F4 alpha 2 |
---|
Table of Contents |
---|
Overview
Excerpt |
---|
Fedora 4 authorization is designed to be fine grained, while at the same time manageable by administrators and end users. Authentication is tied to the servlet container or OAuth tokens, but authorization mechanisms are open to extension and many reference implementations are included. Roles-based access control is an included feature that makes permissions more manageable and at the same time easier for external applications to retrieve, index and enforce. Finer grained security checks have no impact on the performance of requests that have a Fedora administrator role. |
Use Cases
- Researcher control the polices on their own objects
- Distributed authentication and authorization
- University of North Carolina at Chapel Hill
- Unified Authorization
- Setting Individual Permissions
- Yale University
- Fedora managing access conditions
- Programmers use API for access condition support in external systems, i.e. HydraTitle (goal)
- Applications use API for updating access conditions stored in Fedora
- University of Wisconsin - Madison
- Islandora
- Hydra
- Avalon Media System
Container Authentication
User authentication is generally handled by the Servlet container, i.e. Tomcat, JBoss AS, Jetty, etc. Authenticated requests will arrive at Fedora servlets with a non-null values for getRemoteUser() and getUserPrincipal().
...
Info | ||
---|---|---|
| ||
Implementations may configure the servlet container to employ any user authentication mechanism that meets specifications. This is container-specific, but usually includes JAAS, LDAP, CAS, Shibboleth, etc.. |
Additional Security Principals
Access may hinge on additional security principals that are specific to an organization. These principals are often based on Shibboleth, LDAP, CAS, databases and other sources. Additional principals can be included in authorization by implementing a PrincipalFactory. A PrincipalFactory examines Servlet requests and returns a set of additional principals. Examples include a named IP range, an affiliation or group from a Shibboleth header, principals extracted from SAML payloads, etc.. Fedora provides a configurable HeaderPrincipalFactory that extracts principals from headers.
...
Info | ||
---|---|---|
| ||
Fedora ships with this simple principal factory that creates string-based security principals from request headers. This is useful in cases, like the Apache HTTP Shibboleth module, where additional attributes are supplied as request headers. |
OAuth 2.0 User Authentication
This feature allows a user to sign-in via a third-party service, such as Google, Yahoo or Facebook. The result of the OAuth 2.0 authentication flow is a username and access to whatever user account details are within the authorized scope, such as email address. Fedora is then free to use these user details to create a local user account or assign privileges as required for Fedora authorization. (All that this work flow provides is user authentication.)
OAuth Roles
- Client Application - Fedora
- Authorization Service - Google, etc..
- Resource Server - Fedora
OAuth 2.0 Application Authorization
From the OAuth 2.0 specification:
...
Applications can be authenticated by means of token credentials generated through the OAuth 2.0 framework. Subject to the practical limitations explored below, Fedora will be designed such that application authorization can happen within the OAuth workflow. While OAuth is supported and encouraged, applications can still use container-level authentication, obtaining a container role and matching access. Therefore OAuth support is not required of all Fedora client applications.
OAuth Roles
- Client Application - custom front end, fedora proxy, or message-driven service
- Authorization Service - Fedora
- Resource Server - Fedora
OAuth Token Scopes
scope | authorizer | definition |
---|---|---|
forward credentials | fedoraAdmin role | ability to forward end-user credentials in headers |
fedora administrator | fedoraAdmin role | ability to act in the fedoraAdmin role |
* on behalf of X | fedoraUser X | ability to forward end-user X user principal |
read only | both | may only read data |
until time T | both | authorizes for a limited time T |
* for future consideration: A user with the fedoraUser role could grant tokens within a scope that is limited by their own user id credentials. The application would be able to act on their behalf. One token per app user is the OAuth model we commonly see. Otherwise an app would have to track which token to use within some smaller context.
FAQ
- Are OAuth mitigated operations subject to the access restrictions imposed on the user who authorized the token? (or the on-behalf-of user)
- Then ACL restrictions on the user would need to apply equally to the token-based requests they have authorized.
- Can an OAuth tokens be used as principals and assigned access roles within the repository?
- Yes, access tokens may be assigned roles within the repository. This is especially useful for limited application access to a subtree.
- How are scopes combined?
- Each scope imposes additional limitations upon the access granted to the token. So "read only" and "fedora administrator" combine to make a token that can read all the data in the repository. It doesn't make much sense to combine "on-behalf-of" with "fedora administrator" or "forward credentials" since the result token would effectively only have on-behalf-of X access.
Forwarding Security Credentials
Since applications often act on behalf of end users with extended security attributes, such as those from Shibboleth, the ability to forward credentials to a central point of authorization is key. Regardless of the approach used for authentication of third-party applications, these applications will need to forward security attributes on behalf of end users for authorization. An example of this pattern is the X-Forwarded-For header often used in web proxies, which we can use to forward the end-user IP address.
...
- In servlet container authentication, forwarding with require the container role of fedoraProxy.
- In OAuth token authentication, the token must include the scope forward credentials.
Access Roles API
The access roles API is a Fedora module that you manage the assignment of access roles throughout the repository tree. For details, please see the Access Roles Module.
Fedora Policy Enforcement Point (PEP)
Fedora includes an extension point that allows installers to build their own enforcement logic for all Fedora actions. A PEP enforces appropriate access for fedora users and their proxies, i.e. applications acting on their behalf. The PEP interface is simple, for details please see Policy Enforcement Points. Some policy enforcement points may be roles-aware, meaning that they leverage role assignments from the Access Roles API.
...
Info | ||
---|---|---|
| ||
The XACML PEP forwards authorization requests to a XACML policy decision point. It is aware of access roles and may also make determinations on the basis of a wide range of Fedora object and datastream properties. Policy sets may be customized for different part of the repository tree. For detail please see the XACML PEP. |
Authorization for Non-Node REST API
These endpoints in the REST API will require the fedoraAdmin container role or the fedora administrator OAuth token scope:
...
* or OAuth token with equivalent scope
Code Repository
The Fedora AuthN/AuthZ modules are in development here:
...