Using ANSI Role-Based Access Control

Dec 13, 2013

© Copyright 2013 Pivotal. All rights reserved.

CON2381


Using ANSI Role-Based Access Control to Secure Java Enterprise Applications


Shawn McKinney, Principal, JoshuaTree Software


John Field, Solutions Architect, Pivotal

23 September 2013 11:30a

JavaOne

Hilton - Golden Gate 6/7/8

San Francisco CA


Agenda


RBAC intro


Common RBAC misconceptions


How to implement


Where to enforce


Demo Fortress RBAC


Wrap-up



INCITS 359 RBAC components

1. RBAC0: Core - Users, Roles, Perms, Sessions
2. RBAC1: Hierarchical Roles
3. RBAC2: SSD - Static Separation of Duties
4. RBAC3: DSD - Dynamic Separation of Duties


Common RBAC Misconceptions


"A ROLE is just a 'group of users', à la Unix, right?"

False

A group is a collection of entities (its members may be users). A role, by contrast, is a many-to-many mapping between users and permissions.


"...Well then a role is just a collection of permissions?"

False

Again, a role is a many-to-many mapping between users and permissions.


"Our Java/JEE/Spring/LDAP ACL/Unix/DB checker can handle RBAC already"

Perhaps... but only if it can do this:

Perform selective role activation, in support of the principle of least privilege, during logon.

Perform updates and interrogations of user access to roles and permissions in real time.


"It's an academic model and will never work in the real world"

False

RBAC has been in use for decades.

Check out: http://csrc.nist.gov/groups/SNS/rbac/case_studies.html



"The whole point is to reduce the number of entitlements being managed by our security administrators"

False

Common API and data model used for policy enforcement, administration and review functions.

Ensures best practices are followed for regulatory compliance purposes.

Disparate apps plug into enterprise systems because they behave the same semantically.

Simplifies application security integration.



"Only works when the user population performs the same repetitive job tasks, and not good for complex jobs, i.e. knowledge-based workers"

False

Roles may carry a set of rules governing when to assign and/or activate them.

Every application and system needs RBAC regardless of user type.


"Our application/work center uses over 100 Roles. Therefore RBAC isn't helping anything."

False

If you have over 100 Roles for a single application you did something wrong.

Take a look at how you define and enforce the security policy. Are you using the Role as if it were a Permission?



"RBAC doesn't help enough with managing what our administrators do"

True

You need a privileged identity management strategy for that.

There has not been a big push in this area.

See Administrative Role-Based Access Control (ARBAC).



"... is not a Panacea"

True

Will not be a cure for all past ills.

Will provide a base upon which to build a successful IAM strategy going forward.

Will provide the tools with which to repair applications that use broken security models.


"Nothing's going on there anymore. It's obsolete"

False

R&D is ongoing in the RBAC space.

New standards, products and techniques are being created:

RBAC Base Standard (ANSI 359-2011) update

RBAC Implementation and Interoperability (RIIS), 2011

RBAC Policy-Enhanced Standard (RPE), 494-2011



"Nobody's been able to implement it yet because the spec is too complex."

False

RBAC has been (largely) ignored by commercial IAM vendors, but not due to technical complexity.

RBAC has been working within infrastructure products (e.g. operating systems and databases) for years.

Now making a comeback in off-the-shelf IAM products... check out Fortress.



Common RBAC Misconceptions: Extra Credit

"We can't use it for fine-grained authorization"

False

The INCITS 359-2011 RBAC Base standard describes a many-to-many mapping between objects and operations, which allows instance data to be mapped.

INCITS 494-2012 RBAC Policy Enhanced adds attribute modifiers on permissions specifically to provide support for fine-grained authorization.


"Does not support attributes... so we use attribute-based access control instead."

False

The RBAC Base standard, 359-2011, was updated to support more granular authorizations, i.e. support for attributes on permissions.

The RBAC Policy-Enhanced Standard, 494-2011, provides support for dynamic constraints implemented at runtime.



"Role-Role Static SoD is just too simple to work. It only works at the role level and the toxic relationships are always between permissions."

False

INCITS 494-2012 RBAC Policy Enhanced, section 5.4.2.2 Permission-permission (Static), specifically deals with this use case.

Or, use traditional INCITS 359 and use Static SoD in conjunction with Hierarchical Roles. Do not assign roles that have toxicity directly to Users.



How to Implement RBAC Engine

Three steps to ANSI RBAC


Step 1 - Stack

Choose a network and database stack.


Step 2 - Design a simple RBAC data model

Follow ANSI INCITS 359.

Five basic elements:

1. User - human or machine entity
2. Role - a job function within the organization
3. Object - maps to system resources
4. Operation - executable image of a program
5. Permission - approval to perform an Operation on one or more Objects



Step 3 - Design a simple RBAC software model

Follow ANSI INCITS 359.

Three standard interfaces:

1. Administrative - CRUD
2. Review - policy interrogation
3. System - policy enforcement

The implementation may be swapped in future for another RBAC engine without impacting dependent applications.



Fortress Demo

[Architecture diagram. Coarse-grained path: JVM > Tomcat > Java EE Security (Tomcat Realm) > Fortress RBAC Proxy > Fortress RBAC PDP. Fine-grained path: Spring Page Security (Java EE Pre-authentication Filter) > Apache Wicket > Fortress RBAC PEP > Wicket Base Page, Wicket Links, Wicket Buttons. Granularity runs from coarse (container) to fine (Wicket component).]

Users:

user1: assigned role_test1, role_test2, role_test3

user2: assigned role_test2

user3: assigned role_test3

Perms:

page1.button1, page1.button2, page1.button3: granted to role_test1

page2.button1, page2.button2, page2.button3: granted to role_test2

page3.button1, page3.button2, page3.button3: granted to role_test3

Dynamic SoD:

Role Set: [role_test1, role_test2, role_test3]

cardinality = 2 (only two of three may activate)
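The following is an added example written for this page, not code from the deck and not the Fortress API. It implements Steps 2 and 3 above (the five elements, the three interface groups) against the demo's users, roles, permissions and DSD set, and also shows the advice from the "Role-Role Static SoD" slide: enforce SSD over the authorized closure of a role hierarchy so that toxic junior roles never need to be assigned directly. The role names ap_clerk, ap_manager, create_invoice and approve_invoice, and the reading of "cardinality" as a maximum count, are assumptions stated in the comments.

```java
import java.util.*;

/** Added example for this page (not code from the deck and not the Fortress API): a minimal in-memory
 *  engine with the INCITS 359 structure and the deck's three interface groups. Role names other than
 *  the demo's (ap_clerk etc.) are assumed for illustration. */
public class MiniRbac {
    /** Permission: approval to perform an Operation on an Object. */
    public record Perm(String object, String operation) {}
    /** SoD set: at most 'limit' roles from 'roles' may be authorized (SSD) or active (DSD). The deck reads
     *  "cardinality = 2" as "only two of three may activate"; INCITS 359 phrases it as "no n or more", n = limit + 1. */
    private record SodSet(Set<String> roles, int limit) {
        boolean violatedBy(Set<String> held) { return held.stream().filter(roles::contains).count() > limit; }
    }
    private record Session(String user, Set<String> activeRoles) {}

    private final Map<String, Set<String>> userAssignments = new HashMap<>(); // UA: user -> assigned roles
    private final Map<String, Set<Perm>> rolePerms = new HashMap<>();         // PA: role -> permissions
    private final Map<String, Set<String>> juniors = new HashMap<>();         // RH: senior -> inherited juniors
    private final List<SodSet> ssd = new ArrayList<>(), dsd = new ArrayList<>();
    private final Map<String, Session> sessions = new HashMap<>();

    // ---- Administrative interface (CRUD) ----
    public void grantPermission(String role, String object, String op) { rolePerms.computeIfAbsent(role, k -> new HashSet<>()).add(new Perm(object, op)); }
    public void addInheritance(String senior, String junior) { juniors.computeIfAbsent(senior, k -> new HashSet<>()).add(junior); }
    public void addSsd(Set<String> roles, int limit) { ssd.add(new SodSet(Set.copyOf(roles), limit)); }
    public void addDsd(Set<String> roles, int limit) { dsd.add(new SodSet(Set.copyOf(roles), limit)); }
    /** SSD is checked at assignment over the authorized closure (assigned plus inherited), so a toxic pair
     *  of junior roles is caught even though only senior roles are ever assigned directly. */
    public void assignUser(String user, String role) {
        Set<String> proposed = new HashSet<>(assignedRoles(user));
        proposed.add(role);
        Set<String> authorized = closure(proposed);
        for (SodSet s : ssd)
            if (s.violatedBy(authorized)) throw new IllegalStateException("SSD violation: " + user + " over " + s.roles());
        userAssignments.put(user, proposed);
    }

    // ---- Review interface (policy interrogation) ----
    public Set<String> assignedRoles(String user) { return userAssignments.getOrDefault(user, Set.of()); }
    public Set<String> authorizedRoles(String user) { return closure(assignedRoles(user)); }

    // ---- System interface (policy enforcement) ----
    /** Selective activation: the session holds only the roles requested at logon (least privilege). */
    public String createSession(String user, Set<String> rolesToActivate) {
        if (!authorizedRoles(user).containsAll(rolesToActivate))
            throw new IllegalArgumentException(user + " is not authorized for all of " + rolesToActivate);
        checkDsd(rolesToActivate);
        String id = UUID.randomUUID().toString();
        sessions.put(id, new Session(user, new HashSet<>(rolesToActivate)));
        return id;
    }
    public void addActiveRole(String sessionId, String role) {
        Session s = Objects.requireNonNull(sessions.get(sessionId), "no such session");
        if (!authorizedRoles(s.user()).contains(role)) throw new IllegalArgumentException("not authorized: " + role);
        Set<String> proposed = new HashSet<>(s.activeRoles());
        proposed.add(role);
        checkDsd(proposed);                  // DSD is checked at activation time, per session
        s.activeRoles().add(role);
    }
    public boolean checkAccess(String sessionId, String object, String op) {
        Session s = sessions.get(sessionId);
        if (s == null) return false;         // unknown session: fail closed
        Perm wanted = new Perm(object, op);
        for (String r : closure(s.activeRoles()))
            if (rolePerms.getOrDefault(r, Set.of()).contains(wanted)) return true;
        return false;
    }

    private void checkDsd(Set<String> active) {
        for (SodSet d : dsd)
            if (d.violatedBy(active)) throw new IllegalStateException("DSD violation: " + active + " over " + d.roles());
    }
    /** Transitive closure over the role hierarchy: the given roles plus everything they inherit. */
    private Set<String> closure(Set<String> roles) {
        Set<String> seen = new HashSet<>();
        Deque<String> work = new ArrayDeque<>(roles);
        while (!work.isEmpty()) {
            String r = work.pop();
            if (seen.add(r)) work.addAll(juniors.getOrDefault(r, Set.of()));
        }
        return seen;
    }

    public static void main(String[] args) {
        MiniRbac rbac = new MiniRbac();
        for (int p = 1; p <= 3; p++)        // the deck's demo data: pageN.buttonM granted to role_testN
            for (int b = 1; b <= 3; b++) rbac.grantPermission("role_test" + p, "page" + p, "button" + b);
        for (String r : List.of("role_test1", "role_test2", "role_test3")) rbac.assignUser("user1", r);
        rbac.assignUser("user2", "role_test2"); rbac.assignUser("user3", "role_test3");
        rbac.addDsd(Set.of("role_test1", "role_test2", "role_test3"), 2);
        String s1 = rbac.createSession("user1", Set.of("role_test1"));   // logon with one of three roles
        System.out.println(rbac.checkAccess(s1, "page1", "button1"));     // true
        System.out.println(rbac.checkAccess(s1, "page2", "button1"));     // false: assigned but not activated
        rbac.addActiveRole(s1, "role_test2");                             // 2 of 3: allowed
        try { rbac.addActiveRole(s1, "role_test3"); } catch (IllegalStateException e) { System.out.println(e.getMessage()); } // 3 of 3: DSD blocks it
        // SSD plus hierarchy (assumed roles): the toxic juniors are only ever reached through seniors
        rbac.addInheritance("ap_clerk", "create_invoice"); rbac.addInheritance("ap_manager", "approve_invoice");
        rbac.addSsd(Set.of("create_invoice", "approve_invoice"), 1);
        rbac.assignUser("user4", "ap_clerk");
        try { rbac.assignUser("user4", "ap_manager"); } catch (IllegalStateException e) { System.out.println(e.getMessage()); } // would authorize both: refused
    }
}
```

Two points the demo data alone does not show: checkAccess answers from the roles active in the session, not from everything the user is assigned, which is what the "selective role activation" misconception slide is about; and the SSD check runs over the inherited closure, so the toxic create_invoice/approve_invoice pair is refused even though only ap_clerk and ap_manager are ever assigned.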


Where to download

Fortress Demo

http://iamfortress.org/WicketRbac


John Field

Where to Enforce


RBAC Enforcements: Reference Model

[Layer diagram, bottom to top: Platform - SELinux (LSM Access Vector Table; MAC & RBAC); JVM (Java SecurityManager); Geronimo with its JACC provider, hosting OpenEJB (EJB) and Tomcat (Servlet), each marked MAC & RBAC; App Framework; Application SSB and Application Servlet. A JASPIC Authentication Provider sits beside the container.]

Candidate locations for RBAC enablement:

1. Application
2. Application Framework
3. JEE Container
4. JACC Provider
5. Java Security Manager
6. Platform


Where to Enforce: (1) Application

Offers maximum control, but not always feasible, and may not suffice.

Enables targeted, fine-grained controls in new applications.

Adding RBAC to an existing app may imply refactoring.

Can be challenging if the original developers have departed.

Carries a potential risk of code tangling: mixing security enforcement code with app business logic.

Benefits of RBAC adoption are only incremental, per app. The greatest ROI accrues when RBAC is adopted across the enterprise.


Where to Enforce: (2) Application Framework

Enables broad adoption; maintains appropriate Separation of Concerns.

Good approach when the application already leverages an existing development framework, such as Wicket or Spring.

Application developers can focus on use cases, and stay out of the security enforcement business.


RBAC Enablement via Application Framework Beans

Wicket: e.g., RBAC-aware page, link and button classes.

Spring Security: RBAC-aware AccessDecisionManager and RoleVoter beans; FilterChainProxy bean.


Where to Enforce: (3) JEE Container

Fortress Java Sentry provider for the Tomcat Realm

The Tomcat Realm defines the provider interface from the container-managed PEP to a back-end PDP.

E.g. implements interface org.apache.catalina.Realm.

E.g., JDBC database, JNDI directory, or another custom provider.

Fortress Java Sentry provides an RBAC Realm for both Tomcat 6 and 7.

True RBAC compliance for any application deployed with container-managed security.


RBAC Enforcement via Tomcat Realm

Configuring Fortress Java Sentry in /conf/server.xml

<Engine name="Catalina" defaultHost="localhost">

  <!-- Fortress Sentry Realm Configuration -->
  <Realm className="us.jts.sentry.tomcat.Tc7AccessMgrProxy"
         debug="0" resourceName="UserDatabase" containerType="Tomcat7"
         realmClasspath="/opt/pivotal/fortress/sentry-1.0-RC29/conf:/opt/pivotal/fortress/sentry-1.0-RC29/dist/fortressSentry-1.0-RC29.jar"/>

</Engine>


Where to Enforce: (3) JEE Container, continued

Secure the deployment infrastructure, rather than individual apps.

Enables the enterprise security architect to drive uniform adoption, and maximize the ROI.

Ensures consistent service levels across applications; avoids redundancy.

Improves Data Center operational processes, including System Managers, Audit and Regulatory Compliance.


Where to Enforce: (4) JACC Provider

A standards-compliant approach for heterogeneous infrastructures.

JSR-115 defines the JACC standard: Java Authorization Contract for Containers.

Defines a standard security SPI to plug into the JEE container.

Covers both the deployment-time contract and the run-time contract.

Goal: interoperability of a provider across different containers, e.g., WLS, WAS, Geronimo, etc.

Unifies enforcement semantics for Java EE and Java SE.


RBAC Enforcement via an Existing JACC Provider

AOP advice enables injection of true RBAC into any compliant provider.

What if we can't replace the existing JACC provider?

Use Aspect Oriented Programming with Load-Time Weaving to supplement the existing JACC provider with Advice.

Intercept the Policy.implies(protectionDomain, permission) method at runtime, and add a supplementary RBAC check.

If the permission is not an RBAC one, let the existing JACC implementation handle the request.

Pivotal POC Implementation

[The same layer diagram as the reference model above, used as the backdrop for the POC.]

POC Implementation

[Layer diagram with the Pivotal Security Interceptor inserted: PSI-Proxy at the JACC layer, PSI-PEP at the App Framework layer, both backed by PSI-Impl, which calls the Fortress RBAC PDP.]

PSI: Pivotal Security Interceptor

PSI-PEP: Policy Enforcement Point; AOP Advice on the App Framework

PSI-Proxy: AOP Advice on JACC

PSI-Impl: uses the Fortress client

RBAC Enforcement via JACC: Defining the AOP Advice

pointcut onPolicyImplies(ProtectionDomain pd, Permission fcp):
    call(public boolean Policy+.implies(ProtectionDomain, Permission)) && args(pd, fcp);

boolean around(ProtectionDomain pd, Permission fcp) : onPolicyImplies(pd, fcp) {
    // Ask the existing JACC provider first.
    boolean result = proceed(pd, fcp);
    // Supplement only a denial, and only for permission types the RBAC policy covers.
    // permissionType, resource, operation and principal are derived from fcp and pd;
    // the slide does not show that derivation.
    if ((!result) && permissionType.equals("RBAC")) {
        result = fortress.checkAccess(resource, operation, principal);
    }
    return result;
}

RBAC Enforcement via JACC: Configuring the AOP Advice

<aspectj>
  <aspects>
    <aspect name="com.gopivotal.security.pep.Jacc.advice"/>
  </aspects>
  <weaver options="-verbose -showWeaveInfo"/>
</aspectj>
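An added example, not the slide's pseudocode and not Pivotal's PSI code: the same advice in annotation-style AspectJ, so it compiles as ordinary Java against aspectjrt and can be named in the aop.xml above, with the parts the slide elides filled in. Assumptions: RbacPdp is a hypothetical PDP interface standing in for the Fortress client (the real Fortress API is different); the "RBAC" permission type is taken to be javax.security.jacc.WebResourcePermission, matched by class name so the JACC API is not needed on the compile classpath; and the caller's principals are read from the ProtectionDomain the container passes to implies().

```java
import java.security.Permission;
import java.security.Principal;
import java.security.ProtectionDomain;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;

/** Added example (not the deck's or Pivotal's code): supplement an existing JACC provider's denial
 *  with an RBAC decision, leaving every other outcome untouched. */
@Aspect
public class JaccRbacAdvice {

    /** Assumed PDP contract (hypothetical): may 'principal' perform 'operation' on 'resource'? */
    public interface RbacPdp {
        boolean checkAccess(String principal, String resource, String operation);
    }

    /** Installed at startup by whatever bootstraps the PDP client; deny-by-default until then. */
    static volatile RbacPdp pdp = (principal, resource, operation) -> false;

    /** The JACC permission that models HTTP access to a URL (assumed to be the deck's "RBAC" type). */
    private static final String WEB_RESOURCE_PERMISSION = "javax.security.jacc.WebResourcePermission";

    @Pointcut("call(public boolean java.security.Policy+.implies(java.security.ProtectionDomain, java.security.Permission))"
            + " && args(pd, perm)")
    public void onPolicyImplies(ProtectionDomain pd, Permission perm) {}

    @Around("onPolicyImplies(pd, perm)")
    public Object supplementWithRbac(ProceedingJoinPoint pjp, ProtectionDomain pd, Permission perm) throws Throwable {
        Object providerDecision = pjp.proceed(new Object[] {pd, perm});
        if (Boolean.TRUE.equals(providerDecision)) {
            return providerDecision;                 // existing provider granted: nothing to add
        }
        if (!WEB_RESOURCE_PERMISSION.equals(perm.getClass().getName())) {
            return providerDecision;                 // out of RBAC scope: keep the provider's answer
        }
        return Boolean.valueOf(rbacDecision(pd, perm));
    }

    /** For a WebResourcePermission built from a request, getName() is the request path and getActions()
     *  the HTTP method (null meaning any method); the caller's principals are on the ProtectionDomain. */
    static boolean rbacDecision(ProtectionDomain pd, Permission perm) {
        Principal[] principals = pd.getPrincipals();
        if (principals == null || principals.length == 0) {
            return false;                            // unauthenticated caller: fail closed, do not ask the PDP
        }
        String resource = perm.getName();
        String operation = perm.getActions() == null ? "*" : perm.getActions();
        for (Principal p : principals) {
            if (pdp.checkAccess(p.getName(), resource, operation)) {
                return true;
            }
        }
        return false;
    }
}
```

The aspect's fully qualified class name is what goes in the aop.xml <aspect name="..."/> element. One caveat that matters for load-time weaving: a call() pointcut is woven into the caller, i.e. the container code that invokes Policy.implies, so the weaver's include list must cover those container classes; an execution() pointcut on the same signature is woven into the provider class itself and only needs the provider on the weaving path. Either way the advice never turns a grant into a denial, leaves non-web permissions to the provider, and denies an unauthenticated caller outright rather than consulting the PDP with an empty principal set.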


Where to Enforce: (5) Java SecurityManager

Unified interface enables JACC providers to enforce at the JVM level.

A compliant JACC provider may delegate any out-of-scope request to the existing JVM SecurityManager, if any.

A compliant JACC provider may also be configured as a Java SE SecurityManager.


Where to Enforce: (6) Platform

RBAC enablement, even for privileged users and processes.

Assurance is only as good as the underlying platform.

Use of RBAC with facilities such as SELinux can provide a technical enforcement mechanism for privileged users, e.g. SoD for deployment engineers, system operators, and DBAs.

Centralized policy store, rather than per-machine policy management and audit.


Summary

Enterprise applications can use real RBAC now!

There is always more than one way to do it.

80/20 Rule: choose container-based enforcement, plus any other.

Solid Open Source implementation available today.


Come to the BOF: "Open Source Identity Access Management Expert Panel"

BOF 2337, Hilton, Golden Gate 6/7/8, today @ 5:30 PM


Where to find out more about the RBAC standard

http://profsandhu.com/journals/tissec/ANSI+INCITS+359-2004.pdf

http://csrc.nist.gov/groups/SNS/rbac/

http://www.wisegateit.com/resources/downloads-rbac

https://blogs.oracle.com/identitythink/entry/whats_wrong_with_the_nist_rbac



Where to find out more about the Fortress RBAC implementation


http://iamfortress.org/


http://iamfortress.org/WicketRbac