[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Admin right's delegation use case plus processing steps...
This note includes a short description of a use case and the detailed processing of the associated access control decision request. The model it uses, differentiates between access-policy statement and admin-policy statement, and the equivalent access-decision query and admin-decision query. It also uses distinct levels of delegation that are traversed until an explicit decision is determined or until no more potential delegation levels are left to consider. A separate email gives more detail of the motivation behind that choice. It also very loosly uses an indentation scheme to depict data structures to avoid the use of page after page of xml... hopefully the notation won't cause too much confusion and won't leave too much ambiguity...(...no warm body should ever be exposed to xml...) Note also that the xacml policy statements for this example have been simplified: no explicit PolicySet/Policy/Rule just a "policy statement", and no additional conditions - simple matching on the target yields Permit. Looking forward to a white board on Monday... Enjoy, Frank ------------------------------------------------------------------------------- * Use case Consider a resource "ABC" with a local PEP, local PDP and local PAP, subject to its company XYZ's policy. It is configured such that it will call out for all its authorization decisions to another central PDP authorization service. Some request come from foreign administrative domains, like the ACME corporation, and there is an agreement between XYZ and ACME, that the complete authorization policy to access a subset of XYZ's resources for ACME's employees is managed/administered by ACME's own admins. When these ACME's employees want to access XYZ's resource, they will first go to ACME's own Community Authorization Service (CAS), who provides them with policy statements/assertions that are to be presented to XYZ's resources with the access request. To make this all work, consider the following: * XYZ's resource ABC bootstrap configuration The resource ABC's local PAP has only one admin-policy statement: AdminPolicyStatement Id=XYZ-Admin-PS-0 Target Admins group==xyz-admins@xyz-attribute-authority@x509 Subjects anySubject Resources anyResource Actions anyAction IssuingAdmin self which essentially states that for any access control decision a PDP should be consulted with an admin identity that has an xyz-admins group membership asserted by xyz-attribute-authority. Furthermore, the resource is also pre-configured with the following attribute assertion: AttributeStatement Id=XYZ-AS-1 name=pdp-admin1@x509 group=xyz-admins issuer=xyz-attribute-authority@x509 Lastly, it is also preconfigured to trust x509 asserted names from some root CAs. * XYZ's admin-policy statements concerning the ACME corporation XYZ's centralized PDP has many access-policy statements in its PAP, but an arrangement has been made with the ACME corporation to outsource the access control policy for its employees. This is expressed in the following admin-policy statement: AdminPolicyStatement Id=XYZ-Admin-PS-1 Target Admins group==acme-admins@acme-attribute-authority@509 Subjects group==acme-employees@acme-attribute-authority@509 Resources Request.Resource.name==xyz:abc Actions Request.Action.name==read IssuingAdmin name=pdp-admin1@x509 which states that any ACME administrator with a valid acme-admins@acme-attribute-authority group membership assertion is allowed to administer the read access on resource abc for all ACME employees that can provide a acme-employees@acme-attribute-authority group membership assertion. * ACME's CAS issued access-policy statement The ACME admins run a Community Authorization Service (CAS), that provides their employees with a (temporary) access-policy assertion that should allow them access to read XYZ's resource xyz:abc. Such a statement for ACME's employee "john" looks like: AccessPolicyStatement Id=ACME-Access-PS-1 Target Subjects Request.Subject.name==john@x509 Resources Request.Resource.name==xyz:abc Actions Request.Action.name==read IssuingAdmin name=cas-admin@x509 which states that the cas-admin allows subject john to read XYZ's resource ABC. * ACME's attribute assertions Furthermore, both john and the cas-admin have attribute assertions from the acme-attribute-authority: AttributeStatement Id=ACME-AS-1 name=cas-admin@x509 group=acme-admins issuer=acme-attribute-authority@x509 AttributeStatement Id=ACME-AS-2 name=john@x509 group=acme-employees issuer=acme-attribute-authority@x509 * ACME's employee john's access of XYZ's resource ABC When john requests to read XYZ's resource abc, he presents all the authorization and attribute assertions that he has: ACME-Access-PS-1, ACME-AS-1 and ACME-AS-2. The resource's PEP prepares a request context with the following content: Request Subject category=access-subject name=john@x509 group=acme-employees@acme-attribute-authority Subject name=cas-admin@x509 group=acme-admins@acme-attribute-authority Resource.name=abc Action.name=read AccessPolicyStatements ACME-Access-PS-1 * Processing and evaluation by resource's local PDP ** Preprocessing The access-policy statement ACME-Access-PS-1 in the Request context will (logically) be moved to the local PAP and treated as any other policy statement. The processing procedure guarantees that the pushed policy statements will be considered at the right time. Furthermore, all the Subject statements from the Request context will be logically grouped in a "possible-admin-subjects" set, with the already present bootstrap Subject statements. So, the possible-admin-subjects includes the subject info from the AttributeStatement XYZ-AS-1, ACME-AS-1, and ACME-AS-2, or in other words it is a list of attribute info for pdp-admin1@x509, cas-admin@x509 and john@x509. ** zero-level processing At the zero'th level, there is an implicit understanding that self has empowered itself to administer the