Add to collection(s) Add to saved
  1. No category

Grouper after Groups Enabling Net+ Services with PAP, PEP, and

advertisement 
Grouper after Groups
Enabling Net+ Services with PAP, PEP, and PDP...Oh My!
October 3rd, 2012
Bill Thompson
IAM Architect, Unicon
Chris Hyzer
Grouper Developer, University of Pennsylvania
Grouper after Groups
Contents
•
•
•
•
•
•
2 – © 2012 Internet2
XACML – Policy, Rules, and the P*P
Grouper as PAP, PDP, PEP
Access Management Strategies
Penn Example
Grouper PEP POCs (Shiro, Spring, .NET)
NET+ Services and Grouper
XACML and P*P
• XML + Request/Response – subject
allowed action on resource?
• Policy Administration Point (PAP) is used to
write policies.
• Policy Decision Point (PDP) evaluates
policies in the context of an access request
• Policy Enforcement Point (PEP) intercepts
access requests and carries out the
decisions of the PDP
2 – © 2012 Internet2
XACML and P*P
2
Request
Access
Requestor
Request
PDP
Response
1
Policy
PAP
2 – © 2012 Internet2
Response
Response
Request
PEP
Context
handler
Attributes
Subjects
PIP
XACML and P*P
2
Request
Access
Requestor
Grouper WS
Request
PDP
Response
Policy
PAP
2 – © 2012 Internet2
Grouper UI
Response
Response
Request
PEP
Application
1
Plugin or
Grouper Client
Context
handler
Grouper WS
7 – © 2012 Internet2
Grouper as “Policy” Administration Point
• Grouper Loader
• Include/Exclude Groups / Composites
• Grouper Inheritance
• Groups
• Roles
• Actions
• Resources
2 – © 2012 Internet2
Example policies
• Active faculty members can login to the
grading application
• System XYZ can view ad hoc attributes /
people in the institution community
database
• Active IT support staff can manage
applications that they work on
2 – © 2012 Internet2
Example policy in Grouper #1
Loader
• Active faculty members can login to the
grading application
Payroll
System
2 – © 2012 Internet2
Includes
Includes
Faculty
SOR
Faculty
Grading
Faculty
Role
Login
permission
Action:
assign
WS has
permission
Excludes
Excludes
Institution community
groups
Application groups
and permissions
Example policy in Grouper #2
WS get
• System XYZ can view ad hoc attributes / people
members
in the institution community database
Payroll system
Faculty
Loader
Student system
Students
Col
Col
permission
RowGroup
permission
permission
Col
Col
permission
ColSet
permission
permission
Action: select
System
entity
Institution community groups
2 – © 2012 Internet2
WS get
permissions
App groups / permissions
Example policy in Grouper #3
• Active IT support staff can manage applications
that they work on
Col
Col
permission
App1
permission
permission
Loader
Payroll system
IT
IT
org
ITorg
org
userA
Composite
Intersection
Institution community groups
2 – © 2012 Internet2
Action(s):
restartTomcat
restartApache
deploy
viewLogs
all
WS get
permissions
App
Support
Role
App groups / permissions
Grouper as “Policy” Decision Point
• Is in Group/Role? Has permissions?
–
–
–
–
Determined via loader, grouper config, inheritance,...
Effective membership
Effective permissions
Available for caching
• Has permission based on context?
–
–
–
–
Grouper Limits
Only available at time of request
Access through Web Service API
XACML-like yes/no response to PDP request
5 – © 2012 Internet2
Grouper as “Policy” Enforcement Point
• Grouper connectors for Kuali Rice, uPortal, Atlassian
• Proof-of-concept connectors for Shiro, Spring, and .NET
– Application developers can focus language/platform specific
authorization API
5 – © 2012 Internet2
Grouper POC Connectors for Authorization APIs
• Apache Shiro
–
–
Grouper group membership to Shiro hasRole
Grouper permissions to Shiro hasPermission
• Spring Security
–
Grouper group to GrantedAuthority
• .NET
–
Grouper group to .NET hasRole
• Jasig CAS
–
Course-grained access control via PersonDirectory Grouper
plugin
https://github.com/Unicon/iam-labs
5 – © 2012 Internet2
Grouper Connectors for Spring Security
Config:
<intercept-url pattern="/secure/extreme/**" access="hasRole('ss-app:supervisor')" />
<intercept-url pattern="/secure/**" access="hasRole('ss-app:user')" />
<intercept-url pattern="/**" access="hasRole('ss-app:user')" />
Code:
<sec:authorize ifAllGranted="ss-app:supervisor">
<p>You are a supervisor! You can therefore see the <a
href="extreme/index.jsp">extremely secure page</a>.</p>
</sec:authorize>
Annotations:
@PreAuthorize("hasRole('ROLE_USER')")
public void create(Contact contact);
5 – © 2012 Internet2
Grouper Connector for Apache Shrio
Config:
[urls]
/shiro-cas = casFilter
/user/** = user
/** = anon
Code:
<shiro:hasRole name="shiro-app:admin">
<shiro:hasPermission name="payroll:run">
<shiro:lacksRole/>
<shiro:hasAnyRoles/>
<shiro:hasPermission/>
<shiro:lacksPermission/>
5 – © 2012 Internet2
Grouper Connectors for .NET
Config:
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
Code:
if (User.IsInRole("Administrator"))...
Annotations:
[Authorize(Roles = "Administrator")]
public ActionResult Index()
5 – © 2012 Internet2
Grouper POC Connectors...need more work.
•
•
•
•
Caching
Scoping for applications
Permission name transformation
Invalidating cache (change log listener + call back to app via
https)
• Permissions could also be put in to Spring granted authorities
5 – © 2012 Internet2
Access Management Strategies
• ChangeLog/PSP
– propagate memberOf/eduPersonEntitlement via LDAP (consumed
directly or via SAML)
• ChangeLog
– propagate change notification, then sync (pull into) application specific
authorization data store
• Grouper Connectors for Authorization APIs
– read/cache group/permissions from Grouper upon initial access
• Grouper as PDP for permission with Limits
– Web Services call for each access decision
5 – © 2012 Internet2
Net+ Services Authorization Models
• PAP at Grouper
• PDP via Grouper effective membership/permissions
• PEP via Connectors, propagation via LDAP/SAML, or notify and pull
via Grouper WS, PSP propagate via service specific APIs or SCIM?
• Standard APIs for groups, people, and permissions provisioning
5 – © 2012 Internet2
Questions/Discussion
• Is it useful to describe Grouper in terms of P*P in the way it has
been presented? or does it confuse the matter?
• Should Grouper project support/sponsor the connectors in the
respective frameworks?
• Enterprise Access Management strategy for Net+ enablement?
5 – © 2012 Internet2
Grouper after Groups
Enabling Net+ Services with PAP, PEP, and PDP...Oh My!
Chris Hyzer
Grouper Developer, University of Pennsylvania
mchyzer@isc.upenn.edu
Bill Thompson
IAM Architect, Unicon
wgthom@unicon.net
https://github.com/Unicon/iam-labs
http://www.internet2.edu/grouper/
https://spaces.internet2.edu/display/groupertrain/Grouper+Training
Related documents
lite-ui-permissions-part3
lite-ui-permissions-part3
Introduction to Grouper Client
Introduction to Grouper Client
Ch8
Ch8
dev-permissions
dev-permissions
PPT 2100 KB
PPT 2100 KB
IAM Overview and Self
IAM Overview and Self
Download
advertisement