XACML_dilemmas

An answer to your common XACML dilemmas
Asela Pathberiya
Senior Software Engineer
WSO2



Founded in 2005 by acknowledged leaders in XML, Web
Services technologies & standards, and Open Source
Producing an entire middleware platform, 100% open source
under the Apache license
Business model is to sell comprehensive support &
maintenance for our products

Venture funded by Intel Capital and Quest Software.

Global corporation with offices in USA, UK & Sri Lanka

150+ employees and growing
What are we going to cover




What is XACML?
Why is XACML important for your
organization?
What are the disadvantages of
XACML?
How can WSO2 Identity Server help
you overcome those disadvantages?
ETag Group
ETag Group is a trading company established in 2001.
Application System
ETag Group deployed its first Application System
in 2005.
Authentication
The Application System included an authentication
mechanism.
Authentication
Some functions and data in the Application System
must not be accessible to every employee in the
company.
Therefore authentication alone is not enough!
Authorization
ETag Group wanted to build authorization
logic for its Application System.
Role Based Access Control (RBAC)
A set of people who share the same privileges is put
into a role, and permissions are assigned to that role.
Role Based Access Control (RBAC)
Growth of ETag Group
Effect of company growth




The number of Application Systems increased.
Authorization logic had to be implemented
separately for each application system.
The authorization logic became more complex.
The authorization logic needed to be
updated frequently.
Maintaining the authorization logic became a
tricky task.
Meeting
Decided to implement a new authorization system
ETag Common Authorization
System (ECAS)


Denis was asked to lead the
“ECAS” project.
The “ECAS” project must fulfil the
following six requirements, as
decided in the board meeting.
Externalized
The authorization system is not bound to any one application. Each
application must be able to query a single authorization
system for all of its authorization decisions.
Policy based
Authorization logic can be modified frequently
without any source code changes.
Standardized
The technology used to design it must be an open
standard that even business managers and external
parties can recognise and understand.
Attribute Based
“Resource X can be accessed by users who
are from the etag.com domain and whose age is not
less than 18 years”
Fine-grained
Fine-grained control must be achieved without defining a
large number of static combinations in the
source code or the database.
Real Time
“Can user Bob transfer amount X
from current account Y
between 9.00am and 4.00pm?”
(The decision depends on the time of the request, so it
must be evaluated when the request is made.)
✓ Externalized
✓ Policy based
✓ Standardized
✓ Attribute based
✓ Fine-grained
✓ Dynamic

Authorization Solution
XACML
XACML stands for eXtensible Access Control
Markup Language.
It is a standard ratified by the OASIS
standards organization.
First TC meeting: 21 March 2001
XACML 1.0: OASIS Standard, 6 February 2003
XACML 1.1: Committee Specification, 7 August 2003
XACML 2.0: OASIS Standard, 1 February 2005
Policy language implemented in XML
Externalization is provided by the XACML reference
architecture: the PEP (enforcement point, in the
application) sends requests to the PDP (decision point),
policies are authored through the PAP (administration
point), and extra attributes are fetched from a PIP
(information point)
Attribute Based Access Control (ABAC): decisions are made
on attributes of the subject, resource, action and environment
Fine-grained authorization with a higher level of
abstraction by means of policy sets, policies and
rules, each with a combining algorithm
Real-time evaluation: every request is evaluated against
the current policies at decision time
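To make the policy-set / policy / rule model, the attribute-based conditions and the real-time condition from the ETag requirements concrete, here is a small Python model of an XACML-style PDP. It is an added example written for this page, not WSO2 Identity Server code and not a spec-complete XACML engine: policies are plain Python objects rather than XACML XML, the attribute identifiers (`subject:domain`, `environment:current-time`, and so on) and the two ETag policies are constructed for illustration, and the combining algorithms are simplified (under deny-overrides an Indeterminate result is treated as a Deny). What it does show is the part that matters to a PEP author: NotApplicable and Indeterminate (a missing attribute) must both fail closed, and only an explicit Permit grants access.

```python
"""Minimal XACML-style PDP: rules -> policies -> policy sets with combining
algorithms, evaluated over an attribute-based request context.
Hypothetical illustration of the XACML model; not WSO2's or any other real PDP."""
from dataclasses import dataclass
from datetime import time
from typing import Any, Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Request = Dict[str, Any]                 # attribute id -> value (a flattened request context)
Predicate = Callable[[Request], bool]


def deny_overrides(decisions: List[str]) -> str:
    """Any Deny wins; an Indeterminate is treated as a potential Deny (simplified)."""
    if DENY in decisions or INDETERMINATE in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE


def permit_overrides(decisions: List[str]) -> str:
    """Any Permit wins; otherwise Indeterminate, then Deny, then NotApplicable."""
    for outcome in (PERMIT, INDETERMINATE, DENY):
        if outcome in decisions:
            return outcome
    return NOT_APPLICABLE


@dataclass
class Rule:
    rule_id: str
    effect: str                                  # PERMIT or DENY
    target: Predicate                            # which requests this rule is about
    condition: Predicate = lambda req: True      # extra attribute test (ABAC)

    def evaluate(self, req: Request) -> str:
        try:
            if not self.target(req):
                return NOT_APPLICABLE
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except KeyError:
            return INDETERMINATE                 # an attribute the rule needs is missing


@dataclass
class Policy:
    policy_id: str
    target: Predicate
    rules: List[Rule]
    combine: Callable[[List[str]], str] = deny_overrides   # rule-combining algorithm

    def evaluate(self, req: Request) -> str:
        try:
            if not self.target(req):
                return NOT_APPLICABLE
        except KeyError:
            return INDETERMINATE
        return self.combine([rule.evaluate(req) for rule in self.rules])


@dataclass
class PolicySet:
    policy_set_id: str
    policies: List[Policy]
    combine: Callable[[List[str]], str] = deny_overrides   # policy-combining algorithm

    def evaluate(self, req: Request) -> str:
        return self.combine([policy.evaluate(req) for policy in self.policies])


def build_ecas_policy_set() -> PolicySet:
    """The two ETag requirements from the slides, expressed as (hypothetical) policies."""
    resource_x = Policy(
        "resource-X-policy",
        target=lambda r: r["resource-id"] == "X",
        rules=[
            Rule("etag-adults-may-read", PERMIT,
                 target=lambda r: r["action-id"] == "read",
                 condition=lambda r: r["subject:domain"] == "etag.com" and r["subject:age"] >= 18),
            Rule("terminated-staff-denied", DENY,          # deny-overrides makes this win
                 target=lambda r: r.get("subject:status") == "terminated"),
        ])
    transfers = Policy(
        "account-Y-transfer-policy",
        target=lambda r: r["resource-id"] == "current-account:Y" and r["action-id"] == "transfer",
        rules=[
            Rule("bob-business-hours", PERMIT,
                 target=lambda r: r["subject-id"] == "bob",
                 # environment attribute: evaluated per request, so the answer changes over the day
                 condition=lambda r: time(9, 0) <= r["environment:current-time"] <= time(16, 0)),
        ])
    return PolicySet("ecas", [resource_x, transfers])


def pep_allows(pdp: PolicySet, req: Request) -> bool:
    """PEP rule: only an explicit Permit grants access; NotApplicable and Indeterminate fail closed."""
    return pdp.evaluate(req) == PERMIT


if __name__ == "__main__":
    pdp = build_ecas_policy_set()
    alice = {"subject-id": "alice", "subject:domain": "etag.com", "subject:age": 30,
             "resource-id": "X", "action-id": "read"}
    print(pdp.evaluate(alice), pep_allows(pdp, alice))
```

The case worth noticing is the request that omits `subject:age`: the rule cannot evaluate its condition, returns Indeterminate, and deny-overrides turns that into a Deny. A PEP that treated anything other than Deny as permission would be bypassed by simply not sending the attribute.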
XACML Implementation for ECAS
Denis was really happy, as he had
found a solution that met all the
requirements.
Denis decided to start implementing
an XACML-based authorization system
for the ECAS project.
Meeting
“Denis, it is hard to implement an XACML
solution from scratch.”
“It is better to find an existing implementation and
plug it into the ECAS project.”
Meeting
“We need a closer look at XACML... Let's have a
review of it.”
Disadvantages






The performance of an XACML-based authorization
system would be lower than that of the existing system.
The complexity of defining and managing XACML
policies.
How to migrate the current authorization logic into
the new system as XACML policies.
How to provide a standard interface for
communicating with the PDP.
Would the PDP be able to handle a large number
(10,000 to 100,000) of policies?
How to achieve reliability and high availability.
XACML Implementations
An Open source XACML
Implementation
"Open source XACML solution, WSO2 Identity
Server. Just download it and you can run the PDP
without any configuration. How fast is that? I do
not want to write mail asking for evaluation
copies."
"I can just write a simple XACML policy and
try this out... Nice web-based UI."
WSO2 Identity Server
Performance bottleneck



Performance would be lower than with
traditional authorization systems.
It is a trade-off for the advantages offered.
But the WSO2 Identity Server team has identified this
performance bottleneck and provided a
solution that overcomes it to a great extent:
Caching technologies
Thrift protocol for PDP – PEP communication
Caching
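Decision caching is the first of the two mitigations listed above. The following Python snippet is an added example, not WSO2's cache implementation, showing the pattern and the caveat that comes with it: the cache is keyed on a canonicalised form of the request so that attribute order does not defeat it, every entry carries a TTL, and a cached Permit keeps granting access until it expires or the PAP invalidates the cache after a policy change. The `decide` callback, the request attribute names and the fake clock are constructed for the illustration.

```python
"""Decision cache in front of a PDP, keyed by the canonicalised request.
Hypothetical illustration; not the WSO2 Identity Server cache."""
import hashlib
import json
import time
from typing import Any, Callable, Dict, Tuple

Request = Dict[str, Any]


def cache_key(req: Request) -> str:
    """Canonicalise the request so attribute order does not create distinct keys.
    default=str keeps non-JSON values (e.g. datetime.time) deterministic."""
    canonical = json.dumps(req, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class CachingPDP:
    def __init__(self, decide: Callable[[Request], str], ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self._decide = decide                    # the real PDP evaluation (e.g. a remote call)
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}   # key -> (decision, expires_at)
        self.pdp_calls = 0
        self.hits = 0

    def evaluate(self, req: Request) -> str:
        key = cache_key(req)
        now = self._clock()
        entry = self._entries.get(key)
        if entry is not None and entry[1] > now:
            self.hits += 1
            return entry[0]
        self.pdp_calls += 1
        decision = self._decide(req)
        self._entries[key] = (decision, now + self._ttl)
        return decision

    def invalidate(self) -> None:
        """Call this when a policy or an attribute source changes: without it a
        cached Permit survives for up to ttl_seconds after the policy that granted
        it has been removed."""
        self._entries.clear()


if __name__ == "__main__":
    allowed = {"alice"}                          # stands in for the policy store
    pdp = CachingPDP(lambda r: "Permit" if r["subject-id"] in allowed else "Deny", ttl_seconds=30)
    req = {"subject-id": "alice", "resource-id": "X", "action-id": "read"}
    print(pdp.evaluate(req), pdp.evaluate(req), pdp.pdp_calls, pdp.hits)
    allowed.discard("alice")                     # policy changed at the PAP
    print(pdp.evaluate(req))                     # still cached
    pdp.invalidate()
    print(pdp.evaluate(req))                     # re-evaluated
```

Two practical points follow from the key. Volatile environment attributes such as the current time (the Bob transfer requirement) belong in the decision, but if they are copied into the request verbatim every request gets a new key and the cache never hits; either bucket them (hour of day) or let the PDP fetch them from a PIP. And the TTL is a security parameter: it bounds how long a revoked user or a withdrawn policy keeps working, so choose it against that exposure rather than only against load.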
Load Test Figures

Environment
Intel(R) Xeon(R) CPU X3440 @ 2.53GHz processor, 4 GB RAM, OS Debian 6.0 (64bit) - with a single instance of Identity Server
[-Xms1024m -Xmx2024m -XX:MaxPermSize=1024m]

Policy Complexity
L1: 10 rules per policy, each rule dealing with 1 attribute
L2: 100 rules per policy, each rule dealing with more than 10
attributes

Requests
One million XACML requests.
Requests are drawn randomly from a pool of 10,000
distinct requests.

Resources
http://people.wso2.com/~asela/xacml_load_test/
Load Test Result - Caching
Load Test Result - Thrift
Complexity of defining and
managing XACML policies
Web-based UI acting as the PAP for defining and managing
XACML policies.
XACML Policy Editors
Two policy editors: Basic and Advanced.
Integrating current authorization
logics
Standard interface for PDP and PAP
All PDP and PAP functionality is exposed
as Web services, so existing applications can call the
PDP without embedding an XACML engine.
Handling large number of policies
✓ Policy distribution
✓ On-demand policy loading
Reliability and High Availability
PDP clustering
Listing the resources a user is entitled to
What we discussed Today




Identified XACML as a standard way of
implementing authorization
How XACML answers the authorization
requirements of your organization
What the negative points of XACML are
How WSO2 Identity Server has provided an
answer to them
References
http://www.oasis-open.org/committees/xacml
http://xacmlinfo.com/
http://blog.facilelogin.com
Q and A
Customers
WSO2 Engagement Model
QuickStart
Development Support
Development Services
Production Support
Turnkey Solutions
WSO2 Mobile Services Solution
WSO2 FIX Gateway Solution
WSO2 SAP Gateway Solution
Thank You...!!!
Contact Us…
bizdev@wso2.com
Download