access rights for any target. With the request context, the resource's PDP will evaluate a zero-level authorization decision by only considering the access-policy statements that have been issued by "self", i.e. where issuing-admin==self. This returns an "Indeterminate" as there only is a local admin-policy statement XYZ-Admin-PS-0 issued by self and no access-policy statement issued by self. Note that the newly added ACME-Access-PS-1 has been issued by the acme-admin and is therefor not considered. As the result was indeterminate, the local PDP will now look if a next level delegation would yield an explicit permission. ** first delegation level processing The processing consists of two steps. First, those subjects from the possible-admin-subjects list are determined, that have been empowered by self to administer the Request context under consideration. For each subject in the possible-admin-subjects list, a admin-authorization decision is evaluated from all admin-policy statement that are issued by self. The Request context for this evaluation is the exact same as the one under consideration, except that the possible-admin-subjects' subject information is added as the admin-subject for each authorization decision. If this decision yields Permit, then the possible-admin-subjects' subject is authorized by self to admin the rights for that particular target: a first-level delegated admin. If the possible-admin-subjects did not include a single subject that was empowered as a delegated admin, then processing stops, and a result of "Indeterminate" will be returned to the local PEP. So, the only admin-policy statement issued by self is XYZ-Admin-PS-0. The list of possible admin-subjects is pdp-admin1@x509, cas-admin@x509 and john@x509. For each of these possible admin-subjects, their attributes are added to the Request context, and an authorization decision is evaluated with the admin-policy statement XYZ-Admin-PS-0. The only subject that yields Permit is pdp-admin1@509 If first-level admins were found, then the next step is for each of these first-level admins to evaluate the authorization decision for the access-policy statements issued by that particular first-level admin, and to combine those individual decisions. For each first-level admin, with the Request context, only those access-policy statements are considered that are issued by that particular first-level admin. So, the only "real" access-policy statements, ACME-Access-PS-1, is not issued by pdp-admin1@509, and should therefor not be considered. However, the equivalent of the local evaluation of an access-policy statement issued by a certain subject, is the evaluation of that same authorization decision query by an external PDP that is identified by that same subject. In other words, the Request context can be forwarded to XYZ's centralized PDP if it authenticates itself as pdp-admin1@509. The authorization query with the forwarded Request context will result in a Indeterminate response, because the centralized PDP/PAP does not have any explicit access control policy statements concerning subjects from ACME for XYZ's resource ABC. It has outsourced that responsibility to ACME. As a result, a next delegation level has to be considered. * generic "next" level processing Within the processing context, there is a set of subjects with attribute information that are collected from the Request context and from locally maintained subject-attribute assertions. Each of these subjects is a potential admin-subject. For each delegation level, a new set of admin-subjects are found that are empowered by the previous level admin-subjects to administer rights for the target under consideration. In other words, only those admin-policy statements issued by the previous level admin-subjects are considered. If none of these admin-subjects is found, "Indeterminate" will be returned to the PEP. Then for each of those admin-subjects, an authorization decision is evaluated for that target while only considering those access-policy statements that were issued by that particular admin-subject. The individual decisions are combined through a deny-overrides combinator. If the combined result yields an explicit decision of "Permit" or "Deny", then that is returned to the PEP. A combined result of Indeterminate will start processing of the next delegation level. All the admin-subjects that were used for this level can be removed from the set of potential admin-subjects for the next levels. * Second level processing The previous level admin-subject was pdp-admin1@509. For each of the remaining potential admin-subjects, cas-admin@x509 and john@x509, we have to look for admin-policy statements issued by the previous admin-subject pdp-admin1@509. The only local admin-policy statement is issued by cas-admin@x509, and can therefor not be considered. Following the analogy in the previous level, the equivalent of local evaluation of a admin-policy statement issued by pdp-admin1@509, is the use of a remote PDP that authenticates itself as pdp-admin1@509. An admin-authorization decision query to XYZ's central PDP will yield Indeterminate for subject john@x509, but will yield Permit for cas-admin@x509. Note that this "admin-authorization" query has the admin-subject added to the Request context. Next is the authorization decision evaluation based on those access-policy statements issued by cas-admin@x509. There is one locally available that came in with the initial request context: ACME-Access-PS-1. Note that XYZ's PDP should not be considered because the associated "issuer" pdp-admin1@509, does not match cas-admin@x509. Finally, an authorization decision is evaluated with the initial request context and with only the access-policy statement issued by CAS for john: this will yield Permit, and the ultimate result is returned to the resource's PEP. QED -- Frank Siebenlist franks@mcs.anl.gov The Globus Alliance - Argonne National Laboratory
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]