how i built an access management
play

How I Built an Access Management System Using Apache Directory - PowerPoint PPT Presentation

Jun 02, 2023 •280 likes •1.32k views

How I Built an Access Management System Using Apache Directory Fortress Shawn McKinney Nov 18, 2016 ApacheCon EU, Seville Session Objectives Learn about some access management specifications Take an unflinching look at an open source

  1. Graph Stored Flat in the Tree 1. Roles all at same e depth th 2. Use a multi-oc occur curring g paren ent t attribute ute

  2. Use Simple Directed Graph • http://jgrapht.org/ • A simple directed graph . A simple directed graph is a directed graph in which neither multiple edges between any two vertices nor loops are permitted. • http://jgrapht.org/javadoc/org/jgrapht Image from: https://code.google.com/p/fluentdot/wiki/DemoSimpleDirectedGraph /graph/SimpleDirectedGraph.html ApacheCon EU, Seville 2016 36

  3. What About Firewalls? (LDAPv3 protocol isn’t always allowed) • Core API can transmit using either LDAPv3 or HTTP. ApacheCon EU, Seville 2016 37

  4. Audit • Use OpenLDAP access log to record events: – Authentication – Check Access – Edits – Interrogations ApacheCon EU, Seville 2016

  5. Authorization Events ApacheCon EU, Seville 2016 39

  6. Administration Events 40

  7. Authorization API 41

  8. Configuration • Must be capable of retrieving properties from multiple data locations – File, directory, system properties, other • Can be extended or replaced later if need be ApacheCon EU, Seville 2016 42

  9. Use Apache Commons Configuration • Application uses façade • Properties may be overwritten at runtime

  10. Local and Remote Config ApacheCon EU, Seville 2016 44

  11. Data Model Questions • How do I represent the physical data model? • How do I represent the logical data model? • How do I support multitenancy? ApacheCon EU, Seville 2016 45

  12. Logical RBAC Model 46

  13. Logical Model

  14. Physical RBAC Model Hierarch chica cal Roles (RBAC1) 1) • Users • Roles • Permissions • Constraints Session on (RBAC0 C0) Segrega regati tion on of Duties Perm(RBA (RBAC0 C0) (RBAC2 C2 and 3) 48

  15. Physical Model - Permissions Roles es here is efficient t at runtime ApacheCon NA, Vancouver 2016 49

  16. Multitenancy Image from: https://directory.apache.org/fortress/user-guide/2.1-fortress-multitenancy.html ApacheCon EU, Seville 2016 50

  17. Multitenancy Defined ApacheCon EU, Seville 2016 51

  18. Multitenant DIT ApacheCon EU, Seville 2016 52

  19. Multitenant Object Model • Client’s id is passed in factory initialization • Lifecycle of object processes data on behalf of the client id passed during initialization – AnyMgr: • createInstance(tenantId); // Instantiate the AccessMgr implementation. AccessMgr accessMgr = AccessMgrFactory.createInstance(“Client123”);

  20. Web & Realm run in separate contexts ApacheCon EU, Seville 2016 54

  21. Caching Need it for: • Hierarchical Roles • Static Separation of Duty datasets • Dynamic Separation of Duty datasets • Organizational Structures ApacheCon EU, Seville 2016 55

  22. Use Ehcache Hide it behind a Facade 56

  23. Implementation Intro to Apache e Fortress ress Image from: http://sploid.gizmodo.com/fascinating-photos-reveal-how-they-built-the-sr-71-blac-1683754944 ApacheCon EU, Seville 2016 57

  24. Project Guidelines • Open Source with permissive license • High Quality and Well Maintained • Diverse and Active Community • Accepted and Transparent Dev Processes • Extensible and Supportable for Many Years ApacheCon EU, Seville 2016 58

  25. Project Advantages • Established Project Methodologies • Well defined and understood specifications. • Well understood technology base to build on. • 3 rd time implementing solution of this type. – Practice makes perfect ApacheCon EU, Seville 2016 59

  26. Project Dev Processes Need a sponsor that provides: • Source Code Management • Bug Tracking • Mailing Lists • Build Servers • Binary Code Distribution • Automated Testing ApacheCon EU, Seville 2016 60

  28. Overview • Sub-project of Apache Directory • Written in Java • Four Components: – Core – Java APIs + utilities – Realm – Java EE policy enforcement – Web – Administrative UI – Rest – APIs over HTTP interface ApacheCon EU, Seville 2016 62

