CIS13: Externalized Authorization from the Developer’s Perspective

XACML for Developers

Updates, New Tools, & Pa:erns for the Eager #IAM Developer

#CISNapa -‐ @davidjbrossard -‐ @axiomaIcs 1

eXtensible Access Control Markup Language

2

What is XACML?

Not guacamole

De facto standard

Defined at OASIS

#CISNapa -‐ @davidjbrossard -‐ @axiomaIcs

One of the several standards in the #IAM family

XACML in the IAM spectrum

SAML SPML

LDAP RBAC ABAC…

SCIM OpenID Oauth

WS-‐*


In a web 3.0 world where it’s about small apps and your data…

Why XACML?

Quick, call the plumber:

1-‐800-‐GO-‐XACML

it’s Ime to get leaks under control


What’s A:ribute-‐based Access Control?



In the olden days, authorizaIon was about

Who?

6

AuthorizaIon should really be about…

When? What? How? Where? Who? Why?

7 #CISNapa -‐ @davidjbrossard -‐ @axiomaIcs

A car retail company has a web applicaIon that users can access to create, view, and approve

purchase orders, in accordance with policy rules

8

Example Scenario: Managing Purchase Orders


A:ributes

Resource a>ributes

Resource type

PO amount

PO loca2on

PO creator

PO Status

Subject a>ributes

Iden2ty

Department

Loca2on

Approval limit

Role

AcBon a>ributes

Ac2on type

Environment a>ributes

Device type

IP address

Time of day

Profile designed by Sven Gabriel from The Noun Project Invisible designed by Andrew Cameron from The Noun Project

Wrench designed by John O’Shea from The Noun Project Clock designed by Brandon Hopkins from The Noun Project

PO Id


A simple rule

Anyone in the purchasing department can create purchase orders


A manager in the purchasing department can approve purchase orders

§  up to their approval limit

§  if and only if the PO locaIon and the manager locaIon are the same

§  if and only if the manager is not the PO creator

11

A richer rule


XACML 101 – The Basics

12 #CISNapa -‐ @davidjbrossard -‐ @axiomaIcs

13

What does XACML contain?

XACML

Reference Architecture

Policy Language

Request / Response Protocol


XACML Architecture & Flow

14

Decide Policy Decision Point

Manage Policy AdministraBon Point

Support Policy InformaBon Point Policy Retrieval Point

Enforce Policy Enforcement Point


Access Document #123

Access Document #123

Can Alice access Document #123? Yes, Permit

Load XACML policies

Retrieve user role, clearance and document classificaIon

15


XACML


Policy Language



"   3 structural elements " PolicySet "   Policy "  Rule

"   Root: either of PolicySet or Policy " PolicySets contain any number of PolicySets & Policies

"   Policies contain Rules "   Rules contain an Effect: Permit / Deny "   Combining Algorithms

16

Language Elements of XACML


Root Policy Set

PolicySet

Policy

Rule

Effect=Permit

Rule

Effect = Deny

PolicySet

Policy

Rule

Effect = Permit


Sample XACML Policy

18

Language Structure: Russian dolls

" PolicySet, Policy & Rule can contain "   Targets "   ObligaIons "   Advice

"   Rules can contain "   CondiIons

Policy Set

Policy

Rule

Effect=Permit

Target

Target

Target

ObligaIon

ObligaIon

ObligaIon

CondiIon


19


XACML


Policy Language



•  Subject User id = Alice Role = Manager

•  AcIon AcIon id = approve

•  Resource Resource type = Purchase Order PO #= 12367

•  Environment Device Type = Laptop

20

Structure of a XACML Request / Response

XACML Request XACML Response

Can Manager Alice approve Purchase Order 12367? Yes, she can

•  Result Decision: Permit Status: ok

The core XACML specificaIon does not define any specific transport / communicaIon protocol: -‐ Developers can choose their own. -‐ The SAML profile defines a binding to send requests/responses over SAML asserIons


So what’s in it for the developer?


