Next Generation Directory-Based User Management for … 5. WSO2 Identity Server 34 lacking standards...

Next Generation Directory-Based User Management for Cloud

Infrastructure

March 10, 2018

SCaLE 16X, Pasadena

Introduction

Shawn McKinney • Software Architect • PMC Apache Directory Project • Engineering Team

SCaLE 16X, Pasadena 2018 2

Session Objective

Think about how to implement user access controls on machines running in the cloud.

3 SCaLE 16X, Pasadena 2018

I had to keep guessing at the channel; I had to discern, mostly by inspiration, the signs of hidden banks; I watched for sunken stones; When you have to attend to things of that sort, to the mere incidents of the surface, the reality—the reality, I tell you—fades. The inner truth is hidden. Joseph Conrad, Heart of Darkness

https://en.wikipedia.org/wiki/File:VingtAnnees_286.jpg SCaLE 16X, Pasadena 2018

Inspiration

Session Agenda • History of Unix

• Building Blocks

• Security Model

• Data Model

• Solution

• Demo

Image from: HTTP://EVENTS.LINUXFOUNDATION.ORG/EVENTS/APACHECON-NORTH-AMERICA 5 SCaLE 16X, Pasadena 2018

Knowing the path forward means understanding where we’ve been.

History

https://upload.wikimedia.org/wikipedia/commons/7/77/Unix_history-simple.svg 7

Soup of the Day

NSS sudo

Security

Building Blocks

The Wheel

• Let’s not reinvent

Operating System AIX

The Idm engine bolts into chassis

Cloud Infrastructure

runs on the highways

Basic Building Blocks

1. POSIX security controls

2. Directory services

Best practices

SCaLE 16X, Pasadena 2018

Advanced Building Blocks

3. Mediation relatively new practice

Building Blocks Conceptual

Building Block Actual

Building Blocks - AuthN

Pluggable Authentication Module

• Authentication

• Coarse-grained Authorization

Just an authN service

Building Blocks - AuthZ

Just an authZ service

Building Blocks – Reporting

Name Service Switch

• Used by unix processes to lookup user and group info

Just a lookup service

What is LDAP

Building Blocks - LDAP

System of record

• Users

• Passwords

• Groups

Just a

Building Blocks - Mediator

• Keeps things in synch between the machines and LDAP as things change.

Mediator 1. Machine added to network, notifies mediator

2. Based on policies stored in DB

3. Updates ldap accordingly

Mediator == IdM

1. Provisioning

2. Parameterized Roles

3. Organizational Controls

4. Self-service

5. Approvals

6. Workflow

Requirements

Resources & Connectors 28

Users & Accounts 29

Provisioning 30

Governance

• High-level business processes, business rules, policies, organizational structures

• Combines with low-level identity management processes like data synchronization, system integration, data formats, data transformation, network protocols

defined:

Governance Controls

• Access Certifications

• Approvals & Notifications

• Audit Trail

• Organizational Controls

• …

for example:

Governance Controls (continued) • Policy Rules (limits)

• Remediation

• Role – Catalogs

– Constraints

– Controls

– Lifecycles

Open Source IdM Products

1. midPoint

2. Apache Syncope

3. Æ-DIR

4. OpenIDM

5. WSO2 Identity Server

lacking standards

midPoint Introduction

Requires

• Java version 8

• Java servlet container

• Relational database

• Spring Framework

– component wiring

• Apache Wicket

– user interface

• ConnId

– common connectors

midPoint as the Mediator

Bypass GUI, communicate directly with REST APIs Via the Model

Security Model

amsouth --------- m1001 m1002 m1003 …

afnorth --------- m2010 .....

aspac --------- m3100 …

Requirements

Three Kinds of Security Checks 1. Authentication with LDAP

2. Coarse-grained authZ - memberOf target machine – (i.e. LDAP group name == hostname)

3. Medium-grained authZ. memberOf at least one: – Admin - root access

– User - typical user access

– Auditor - read-only access to entire machine.

Four Types of Control Groups

1. Machine Sets

2. Machines

3. Security Roles

4. sudo Roles

Mediator

m1set --------- m1001 m1002 m1003 …

m2set --------- m2010 m2020 m2030 …

m3set --------- m3100 m3200 m3300 …

1. Machine Sets

Used by mediator to compute policies

2. Machines

Used by PAM

3. Security Roles

Sudo needs this

4. sudo Roles

Sudo needs this

m1set --------- m1001 m1002 m1003 …

m2set --------- m2010 m2020 m2030 …

m3set --------- m3100 m3200 m3300 …

User, role and machine set

auditor

Policy Combiner

The mediator can do this

Pick Two

Data Model

LDAP Data Model

Employ standard object schemas

1. RFC2307bis

– posixAccount

– posixGroup

2. sudoRole

3. groupOfNames

RFC2307bis

Covered here before

• LDAPCon 2015, Edinburg

• DBIS: Directory-Based Information Services

• Mark R. Bannister

• link to slides

• link to paper

Use RFC2307bis LDAP Schema

LDAP Data Model

Hierarchical

Machine Set M1

dn: cn=m1set, ou=Groups, ...

description: Machine Set 1

member: cn=m1001,...

