--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/a077dc2b-2c92-42ee-b03c-80054f6faf5e%40cloudfoundry.org.
To unsubscribe from this group and stop receiving emails from it, send an email to vcap-dev+u...@cloudfoundry.org.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/CANNZs1QqOe5zC4LzgONfwOzcqfxLh2Jw2d1L_%3DEhWr6Y_hJA9Q%40mail.gmail.com.
To unsubscribe from this group and stop receiving emails from it, send an email to vcap-dev+u...@cloudfoundry.org.
Few observations & comments:
1) Based on my experience, I thought XACML has kind of become quite prevalent policy standard for building interoperable authorization system - a standard based language for expressing information system authorization policies. Quite a number of I&AM vendors have adopted XACML standard for authorization policies representations. Especially, the fact that XACML also allows support for Attribute-based access control as opposed to traditional fixed “role” assignment (RBAC). RBAC model in the dynamic environment becomes quite restrictive and ad-hoc exercise (manufactured roles engineering etc.). Although, in your document you mentioned that you experienced weakness in XACML standard. I am curious to know what your observations are as far as weaknesses of XACML are concerned.
2) 2) Secondly, there are already few good open source access control engines available (ForgeRock OpenAM, Apache Shiro, & JoshuaTree Fortress). Worth looking into these options versus re-inventing the wheel and unnecessarily huge amount of work.
3) 3) Lastly, fine-grained access control goes beyond merely restricting certain URLs access. Data Visibility is a very key requirement as well in the enterprise environment. Data visibility capability enables granular data level access control whereby for example a manager can see all his/her employees data while employees, on the other hand, can only see their own data. This could be based on role based hierarchies (top-down & bottom-up). Essentially, “Data Visibility” means “who can see what” data. In order to achieve fine-grained “Data Visibility”, one would have to dynamically generate SQL by interpreting the access rules as part of policy definitions in conjunction with the user role. There are two different approaches for accomplishing this - API Callout Approach & Data Guard Approach.
API Callout Approach – This is an intrusive approach whereby the SQL query,
for example, is modified by issuing an API callout at the data layer level to
the XACML based access control system. The data returned is therefore the data
the user is actually authorized to see/update. ForgeRock OpenAM follows this particular approach in order to enforce
granular fine-grained access control.
Data Guard Approach – This is a non-intrusive approach whereby the SQL query,
for example, is intercepted at the data layer level. The query is then processed
against XACML access policies and subsequently modified with the appropriate
where clause. The data returned is therefore the data the user is actually
authorized to see/update. This is a very dynamic and non-intrusive approach
that permits ease of implementing changes and also provides the required
granular control. Commercial products such as Oracle
Identity & Access management provide support for non-intrusive “data Guard”
approach in order to enforce granular fine-grained access control.
Hi Thomas, this is in regards to your comment regarding XCAML being complex and XML based verbose. This is more of a tooling issue. I believe commercial vendors such as Axiomatics etc. have addressed this issue by providing easy-to-use authoring tooling (plug-in into eclipse etc.). As I said before, let us not restrict ourselves to fixed “role” based assignment using RBAC. In the next generation Intercloud and IoT like highly dynamic environment, RBAC model becomes quite restrictive and ad-hoc exercise (manufactured roles engineering etc.).
Hi Dario,
Thank you sharing the proposal on the finer grained authorization services for UAA. I apologize for the delay in getting back with the response. Reviewing the proposal you put out has highlighted some bigger gaps with UAA around basic authorization which need to be addressed before we can move to solve advanced authorization use-cases.
UAA at this time doesn’t process claims about the user which is key to the downstream authorization decisions. We have plans to address these gaps in the coming weeks/months and create a robust framework for handling user claims from external identity providers.One of the other things which is missing in UAA is the concept of policy based token issuance.
We have a route services feature coming up which will allows for the interception of the router calls before they hit the App/Container. We would like to leverage this feature to applying basic authentication and authorization filters for the applications running on the Cloud Foundry platform.
In summary, we would like to start by filling in these basic gaps which exist in UAA today and support basic authorization use cases before moving on to the more advanced ones.I definitely see opportunities for us to collaborate on these topics above in the near future.
We will start by putting out proposal for user claims processing and policy based token issuance for review by the community.
Please feel to reach out further on this topic.
Thanks,
--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/6a283027-8bf9-4bd8-b7a7-e72b0bc0ea8a%40cloudfoundry.org.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/d0e40f95-914b-4cef-a0a7-f306ea4e4a07%40cloudfoundry.org.