The PERMIS Authorisation Infrastructure
David Chadwick, D.W.Chadwick@kent.ac.uk
JISC Middleware Security Workshop, 20/10/05
© 2005 University of Kent

Slide 2: What is PERMIS?
• It is an authorisation infrastructure that takes care of all aspects of authorisation:
  – Setting authorisation policies for computer resources, i.e. specifying who is allowed to do what to which resources
  – Allocating credentials to users (as attributes or roles, e.g. professor, RA, PhD student etc.)
  – Supports Distributed Credential Management (many trusted people can be empowered to allocate credentials to users)
  – Supports Dynamic Delegation of Authority, i.e. allowing a user with a specific credential to give it to someone else as and when he wants to (without reference to a higher authority), if the Delegation Policy allows it
  – Makes access control decisions, i.e. does the policy allow this user to do what he is asking to do?
  – Supports Hierarchical Role Based Access Control, where superior roles automatically inherit the privileges of subordinate roles
  – Very secure, since policies and credentials are digitally signed

Slide 3: PERMIS Authorisation System
[Diagram. Components: Initiator, Authentication Service, Application PEP, Target, SAML Wrapper speaking the GGF OGSA SAML Authz protocol, the PERMIS Java API, PDP, STS, PKI, and LDAP directories holding the user credentials (role ACs) and the policy. Flows: Submit Access Request; Present Access Request; Retrieve Role ACs (push); getcreds request/response; decision request/response; Retrieve Policy and Role ACs (pull).]
Slide 4: Creating Authorisation Policies
• Policies are specified in XML so that they can be understood by the PERMIS PDP (Policy Decision Point)
• Policies are digitally signed by their creator so that they cannot be tampered with, and so that the PDP knows it has a genuine policy
• Use the Policy Editor tool, a GUI that allows you to create simple PERMIS policies easily
  – Hides the XML from the creator
  – Displays the policy in natural language
  – Signs and stores the policy in the creator’s LDAP entry

Slide 5: Policy Editor
[Screenshot of the Policy Editor; no text recovered.]

Slide 6: A Simple Policy
• All staff in the department can write files to laser printer x; Jim the administrator can write files, delete any files from the print queue, pause the printing, and resume the printing at laser printer x. No-one else is allowed access to the printer.

Slides 7 and 8: [Screenshots of the policy in the Policy Editor; no text recovered.]

Slide 9: Allocating Credentials to Users
• Credentials are stored as digitally signed attribute certificates (ACs) in LDAP directories
  – So that the PERMIS PDP knows they are genuine
  – Allows distributed management: different managers at different sites can allocate different credentials to the same or different users. Think of plastic cards!
• Three tools are provided to do this:
  – Bulk Loader – script to search LDAP, find entries, and add ACs to them
  – Attribute Certificate Manager – graphical interface for creating ACs and storing them in LDAP
  – Delegation Issuing Service – web service for issuing ACs
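The Simple Policy on slide 6, combined with the hierarchical RBAC rule from slide 2 (superior roles inherit the privileges of subordinate roles), can be modelled as a small decision function. This is an added example, not PERMIS code or its XML policy format: the role and action names and the decide() interface are assumptions, and the signed XML policy and LDAP-held ACs are replaced by in-memory dictionaries.

```python
"""Hierarchical RBAC decision for the 'laser printer x' policy.

Added example, not PERMIS code: role names, action names and decide() are
assumptions; the signed XML policy and role ACs in LDAP are not modelled."""

# Role hierarchy: a superior role inherits every privilege of its subordinates.
# 'administrator' sits above 'staff', so Jim gets the staff right (write) for free.
ROLE_HIERARCHY = {
    "administrator": {"staff"},
    "staff": set(),
}

# Target/action assignments constructed from the slide text.
POLICY = {
    "laser-printer-x": {
        "staff": {"write"},
        "administrator": {"delete", "pause", "resume"},
    }
}

# Who holds which role (stands in for the role ACs a PDP would pull from LDAP).
CREDENTIALS = {
    "jim": {"administrator"},
    "anne": {"staff"},
    "visitor": set(),
}


def effective_roles(roles):
    """Expand the roles a user holds with every subordinate role in the hierarchy."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_HIERARCHY.get(role, ()))
    return seen


def decide(user, action, target):
    """Grant only if some effective role of the user is assigned the action on the
    target. Anything not explicitly granted is denied (the 'no-one else' clause)."""
    rules = POLICY.get(target, {})
    for role in effective_roles(CREDENTIALS.get(user, set())):
        if action in rules.get(role, set()):
            return True
    return False
```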
Slide 10: Distributed Management of Credentials
[Diagram. The Boss (Source of Authority) sets the Policy; Trusted Site Managers issue Attribute Certificates into several LDAP Directories; an Application Gateway reaches the ADF through the PERMIS PMI API, either in Push Mode or via a Pull Mode implementation that fetches ACs from the LDAP directories.]

Slides 11 and 12: [Screenshots of the credential management tools; no text recovered.]

Slide 13: What Applications are Supported “out of the box”
• Any Globus Toolkit v3.3 and v4 application (configured authorisation service)
• Any Shibboleth enabled application or portal (commands to plug into httpd.conf)
• Any Apache web site (commands to plug into httpd.conf)
• For other applications you need to write the PEP and call PERMIS via its Java API

Slide 14: Futures
• More sophisticated RBAC features such as Separation of Duties (DyCOM project)
• Dynamic Recognition of Authority
• Secure Audit Web Service
• Simple SAM – PERMIS for Shibboleth sites that don’t want strong cryptographic protection of their policies

Slide 15: Dynamic Delegation of Authority – Additional Info

Slide 16: Delegating Credentials in X.509 (2001)
[Diagram. The SOA, Bill, issues an AC to the AA, Alice; Alice issues an AC to the End Entity, Bob. Each AC points to its issuer and to its holder.]

Slide 17: The X.509 (2005) Delegation Service
[Diagram. The SOA, Bill, issues an AC to the AA, Alice, and an AC to the Delegation Issuing Service (DIS); the DIS, governed by a Delegation Policy, issues an AC to the End Entity, Bob. Each AC points to its holder and its issuer, and an AC issued by the DIS also points to the AA it was Issued On Behalf Of.]
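Slides 2, 16 and 17 describe delegation chains (SOA Bill to AA Alice to end entity Bob) and the DIS issuing an AC on behalf of an AA, subject to a Delegation Policy. The following is an added illustration, not PERMIS code: a simplified chain validator in which the Delegation Policy is a per-AC depth limit; the AC field names, the integer timestamps, the trusted DIS identity and validate_chain() are all assumptions, and AC signatures are taken as already verified.

```python
"""Delegation-chain check for attribute certificates (ACs). Added example, not
PERMIS code: the AC fields and the depth-limited delegation policy are assumptions;
AC signatures are assumed to have been verified already (not modelled here)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AttributeCert:
    holder: str
    issuer: str              # who signed the AC: the SOA, an AA, or the DIS
    attribute: str           # the role being delegated, e.g. "staff"
    not_before: int          # validity window as plain integer timestamps
    not_after: int
    delegate_depth: int      # further hops the holder may delegate (0 = none)
    on_behalf_of: Optional[str] = None  # set when the DIS issued for an AA (X.509 2005)


def validate_chain(chain: List[AttributeCert], soa: str, now: int,
                   dis: Optional[str] = None) -> bool:
    """Walk the chain from the SOA down to the end entity; any broken link denies.

    Each AC must be within its validity window, be issued by the previous holder
    (or by the trusted DIS acting on that holder's behalf), carry the same
    attribute as the link above, and be issued while delegation depth remains."""
    if not chain:
        return False
    prev_holder, prev_ac = soa, None
    for ac in chain:
        if not (ac.not_before <= now <= ac.not_after):
            return False
        if ac.on_behalf_of is not None and ac.issuer != dis:
            return False  # "on behalf of" is only acceptable from the trusted DIS
        authority = ac.on_behalf_of or ac.issuer
        if authority != prev_holder:
            return False  # link does not chain back to the entity above it
        if prev_ac is not None:  # the SOA itself needs no AC; delegators do
            if prev_ac.delegate_depth <= 0 or ac.delegate_depth >= prev_ac.delegate_depth:
                return False  # delegation policy: depth must shrink at every hop
            if ac.attribute != prev_ac.attribute:
                return False  # a delegator cannot hand out an attribute he lacks
        prev_holder, prev_ac = ac.holder, ac
    return True


# Constructed sample chain using the slide's actors: SOA Bill -> AA Alice -> Bob.
BILL_TO_ALICE = AttributeCert("alice", "bill", "staff", 100, 200, delegate_depth=1)
ALICE_TO_BOB = AttributeCert("bob", "alice", "staff", 100, 200, delegate_depth=0)
# The same delegation issued by the DIS on Alice's behalf (the X.509 2005 model).
DIS_FOR_ALICE_TO_BOB = AttributeCert("bob", "dis", "staff", 100, 200, 0, on_behalf_of="alice")
```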
Slide 18: Delegation Issuing Web Service
[Diagram. The DIS client authenticates to the DIS over SSL and sends an Issue AC request (holder, attributes, validity time) through the Web service interface. The DIS PEP asks the Authorisation PDP (PERMIS RBAC), which consults the Policy, the Issuer’s AC, the Credential Validation Service and the Delegation Issuing Policy. If permitted, the DIS signs the AC (IssueAC) and publishes it (publishAC) to the Credential LDAP server.]

Slide 19: Demonstration – Browser Access to DIS
[Diagram. A web browser connects to Apache, which performs authentication (e.g. SSL or username/password); the request passes through the Web Service Interface to the DIS Web Service, which applies the Delegation Issuing Policy and stores the result in LDAP.]

Slide 20: Demonstration – Apache with PERMIS RBAC Authorisation
[Diagram. A user request reaches the Apache Server; Apache Authentication identifies the user, then mod_permis calls the PERMIS API through a JNI connector. The API’s CVS (Credential Validation Service) pulls the user’s ACs from the Credential LDAP Server and the PDP evaluates them against the Authorisation Policy held in the LDAP Directory before access to the PERMIS Protected Resource is granted.]