  29. Project History http://en.wikipedia.org/wiki/Apache_Fortress

  30. History (cont) 25 Prior Releases http://mvnrepository.com/artifact/ 1 us.joshuatreesoftware http://mvnrepository.com/artifact/ 2 org.openldap http://mvnrepository.com/artifact/ 3 org.apache.directory.fortress ApacheCon EU, Seville 2016 64

  31. Page Views 1.0.0 1.0-RC42 ApacheCon EU, Seville 2016 65

  32. Maven Downloads ApacheCon EU, Seville 2016 66

  33. Open HUB ApacheCon NA, Vancouver 2016 67

  34. Open HUB Details

  35. https://directory.apache.org/fortress/downloads.html Project Releases

  36. Bug Tracking 70

  37. Static Code Analysis Excel celle lent t rule compli lianc ance SonarQube code scans run nightly: • Fortress Core: https://analysis.apache.org/dashboard/index/211987 • Fortress Realm: https://analysis.apache.org/dashboard/index/212344 • Fortress Web: https://analysis.apache.org/dashboard/index/212576 • Fortress Rest: https://analysis.apache.org/dashboard/index/212372 ApacheCon EU, Seville 2016 71

  38. Mailing List http://mail-archives.apache.org/mod_mbox/directory-fortress/ ApacheCon EU, Seville 2016

  39. http://mail-archives.apache.org/mod_mbox/directory-fortress/ Low Med activ ivity ity activity ty Crickets ckets Mailing List chirp rping

  40. Notability Concerns ApacheCon EU, Seville 2016 74

  41. Notability Concerns ApacheCon EU, Seville 2016 75

  42. Notability Concerns (cont) ApacheCon EU, Seville 2016 76

  43. Components 1. Core – Java SDK 2. Realm – Java EE Policy Enforcement 3. Rest – HTTP Interface 4. Web – HTML Interface ApacheCon EU, Seville 2016 77

  44. Either er Any y directo ctory ry is is is possib ible le Supporte rted Core System Architecture

  45. Testing

  46. Integration Tests • Full test coverage of the APIs • Positive and Negative Use Cases • No manual testing ApacheCon EU, Seville 2016 80

  47. Automated Testing https://builds.apache.org/view/All/job/dir-fortress-core-docker-test/org.apache.directory.fortress$fortress-core/

  48. Core Benchmarks • Jmeter tests for various scenarios – Fortress createSession, checkAccess – Accelerator createSession, checkAccess ApacheCon EU, Seville 2016 82

  49. Rest System Or Or Architecture Use any 3 rd rd party ty rest t lib or Fortr tress ess Core to connect nect with th Fortr tress ess Rest

  50. Or Or Web System Architecture Opti tion on to use eith ther er HTTP P or LDAPv3 Pv3 proto tocol ol

  51. Demo ApacheCon EU, Seville 2016 85

  52. Menu 1. Learn about some – - wicket-sam ample Basic integration - RBAC0 – - role-engi ginee eeri ring-sam ample Intermediate - RBAC1 – - apache-fortre tress-dem emo Advanced - RBAC2 & 3 2. Testing on - manual or selenium – Fortress Web - junit – “ ” Rest - ad ad-hoc – “ ” Console - sys-admin stuff – “ ” Command Line Interface 3. Have fun with – - setting g up, running, g, verifyi ying Multi-tenancy & / or Benchmarking ApacheCon EU, Seville 2016 86

  53. Apache Fortress Demo • Three Pages and Three Customers • One role for every page to customer combo • Users may be assigned to one or more roles • At most one role may be activated Pages Customer 123 Customer 456 Customer 789 Page One PAGE1_123 PAGE1_456 PAGE1_789 Page Two PAGE2_123 PAGE2_456 PAGE2_789 Page Three PAGE3_123 PAGE3_456 PAGE3_789 ApacheCon EU, Seville 2016 87

  54. Demo 1 Usage Policy • Both super and power users may access everything. • But power users are limited to one role activation at a time. • Super users are not restricted. Super & Power Customer 123 Customer 456 Customer 789 Users Page1 True True True Page2 True True True Page3 True True True ApacheCon EU, Seville 2016 88

