XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Developer
DESCRIPTION
In this presentation I introduce the basics of Attribute-based Access Control, XACML, and why it matters to developers. I also focus on the latest XACML TC profiles - the REST profile and the JSON profile that make integration easier and faster.
TRANSCRIPT
#CISNapa - @davidjbrossard - @axiomatics 1
XACML for Developers
Updates, New Tools, & Patterns for the Eager #IAM Developer
eXtensible Access Control Markup Language
What is XACML?
Not guacamole
De facto standard
Defined at OASIS
One of the several standards in the #IAM family
XACML in the IAM spectrum
SAML, SPML, LDAP, RBAC, ABAC…, SCIM, OpenID, OAuth, WS-*
In a web 3.0 world where it’s about small apps and your data…
Why XACML?
Quick, call the plumber: 1-800-GO-XACML
It’s time to get leaks under control
Authorization should really be about…
When? What? How? Where? Who? Why?
A car retail company has a web application that users can access to create, view, and approve
purchase orders, in accordance with policy rules
Example Scenario: Managing Purchase Orders
Attributes
Resource attributes
Resource type
PO Id
PO amount
PO location
PO creator
PO Status
Subject attributes
Identity
Department
Location
Approval limit
Role
Action attributes
Action type
Environment attributes
Device type
IP address
Time of day
Icon credits: Profile by Sven Gabriel, Invisible by Andrew Cameron, Wrench by John O’Shea, Clock by Brandon Hopkins (The Noun Project)
A simple rule
Anyone in the purchasing department
can create purchase orders
A manager in the purchasing department can approve purchase orders
up to their approval limit
if and only if the PO location and the manager location are the same
if and only if the manager is not the PO creator
A richer rule
What does XACML contain?
XACML
Reference Architecture
Policy Language
Request / Response Protocol
XACML Architecture & Flow
Decide: Policy Decision Point (PDP)
Manage: Policy Administration Point (PAP)
Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
Enforce: Policy Enforcement Point (PEP)
Flow: the user asks to "Access Document #123"; the PEP intercepts the call and asks the PDP "Can Alice access Document #123?"; the PDP answers "Yes, Permit"; the PEP lets the access to Document #123 through
The PDP loads XACML policies and retrieves user role, clearance and document classification
What does XACML contain?
XACML
Reference Architecture
Policy Language
Request / Response Protocol
Language Elements of XACML
3 structural elements: PolicySet, Policy, Rule
Root: either a PolicySet or a Policy
PolicySets contain any number of PolicySets & Policies
Policies contain Rules
Rules contain an Effect: Permit / Deny
Combining Algorithms (at PolicySet and Policy level) resolve the decisions of the contained Policies / Rules
Root Policy Set
PolicySet
Policy
Rule
Effect=Permit
Rule
Effect = Deny
PolicySet
Policy
Rule
Effect = Permit
Sample XACML Policy
Language Structure: Russian dolls
PolicySet, Policy & Rule can contain: Targets, Obligations, Advice
Rules can contain Conditions
Diagram: Policy Set > Policy > Rule (Effect=Permit); each of the three carries a Target and an Obligation, and the Rule additionally carries a Condition
What does XACML contain?
XACML
Reference Architecture
Policy Language
Request / Response Protocol
Structure of a XACML Request / Response
XACML Request:
• Subject: User id = Alice, Role = Manager
• Action: Action id = approve
• Resource: Resource type = Purchase Order, PO # = 12367
• Environment: Device Type = Laptop
"Can Manager Alice approve Purchase Order 12367?"
XACML Response:
• Result: Decision: Permit, Status: ok
"Yes, she can"
The core XACML specification does not define any specific transport / communication protocol:
- Developers can choose their own.
- The SAML profile defines a binding to send requests/responses over SAML assertions.
#1.b and across different technology stacks
Share of programming languages (Feb 2013): Java, C, Objective-C, C++, C#, PHP, Python, (Visual) Basic, Perl, Ruby, JavaScript, Visual Basic .NET, Lisp, Pascal, Delphi/Object Pascal
#2 A rich language to express many scenarios
ACLs
RBAC
Whitelists
Segregation-of-Duty
Relation-based
Trust Elevation
Device-based
Break the glass
Privacy protection
ABAC
Rich business flows
Data redaction
#3 Developer-friendly APIs
The REST profile of XACML: an OASIS XACML profile, designed by Remon Sinnema of EMC2
XML over HTTP
JSON over HTTP
#3. Developer-friendly APIs (cont’d)
Drop the…
Use curl, Perl, and Python with the REST API
curl -X POST -H 'Content-type:text/xml' -T xacml-request.xml http://foo:8443/asm-pdp/pdp
#4 Simplified request/response
Idea: use the JSON profile of XACML
Remove the verbose aspects of XACML
Focus on the key points
Make a request easy to read
#4 Sample XACML Before JSON (cont’d)
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
Can Alice say Hello?
#4 Sample XACML using JSON (cont’d)
{"subject":{"attribute":[{
"attributeId":"username","value":"alice"}]},
"resource":{"attribute":[{
"attributeId":"resource-id","value":"hello"}]},
"action":{"attribute":[{
"attributeId":"action-id","value":"say"}]}}
#4 JSON & XML side-by-side comparison
Chart: Size of a XACML request, XML vs JSON. Two bar charts: word count (axis 0 to 45) and character count (axis 0 to 1400).
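The JSON sample and the size comparison above can be reproduced mechanically. The following is an added example (not from the deck, from Axiomatics, or from the OASIS JSON profile) that parses the slide's XML request and emits the compact JSON shape the slide shows, then measures both. It follows the draft key names on the slide ("subject", "attribute", "attributeId", "value"), not the key names of the later ratified JSON profile; the short attribute ids are derived by taking the last segment of each URN, which is an assumption of this example, and the sample XML is constructed to match the slide.

```python
# Convert a XACML 3.0 XML request into the compact JSON layout shown on the slide.
# Added example; not code from the deck, from Axiomatics, or from the OASIS JSON profile.
# The short names (category -> "subject", AttributeId -> "subject-id") are this
# example's own convention, chosen to reproduce the slide's JSON.
import json
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CATEGORY_NAMES = {
    "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject": "subject",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:resource": "resource",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:action": "action",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:environment": "environment",
}

# Constructed sample, matching the "Can Alice say Hello?" request on the slide.
XML_REQUEST = """<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>"""


def xacml_xml_to_json(xml_text: str) -> dict:
    """Map each XACML <Attributes> block to a category key holding an attribute list."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}Request":
        raise ValueError("not a XACML 3.0 Request element")
    out = {}
    for attrs in root.findall(f"{{{NS}}}Attributes"):
        category = CATEGORY_NAMES.get(attrs.get("Category", ""))
        if category is None:
            # Refuse rather than silently drop: an unmapped category would
            # change what the PDP gets to see.
            raise ValueError(f"unknown category: {attrs.get('Category')}")
        entries = []
        for a in attrs.findall(f"{{{NS}}}Attribute"):
            short_id = a.get("AttributeId", "").rsplit(":", 1)[-1]
            for v in a.findall(f"{{{NS}}}AttributeValue"):
                entries.append({"attributeId": short_id, "value": v.text})
        if entries:                     # the empty environment block is omitted, as on the slide
            out[category] = {"attribute": entries}
    return out


def request_sizes(xml_text: str):
    """Character counts of the XML request and of its compact JSON rendering."""
    compact = json.dumps(xacml_xml_to_json(xml_text), separators=(",", ":"))
    return len(xml_text), len(compact)


if __name__ == "__main__":
    print(json.dumps(xacml_xml_to_json(XML_REQUEST), indent=2))
    print("chars (xml, json):", request_sizes(XML_REQUEST))
```

The conversion is deliberately lossy: request-level flags such as ReturnPolicyIdList and CombinedDecision, the DataType of each value and IncludeInResult are dropped, which is exactly the "remove the verbose aspects" trade-off the previous slide describes. When a PEP or gateway does such a translation in production, it has to decide which of those it must preserve, because anything it drops the PDP can no longer act on. Python's ElementTree does not fetch external entities, but a request body that comes from a client should still be size-limited before parsing.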
#5 Easy authoring tools
Natural language authoring
Axiomatics Language for Authorization (ALFA)
Research initiative from TSSG
And many more coming…
#5 Axiomatics Language For AuthZ (cont’d)
Provide the right tools for easy authoring of XACML policies
Plugs into Eclipse IDE
High-level syntax
Auto-complete
Automatic translation to XACML 3.0
Benefits of using XACML #1
One consistent authorization model
Many different applications
Decide once, enforce everywhere
Benefits of using XACML #2
Adios endless if, else statements
Hello simple if(authorized())
Chart: Developer Happiness Index. X axis: number of if / else statements terminated (10 to 170); Y axis: developer happiness increase (0 to 30000).
Benefits of using XACML #3
Security potholes are a thing of the past
XACML is the concrete that fills in the cracks in your authorization wall
Benefits of using XACML #4
Let developers do what they know best
Offload auditing and info security to security architects & auditors by externalizing authorization
Happy developer
Happy auditor
Next steps?
Download XACML SDK
Download ALFA plugin
Download Eclipse
Code in your favorite language
Questions? Contact us at [email protected]
Q&A