Fortress Open Source IAM on LDAPv3
1 like3,727 views
This document summarizes a presentation on Fortress Open Source IAM on LDAPv3. The presentation covers an overview of the Fortress product, including its core components and roadmap. It then provides technical introductions to Fortress architecture, implementation of ANSI RBAC standards, and components like Commander for administration and En Masse for RESTful services. Demos of RBAC capabilities like dynamic separation of duties and multitenancy are described. Next steps discussed include an RBAC accelerator, policy decision point, and support for additional standards.
![Dynamic Separation of Duties Demo
Fine
AuthZ Granularity
Users:
• User1 is assigned to ROLE_TEST1,
ROLE_TEST2, and ROLE_TEST3
• User2 is assigned to ROLE_TEST2
• User3 is assigned to ROLE_TEST3
Permissions:
• Page1.Button1 is granted to ROLE_TEST1
• Page1.Button2 is granted to ROLE_TEST1
• Page1.Button3 is granted to ROLE_TEST1
• Page2.Button1 is granted to ROLE_TEST2
• Page2.Button2 is granted to ROLE_TES2
• Page2.Button3 is granted to ROLE_TEST2
• Page3.Button1 is granted to ROLE_TEST3
• Page3.Button2 is granted to ROLE_TEST3
• Page3.Button3 is granted to ROLE_TEST3
Dynamic Separation of Duties:
• Set of roles is [ROLE_TEST1,
ROLE_TEST2, ROLE_TEST3]
• DSD Set Cardinality is 1
• Only one Role can be active in Session
Wicket Buttons
Wicket Links
Fortress RBAC
PEP
Wicket Pages
Apache Wicket
Spring Page-level Security
Coarse
Java EE Coarse-grained Security
Fortress RBAC Proxy
Tomcat
Java Virtual Machine
Fortress
RBAC
PDP](https://image.slidesharecdn.com/fortress-ldapcon2013-v2-131119095241-phpapp02/85/Fortress-Open-Source-IAM-on-LDAPv3-9-320.jpg)
Fortress Open Source IAM on LDAPv3
- 1. Fortress Open Source IAM on LDAPv3 Shawn McKinney November 18, 2013
- 2. Agenda l Product Overview l Technical Introduction l RBAC SoD Demo l Commander l En Masse l Multitenancy l Next Steps l Wrap-up 2
- 3. Product Overview 1 2 3 Fortress Core ANSI RBAC SDK Sentry RBAC Policy Enforcer EnMasse RBAC Policy Server October 2011 October 2011 October 2012 4 5 6 Commander Web Administration Perimeter Web Access Mgmt Patroller Audit Monitoring October 2013 April 2014 October 2014 ROADMAP 3
- 4. Fortress Introduction l ANSI INCITS 359-2004 compliant IAM system l Policy Decision Points l l l Java APIs (Fortress Core) REST services (En Masse) Policy Administration Points l Java APIs (Fortress Core) REST services (EnMasse) l RBAC Web Management (Commander) l l Privileged Identity Management 4
- 5. Fortress Introduction (continued) l Policy Enforcement Points l l l Sentry Java EE Platform Security Sentry Other Platforms (in development) Audit Trail l l l Authentication – tracks who is accessing the system Authorization – tracks who did what, when and where Administration – tracks historical changes to the data 5
- 6. Fortress System Architecture RBAC Accelerator Apache DS LDAPv3 OR LDAPv3 Java VM OpenLDAP Either LDAP Server works LDAPv3 Extended Ops HTTP/S Legend Fortress Fortress RBAC Enforcement APIs will also call accelerator LDAP HTTP Applications 6 Fortress Core APIs Java App #2 HTTP/S Java VM Other App LDAPv3 Any Platform RBAC policy enforcement on any platform use accelerator RBAC policy administration and interrogation use Standard LDAPv3 protocols
- 7. ANSI RBAC INCITS 359 1. 2. 3. 4. RBAC0: Users, Roles, Perms, Sessions RBAC1: Hierarchical Roles RBAC2: Static Separation of Duties RBAC3: Dynamic Separation of Duties Demo this capability 7
- 8. Dynamic Separation of Duties Demo 1 2 3 One and only one may be active Role 1 Assignment Role 2 Assignment Role 3 Assignment
