Role based access control

Role Based Access Control
Peter Edwards
peter@dragonstaff.co.uk

Birmingham.pm
Perl Technical Talk
22nd October 2008

Peter and Léon Brocard at Google Dev Day

1
Role Based Access Control 12/22/12

Contents
 1. Requirement and Solution
 2. Authentication and Authorisation Definitions
 3. Authentication Process
 4. Authentication Example
 5. Authentication Session
 6. More Authentication Session Examples
 7. Authorisation Types
 8. Article On Simple Authorisation
 9. Simple Authorisation in Catalyst
 10. CPAN Lattice-Based Access Control Example
 14. Role Based Access Control
 14.1. Academic Papers
 14.2. Emerging Standards and Implementations
 14.3. Existing Security Implementations
 14.4. Perl Implementations
 14.5. RBAC Design
 14.6. RBAC Example
 15. Further Information

2

Requirement
 Controlling user access to applications and
the data within them

Solution
 Identify each user
 Grant them permissions to work with
applications and data
 Test for that when they use the application

3

Authentication and Authorisation
Definitions
 Authentication is the validation of a userid
that is used by a user or batch process
 Authorisation is checking that a userid is
allowed to perform certain operations on
an object
can <user> "fred" do <operation> "delete" on
<object> "/home/fred/somefile.txt" of <object_type>
"file"

4

Authentication Process
 user/batch process requests access for <userid>
using <credential> from a server
 server validates credential (e.g. password or key
challenge certificate) against userid and returns
an <authentication_token> (e.g. a cookie or hash
token) which is linked server side to the userid,
typically in a session store
 user/batch process supplies the authentication
token along with subsequent requests to the
server
 on receiving a request the server
– validates the authentication token
– checks the linked userid has authorisation to
perform the given request
5

Authentication Example
http://search.cpan.org/perldoc?Authen::Simple

use Authen::Simple::Passwd;

my $passwd = Authen::Simple::Passwd
->new(path => '/etc/passwd');

if ( $passwd->authenticate( $username,
$password ) ) {
# successfull authentication
}
6

Authentication Session
 Once authenticated, you'll need a session to persist that, otherwise
you'd need to ask for the userid/password every time
 Using Authen::Simple with Apache gives us an implicit session

# a mod_perl Authen handler
PerlModule Authen::Simple::Apache
PerlModule Authen::Simple::Passwd
PerlSetVar AuthenSimplePasswd_path "/etc/passwd“
<Location /protected>
PerlAuthenHandler Authen::Simple::Passwd
AuthType Basic
AuthName "Protected Area“
Require valid-user
</Location>

7

More Auth Session Examples
These modules on CPAN give examples of
how to authenticate and have that persisted
in an authentication session
 CGI::Application::Plugin::Authentication
 CGI::Application::Plugin::Session

 Catalyst::Manual::Tutorial::Authentication
 Catalyst::Plugin::Authentication
 Catalyst::Plugin::Authorization::Roles

8

Authorisation Types / 1
simple
 authenticated user has full access to system
 auth'd user has roles which each grant full access to a sub-system, either as
a process ('can register new users') or data ('can amend customer records')
– the role acts effectively as a grouping mechanism
 Lattice-Based Access Control (LBAC)
– users (subjects) mapped to objects (resources, computers, applications)
 Role-Based Access Control (RBAC)
– users have hierarchical roles which have permissions that grant operations
e.g. user "fred" has role "sysadmin" which has permission "security_edit" which
grants operations "read" and "write" on security objects
instead user "fred" might have role "root" which inherits from role "sysadmin"
those permissions
 RBAC with Access Control List extension
– users have roles which have permissions with a precedence that grant operations
on matched objects
e.g. user "jo" has role "editor" which has permission "food_recipes" which grants
operations "read", "write", "delete" to objects "of type 'document' with file path
matching '/home/recipes/*'“
 enterprise framework, e.g. PERMIS storing permissions via OpenLDAP and
authenticating against Windows ADS BBC SSO or Shibboleth
complex

