Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Authorization in a Service-Oriented Environment

lumberj
April 24, 2014
Programming
1
300

Authorization in a Service-Oriented Environment

In a SOA environment users can interact with multiple parts of your system, and the rules for authorization become dispersed across applications. The task of maintaining rules becomes complex. The challenge compounds further in a heterogeneous environment, with services built in different languages. In this talk, I focus on the topic of authorization, specifically how we can scale and grow our services with confidence. I’ll walk through a new framework we've developed to approach this problem.

lumberj

April 24, 2014
Tweet

Other Decks in Programming

See All in Programming
二郎系ラーメンのコールで学ぶ AST 解析
memory1994
PRO
7
1.7k
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
340
try!Swift Tokyo 2024 参加報告 LT
akidon0000
1
220
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
560
Ruby GitHub Packages
bkuhlmann
0
630
大規模Reactアプリのリアーキテクチャ~8万行のTanStack Query移行の軌跡~
kj455
4
960
Prepare for Jakarta EE 11 - Performance and Developer Productivity
ivargrimstad
0
780
『Railsオワコン』と言われる時代に、なぜブルーモ証券はRailsを選ぶのか
free_world21
0
190
Code Reviews
bkuhlmann
4
890
Elm Form Validation
bkuhlmann
0
510
Goのmultiple errorsについて (2024年4月版)
syumai
3
710
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
170

Featured

See All Featured
The Invisible Side of Design
smashingmag
294
49k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
21
1.6k
Done Done
chrislema
178
15k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
Web development in the modern age
philhawksworth
202
10k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
KATA
mclloyd
15
12k
Atom: Resistance is Futile
akmur
259
25k
Practical Orchestrator
shlominoach
182
9.7k

Transcript

  1. Service Oriented Authorization [email protected]

  2. Hi, I’m Alan @lumberj @alan_mit

  3. [email protected]

  4. None

  5. A little bit of background…

  6. What is authorization?

  7. Authentication => Identity

  8. Authentication => Identity Authorization => Access

  9. Types of Authorization

  10. Types of Authorization * Role Base Access Control (RBAC) *

    Attribute Based Access Control (ABAC) * Access Control Lists (ACL) * Rule Based Access Control …. http://www.evolllution.com/opinions/cybersecurity-access-control/

  11. What is “Service Oriented Architecture”?

  12. What is “Service Oriented Architecture”? “A loosely-coupled architecture designed to

    meet the business needs of the organization.” http://msdn.microsoft.com/en-us/library/bb833022.aspx

  13. "Components that scale individually" -- Brian Morton Services and Rails:

    The Shit They Don't Tell You

  14. Part 1: Motivation

  15. Why “Service Oriented Architecture”? http://msdn.microsoft.com/en-us/library/bb833022.aspx

  16. • Reusability • Allocate resources as necessary • Loose coupling

    • Encapsulated concerns • Change out libraries or platforms (i.e., pluggability) • Codebase that scales across teams • Distributed development (i.e., parallel development)

  17. What is “Service Oriented Authorization?

  18. Reusability

  19. Loose Coupling

  20. Scalability

  21. Rails Business Logic Library Library Library Your app…

  22. Rails Business Logic Library Library Library The important bits

  23. Rails Business Logic Library Library Library $$$

  24. Rails Business Logic Library Library Library Authorization is part of

    your business Authz Rules

  25. What does authorization look like today?

  26. None
  27. None

  28. Does this approach align with our definition of “Service Oriented

    Authorization”?
  29. None

  30. RULES APPLICATION!?

  31. So, what?

  32. user.can?(:manage, @some_data) Business logic

  33. Implementation Details

  34. MONO

  35. MONO

  36. MONO

  37. Part 2: Goals

  38. Goals Reusability Scalability Loose Coupling

  39. Rails Business Logic Library Library Library Your app…

  40. Rails Your app on services… Grower (JS) Grower (Mobile) Agent

    (JS) Employee (JS) Rails

  41. Rails Heterogeneous. Grower (JS) Grower (Mobile) Agent (JS) Employee (JS)

    Rails

  42. Reusability Code that doesn’t require you to predict the future.

    i.e., it’s flexible

  43. Loose Coupling De-couple the access decision (user.can?) from the access

    policy (can :manage, …)
  44. None

  45. Scalability An authorization framework that scales with our applications

  46. XACML

  47. XACML Did you just say XML??

  48. "The XACML model supports and encourages the separation of the

    access decision from the point of use.”

  49. “When access decisions are baked into client applications (or based

    on local machine userids and Access Control Lists (ACLs)), it is very difficult to update the decision criteria when the governing policy changes.”

  50. “When the client is decoupled from the access decision, authorization

    policies can be updated on the fly and affect all clients immediately.”

  51. --Wikipedia (http:// en.wikipedia.org/wiki/XACML)

  52. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf <?xml version="1.0" encoding="UTF-8"?> Policy mlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" mlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" mlns:xsi="http://www.w3.org/2001/XMLSchema-instance" mlns:xf="http://www.w3.org/2005/xpath-functions" mlns:md="http:www.med.example.com/schemas/record.xsd"

    PolicyId="urn:oasis:names:tc:xacml:3.0:example:policyid:2" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining- thm:deny-overrides"> <PolicyDefaults> <XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion> </PolicyDefaults> <Target/> <VariableDefinition VariableId="17590035"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only"> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date" DataType="http://www.w3.org/2001/XMLSchema#date"/> </Apply> <Apply

  53. "Make things as simple as possible, but not simpler." –

    Albert Einstein

  54. "Just use JSON." – Albert Einstein

  55. Part 3: Authorization

  56. Part 3: Authorization Show me the code

  57. { "resource": "TestNamespace::TestResource", "action": ["read", "update"], "description": "", "effect": "allow",

    "conditions": [ { "equal": { "user::role": ["admin"] } } ] }

  58. { "resource": "TestNamespace::TestResource", ! } What is the resource?

  59. { “action”:["read", "update"], } What is the action?

  60. { "conditions":[ { "equal": { … } }, ! {

    "not_equal": { … } } ] } What are the conditions?

  61. { “conditions":[ { "equal": { "user::role": ["admin"] } } ]

    } What are the conditions?

  62. { "effect": "allow" } What is the effect?

  63. Something is missing…

  64. Application Authorization Rules ???

  65. Authorize! http://www.tfw2005.com/boards/attachments/radicons-customs/27253833d1315568855-dotm-voyager-ironhide-canons-transformer-ironhide-3-.jpg

  66. Hi, I am IronHide http://www.tfw2005.com/boards/attachments/radicons-customs/27253833d1315568855-dotm-voyager-ironhide-canons-transformer-ironhide-3-.jpg

  67. Application Authorization Rules IronHide

  68. IronHide is a … service

  69. IronHide is a … library

  70. Where are the rules?

  71. Where are the rules? Wherever we want

  72. Does it meet our goals? Reusability Scalability Loose Coupling

  73. Does it meet our goals? Loose Coupling: Authorization rules are

    not part of our application code

  74. Does it meet our goals? Reusability: Language agnostic (JSON)

  75. Does it meet our goals? Scalability: Decoupled from backing store

    (i.e., it’s as scalable as you want)

  76. Status It’s still a work in progress

  77. Status Not yet in production

  78. Status We still need to standardize (and name) the policy

    language

  79. Status And test!

  80. Demo

  81. gem install iron_hide ! Source & Documentation: http://bit.ly/1k17NHs ! Sample

    App: http://bit.ly/1lxB00B ! CouchDB Adapter: http://bit.ly/1k17NHs Questions?
  82. None