#1 A single authorizaIon model & framework



#1.a working across all layers

#1.b and across different technology stacks

Java

C

ObjecIve-‐C

C++

C#

PHP

Python

(Visual) Basic

Perl

Ruby

JavaScript

Visual Basic .NET

Lisp

Pascal

Delphi/Object Pascal

Share of programming languages (Feb 2013)


#2 A rich language to express many scenarios

ACLs

RBAC

Whitelists

SegregaBon-‐of-‐Duty

RelaBon-‐based

Trust ElevaBon

Device-‐based

Break the glass

Privacy protecBon

ABAC

Rich business flows

Data redacBon


"  The REST profile of XACML "  OASIS XACML profile "  Designed by Remon Sinnema of EMC2

#3 Developer-‐friendly APIs

XML over HTTP XML over HTTP


JSON over HTTP JSON over HTTP

#3. Developer-‐friendly APIs (cont’d)

Drop the…

Use curl, Perl, and Python with the REST API

curl -‐X POST -‐H 'Content-‐type:text/xml' -‐T xacml-‐request.xml h:p://foo:8443/asm-‐pdp/pdp


"  Use the JSON profile of XACML "   Idea

"  Remove the verbose aspects of XACML "  Focus on the key points "  Make a request easy to read

#4 Simplified request/response


#4 Sample XACML Before JSON (cont’d)

<xacml-‐ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-‐ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-‐17"> <xacml-‐ctx:A:ributes Category="urn:oasis:names:tc:xacml:1.0:subject-‐category:access-‐subject" > <xacml-‐ctx:A:ribute A:ributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-‐id" IncludeInResult="true"> <xacml-‐ctx:A:ributeValue DataType="h:p://www.w3.org/2001/XMLSchema#string">Alice</xacml-‐ctx:A:ributeValue> </xacml-‐ctx:A:ribute> </xacml-‐ctx:A:ributes> <xacml-‐ctx:A:ributes Category="urn:oasis:names:tc:xacml:3.0:a:ribute-‐category:environment" > </xacml-‐ctx:A:ributes> <xacml-‐ctx:A:ributes Category="urn:oasis:names:tc:xacml:3.0:a:ribute-‐category:resource" > <xacml-‐ctx:A:ribute A:ributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-‐id" IncludeInResult="true"> <xacml-‐ctx:A:ributeValue DataType="h:p://www.w3.org/2001/XMLSchema#string">hello</xacml-‐ctx:A:ributeValue> </xacml-‐ctx:A:ribute> </xacml-‐ctx:A:ributes> <xacml-‐ctx:A:ributes Category="urn:oasis:names:tc:xacml:3.0:a:ribute-‐category:acIon" > <xacml-‐ctx:A:ribute A:ributeId="urn:oasis:names:tc:xacml:1.0:acIon:acIon-‐id" IncludeInResult="true"> <xacml-‐ctx:A:ributeValue DataType="h:p://www.w3.org/2001/XMLSchema#string">say</xacml-‐ctx:A:ributeValue> </xacml-‐ctx:A:ribute> </xacml-‐ctx:A:ributes> </xacml-‐ctx:Request>

Can Alice Say

Hello?


#4 Sample XACML using JSON (cont’d)

{"subject": {"a:ribute":[{ "a:ributeId":"username", "value":"alice"}]},

"resource": {"a:ribute":[{ "a:ributeId":"resource-‐id", "value":"hello"}]},

"acIon": {"a:ribute":[{ "a:ributeId":"acIon-‐id", "value":"say"}]}}


#4 JSON & XML Side-‐by-‐side comparison

0

10

20

30

40

50

Word count

XML

JSON

0

200

400

600

800

1000

1200

1400

Char. Count

XML

JSON


Size of a XACML request

"  Natural language authoring "  AxiomaIcs Language for AuthorizaIon (ALFA) "  Research iniIaIve from TSSG "  And many more coming…

#5 Easy authoring tools


Provide the right tools for

Easy Authoring Of XACML policies

#5 AxiomaIcs Language For AuthZ (cont’d)

Plugs into Eclipse IDE

High-‐level syntax

Auto-‐complete

AutomaBc TranslaBon to XACML 3.0 #CISNapa -‐ @davidjbrossard -‐ @axiomaIcs 33

Wrapping up

Benefits for the developer


"  One consistent authorizaIon model "  Many different applicaIons "  Decide once, enforce everywhere

Benefits of using XACML #1


"  Adios endless if, else statements "  Hello simple if(authorized())



0

5000

10000

15000

20000

25000

30000

10 20 30 40 50 60 70 80 90 100 110 120 130 140 150 160 170

Developer Happiness Increase

Number of if / else statements terminated

Developer Happiness Index

"  Security potholes are a thing of the past "  XACML is the concrete that fills in the cracks in your authorizaIon wall



"   Let developers do what they know best "  Offload audiIng, info security to security architects & auditors by externalizing authorizaIon



Happy developer

Happy auditor


Next steps?

Download XACML SDK

Download ALFA plugin

Download Eclipse

Code in your favorite language

QuesIons? Contact us at [email protected] Q&A

CIS13: Externalized Authorization from the Developer’s Perspective

Technology

Transcript of CIS13: Externalized Authorization from the Developer’s Perspective