Versions Compared

Old Version 30

changes.mady.by.user Greg Jansen

Saved on

compared with

New Version 31

changes.mady.by.user Greg Jansen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • This authorization provider will delegate authorization decisions to a XACML PDP.
  • Policies might be stored in the repository tree (see JCR 2.0 16.3 and JBossLDAPPolicyLocator as an example)
  • ?? Standard and customized XACML attribute mappings could be stored in the repository. (JCR query, data type, attribute ID)
    • Write an "attribute finder" based on relative JCR XPath.
  • ModeShape Question: How best to store policies within the repository? (normal nodes/properties or possibly behind the AccessManager API)

Option: Internal PDP vs. External

  • Use JCR API for attribute lookups
  • Less penalty for light authZ requests (i.e. use more attribute lookups based on Fedora object model)
  • ??

Possible Components

  • JBoss XACML Engine
  • JBoss SAML PDP endpoint (takes SAML payload + XACML request over SOAP)
  • Security attributes source (typically configured at container level, e.g. Shibboleth)
    • Can we contain this variability using Principals? Installers configure or write their own serializable Principal objects, based on their attribute source?
  • Some useful reference implementations of Fedora authorization policy

Requirements

  • Support a fedora admin container role - Reasonable performance is important when intercepting every request. In addition to performance optimizations, the PEP should allow a bypass method for requests considered pre-authorized for all repository actions by virtue of some container role.
  • Repository admin should be able to update access policy on his/her items
  • Content owner should be able to update access policy on his/her items
    • Who is the content owner? Is this a feature of the RBAC profile (owner as role) or a general authorization feature? Or both? (I think owner is probably a role)
    • If we define a Fedora owner property, then we have to restrict updates to it as well.
  • Support permission of specific actions, such as patch SPARQL update, as well as generic actions, like create, read, update and delete.
    • Fedora API may not be granular enough in all cases, modifyDatastreams is in the API, but some of the datastreams might be restricted.
  • Access should be controlled when an item is searched.
    • Need specifics here.  What metadata is protected on these items? How will we facilitate end-user authorization requests without providing some metadata?
  • Access should be controlled when resource is requested directly
  • Allow resources to be protected at the jcr node level
    • Do we want policy language to reflect the Fedora API or the Fedora object model?
      • The object model. The object model is the common set of notions for the entire repository. It is entirely plausible that parties will introduce new APIs, and we don't want to incur or inflict the cost of rewriting au th code. (  A. Soroka )
  • Allow users to authenticate via Shibboleth, CAS, LDAP.
    • Yes, but this should be a container concern.  It would be great if LDAP user metadata could be packaged as SAML for the PEP.
  • Support for users granting permissions to applications via OAuth. (see below)
  • Support for decision caching (JBoss XACML decision cache)

XACML Authorization Extension: Content Roles and Policies

Assigning Content Roles

This is an optional approach to Fedora authorization in which users (security principals) are assigned named content roles on Fedora objects. The roles assigned in the tree of Fedora objects can be used in authorization mechanisms to confer broad access privileges. These authorization mechanisms (implementations of the AuthorizationProvider interface) can easily retrieve content roles specific to a Fedora object or JCR path.

Fedora defines some useful conventions for content roles:

  • owner Owner - This is a read/write role that also allows the user to assign roles to others.
  • Content roles are stored on a Fedora object mixin node - authorization mechanism must enforce edit privileges on this node.
  • Content roles are inherited from higher up in the tree of Fedora objects.
  • New roles may be added lower in the tree of Fedora objects.
  • Role inheritance can be blocked at any point in the tree.
  • Content roles have no effect on the privileges granted to user roles (originating in container auth) or conferred by other means.

 

...

  • .
  • Roles can be assigned to any security principal that is available in the Fedora security context.
    • This can include things like a user, a named IP range, LDAP group or organizational affiliation

...

    • .
    • Can

Reference Profile: Role-Based Access Control (RBAC)

One way to implement XACML authorization is to write policies around user roles, i.e. recognizable sets of permissions. This separates the determination of user roles from the policies that determine permitted actions. Fedora 4 beta ships with a RBAC reference profile. It consists of a set of role-based XACML policies and metadata conventions for assigning roles within the repository on the basis of the authenticated request attributes.

Requirements
  • Role assignment can
    • be based of Shibboleth supplied x.520
    attributes (
    • headers
    • Are there useful CAS attributes other than username? Do CAS implementations use LDAP, for instance?
    )
    • You can also assign roles to the Everyone principal, present in every Fedora security context.
  • A query can retrieve all content roles assigned to an object or a principal.

Role-Based Policy Set

Fedora provides a reference set of XACML policies formulated around content roles. These policies are written per role, so you can add whichever role/policy combinations you need to your repository.

  • Do we support policies with additive permissions?
  • Support for inheritance of roles assigned in the repository tree.
  • Support for override of inherited roles at any object level.
  • Support for policies with additive permissions (role B policy has all permissions of role A policy)  
  • Examples Provide examples of custom attributes being used in policies (a publication flag or embargo date, for instance)
  • Support for indexing all the roles assigned to an object (Sequencer that updates a derived property in JCR?)

Authorization Example: Modify Datastreams

Inputs:

  • REST path (and translated as JCR path)
  • list of datastreams to delete
  • new datastreams as Multipart

JCR operations:

  • zero or more remove node calls
  • zero or more create node calls

Authorization metadata (has permission for all above JCR calls):

  • user principals (user, group)
  • roles assigned to principals (for RBAC, possibly stored in Mode's AccessControlManager ACL)
    • coming from the object above the datastream or higher up
  • Just enforcing who can modify datastreams means determining node type and checking for that specific permission with respect to the role.
  • Restricting by datastream name or other metadata?

REST API-Based Authorization

...