  55. User123 Customer 123 Customer 456 Customer 789 Page1 True False False Page2 True False False Page3 True False False User1 Customer 123 Customer 456 Customer 789 Page1 True True True Page2 False False False Page3 False False False User1_123 Customer 123 Customer 456 Customer 789 Page1 True False False Page2 False False False Page3 False False False ApacheCon EU, Seville 2016 89

  56. Apache Fortress Demo • https://github.com/shawnmckinney/apache- fortress-demo User-tic-tac-toe Customer 123 Customer 456 Customer 789 Page1 False True True Page2 True False False Page3 True False False ApacheCon EU, Seville 2016 90

  57. Demo 2 Role Engineering Sample ApacheCon EU, Seville 2016

  58. Demo 2 Role Engineering Sample 1. Java EE Authentication and Authorization 2. Spring Page-level Authorization 3. RBAC Permission Checks – Links Declarative – Buttons 4. Other RBAC Controls – Dynamic Separation of Duty – Role Switcher ApacheCon EU, Seville 2016 92

  59. Demo 2 Role Engineering Sample https://github.com/shawnmckinney/ role-engineering-sample ApacheCon EU, Seville 2016 93

  60. Demo 2 Role Engineering Sample • Two pages • Each has buttons controlled by RBAC Permissions. • One Role per page. User to Role Buyers Page Sellers Page ssmith True False jtaylor False True Johndoe* True True * DSD constraint limits user from activating both roles simultaneously. ApacheCon EU, Seville 2016 94

  61. Demo 2 Role Engineering Sample Buyer Seller Both Permission ssmith rtaylor johndoe* 1 Item.bid True False True 2 Item.purchase True False True 3 Item.ship False True True 4 Item.search True True True 5 Account.create True True True 6 Auction.create False True True * DSD constraint limits user from activating both roles simultaneously. ApacheCon EU, Seville 2016 95

  62. Demo 3 Web Sample https://github.com/shawnmckinney/ wicket-sample ApacheCon EU, Seville 2016 96

  63. Demo 3 System Architecture IAAS AS Cloud ApacheCon EU, Seville 2016 97

  64. Security Layers with Wicket Sample 1.JSSE Confidenti entiality ty and Itegr grity ty 2.Java EE Security authN N and coarse-grai grained ed authZ 3.Web App Framework fine-gra grained ed authZ ApacheCon EU, Seville 2016 98

  65. Add Web Framework Security add( new SecureIndicatingAjaxButton( "Page1", "Add" ) { @Override protected void onSubmit( ... ) { if( checkAccess( customerNumber ) fine-gra grained ned { authori rizat zation n // do something here: } (progra grammatic) tic) else { target.appendJavaScript( ";alert('Unauthorized');" ); } } }); ApacheCon EU, Seville 2016 99

  66. Demo 3 Web Sample Github link to Wicket Sample Policy File User Page1 Page2 Page3 wsUser1 True False False wsUser2 False True False wsUser3 False False True wsSuperUser True True True ApacheCon EU, Seville 2016

Recommend

Jules Quested-Williams Built for Marketing Built for Marketing 2014 Established in 2008

Jules Quested-Williams Built for Marketing Built for Marketing 2014 Established in 2008

Jules Quested-Williams Built for Marketing Built for Marketing 2014 Established in 2008 Wealth of experience in sales and marketing strategies, people management and change management 25 years in the construction industry Built

895 views • 15 slides
Science is in trouble Information overload Built-in bias Reproducibility issues Access issues

Science is in trouble Information overload Built-in bias Reproducibility issues Access issues

Science is in trouble Information overload Built-in bias Reproducibility issues Access issues Incentives Founding team from Singularity University Anita Schjll Brede Victor Botev Maria Ritola Jacobo Elosua CEO CTO CMO CFO Has built

228 views • 21 slides
Whose Bits Are They, Anyway? Access Controlled Applications Built Around AFS DJ Byrne

Whose Bits Are They, Anyway? Access Controlled Applications Built Around AFS DJ Byrne

Whose Bits Are They, Anyway? Access Controlled Applications Built Around AFS DJ Byrne djbyrne@jpl.nasa.gov Jet Propulsion Laboratory Information Services - File/Web Service Engineer http://fil.jpl.nasa.gov/ SLAC AFS Best Practices Workshop

