
Application of URNs to Authorization
and some other exotic uses

Victoriano Giralt
Central Computing Facility, University of Málaga

Zagreb, January 31st, 2006

Contents

1 Use cases of URNs in Entitlements
  Expenses Authorization Control
  Mobile phone number usage control

2 URNs for adding hierarchies
  Object classification
  Classifications use cases

3 URN handling problems

4 The future

1 Use cases of URNs in Entitlements

Expenses Authorization Control (state: production)

irisUserEntitlement = urn:mace:rediris.es:uma.es:entitlement:applAccess:SolicitudGasto:LEVEL

Assigns access rights to the designated application:

Function
+ entitlement: the URN describes a right for a user or role.
+ applAccess: kind of right, access to an application in this case.
+ SolicitudGasto: application the right is granted on.
+ LEVEL: granted access level, application specific: RUG, ROU, RGE.

Usage
+ LDAP search: the application does a standard directory search to find out whether the authenticated user has the right to use it and which access level has been granted to her.
+ Query via web service: the application queries a web service with the user and application identifiers as inputs and obtains the access level, or the absence of the right to use the application.
+ Future: PAPI. We are preparing a migration path for our applications, such that, once the user has been authenticated by PAPI, the assertion will carry application-specific AuthZ information derived from the entitlements stored in the user's entry in the directory.

Advantages
+ Unique authorization point: all of an object's authorizations, both explicit and implicit, are kept centrally in a directory entry.
+ A sole authorization model: URNs allow us to express all authorizations in a common form, with application-specific semantics.
+ Agent-Function-Qualifier: who can do what on which object.

Mobile phone number usage control (a more complicated case)

irisUserEntitlement = urn:mace:rediris.es:uma.es:entitlement:attrAccess:mobile:VALUE

User to application
+ Personal management of permissions: the user grants permissions on his data to applications. May we use entitlements? Is it unorthodox? A new irisUserPrivateAttribute?

The problem
+ Attribute access control: different applications may want to use an attribute; the user can decide whether she permits the use of the attribute or not, for the ends of each of them.
+ mobile: this attribute can be used by several applications, like:
  + changing forgotten passwords
  + sending marks
  + sending notices

Examples
+ VALUE = passwordChange: the user allows the SMS gateway to use his mobile phone number for the password change function. From another point of view, the user authorizes the use of his mobile phone number for starting a password change.
+ VALUE = marks: the user authorizes the use of her mobile phone number for accessing her marks and for sending them to that number.
+ VALUE = maySpam: the user allows the use of his mobile phone number for sending notices from the University.

BUT ...
+ irisUserEntitlement holds permissions granted to the object (user).
+ irisUserPrivateAttribute holds access permissions that the object (user) grants on her attributes.
+ A new irisUserPrivateAttribute? Should we migrate to a URN-based model? Would it work?
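Both entitlement shapes shown so far (applAccess for the expenses application, attrAccess for the mobile number) are handled by the same string processing. The following Python is an added example, not code from the University of Málaga or RedIRIS: it parses irisUserEntitlement values, answers the two questions an application asks (which LEVEL on SolicitudGasto, and whether a given use of mobile was granted), and builds the filter for the LDAP search described under Usage. The sample entry values, the uid attribute name, and the deny-by-default handling of malformed values are assumptions of the example, not details from the slides.

```python
"""Added example (not University of Málaga / RedIRIS code): parsing the two
entitlement URN shapes from the slides and answering the questions an
application needs answered, with deny-by-default on anything unparseable."""
from dataclasses import dataclass
from typing import Iterable, Optional

ENTITLEMENT_PREFIX = "urn:mace:rediris.es:uma.es:entitlement"


@dataclass(frozen=True)
class Entitlement:
    kind: str       # "applAccess" (right on an application) or "attrAccess" (right on an attribute)
    target: str     # application name, e.g. SolicitudGasto, or attribute name, e.g. mobile
    qualifier: str  # access LEVEL (RUG, ROU, RGE) or permitted use (passwordChange, marks, maySpam)


def parse_entitlement(urn: str) -> Optional[Entitlement]:
    """Split one irisUserEntitlement value into its three trailing fields.

    A value from another namespace, or with the wrong number of fields, yields
    None: the callers treat it as granting nothing instead of guessing.
    """
    if not urn.startswith(ENTITLEMENT_PREFIX + ":"):
        return None
    fields = urn[len(ENTITLEMENT_PREFIX) + 1:].split(":")
    if len(fields) != 3 or not all(fields):
        return None
    return Entitlement(*fields)


def application_levels(entitlements: Iterable[str], application: str) -> frozenset:
    """Access levels granted on `application`; an empty set means no access."""
    return frozenset(
        e.qualifier
        for e in map(parse_entitlement, entitlements)
        if e is not None and e.kind == "applAccess" and e.target == application
    )


def attribute_use_permitted(entitlements: Iterable[str], attribute: str, use: str) -> bool:
    """True only if the user explicitly granted `use` of `attribute`."""
    return any(
        e is not None and e.kind == "attrAccess" and e.target == attribute and e.qualifier == use
        for e in map(parse_entitlement, entitlements)
    )


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a literal placed inside a search filter, so that a
    user-supplied uid cannot inject extra filter components."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def entitlement_filter(uid: str, application: str) -> str:
    """Filter for the LDAP search on the slide: does this user hold any
    applAccess entitlement on the application? The trailing '*' is the
    intended substring match on LEVEL; everything user-controlled is escaped.
    The 'uid' attribute name is an assumption of this example."""
    return (
        f"(&(uid={ldap_filter_escape(uid)})"
        f"(irisUserEntitlement={ENTITLEMENT_PREFIX}:applAccess:"
        f"{ldap_filter_escape(application)}:*))"
    )


# Constructed sample of one user's irisUserEntitlement values; not real directory data.
SAMPLE_ENTRY = [
    f"{ENTITLEMENT_PREFIX}:applAccess:SolicitudGasto:RUG",
    f"{ENTITLEMENT_PREFIX}:attrAccess:mobile:passwordChange",
    f"{ENTITLEMENT_PREFIX}:attrAccess:mobile:marks",
    f"{ENTITLEMENT_PREFIX}:applAccess:SolicitudGasto",   # malformed: LEVEL missing, ignored
    "urn:mace:dir:entitlement:common-lib-terms",         # another namespace, ignored
]

if __name__ == "__main__":
    print(application_levels(SAMPLE_ENTRY, "SolicitudGasto"))
    print(attribute_use_permitted(SAMPLE_ENTRY, "mobile", "maySpam"))
    print(entitlement_filter("jdoe)(uid=*", "SolicitudGasto"))
```

Parsing is deliberately strict: a value with a missing LEVEL or an unexpected number of fields grants nothing, which keeps the "unique authorization point" property honest, since a typo in the directory cannot silently widen access.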

2 URNs for adding hierarchies

Object classification (of hierarchies and sparse trees)

We have had the opportunity of designing our enterprise directory from scratch very recently, learning from many others' successes and mistakes.

Shallow trees
+ Few one-level branches: real-world usage has shown us that storing objects inside a flat structure, with a few branches for storing similar object types just one level beneath the organization root, is more practical and requires less administration.

Hierarchies
+ Organizations DO have hierarchies: regardless of the internal directory structure, there is an organizational hierarchy for many of the objects stored in it. Therefore, there is a need for presenting entries in a hierarchical form.

Virtual views
+ Several hierarchies for the same set: often, the same type of objects has to be presented with a different structure. This is difficult to solve with traditional approaches. It is quite easy to do using classification codes stored as URNs.

Use cases for classifications (different views of the same tree)

Classifications describe hierarchies using variable-length codes, adding a new code element for each new level. Code element size is fixed for each classification.

Classifications branch
dn: dc=classif,dc=uma,dc=es
objectClass: top
objectClass: organizationalUnit
objectClass: dcObject
dc: classif
ou: classif

Classification root
dn: dc=umaLoc-1.0,dc=classif,dc=uma,dc=es
objectClass: top
objectClass: organizationalUnit
objectClass: dcObject
dc: umaLoc-1.0
ou: umaLoc-1.0

Classification entry
dn: copaCode=a01b01c01d03e05,dc=umaLoc-1.0,dc=classif,dc=uma,dc=es
objectClass: top
objectClass: copaArea
copaName: Director’s office
copaCode: a01b01c01d03e05
description: The office of the director of the Polytechnic School

A person's entry can hold as many classification codes as needed in order to place her in different hierarchies.

irisClassifCode = urn:mace:rediris.es:uma.es:classif:umaLoc:1.0:a01b01c01d03e05
irisClassifCode = urn:mace:rediris.es:uma.es:classif:umaOrg:1.0:a1b1c1d1e1

Classification
+ Name of the classification: this allows one to know which classification the code belongs to.
  umaLoc: geographical location
  umaOrg: organizational roles (its levels have fewer nodes, hence the shorter code elements)

Version
+ Classification version: the versioning information is important in order to know that object entries are up to date when presenting them using one precise classification.

Code
+ Entry's classification code: the code places the entry in an exact location in the University premises. Each additional element adds one level to the path:
  a01              Campus “El Ejido”
  a01b01           Polytechnic School
  a01b01c01        Administration Building
  a01b01c01d03     Third floor
  a01b01c01d03e05  Director’s office

Once the persons' entries hold various classification codes it is possible to overlay different hierarchical views over an otherwise shallow directory. The views can be navigated using data stored in the directory.

Main entry
+ Available views defined at root: the root entry holds an attribute with the virtual views that can be overlaid on the directory.
  copaMainNav: dc=umaLoc-vv1,dc=vviews,dc=uma,dc=es
  copaMainNav: dc=umaOrg-vv1,dc=vviews,dc=uma,dc=es

Virtual view
+ Information for presenting the view: virtual view entries have attributes that hold all the information a program needs for doing the searches that present the objects according to the desired hierarchy.
  copaClassifBase: dc=umaLoc-1.0,dc=classif,dc=uma,dc=es
    Search base for retrieving a classification.
  copaPrefix: urn:mace:rediris.es:uma.es:classif:umaLoc:1.0
    URN prefix of the classification codes.
  copaAreaObjectClassName: copaArea
    Object class of the classification elements.
  copaCodeAttr: copaCode
    Attribute of the classification entries that holds the codes. Example value: a01b01c01d03e05
  copaPrintAttr: copaName
    Attribute of the classification entries that holds the printable name of the code. Example value: Director’s office
  copaCodeResourceAttr: irisClassifCode
    Attribute of the object entries that holds the classification codes.
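The classification codes and the copa* view attributes above reduce to fixed-width string handling, which is also the point made later under URN handling problems. As an added example (not the University's own copa* implementation), the Python below parses irisClassifCode values, expands a code into the chain of nodes it belongs to, builds the substring filter a view would issue when a user opens one node, and overlays a umaLoc 1.0 view on a constructed set of person entries, leaving out entries tagged with another classification or an older version. The element widths (3 characters for umaLoc, 2 for umaOrg), the extra floor and the person entries are assumptions of the example, not data from the slides.

```python
"""Added example, not the University of Málaga's copa* code: decoding
irisClassifCode URNs, deriving the chain of nodes a code belongs to, and
overlaying a hierarchical view on a flat set of person entries.

Assumptions (not stated on the slides): code element width is 3 characters
for umaLoc (a01, b01, ...) and 2 for umaOrg (a1, b1, ...), as the examples
suggest; directory data is constructed inline instead of being read via LDAP.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

CLASSIF_PREFIX = "urn:mace:rediris.es:uma.es:classif"
ELEMENT_WIDTH = {"umaLoc": 3, "umaOrg": 2}  # assumed from the slide examples

_CODE_RE = re.compile(re.escape(CLASSIF_PREFIX) + r":([A-Za-z]+):(\d+\.\d+):([a-z0-9]+)")


def parse_classif_code(urn: str) -> Tuple[str, str, str]:
    """Return (classification, version, code). The pattern pins every field,
    so a value from another namespace or with stray characters raises instead
    of being misread as a code."""
    m = _CODE_RE.fullmatch(urn)
    if not m:
        raise ValueError(f"not a classification code: {urn!r}")
    return m.group(1), m.group(2), m.group(3)


def split_elements(classification: str, code: str) -> List[str]:
    """Cut a code into its fixed-size elements; a truncated code is an error."""
    width = ELEMENT_WIDTH[classification]
    if not code or len(code) % width:
        raise ValueError(f"{code!r} is not a whole number of {width}-char elements")
    return [code[i:i + width] for i in range(0, len(code), width)]


def ancestors(classification: str, code: str) -> List[str]:
    """Every node on the path from the top level down to the code itself:
    a01, a01b01, a01b01c01, ... Each prefix is itself a valid node code."""
    elems = split_elements(classification, code)
    return ["".join(elems[:i]) for i in range(1, len(elems) + 1)]


def subtree_filter(code_attr: str, classification: str, version: str, node: str) -> str:
    """LDAP substring filter for every object at or below `node`: the search a
    virtual view issues when the user opens that node. Because element width
    is fixed, the prefix can only be followed by whole further elements."""
    return f"({code_attr}={CLASSIF_PREFIX}:{classification}:{version}:{node}*)"


# Constructed classification branch (copaCode -> copaName), mirroring the slide's
# umaLoc-1.0 example plus one extra floor so the overlay has two leaves.
UMALOC_NAMES = {
    "a01": "Campus El Ejido",
    "a01b01": "Polytechnic School",
    "a01b01c01": "Administration Building",
    "a01b01c01d02": "Second floor",
    "a01b01c01d02e01": "Secretariat",
    "a01b01c01d03": "Third floor",
    "a01b01c01d03e05": "Director's office",
}

# Constructed person entries: uid -> irisClassifCode values.
PEOPLE = {
    "director": [f"{CLASSIF_PREFIX}:umaLoc:1.0:a01b01c01d03e05",
                 f"{CLASSIF_PREFIX}:umaOrg:1.0:a1b1c1d1e1"],
    "clerk": [f"{CLASSIF_PREFIX}:umaLoc:1.0:a01b01c01d02e01"],
    "mover": [f"{CLASSIF_PREFIX}:umaLoc:0.9:a01b01c01d03e05"],  # stale version
}


def path_names(code: str, names: Dict[str, str] = UMALOC_NAMES) -> List[str]:
    """Printable path for a umaLoc code, one copaName per level."""
    return [names.get(node, f"<unknown {node}>") for node in ancestors("umaLoc", code)]


def overlay_view(people: Dict[str, List[str]], classification: str, version: str) -> Dict[str, List[str]]:
    """Map every node of one classification version to the uids placed at or
    below it. Codes of other classifications, or of another version, are left
    out: an entry tagged with an old version is not presented as current."""
    members = defaultdict(set)
    for uid, urns in people.items():
        for urn in urns:
            cl, ver, code = parse_classif_code(urn)
            if cl != classification or ver != version:
                continue
            for node in ancestors(cl, code):
                members[node].add(uid)
    return {node: sorted(uids) for node, uids in members.items()}


if __name__ == "__main__":
    for node, uids in sorted(overlay_view(PEOPLE, "umaLoc", "1.0").items()):
        print(f"{node:16} {' / '.join(path_names(node))}  {uids}")
    print(subtree_filter("irisClassifCode", "umaLoc", "1.0", "a01b01c01d03"))
```

The version check in overlay_view is where the "classification version" field earns its place: an entry still carrying a 0.9 code is simply absent from the 1.0 view rather than being shown at a node whose meaning may have changed between versions.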

3 URN handling problems

On URN handling problems (or, more precisely, their absence)

URN usage problems are more perceived than real.

Searching for URNs
+ URN = text string. When properly indexed, LDAP shines for its speed in substring searching, regardless of length. (We have benchmarks to back this.)

Entitlement processing
+ Entitlement = multivalued attribute. Processing is no more complex than with any other multivalued attribute.

URN processing
+ URN = text string. Searching for information inside a URN is just string processing, which most programming languages in use can easily accomplish.

4 The future

The future (is uncertain)

We are building an AAI based on the ideas presented here. We have tried hard to apply AAI concepts to applications produced by teams that are far from middleware. And many doubts have arisen.

Rule out LDAP?
+ The access, NOT the directory: the directory can't know whether the application is using the credentials it should use. Applications could therefore use information they are not authorized to.
+ Credentials control: applications SHOULD NOT have access to user credentials. Why? They may abuse them. We have already done that.

Our quest for a solution
+ Web services, as an interface between applications and the directory. Attribute access policy enforcement can be verified. Good for in-house applications; difficult for third-party applications.
+ Kerberos: can do AuthN. Can do AuthZ? There are kerberized third-party applications, but not many.
+ Web AAI: easily applied to web applications with source. Can be ported to web servers to avoid application modification. Non-web applications?