9

Authorisation Types / 2
 The user-role assignment may be inherent in the
authorisation system,or might be read externally,
say from an ADS server via LDAP
 The object matching might involve callouts to
more sophisticated checking code plugins that
query other systems
 Authorisation is usually applied at application
level to check actions
 It can also be applied at database level to filter all
access to data the user is allowedto see, either by
a database view or by using a relational database
object wrapper layerto provide an additional
safety net, e.g.
DBIx::Class::Schema::RestrictWithObject
10

Article On Simple Authorisation
 "Elements of Access Control" at perl.com by
Vladi Belperchinov-Shabanski, Feb 13 2008
http://www.perl.com/pub/a/2008/02/13/elements-of-acce
Some nice examples of reading users and groups
from file or database
 Policy configuration syntax
 Policy parser
 User group storage and mapping
 User group loading
 Policy match function
 Data fences
I won't go through it now but worth reading on-line

11

Simple Authorisation in Catalyst
 user <-many--many-> role
 role has meaning in your application code
 Catalyst::Plugin::Authorization::Roles

use Catalyst qw/
Authentication
Authentication::Store::ThatSupportsRoles
Authorization::Roles
/;
sub delete : Local {
my ( $self, $c ) = @_;
$c->assert_user_roles( qw/admin/ );
# only admins can delete
$c->model("Foo")->delete_it();
}
12

CPAN Lattice-Based Access
Control Example
 WE::Util::Permissions
 Uses a single file of permission rules queried via
a Perl interface
 User or group matches rules which link
operations to matched objects
 In the terminology of the author, operations are
"processes", objects are "pages“
 Part of a wider web file editing framework
 I wrote a very similar authorisation handler in C
for the Open University many years ago although
Perl's obviously much better at tokenising text
files and handling data!
13

WE::Utils::Permissions File Format

Based on these tokens
– user list of users
– group list of groups
– process operation like “delete”
– Page file path or regexp or glob

14

WE::U::P File Examples / 1
 Use globbing for matching and allow the "admin" group
to have rights for all processes. There is no page
restriction, so the rights are valid for all objects
! match: glob
group admin
process *

 The chiefeditors have rights for the processes "release",
"publish" and "edit". Here too, there are no page
restrictions

group chiefeditor
process release publish edit

15

WE::U::P File Examples / 2
 The members of the group "news" are allowed to do the
following operations in all objects below "/News/":"edit",
"change-folder", "new-doc", "rm-doc", "release" and
"publish".A regular expression match is used here (there
is no "! match" directive).

! match: regexp
group news
page /News/.*
process edit change-folder new-doc rm-doc release publish

 At end of file this rule denies anything not already
permitted,similarly to Apache "DENY from all" directive
or /etc/hosts.deny "ALL: ALL"
! match: glob
group *
process !*
16

WE::U::P Querying
use WE::Util::Permissions;

my $perm = WE::Util::Permissions->new(-file =>
$permissionsfile);

$perm->is_allowed(-user => "some_user", -process
=> "access");
$perm->is_allowed(-group => [qw( editor admin )],
-process => "delete", -page => 'a/b/foo.html');

# get subset of users from list provided who are
allowed process (operation) 'publish' on page
(object) '/home/index.txt‘
$perm->get_all_users([qw( janet john )], 'publish',
'/home/index.txt');
17

WE::U::P Caveats
 You have to provide user and group handling
("The semantics of users, groups, processes and
pages are usually defined in another layer")
 No admin interface to create rules
 "There is currently no way to specify a token
with spaces or slashes.”
 “Diagnostics is poor. Unrecognized tokens won't
cause errors or warnings.”
 No precedence other than rule order (e.g. how do
I deny a tree except for a sub-tree which is
allowed).
 No plugin methods matching/precedence
caclulation.
But you could use the ideas and code as a basis
for your own authorisation library.Have a look at
the code on CPAN.
18

