directory-fortress mailing list archives

From Shawn McKinney <smckin...@apache.org>
Subject Enhanced ARBAC02 checking in Apache Fortress REST
Date Sat, 16 Mar 2019 18:26:08 GMT
This topic was brought up recently here.  There’s a ticket to track its progress:
https://issues.apache.org/jira/browse/FC-265

And a new readme created to explain usage:
https://github.com/apache/directory-fortress-enmasse/blob/master/README-SECURITY-MODEL.md

The document is not the best, but it begins to explain how it works.  Will need to be worked
on some more to make it a proper document that someone can use to set up and use these checks.

There have been some key changes to how Fortress passes and uses security credentials.  Some
of this was work that was started many years ago, only just now getting completed.

1. Stop passing/accepting administrator’s RBAC session in the payload of the request.  This
is true of all services EXCEPT for those under Access and DelAccess managers, where the session
is a normal part of the API’s public interface, i.e. method parameters. 

2. Use the credentials passed inside the HTTP Basic Auth header as basis for the admin RBAC
session.  The realm already supports passing the caller’s RBAC session to the application,
in this case Fortress Rest.  Now on service invocation, the runtime will grab the caller’s
RBAC session from the HTTP Servlet interface, i.e. HttpServletRequest.getUserPrincipal().toString(),
which is then deserialized and synthesized into core.model.Session via realm API.

3. Use that RBAC session to enforce downstream ARBAC02 checks:

a. Administrative permission check - does the caller have an ADMIN role that contains a permission
that corresponds with the service being called, e.g. addUser.

b. ARBAC02 range check - on specific services, i.e. de/assignUser, grant/revokePermission,
ensure caller has ADMIN role containing range with authority of target role.

c. ARBAC02 org check - on specific services, ensure the caller has ADMIN role containing user
or perm OU matching the target entity being changed.

See the readme above for more description on how the ARBAC checks work.

The ARBAC02 checks are turned off by default in the Apache Fortress REST runtime.  To enable,
add this to fortress.properties file:
is.arbac02=true

***

The code has all been checked into the Core and Rest repos.  All the tests pass for each of
the components so this shouldn’t affect users who don’t specifically enable it.

—Shawn
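The three ARBAC02 checks in items 3a-c above, as an added toy model in Python that is not Fortress code and not part of the original message. It assumes a constructed role hierarchy, a simplified range rule (the target role must sit below the range's begin role and above its end role, with inclusive flags controlling the endpoints, in the style of ARBAC97 can_assign ranges), and an assumed mapping of which REST services receive the org-unit check; the range-checked services are the ones the message names. The admin RBAC session is constructed directly here, where Fortress REST would derive it from the realm principal.

```python
"""Toy ARBAC02 authorization model (hypothetical; not Apache Fortress code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed role hierarchy: role -> set of direct parent roles.
ROLE_PARENTS = {
    "role-admin": set(),
    "role-manager": {"role-admin"},
    "role-engineer": {"role-manager"},
    "role-intern": {"role-engineer"},
    "role-contractor": {"role-manager"},
}


def ancestors(role, parents=ROLE_PARENTS):
    """All roles above `role` in the hierarchy (transitive parents)."""
    seen, stack = set(), list(parents.get(role, ()))
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(parents.get(r, ()))
    return seen


@dataclass
class AdminRole:
    name: str
    perms: set                             # service names the role may call, e.g. {"addUser"}
    begin_range: Optional[str] = None      # top of the role range (assumed semantics)
    end_range: Optional[str] = None        # bottom of the role range
    begin_inclusive: bool = False
    end_inclusive: bool = False
    user_ous: set = field(default_factory=set)   # OS-U: user org units this role administers
    perm_ous: set = field(default_factory=set)   # OS-P: permission org units

    def range_contains(self, target):
        """3b: is `target` inside [begin_range, end_range] of the hierarchy?"""
        if self.begin_range is None or self.end_range is None:
            return False
        above_target = ancestors(target)
        below_begin = (target == self.begin_range and self.begin_inclusive) \
            or self.begin_range in above_target
        above_end = (target == self.end_range and self.end_inclusive) \
            or target in ancestors(self.end_range)
        return below_begin and above_end


# Services that get the range check are the ones named in the message;
# the org-unit mappings below are assumptions for the example.
RANGE_CHECKED = {"assignUser", "deassignUser", "grantPermission", "revokePermission"}
USER_OU_CHECKED = {"addUser", "updateUser", "deleteUser", "assignUser", "deassignUser"}
PERM_OU_CHECKED = {"addPermission", "grantPermission", "revokePermission"}


def authorize(session, service, target_role=None, user_ou=None, perm_ou=None):
    """Return (allowed, reason). 3a runs for every service; 3b/3c only where mapped."""
    # 3a: administrative permission check against the caller's admin roles.
    if not any(service in r.perms for r in session):
        return False, "no admin role grants service %s" % service
    # 3b: role range check for assignment/grant style services.
    if service in RANGE_CHECKED:
        if target_role is None or not any(r.range_contains(target_role) for r in session):
            return False, "target role %s outside admin range" % target_role
    # 3c: org check, user OU for user-targeted services, perm OU for perm-targeted ones.
    if service in USER_OU_CHECKED:
        if user_ou is None or not any(user_ou in r.user_ous for r in session):
            return False, "user OU %s not administered by caller" % user_ou
    if service in PERM_OU_CHECKED:
        if perm_ou is None or not any(perm_ou in r.perm_ous for r in session):
            return False, "perm OU %s not administered by caller" % perm_ou
    return True, "ok"


# Constructed admin session: one admin role scoped to engineering, able to
# act on roles strictly below role-manager down to and including role-intern.
SESSION = [
    AdminRole(
        name="eng-admin",
        perms={"addUser", "assignUser", "deassignUser"},
        begin_range="role-manager", end_range="role-intern",
        begin_inclusive=False, end_inclusive=True,
        user_ous={"engineering"},
    )
]

if __name__ == "__main__":
    for args in [("assignUser", "role-engineer", "engineering"),
                 ("assignUser", "role-manager", "engineering"),
                 ("assignUser", "role-contractor", "engineering"),
                 ("addUser", None, "finance"),
                 ("deleteUser", None, "engineering")]:
        print(args, authorize(SESSION, args[0], target_role=args[1], user_ou=args[2]))
```

The point the model makes concrete is that 3a alone is not enough: a caller may hold the permission for assignUser and still be refused because the target role is outside the admin role's range, or because the user's org unit is not one the caller administers.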