278 views • 17 slides
Sharon Bowles Built for Marketing Built for Marketing 2014 Established in 2008 by Jules

Sharon Bowles Built for Marketing Built for Marketing 2014 Established in 2008 by Jules

Sharon Bowles Built for Marketing Built for Marketing 2014 Established in 2008 by Jules Quested-Williams Wealth of experience in sales/marketing strategies, people management and change management 25 years in the construction

208 views • 10 slides
Whose Bits Are They, Anyway? Access Controlled Applications Built Around AFS DJ Byrne

Whose Bits Are They, Anyway? Access Controlled Applications Built Around AFS DJ Byrne

Whose Bits Are They, Anyway? Access Controlled Applications Built Around AFS DJ Byrne djbyrne@jpl.nasa.gov Jet Propulsion Laboratory Information Services - File/Web Service Engineer http://fil.jpl.nasa.gov/ 2004-03-24 SLAC AFS Best

509 views • 21 slides
Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase Automation and Security. Identity Management (IAM, IdM) defining and managing the roles and access privileges of individual network users, and the

2.89k views • 13 slides
Built for or Zero o Init itia iativ ive Built f for or Zero O o Ove vervi view Built

Built for or Zero o Init itia iativ ive Built f for or Zero O o Ove vervi view Built

Built for or Zero o Init itia iativ ive Built f for or Zero O o Ove vervi view Built for Zero is a rigorous national change effort working to help a core group of committed communities end veteran and chronic homelessness. Southern

269 views • 8 slides
Micromobility 101 e-Scooter Risk Management Built with integrity, leading through innovation.

Micromobility 101 e-Scooter Risk Management Built with integrity, leading through innovation.

Micromobility 101 e-Scooter Risk Management Built with integrity, leading through innovation. Built with integrity, leading through innovation. Topics for today Regulating Ride Share Companies Restricting Use 2 Electric Kick Scooters

438 views • 16 slides
Modern Web Access Management Zero Trust Security from onpremises to the Cloud Single

Modern Web Access Management Zero Trust Security from onpremises to the Cloud Single

Modern Web Access Management Zero Trust Security from onpremises to the Cloud Single Sign On, Access Controls, Session Management and how to use Access Management to protect applications both on premises and in the Cloud Agenda

529 views • 25 slides
Science is in trouble Information overload Built-in bias Reproducibility issues Access issues

Science is in trouble Information overload Built-in bias Reproducibility issues Access issues

Science is in trouble Information overload Built-in bias Reproducibility issues Access issues Incentives Iris.ai is helping Information overload Built-in bias Reproducibility issues Access issues Incentives Iris.ai 4.0 works with the

381 views • 16 slides
Management the RVR Way A Foundation Built on Knowledge and Trust Working for You Russell Vacation

Management the RVR Way A Foundation Built on Knowledge and Trust Working for You Russell Vacation

Management the RVR Way A Foundation Built on Knowledge and Trust Working for You Russell Vacation Rentals was created by Scott Russell and John Russell to realize their vision of a vacation rental management company that combines a high degree of

163 views • 12 slides
Built-In Self Test Smith Text: Chapter 14.7 Mentor Graphics: LBISTArchitect Process Guide

Built-In Self Test Smith Text: Chapter 14.7 Mentor Graphics: LBISTArchitect Process Guide

Built-In Self Test Smith Text: Chapter 14.7 Mentor Graphics: LBISTArchitect Process Guide Top-down test design flow Source: FlexTest Manual Built-In Self-Test (BIST) Structured-test techniques for logic circuits to improve access to

421 views • 26 slides
The Industry Barge Project Who built it? The consensus is that it was built by the

The Industry Barge Project Who built it? The consensus is that it was built by the

The Industry Barge Project Who built it? The consensus is that it was built by the Portadown Foundry, Portadown, Co Armagh. When was it built? Research to date suggests that it pre-dates 1900, but we are not exactly sure when

631 views • 26 slides
A Paradigm Performance Farming for Water We have built a watershed management product for the

A Paradigm Performance Farming for Water We have built a watershed management product for the

Farming in Americas Breadbasket A Paradigm Performance Farming for Water We have built a watershed management product for the agricultural supply chain, especially the producer and his/her suppliers and customers. It is based in the

353 views • 6 slides
Data Access and File Management vanilladb.org Outline Storage engine and data access