Role Based Access Control
This is an evolving area and it is surprising how
recently the standards for it have been written
(2001 on)
 NIST "Role Based Access Control (RBAC) and Role Ba
 “The NIST Model for Role-Based Access Control: Tow
 Proposed NIST Standard for Role-Based Access Contro
 ACM Transactions on Information and System Security
D.F.Ferraiolo et al.
 "Beyond Roles: A Practical Approach to Enterprise Use

19

Emerging Standards and Implementations
An evolving area. Surprising how recently the
standards for it have been written (2001 on)
 XACML
http://en.wikipedia.org/wiki/XACML
 "OASIS eXtensible
Access Control Markup Language (XACML) TC“
 “Core and hierarchical role based access control (RBAC
 Sun's XACML Open Source impl. in Java
http://sunxacml.sourceforge.net
 Axis2 web service for Apache Maven
http://xacmllight.sourceforge.net/
C/Java providing SOAP stack
 Still a moving target!

20

Existing Security Implementations / 1
 Windows ADS
– Using an LDAP connector to authenticate users and
determine group memberships and permissions, such
as Perl-LDAP http://ldap.perl.org/
– Requires application-side logic to interpret
permissions
 OpenLDAP
– "LDAP for Security, Part I“
http://www.linuxjournal.com/article/6789
– Paranoid Penguin "Authenticate with LDAP, Part III“
http://www.linuxjournal.com/article/6936

21

 PERMIS Privilege Management
Infrastructure
– Enterprise-wide, huge, complex
– http://sec.cs.kent.ac.uk/permis/
– http://www.openpermis.org/download.htm
– PERMIS PMI Architecture "Implementing
Role Based Access Controls Using X.509
Attribute Certificates”
– "RBAC POLICIES IN XML FOR X.509
BASED PRIVILEGE MANAGEMENT"

22

 Shibboleth
– A standards based, open source software package for
web single sign-on across or within organizational
boundaries that can work with PERMIS
http://shibboleth.internet2.edu/
 Distributed Access Control System (DACS)
– http://dacs.dss.ca/faq.html
– Written in C, well-designed, modular
– Provides authentication and authorisation
– Doesn't work on Apache 1, which the BBC uses in
production :-(

23

 "A Role-Based Access Control (RBAC)
system for PHP“ by Tony Marston
– http://www.tonymarston.net/php-mysql/role-
based-access-control.html
– small, well-designed, good for standalone applications
 "FineGrained Role Based Access Control
(RBAC) system" for PHP
– reasonable database design and PHP code
 POSIX ACL – ACLs from Python
– http://pylibacl.sourceforge.net/
 Linux kernel extension "grsecurity“
– http://www.grsecurity.net/index.php
– Unix-based kernel level RBAC, really aimed at Unix
files and users
24

Perl Implementations of RBAC
I know of no solutions in Perl although there are
libraries for Python, Ruby, Java. In principle you
could wrap one of them
 We needed one at the BBC so I wrote one called
IFL::Authz and hope to release it to CPAN
 Based on Ferraiolo et al. "Proposed NIST
Standard for Role-Based Access Control"
This paper has a Functional Specification of an
API written in the Z formal language which I
adapted to Perl. Z is nice match for the
mathematical set theory underlying RBAC
though there are some errors in the paper.
25

RBAC Model
 From Ferraiolo
http://csrc.nist.gov/rbac/rbacSTD-ACM.pdf

26

RBAC Model Detail
 When defining an RBAC model, the following conventions are
useful:
 S = Subject = A person or automated agent
 R = Role = Job function or title which defines an authority level
 P = Permissions = An approval of a mode of access to a resource
 SE = Session = A mapping involving S, R and/or P
 SA = Subject Assignment
 PA = Permission Assignment
 RH = Partially ordered role Hierarchy. RH can also be written: ≥
 A subject can have multiple roles.
 A role can have multiple subjects.
 A role can have many permissions.
 A permission can be assigned to many roles.
 A constraint places a restrictive rule on the potential inheritance of
permissions from opposing roles, thus it can be used to achieve
appropriate segregation of duties. For example, the same person
should not be allowed to both create a login account for someone,
and also be allowed to authorize the procedure.
 A subject may have multiple simultaneous sessions with different
permissions.
27

