director - Solutions Architecture
About WSO2
• Providing the only complete open source componentized cloud platform
– Dedicated to removing all the stumbling blocks to enterprise agility
– Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
– Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
– Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka – 200+ employees and growing
• Business model of selling comprehensive support & maintenance for our products
– 150+ globally positioned support customers
Agenda
• A Classic Use Case
• Need for Data Entitlements
• Data Entitlements - A Traditional Approach
• Challenges and benefits
• Features provided by WSO2 Identity Server
• XACML – Policy Based Access Control
• Using WSO2 Middleware Platform to implement our sample use case
• Mediator Flow
• Summary
• Q&A
A Classic Use Case
[Diagram: "Who should provide entitlements?" A Sales Database (DB) is reached through Application X and Application Y by Sales Managers, Sales Team A and Sales Team B. Two access levels are shown: access to ALL sales data, and access to only the sales data belonging to a specific sales group.]
Need for Data Entitlements
• A responsibility shared between business logic and data layers?
• Use cases often talk about permissions, so who should handle it?
“User with permission X has to be able to read and modify asset Y”.
• But many would agree with the idea of globally manageable application permissions.
• Permissions are not just based on user roles (anymore).
• Growing demand for a unified entitlements framework for all types of applications.
Primary Purpose
The primary purpose is to provide total transparency to multiple applications when accessing shared assets, so that enterprise-wide data access policies take effect at the point where data is queried or manipulated by users.
Data Access Layer – a place for data entitlements?
• Primary purpose is to provide loose coupling between data and application logic.
• A natural choice to place data entitlements logic.
• Data Access components are language specific, hence they fall short of meeting the exact expectations on enterprise entitlements within a heterogeneous environment.
• No standard as such to govern enterprise-wide entitlements policies when using DAL.
[Diagram: Business Application A and Business Application B call a Data Access Layer, which sits in front of Enterprise Data and Permissions Data.]
Data Entitlements – A Traditional Approach
[Diagram: Presentation, Business Application, Data Access Layer, Data Entitlements System and Entitlements Repo, with six numbered interactions (1)-(6): Request for permitted access; Response with Filter Meta-data; Authorized Items Query; Request for data; Filtered Data; Data exchange.]
Challenges in putting up an Enterprise Data Entitlements System
• Often viewed as an unnecessary task, especially when system designers tend to think around ‘siloed’ applications.
• Usually requires a significant amount of ‘re-wiring’ to the permissions handling logic of existing applications.
• Must be driven by standards!
• Some believe that using an external entitlements system is counterproductive in maintaining ‘lightweight-ness’ of the applications.
• No SOA, No use of data entitlements?
Benefits
• Usually the benefits are more long term than short term.
• Helps organizations adapt more easily to changing business needs and data security requirements.
• Centralized management of platform level policies.
• Ideal for heterogeneous systems – Unified access model to entitlements data.
• Service mindset – everything is a service, including entitlements.
Is SOA/Middleware the foundation for Data Entitlements?
• You will seldom see an enterprise using applications developed on a single technology.
• SOA brings the real power of data entitlements into the platform by providing standards driven, loosely coupled architecture.
• Works well with other cross cutting requirements such as enterprise logging, transport and message level security, etc.
• A key enabler for cross-application integration scenarios.
A Conceptual SOA driven Data Entitlements
[Diagram: Application A and Application B (serving User Group A, User Group B and User Group X) send a Request to the Entitlements Service, which runs an Entitlements Query based on a user attribute (i.e. Role) against the Entitlements Store. A Filter Builder issues the Request for Filtered Data to the Data Service / Data Access Service, and the Response flows back to the application.]
Building an entitlements system with WSO2 Identity Server - Features
• Provides a fully fledged Policy Based Access Control (PBAC) platform.
• Fine-grained policy based access control via XACML
• Advanced entitlement auditing and management
• Entitlement management for any REST or SOAP calls
• Role based access control (RBAC)
XACML – Terminology
XACML stands for eXtensible Access Control Markup Language.
Policy Enforcement Point (PEP)
• Point which intercepts user's access request to a resource, makes a decision request to the PDP to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision.
Policy Decision Point (PDP)
• Point which evaluates access requests against authorization policies before issuing access decisions
XACML - Terminology (Cont…)
Policy Administration Point (PAP)
• Point which manages access authorization policies
Policy Information Point (PIP)
• The system entity that acts as a source of attribute values (i.e. a resource, subject, environment, etc.)
Policy Retrieval Point (PRP)
• Point where the XACML access authorization policies are stored, typically a database or the file system.
XACML - Policy Based Access Control (PBAC)
• Fine-grained access control policies based on subject, resource, environment and action attributes
• Portable and reusable policies enforceable across multiple platforms
• All aspects of access request are identified by attributes
• Optional Rules Engine Integration
[Diagram: The Requester sends a XACML Request to the PEP (Policy Enforcement Point), which passes it to the PDP (Policy Decision Point) and receives a XACML Response. The PDP consults the PIP (Policy Information Point), backed by an Attribute Store and a Data service, and retrieves the XACML Policy from the Policy Store (Policy Retrieval Point – PRP), which the PAP (Policy Administration Point) manages.]
XACML 2.0/3.0 Support on WSO2 Identity Server
• Policy decision processing and attribute caching
• Policy distribution to various Policy Decision Points (PDPs)
• Multiple Policy Information Point (PIP) support
• Friendly UI for Policy editing (PAP)
• High performance network protocol (over Thrift) for PEP/PDP interaction
• Policy Administration Point (PAP) to manage multiple Policy Decision Points (PDP)
Back to our sample scenario…
How to leverage the WSO2 middleware platform for this?
[Diagram: the same use case as before. A Sales Store (DB) is reached through Application X and Application Y by Sales Managers, Sales Team A and Sales Team B; access to ALL sales data versus access to only the sales data belonging to a specific sales group.]
… and our requirement
• Should provide a unified service interface for querying sales info
• Caller applications need not worry about entitlements (they just query for sales info).
• The policy enforcer needs to acquire entitlements for a common user attribute (i.e. username)
• The policy decision maker should return the list of entitlements (or claims) back to the enforcer.
• The enforcer should build the data filtering logic based on the claims and append that to the service call.
• The filtered data set is returned back to caller.
Putting it all together
[Diagram, seven numbered steps (1)-(7): App A, App B and App X call getSalesInfo on the ESB (the PEP, hosting the Entitlements Mediator) with a Request carrying a wsse:UsernameToken. The Entitlements Mediator sends a XACML request to the IS (PIP, PDP and PAP, holding the XACML Policy and backed by the Enterprise User Store DB) and receives a XACML response with Advices; on denial a fault is returned to the caller. The ESB builds a dynamic query using the advices (claims) and calls getSalesInfo on the DSS with entitlements based filtering; the DSS runs the dynamic query against the Sales Datastore DB, and the Filtered Response is returned.]
ESB Mediation Flow
[Flowchart:] Authenticate User -> Call Entitlements Mediator -> Permit?
– Yes: Extract Claims -> Build Dynamic Query -> Call Data Service -> Send Response
– No: Return Fault
XACML Policy – Making claims get passed with the Response
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="CustomerServiceSales"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
  <Target></Target>
  <Rule Effect="Permit" RuleId="Rule1">
    …
  </Rule>
  <AdviceExpressions>
    <AdviceExpression AdviceId="customerService" AppliesTo="Permit">
      <AttributeAssignmentExpression AttributeId="employee.role">
        <AttributeDesignator AttributeId="http://wso2.org/claims/role"
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
      </AttributeAssignmentExpression>
    </AdviceExpression>
  </AdviceExpressions>
</Policy>
In this example we are enforcing that the employee role (a PIP entry) is embedded in the XACML response.
XACML Policy ruleset goes here (omitted)
Claims to Data Service Filter
• Claims received by the Entitlements Mediator exist in the MessageContext object.
• A Class Mediator can be used to extract these claims from the MessageContext and construct the filter logic.
• The ESB Sequence can thereby append the filter logic into a placeholder for filtering (i.e. If you use WSO2 DSS, you can specify this placeholder as a QUERY_STRING type, and use validation logic to avoid potential SQL injection scenarios).
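As an added example (not WSO2 code and not from the slides) of the claims-to-filter step above, fed by the advice that the policy on the previous slide emits: a parser for the PDP's XACML 3.0 response and a fail-closed filter builder that never lets claim text reach the SQL. The sample response, the role-to-group mapping and the column name sales_group are assumptions.

```python
"""Claims-to-filter step of the mediation flow: parse the PDP's XACML response,
check the Decision, extract the employee.role advice and build a safe filter."""
import re
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}

# Constructed sample: the kind of response the slide's policy produces on Permit.
SAMPLE_RESPONSE = f"""<Response xmlns="{XACML_NS}">
  <Result>
    <Decision>Permit</Decision>
    <AssociatedAdvice>
      <Advice AdviceId="customerService">
        <AttributeAssignment AttributeId="employee.role"
            DataType="http://www.w3.org/2001/XMLSchema#string">salesTeamA</AttributeAssignment>
      </Advice>
    </AssociatedAdvice>
  </Result>
</Response>"""

# Hypothetical role-to-sales-group mapping (an assumption, not from the slides);
# None means the role may see ALL sales data, as the managers do in the use case.
ROLE_TO_GROUP = {"salesManager": None, "salesTeamA": "A", "salesTeamB": "B"}
CLAIM_SHAPE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # defensive check on claim text

def parse_response(xml_text):
    """Return (decision, {AttributeId: value}) from a XACML 3.0 Response."""
    result = ET.fromstring(xml_text).find("x:Result", NS)
    decision = result.findtext("x:Decision", namespaces=NS)
    claims = {}
    for assign in result.findall("x:AssociatedAdvice/x:Advice/x:AttributeAssignment", NS):
        claims[assign.get("AttributeId")] = (assign.text or "").strip()
    return decision, claims

def build_filter(decision, claims):
    """Return (where_clause, bind_params) for the data service, or None for a fault."""
    if decision != "Permit":
        return None
    role = claims.get("employee.role", "")
    # The claim is only a lookup key; SQL text stays fixed and the group value
    # travels as a bind parameter, so claim content can never become SQL.
    if not CLAIM_SHAPE.match(role) or role not in ROLE_TO_GROUP:
        return None  # unknown or malformed claim: fail closed, never widen access
    group = ROLE_TO_GROUP[role]
    if group is None:
        return ("", ())
    return ("WHERE sales_group = ?", (group,))
```

The QUERY_STRING placeholder mentioned above would receive only the fixed clause; the bind value is passed separately.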
Summary
• Middleware plays a pivotal role in establishing an enterprise grade data entitlements system.
• WSO2 Identity Server provides all necessary features to implement a fully fledged data entitlements system supported by WSO2 ESB for mediating the service calls, and WSO2 DSS for exposing your data as services.
Resources
Blog post
- http://manoj-fernando.blogspot.com/
References
- WSO2 Identity Server : http://docs.wso2.org/display/IS450/WSO2+Identity+Server+Documentation
- XACML : https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Q&A
Engage with WSO2
• Helping you get the most out of your deployments
• From project evaluation and inception to development and going into production, WSO2 is your partner in ensuring 100% project success
lean . enterprise . middleware