Data Access and File Management vanilladb.org Outline Storage engine and data access

Data Access and File Management vanilladb.org Outline Storage engine and data access Disk access Block-level interface File-level interface File Management in VanillaCore BlockID Page FileMgr 2 Outline

891 views • 50 slides
Identity and Access Management with the INDIGO IAM service Andrea Ceccanti

Identity and Access Management with the INDIGO IAM service Andrea Ceccanti

Identity and Access Management with the INDIGO IAM service Andrea Ceccanti andrea.ceccanti@cnaf.infn.it EOSC-Hub AAI Tech Talk Europe, Earth, June 15th 2018 INDIGO Identity and Access Management service Flexible authentication support (SAML,

430 views • 24 slides
CSE 143 Streams as C++ Classes Streams are C++ classes Streams have lots of built-in

CSE 143 Streams as C++ Classes Streams are C++ classes Streams have lots of built-in

CSE 143 Streams as C++ Classes Streams are C++ classes Streams have lots of built-in methods We use the . syntax to access member More Stream I/O functions, as usual. inFile.get(ch); // get a character outFile.put(ch); //

209 views • 3 slides
Conference 2018 Shift into the future with predictions for Identity & Access Management BCNET

Conference 2018 Shift into the future with predictions for Identity & Access Management BCNET

Conference 2018 Shift into the future with predictions for Identity & Access Management BCNET Identity & Access Management Community of Practice Panelists: Corey Scholefield Vera Merkusheva Isabel Wong Sabrina da Silva 2 Conference

622 views • 19 slides
Re-think Data Management Software Design Upon the Arrival of Storage Hardware with Built-in

Re-think Data Management Software Design Upon the Arrival of Storage Hardware with Built-in

Re-think Data Management Software Design Upon the Arrival of Storage Hardware with Built-in Transparent Compression 07/2020 1 The Rise of Computational Storage Homogeneous Computing Heterogenous Computing Compute Networking Storage

163 views • 12 slides
CHOICES FOR INDEPENDENCE INDEPENDENT CASE MANAGEMENT ACCESS ~ QUALITY ~COST 1 CASE MANAGEMENT

CHOICES FOR INDEPENDENCE INDEPENDENT CASE MANAGEMENT ACCESS ~ QUALITY ~COST 1 CASE MANAGEMENT

CHOICES FOR INDEPENDENCE INDEPENDENT CASE MANAGEMENT ACCESS ~ QUALITY ~COST 1 CASE MANAGEMENT AGENCY Licensed in accordance with RSA 151:2, I(b), and enrolled as a New Hampshire Medicaid provider to provide targeted case management

399 views • 15 slides
GREENING OF THE KUDAWA WATHURANA ACCESS ROAD 1 Background. The Sinharaja is one of Sri Lankas

GREENING OF THE KUDAWA WATHURANA ACCESS ROAD 1 Background. The Sinharaja is one of Sri Lankas

GREENING OF THE KUDAWA WATHURANA ACCESS ROAD 1 Background. The Sinharaja is one of Sri Lankas last remaining rain forests . An access of 1.6 Km provides entry to the core conservation zone. This road was originally built several decades ago (in

254 views • 4 slides
Water access and management in Palestine: examples of good practices 22/11/2016 RANDA SINIORA

Water access and management in Palestine: examples of good practices 22/11/2016 RANDA SINIORA

CEMOFPSC SEMINAR Womens participation in wa ter access and management: The case of Palestine Water access and management in Palestine: examples of good practices 22/11/2016 RANDA SINIORA General Director at Women Center for Legal

248 views • 4 slides
ASSET+ Introduction Asset+ is a MiFID II compliant system built on a single platform.

ASSET+ Introduction Asset+ is a MiFID II compliant system built on a single platform.

ASSET+ Introduction Asset+ is a MiFID II compliant system built on a single platform. Private client Asset Management business Treasury It is provides a STP management solution designed using latest technology and has a graphics

317 views • 18 slides
Event Management Presentation ISAC has built and is unveiling a new meeting registration system

Event Management Presentation ISAC has built and is unveiling a new meeting registration system

Event Management Presentation ISAC has built and is unveiling a new meeting registration system for both ISAC members and vendors this summer in preparation for its debut during the 2016 ISAC Fall School of Instruction registration on August 17.

257 views • 6 slides

More recommend