- 9. Dynamic Separation of Duties Demo Fine AuthZ Granularity Users: • User1 is assigned to ROLE_TEST1, ROLE_TEST2, and ROLE_TEST3 • User2 is assigned to ROLE_TEST2 • User3 is assigned to ROLE_TEST3 Permissions: • Page1.Button1 is granted to ROLE_TEST1 • Page1.Button2 is granted to ROLE_TEST1 • Page1.Button3 is granted to ROLE_TEST1 • Page2.Button1 is granted to ROLE_TEST2 • Page2.Button2 is granted to ROLE_TES2 • Page2.Button3 is granted to ROLE_TEST2 • Page3.Button1 is granted to ROLE_TEST3 • Page3.Button2 is granted to ROLE_TEST3 • Page3.Button3 is granted to ROLE_TEST3 Dynamic Separation of Duties: • Set of roles is [ROLE_TEST1, ROLE_TEST2, ROLE_TEST3] • DSD Set Cardinality is 1 • Only one Role can be active in Session Wicket Buttons Wicket Links Fortress RBAC PEP Wicket Pages Apache Wicket Spring Page-level Security Coarse Java EE Coarse-grained Security Fortress RBAC Proxy Tomcat Java Virtual Machine Fortress RBAC PDP
- 10. Where to get RBAC Demo l Source l l https://github.com/shawnmckinney/fortressdemo1 Tutorial & other ANSI RBAC write-ups l l l http://symas.com/ansi-rbac-intro/ http://symas.com/rbac-security-enforcementinside-wicket/ https://github.com/shawnmckinney/ fortressdemo1/blob/master/README.txt 10
- 11. Commander Introduction l RBAC Web Administration l Uses the Fortress Core APIs l Communicate via HTTP or LDAPv3 protocols l Secured by Fortress, Java EE and Spring l Full audit trail l Extensible – add new pages quickly l Uses Apache Wicket UI framework 11
- 12. Commander System Architecture Apache DS OR LDAPv3 LDAPv3 Java VM OpenLDAP Either LDAP Server works LDAP HTTP Commander can use either HTTP or LDAPv3 protocol LDAPv3 O R HTTP/S Commander HTTP/S 12 Java VM Fortress Core APIs Fortress Core APIs EnMasse HTTP/S HTTP protocol aids in firewall traversals Java VM Legend Fortress LDAPv3
- 13. Commander Demo l View RBAC demo audit trail l View RBAC management capabilities l Enable REST communication with En Masse l Run Commander Selenium automated test l View wireshark trace 13
- 14. Where to get Commander l Source l l Quickstart l l http://www.openldap.org/devel/gitweb.cgi? p=openldap-fortresscommander.git;a=summary http://iamfortress.org/download Maven l http://search.maven.org/#search%7Cga %7C1%7Ccommander 14
- 15. En Masse Introduction l RBAC Policy Server l Firewall Friendly l 120+ RESTful services l Multitenant process and services l Secured using Fortress RBAC enforcement l Binds directly to Fortress entity model l Uses Fortress Core to communicate LDAPv3 l Uses Apache CXF for RESTful processing 15
- 16. En Masse System Architecture LDAPv3 Java VM Apache DS OpenLDAP OR LDAPv3 Either LDAP Server works LDAPv3 Apps may use any REST lib or Fortress APIs to connect with En Masse Fortress Core APIs EnMasse HTTP/S HTTP/S HTTP/S Legend Fortress Fortress Core APIs Java App HTTP/S 16 Java VM Other App Any Platform REST HTTP/S LDAP HTTP Applications Java VM HTTP protocol less efficient than LDAP but aids in firewall traversals
- 17. Where to get En Masse l Source l l Quickstart l l http://www.openldap.org/devel/gitweb.cgi? p=openldap-fortress-enmasse.git;a=summary http://iamfortress.org/download Maven l http://search.maven.org/#search%7Cga %7C1%7Ca%3A%22enmasse%22 17
- 18. Introduction 18
- 19. Multitenant LDAP Data Structure l l l Leverage LDAP's natural affinity to partition data by client organization. Each tenant has its own complete copy of DIT segregated by organizational unit Reduced cost due to fewer servers to maintain 19
- 20. Multitenant Programming Model l l Client’s id is passed to Fortress in factory initialization Lifecycle of ‘Manager’ object processes data on behalf of the client id passed during initialization l AnyMgr: l createInstance(tenantId); // Instantiate the AccessMgr implementation. AccessMgr accessMgr = AccessMgrFactory.createInstance( “Client123” ); 20
- 21. Multitenant Demo l Load demo users Client 1, 2 & 3 l Run test-full Client 1, 2 & 3 21
- 22. Where to get Fortress Multitenancy l Source l l http://www.openldap.org/devel/gitweb.cgi? p=openldap-fortress-core.git;a=summary Binaries <dependency> <groupId>us.joshuatreesoftware</groupId> <artifactId>fortress</artifactId> <version>RC-1.0-33</version> </dependency> 22
- 23. Next Steps l RBAC Accelerator l OpenLDAP overlay l RBAC Policy Decision Point l Web Access Management/SSO l RBAC Policy-Enhance Standard (RPE) l l l INCITS 494-2011 Support for dynamic attributes Attribute-based Access Control (ABAC) l Maybe 23
- 24. Thanks!