… 52 SCaLE 16X, Pasadena 2018

Machine M1001

dn: cn=m1001, ou=Groups,…

objectClass: posixGroup

description: Machine Group M1001

member: uid=curly,ou=People,…

member: uid=frank,ou=People,…

member: uid=marla,ou=People,… …

Security Role M1Admin dn: cn=m1admin, ou=Groups, ...

objectClass: posixGroup

description: Admin Machine Set 1

cn: m1admin

member: uid=curly,ou=People,...

member: uid=frank,ou=People,...

member: uid=marla,ou=People,... …

sudo LDAP Schema objectclass ( 1.3.6.1.4.1.15953.9.2.1

NAME 'sudoRole' SUP top STRUCTURAL

DESC 'Sudoer Entries'

MUST ( cn )

MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser

$ sudoRunAsGroup $ sudoOption

$ sudoNotBefore $ sudoNotAfter

$ sudoOrder $ description )

sudo M1Admin dn: cn=admin access to m1,ou=sudo,dc=example,dc=com

objectClass: sudoRole

cn: admin access to m1

sudoUser: %m1admin

sudoHost: m1001

sudoHost: m1002

sudoHost: m1003

sudoHost: m1004

Solution

System Architecture

High-level Design

Mediator --->

Client Machines

Script runs during machine instantiation:

1. Binds PAM, sudo and NSS into the LDAP server.

2. Calls mediator to add or remove from machine set.

IdM ‘Server’ 1. MidPoint - mediator

– html & http admin services

2. PostGreSQL – master database – users, roles, orgs, svcs

3. OpenLDAP – security database – users, groups

– posixAccount, posixGroup

Deployment

IdM machine#1 --->

<-dev machine#1

<-test machine#2

<-prod machine#3

IdM machine#2 --->

IdM machine#3 --->

hyper visor ---> …

Demo 63

63 SCaLE 16X, Pasadena 2018c

Demo Scenario

Manage users and unix machines running in the cloud.

64 SCaLE 16X, Pasadena 2018c

User-Role-Machine

m1001 m1002 m1003 m2010 m2020 m2030 m3100 m3200 m3300

Curly Admin Admin Admin

Moe Auditor Auditor Auditor

Larry User User User

Demo User to Role to Machine <----- Set 1------> <-------Set 2 ------> <----- Set 3 ----->

Demo Environment 66

Demo Environment

Google Apps connector

HCM connector (peoplesoft)

Wrap-up

• Questions

Contact

https://iamfortress.net

https://symas.com

smckinney@symas.com

@shawnmckinney Twitter:

Website:

Email:

Project: https://directory.apache.org/fortress

Next Generation Directory-Based User Management for … 5. WSO2 Identity Server 34 lacking standards...

Documents

Transcript of Next Generation Directory-Based User Management for … 5. WSO2 Identity Server 34 lacking standards...

WSO2 Product Release webinar - WSO2 Message Broker 2.2.0

Building Services with WSO2 Microservices Framework for Java

An Introduction to WSO2 Microservices Framework for Java

WSO2 Advantage Webinar WSO2 BAM2 Integration with mule esb

WSO2Con USA 2017: WSO2 Partner Program – Engaging with WSO2

WSO2 Platform Overview - WSO2 Meetup 01 - 16th Oct 2014

Solving DEBS Grand Challenge with WSO2 CEPdocs.huihoo.com/wso2/Solving-DEBS-Grand-Challenge-with-WSO2-… · Solving DEBS Grand Challenge with WSO2 CEP Srinath Perera, Suhothayan

TRYSIL · 100365 113928 100006 110018 4x 113104 1x 150687 4x 128765 123451 6 AA-1989489-3. 16x 16x 16x 16x 16x 27 8x 8x 110519 118331 112996 101345 117434 119030 100365 112108 128642

WSO2 Product Release webinar - WSO2 Carbon 4.3

Runtime Governance with WSO2 Governance Registry integrated with WSO2 BAM and WSO2 CEP

WSO2 Microservices Framework for Java - Product Overview

Platform as a Service for Private Clouds: WSO2 Stratos · WSO2 Stratos 1.0 alpha • WSO2 Stratos is WSO2’s Platform-as-a-Service – A complete SOA and Java Development platform

WSO2 Product Release Webinar: WSO2 API Manager 2.0

WSO2 Product Release Webinar: WSO2 Identity Server 5.2.0

BRIMNES - ikeabg.azureedge.net · 2 16x 101345 16x 118331 112996 16x 119030 118224 109567 8x 16x 100365 107091 4x 110519 16x 158933 4x 4x 130508 130509 3

WSO2Con ASIA 2016: Building Services with WSO2 Application Server and WSO2 Microservices Framework for Java

Building Services with WSO2 Application Server and WSO2 Microservices Framework for Java

Wso2 product release webinar wso2 carbon 4.3

WSO2 Governance Registry and WSO2 API Manager Integration

TRAK231 TRASS · 8x S70969 Ø8x28 16x S30211 16x S30212 Ø15x12 8x S34701 Ø4x14 12x S30157 Ø4x30 12x S31411 Ø2,5x22 16x S30096 Ø3,5x15 16x S32604 Ø4,5x16 6x S34654 Ø4x24 14x