AuthZForce - Open Source Next-Gen Access Control Framework for the Enterprise, OW2con'16, Paris
TRANSCRIPT
OPEN
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2015 All rights reserved.
July 2016 Thales / Template : 87204467-DOC-GRP-EN-002
Next-Gen Access Control Framework
▌ Overview
▌ ABAC and XACML
▌ Deep dive in AuthZForce
▌ AuthZForce Tomorrow…
Overview
▌ History
From SunXACML to AuthZForce
▌ Licensing
Community Edition (CE)
Enterprise Edition (EE)
Attribute Based Access Control
Identity based
• Based on user identity
• Unmanageable at large scale
Role based
• Role hierarchy
• Separation of duties
• Issue with context notion
• Role number explosion
Attribute based
• Finer granularity and flexibility
Features
▌ XACML 3.0 compliant
▌ Multi-tenant API
REST
- CRUD
- Policy versioning
Java
▌ Extensible architecture
Datatypes
Functions
Combining algorithms
Providers
- Attributes
- Policies
Filters
- Request
- Result
Cache
▌ OASIS profiles
Officially supported
- RBAC
- REST
- Multiple Decision (repeated attribute categories only)
Experimental support
- Additional Combining Algorithms v1
- DLP/NAC (20%)
▌ Extras
Fast Infoset
PDP clustering
XML attack protection
Circular policy reference security
Code to product
▌ Continuous integration
GitLab (internal)
OW2 Tuleap (external)
Jenkins
Sonar
Nexus
Maven central deployment
▌ Code validation
PMD
FindBugs
▌ Wiki
http://authzforce.ow2.org
▌ Ticketing system
JIRA
▌ Conventions
Keepachangelog.com
Semantic Versioning
Alternatives
▌ SunXACML
Low/zero activity
▌ OpenAZ
Low/zero activity
Multi-tenancy issues
▌ Balana
No REST API
▌ Axiomatics
Proprietary
Projects
▌ Internal
CYRIS for Outlook 365
▌ Collaborative
Easi Clouds
OpenCloudWare
FI-WARE
CHOReVOLUTION
AU2EU
5G-ENSURE
Roadmap
▌ Administration Dashboard
▌ JSON Support
▌ Data Storage
Other backends than flat files
▌ Performance testing
Fully integrated with CI
▌ OW2 Collaboration opportunities ?
▌ AppHub deployment
▌ CII Badge ?
XACML Architecture
PEP: Policy Enforcement Point, sends the AuthZ Request (XACML) to the PDP
PDP: Policy Decision Point
PIP: Policy Information Point (one or more)
PRP: Policy Repository Point
PAP: Policy Administration Point
XACML
XACML Request
XACML Request
  Category subject
  Category resource
  Category action
  Category x … Category n
    Attribute Y
      Attribute ID (subject-id, subject-role, …)
      Attribute Type (string, date, integer, …)
      Attribute Value (romain, 1970-01-01, …)
Scenario
Charles wants to update mission information with id=47 hosted on the MissionManager service.
XACML request sent by the PEP to the PDP: subject-id=charles resource-id=MissionManager mission-id=47 action-id=update
Actors: PEP, PDP, MissionManager, LDAP Mission Database
PDP (through its PIP) to the LDAP Mission Database: Get members of mission 47 ?
The rule from the slide, rewritten as valid XACML 3.0: the slide's shorthand identifiers are expanded to the standard URNs, the unbalanced quotes are fixed, and the inner Target that the slide placed inside the Condition (not allowed by the schema) becomes an "and" expression that keeps the same conjunction. The custom attribute ids subject-role and mission-member are kept as on the slide.

<Rule RuleId="update_Mission" Effect="Permit">
  <Description>update_Mission_Rule</Description>
  <!-- Target: the rule applies only to the "update" action -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- Condition: the slide's single AllOf requires every match, so all three checks are and-ed -->
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <!-- subject-role contains Mission_Manager -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Mission_Manager</AttributeValue>
        <AttributeDesignator AttributeId="subject-role"
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Apply>
      <!-- subject-role contains Activity_Manager -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Activity_Manager</AttributeValue>
        <AttributeDesignator AttributeId="subject-role"
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Apply>
      <!-- subject-id is one of the mission members; mission-member is not in the request,
           the PDP obtains it through the PIP from the LDAP mission database -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        <AttributeDesignator AttributeId="mission-member"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Apply>
    </Apply>
  </Condition>
</Rule>
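To show how the PDP evaluates the scenario against this rule, here is an added toy evaluator (my own example, not AuthZForce code): the request is modelled as categories of attribute bags as on the XACML Request slide, a PIP callback stands in for the LDAP mission database, and the update_Mission rule is applied with its Target and Condition. Attribute ids use the slide's shorthand; the MISSION_DB table and the scenario_request helper are constructed for the example.

```python
from typing import Callable, Dict, Set

# Request model from the "XACML Request" slide: category -> attribute id -> bag of values.
Request = Dict[str, Dict[str, Set[str]]]
# PIP callback: (request, category, attribute id) -> bag resolved from an external source.
Pip = Callable[[Request, str, str], Set[str]]

# Constructed stand-in for the LDAP mission database (mission-id -> member subject-ids).
MISSION_DB = {"47": {"alice", "charles"}, "48": {"bob"}}


def mission_pip(req: Request, category: str, attr: str) -> Set[str]:
    """PIP: answers 'Get members of mission 47 ?' for the mission-id found in the request."""
    if category == "resource" and attr == "mission-member":
        missions = req.get("resource", {}).get("mission-id", set())
        return set().union(*(MISSION_DB.get(m, set()) for m in missions))
    return set()  # unknown attribute: empty bag (MustBePresent="false" semantics)


def designator(req: Request, category: str, attr: str, pip: Pip) -> Set[str]:
    """AttributeDesignator: take the bag from the request, otherwise ask the PIP."""
    bag = req.get(category, {}).get(attr)
    return bag if bag is not None else pip(req, category, attr)


def update_mission_rule(req: Request, pip: Pip) -> str:
    """The slide's update_Mission rule: Target on action-id, Condition on roles + membership."""
    # Target: AnyOf/AllOf/Match(string-equal); a Match holds if ANY value in the bag equals.
    if "update" not in designator(req, "action", "action-id", pip):
        return "NotApplicable"
    # Condition: the slide's single AllOf requires every match, so both roles are needed,
    # and subject-id must be string-at-least-one-member-of the mission-member bag.
    roles = designator(req, "subject", "subject-role", pip)
    members = designator(req, "resource", "mission-member", pip)
    subject_ids = designator(req, "subject", "subject-id", pip)
    condition = ("Mission_Manager" in roles and "Activity_Manager" in roles
                 and bool(subject_ids & members))
    return "Permit" if condition else "NotApplicable"


def pdp_decide(req: Request, pip: Pip = mission_pip) -> str:
    """PDP with deny-unless-permit combining: anything but Permit reaches the PEP as Deny."""
    return "Permit" if update_mission_rule(req, pip) == "Permit" else "Deny"


def scenario_request(subject: str, roles, mission: str, action: str) -> Request:
    """Build the slide's request: subject-id, subject-role, resource-id, mission-id, action-id."""
    return {"subject": {"subject-id": {subject}, "subject-role": set(roles)},
            "resource": {"resource-id": {"MissionManager"}, "mission-id": {mission}},
            "action": {"action-id": {action}}}
```

Charles is permitted only when he holds both roles and the PIP confirms he is a member of mission 47; a request for another mission or action falls through to Deny.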