Authorization in a Service-Oriented Environment

lumberj
April 24, 2014


In a SOA environment users can interact with multiple parts of your system, and the rules for authorization become dispersed across applications. The task of maintaining rules becomes complex. The challenge compounds further in a heterogeneous environment, with services built in different languages. In this talk, I focus on the topic of authorization, specifically how we can scale and grow our services with confidence. I’ll walk through a new framework we've developed to approach this problem.


Transcript

  1. Service Oriented Authorization acohen@climate.com

  2. Hi, I’m Alan @lumberj @alan_mit

  3. acohen@climate.com

  5. A little bit of background…

  6. What is authorization?

  7. Authentication => Identity

  8. Authentication => Identity Authorization => Access

  9. Types of Authorization

  10. Types of Authorization * Role Based Access Control (RBAC) * Attribute Based Access Control (ABAC) * Access Control Lists (ACL) * Rule Based Access Control …. http://www.evolllution.com/opinions/cybersecurity-access-control/
  11. What is “Service Oriented Architecture”?

  12. What is “Service Oriented Architecture”? “A loosely-coupled architecture designed to meet the business needs of the organization.” http://msdn.microsoft.com/en-us/library/bb833022.aspx
  13. "Components that scale individually" -- Brian Morton, Services and Rails: The Shit They Don't Tell You
  14. Part 1: Motivation

  15. Why “Service Oriented Architecture”? http://msdn.microsoft.com/en-us/library/bb833022.aspx

  16. • Reusability • Allocate resources as necessary • Loose coupling • Encapsulated concerns • Change out libraries or platforms (i.e., pluggability) • Codebase that scales across teams • Distributed development (i.e., parallel development)
  17. What is “Service Oriented Authorization”?

  18. Reusability

  19. Loose Coupling

  20. Scalability

  21. Rails Business Logic Library Library Library Your app…

  22. Rails Business Logic Library Library Library The important bits

  23. Rails Business Logic Library Library Library $$$

  24. Rails Business Logic Library Library Library Authorization is part of your business Authz Rules
  25. What does authorization look like today?

  28. Does this approach align with our definition of “Service Oriented Authorization”?
  30. RULES APPLICATION!?

  31. So, what?

  32. user.can?(:manage, @some_data) Business logic

  33. Implementation Details

  34. MONO

  35. MONO

  36. MONO

  37. Part 2: Goals

  38. Goals Reusability Scalability Loose Coupling

  39. Rails Business Logic Library Library Library Your app…

  40. Rails Your app on services… Grower (JS) Grower (Mobile) Agent (JS) Employee (JS) Rails
  41. Rails Heterogeneous. Grower (JS) Grower (Mobile) Agent (JS) Employee (JS) Rails
  42. Reusability Code that doesn’t require you to predict the future. i.e., it’s flexible
  43. Loose Coupling De-couple the access decision (user.can?) from the access policy (can :manage, …)
  45. Scalability An authorization framework that scales with our applications

  46. XACML

  47. XACML Did you just say XML??

  48. "The XACML model supports and encourages the separation of the access decision from the point of use.”
  49. “When access decisions are baked into client applications (or based on local machine userids and Access Control Lists (ACLs)), it is very difficult to update the decision criteria when the governing policy changes.”
  50. “When the client is decoupled from the access decision, authorization policies can be updated on the fly and affect all clients immediately.”
  51. --Wikipedia (http:// en.wikipedia.org/wiki/XACML)

  52. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf
    <?xml version="1.0" encoding="UTF-8"?>
    <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
      xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xf="http://www.w3.org/2005/xpath-functions"
      xmlns:md="http:www.med.example.com/schemas/record.xsd"
      PolicyId="urn:oasis:names:tc:xacml:3.0:example:policyid:2"
      Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
      <PolicyDefaults>
        <XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
      </PolicyDefaults>
      <Target/>
      <VariableDefinition VariableId="17590035">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-less-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:date-one-and-only">
            <AttributeDesignator MustBePresent="false"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
              AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date"
              DataType="http://www.w3.org/2001/XMLSchema#date"/>
          </Apply>
          <Apply
  53. "Make things as simple as possible, but not simpler." – Albert Einstein
  54. "Just use JSON." – Albert Einstein

  55. Part 3: Authorization

  56. Part 3: Authorization Show me the code

  57. {
        "resource": "TestNamespace::TestResource",
        "action": ["read", "update"],
        "description": "",
        "effect": "allow",
        "conditions": [ { "equal": { "user::role": ["admin"] } } ]
      }
  58. { "resource": "TestNamespace::TestResource", … } What is the resource?

  59. { "action": ["read", "update"], … } What is the action?

  60. { "conditions": [ { "equal": { … } }, { "not_equal": { … } } ] } What are the conditions?
  61. { "conditions": [ { "equal": { "user::role": ["admin"] } } ] } What are the conditions?
  62. { "effect": "allow" } What is the effect?

  63. Something is missing…

  64. Application Authorization Rules ???

  65. Authorize!

  66. Hi, I am IronHide

  67. Application Authorization Rules IronHide

  68. IronHide is a … service

  69. IronHide is a … library

  70. Where are the rules?

  71. Where are the rules? Wherever we want

  72. Does it meet our goals? Reusability Scalability Loose Coupling

  73. Does it meet our goals? Loose Coupling: Authorization rules are not part of our application code
  74. Does it meet our goals? Reusability: Language agnostic (JSON)

  75. Does it meet our goals? Scalability: Decoupled from backing store (i.e., it’s as scalable as you want)
  76. Status It’s still a work in progress

  77. Status Not yet in production

  78. Status We still need to standardize (and name) the policy language
  79. Status And test!

  80. Demo

  81. gem install iron_hide
    Source & Documentation: http://bit.ly/1k17NHs
    Sample App: http://bit.ly/1lxB00B
    CouchDB Adapter: http://bit.ly/1k17NHs
    Questions?
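An added example, not code from the talk or from the iron_hide gem: a minimal decision point for the JSON rule shape shown on slides 57 to 62, with the rules held as data outside the application code as slides 43 and 71 ask. The sample rule set, the condition semantics (an "equal" condition holds when the attribute's value is one of the listed values, "not_equal" when it is none of them, and every condition on a rule must hold), the "namespace::attribute" lookup, deny-overrides combining and the default deny are all assumptions of this example, not a description of how IronHide evaluates its policies.

```ruby
require "json"

# Constructed sample rule set in the JSON shape the talk shows
# (resource, action, effect, conditions). The semantics implemented
# below are assumptions of this example, not the iron_hide gem's.
POLICY_JSON = <<~POLICY
  [
    {
      "resource": "TestNamespace::TestResource",
      "action": ["read", "update"],
      "description": "admins may read and update",
      "effect": "allow",
      "conditions": [ { "equal": { "user::role": ["admin"] } } ]
    },
    {
      "resource": "TestNamespace::TestResource",
      "action": ["read"],
      "description": "any non-suspended user may read",
      "effect": "allow",
      "conditions": [ { "not_equal": { "user::status": ["suspended"] } } ]
    },
    {
      "resource": "TestNamespace::TestResource",
      "action": ["read", "update", "delete"],
      "description": "suspended accounts get nothing, even admins",
      "effect": "deny",
      "conditions": [ { "equal": { "user::status": ["suspended"] } } ]
    }
  ]
POLICY

# Resolve a "namespace::attribute" key against a nested attribute hash,
# e.g. "user::role" on { "user" => { "role" => "admin" } } gives "admin".
def resolve_attribute(attributes, key)
  key.split("::").reduce(attributes) do |node, part|
    node.is_a?(Hash) ? node[part] : nil
  end
end

# One condition is { operator => { attribute_key => [accepted values] } }.
# "equal" holds when the attribute's value is one of the listed values,
# "not_equal" when it is none of them. A missing attribute satisfies
# neither operator, so an incomplete request fails closed.
def condition_holds?(condition, attributes)
  condition.all? do |operator, comparisons|
    comparisons.all? do |key, values|
      actual = resolve_attribute(attributes, key)
      next false if actual.nil?
      case operator
      when "equal"     then values.include?(actual)
      when "not_equal" then !values.include?(actual)
      else raise ArgumentError, "unknown condition operator #{operator.inspect}"
      end
    end
  end
end

# A rule applies when resource and action match and every condition holds.
def rule_applies?(rule, resource, action, attributes)
  rule["resource"] == resource &&
    Array(rule["action"]).include?(action) &&
    Array(rule["conditions"]).all? { |c| condition_holds?(c, attributes) }
end

# The access decision. Combining is deny-overrides, the same idea as the
# XACML policy on slide 52: any applicable "deny" wins, otherwise any
# applicable "allow" permits, and with no applicable rule the answer is deny.
def authorized?(rules, resource, action, attributes)
  applicable = rules.select { |r| rule_applies?(r, resource, action, attributes) }
  return false if applicable.any? { |r| r["effect"] == "deny" }
  applicable.any? { |r| r["effect"] == "allow" }
end

# Rules are parsed from a string here; a file, a database document or an
# HTTP response would do just as well, which is the decoupling the talk wants.
RULES = JSON.parse(POLICY_JSON)

if __FILE__ == $PROGRAM_NAME
  res    = "TestNamespace::TestResource"
  admin  = { "user" => { "role" => "admin",  "status" => "active" } }
  grower = { "user" => { "role" => "grower", "status" => "active" } }
  banned = { "user" => { "role" => "admin",  "status" => "suspended" } }
  puts "admin update:  #{authorized?(RULES, res, 'update', admin)}"  # true
  puts "grower read:   #{authorized?(RULES, res, 'read', grower)}"   # true
  puts "grower update: #{authorized?(RULES, res, 'update', grower)}" # false
  puts "banned read:   #{authorized?(RULES, res, 'read', banned)}"   # false
end
```

Two choices in this evaluator are worth keeping whatever policy language the project settles on: a request whose attributes are missing fails closed instead of slipping past a "not_equal" check, and an explicit deny beats an allow, so a later rule can revoke access without every earlier rule being edited.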