RBAC Example
 Subject = user "joe“
 Role = "editor“
 Operation = "publish“
However, at the BBC we're using it to handle
sophisticated authorisation for a CMS system which
requires ACLs, so we need object matching too
 From the Wikipedia article on RBAC:
– "With the concepts of role hierarchy and constraints, one can
control RBAC to create or simulate lattice-based access control
(LBAC). Thus RBAC can be considered a superset of LBAC.
I.e. RBAC + ACLs = LBAC
 To do this I extended the concept of permission to
include within it a reference to an object, or matches
against objects using regexps, globs or plugin method
 Object = "/home/recipes/*"

28

Code Examples - Create Authz / 1
use IFL::Authz;
use IFL::Authz::Config::PerlFile;
# load config
my $authzconfig = IFL::Authz::Config::PerlFile
->new({ configfilepath => "authz.xpl" });
# contains
# store => {
# class => 'IFL::Authz::Serialiser::PerlFile',
# storefilepath = 'authz_schema.xpl',
# },
# objectmatch => { class => 'TestAdminAuthz' },
# relies on plugin TestAdminAuthz.pm which gives
# match_object() that understands rings of power

29

# create authz object
my $authz = IFL::Authz->new({ config =>
$authzconfig });
$authz->begin_transaction;
$authz->add_object_type({ name => 'ring', ops =>
['wear', 'destroy'], precedence => 1 });
$authz->add_user({ user => 'unittest', metadata =>
{ name => 'Ms. Unity Test', country => 'UK' } });
$authz->add_role({ role => 'tester', description =>
'Tester Role' });
$authz->grant_permission({role => 'tester',
description => 'access rings', operations =>
[qw( access read )], allow_deny => 'allow', object
=> { type => 'ring', precedence => 'DEFAULT', id
=> {} } } );
30

$authz->add_role({ role => 'ring_bearer', description
=> 'Ring Bearer Role' });
$authz->grant_permission({ role => 'ring_bearer',
description => 'wear rings', operations =>
[qw( wear )], allow_deny => 'allow', object =>
{ type => 'ring', precedence => 'DEFAULT', id =>
{} } });
$authz->add_inheritance({ role_asc => 'tester',
role_desc => 'ring_bearer' });
$authz->assign_user({ user => 'unittest', role =>
'ring_bearer' });
$authz->end_transaction;
$authz->save;

31

Code Examples - Query Authz / 1
my $session = $authz->create_session({ user =>
'unittest', active_roles => [qw( ring_bearer )] });

# user unittest ops access on object_type ring from
indirect role tester inherited by assigned role
ring_bearer
die unless $authz->check_access({ session =>
$session, operation => 'access', object => { type
=> 'ring' } });

# user unittest ops wear on object_type ring from
assigned role ring_bearer
$session, operation => 'wear', object => { type =>
'ring' } });
32

Code Examples - Query Authz / 2
# not able to destroy 'a pretty ring‘
die if $authz->check_access({ session => $session,
operation => 'destroy', object => { type => 'ring',
id => { name => 'a pretty ring' } } });

# but we can destroy 'the one ring‘
$session, operation => 'destroy', object => { type
=> 'ring', id => { name => 'the one ring' } } });

33

Summary and Links
 Summary
– There’s a lot to it, evolving standards
– Choice of library depends on language, platform, whether it’s
enterprise, any special requirements
– Authentication and Authorisation
– At the simplest, use roles
– Then look at a lattice
– More complex may require RBAC

 Links
– Slides at http://miltonkeynes.pm.org
– Sandhu, R., Ferraiolo, D.F. and Kuhn, D.R. (July 2000). "
The NIST Model for Role Based Access Control: Toward a Unified Standard
" (PDF). 5th ACM Workshop Role-Based Access Control: 47-63.

Thank you. Any Questions?

34

Role based access control

More Related Content

What's hot

Viewers also liked

Similar to Role based access control

More from Peter Edwards

Recently uploaded

In this document

Role based access control