RE: [higgins-dev] Notes from Feb 27th "Access Control in Higgins" call

["Drummond Reed" <drummond.reed@xxxxxxxxxxxx>]

So Tony, what you are saying (given my very limited understanding of this area) that the STS is acting as the PIP?

 

Isn’t that essentially what the KDC does in Kerberos?

 

=Drummond

 

---

From: higgins-dev-bounces@xxxxxxxxxxx [mailto:higgins-dev-bounces@xxxxxxxxxxx] On Behalf Of Anthony Nadalin
Sent: Tuesday, March 04, 2008 6:22 PM
To: Higgins (Trust Framework) Project developer discussions
Cc: 'Higgins (Trust Framework) Project developer discussions'; higgins-dev-bounces@xxxxxxxxxxx
Subject: Re: [higgins-dev] Notes from Feb 27th "Access Control in Higgins" call

 

Paul, I'm still not sure what problem you are trying to solve.

Today we have the case where a RST request is coming into the IdP/STS (which is/can be a authorization service) asking for a set of claims. In order to make the authorization decision to satisfy the request for claims, the authorization service ( IdP/STS) must ensure that the requestor has presented and proven the claims required for access (access to IdAS) . Logically, the authorization service constructs a table of name/value pairs representing the claims required by the target service (IdAS). The logical requirement table is constructed from the following sources and may be supplemented by additional service resources:
• The address of the EPR for the target service
• The reference properties from the EPR of the target service
• Parameters of the RST
• External access control policies
Similarly, the claim table is a logical table representing the claims and information available for the requestor that the authorization service uses as the basis for its decisions. This logical table is constructed from the following sources:
• Proven claims that are bound to the RST request (both primary and supporting)
• Supplemental authorization context information provided in the request
• External authorization policies

So if there is a match you can access.

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

"Paul Trevithick" ---02/28/2008 01:37:13 PM---Attendees

From:	"Paul Trevithick" <paul@xxxxxxxxxxxxxxxxx>
To:	"'Higgins \(Trust Framework\) Project developer discussions'" <higgins-dev@xxxxxxxxxxx>
Date:	02/28/2008 01:37 PM
Subject:	[higgins-dev] Notes from Feb 27th "Access Control in Higgins" call

---

Attendees
=========
Jeff B. - CA
Jim S. - Novell
David K. - IBM
Paul T. - Higgins
Prateek M. - Oracle
Markus S. - Parity
Duane B. - Novell
Phil H. - Oracle
Tom D. - Novell
Mary R. - Higgins
Brian C. - Serena

Agenda
======

1) Use cases
------------
* What sets of use cases are we considering? (e.g. Phil Hunt's IGF cases,
Parity's "VRM" R-card cases, David KM's cases, others?)

2) Motivations
--------------
* Motivations of different groups of higgins developers to get something in
place.
* Perhaps each "interested" group/person should speak for a couple minutes
on what Higgins capabilities they'd like to see in this area

3) Scope
--------
* Policy representation only?
* Policy enforcement?
* Policy authoring?

4) Relationship to other efforts
--------------------------------
* Should we create a Higgins profile of XACML?
* IGF?
* XDI link contracts
* others?

5) Design Choices
-----------------
* Should we keep policy "data" separate from "resource" data in the Context?
In other words should "policy" point to "resources"? or is it the other way
around?
* How is policy expressed in the data model?

6) Implementation Choices
-------------------------
* PEP built into IdAS?
* PEP Context Provider?
* PEP as a Context Provider responsibility

7) Control over what resources?
-------------------------------
* see: http://wiki.eclipse.org/Access_Control_in_IdAS#Requirements point #2

8) Timing/Functionality Tradeoffs
---------------------------------
* Do we want to do something simple and quick AND on a longer, slower track
something more robust?
* Or should we figure out the long term plan and then see how to implement
an initial phase

9) Process Issues
-----------------
* Volunteer to lead this work area?
* Meeting schedules, etc.
* Next steps

Links
=====

[1] http://wiki.eclipse.org/Access_Control_in_IdAS <-- the page Jim created
[2] http://wiki.eclipse.org/Access_Control_Use_Cases <-- add cases here
[3] http://wiki.eclipse.org/Simple_Access_Control_Proposal <-- conversation
starter

Meeting Notes
=============

1) Use Cases and 2) Motivations
--------------------------------
Paul: I'll go first. Parity has a short term need for adding the ability for
the I-Card Manager to query through IdAS a Context Provider to find out for
a given attribute what operations (modify, delete, create, get/read) are
allowed. This is one of the gating implementation tasks that remain to get
r-cards really working [though not the only one].

David: Our primary use cases are related to relationship access control, in
addition to the usual role-based access control. The ability to allow one
person (friend, employee, etc.) to control what another person (friend,
employee, etc.) can access about them.

Phil: We see lots of cases where there was lots of context involved. E.g. a
doctor in  the ER room vs. doctor in <another setting> would have different
access to medical data. Or contexts where a specific event is occurring.

Tom: In use of the self-issued materials in IdAS, we require on the back end
user with sufficient rights to look up a credential. The issues are related
to opening and authorizing contexts as the user-proxy as opposed to as, say
a "system" user or an "administrative" user, etc.

Jim: We know we want to be able to front traditional data stores and access
control is part of that. We need something that can work with systems that
have native access control but also the ability to expose systems that don't
have native access control and overlay access control.

Jeff: We're interested to move Higgins into the XACML area. IGF of course.
Also some relevance of IGF for users to define their own access control.

3) Scope
--------
* policy representation (dump XACML)
* permission on an object
* policy authoring

David: Is policy discovery necessary? There may be security issues. Also,
you put a lot of burden on consuming applications to be able to use it when
there is a wide range of policies.

Jeff: Should this [access control] be included as part of the Higgins
project? I'd hate to slow down Higgins. This is the next layer up the stack,
but maybe it should be in a separate project.

Jim: This seems like a next thing we're doing.

Jeff: True, but if there was a separation each could evolve more quickly.

David: My opinion is this. At the least we need to be able to do permissions
query. The rest of it (e.g. policy management and some of the engine work)
should be transparent to the application.

Paul: Agreed. Does anyone disagree with David's comment?

<silence>

Phil: As the next step, do we just want to create a PEP spot in the Higgins
architecture. We could have policy engines that Higgins could plug into.
Higgins wouldn't have to worry about managing policy.

<there seemed to be general agreement that just adding a PEP integration
interface would be another natural next step beyond what David had proposed>

4) Relationship to other efforts
--------------------------------
Phil: The general thought with XACML is that it needs to be profiled to deal
with identity information. We chose XACML allowed the ability to express
context-based rules as has mentioned.

Prateek: The IGF-AAPML story is around generic requirements for access
control of an identity service. So we distinguish between the end-user (e.g.
"active subject"), and perhaps a "target subject." XACML is a standard
policy representation. There's starting to be a few XACML engines. So
generally the direction of profiling XACML is a good direction to go. The
AAPML/IGF view is more centered on how to express the constraints on access
to identity data specifically.

Tom: I think that XACML was probably able to express what we wanted in terms
of access control. We went to _javascript_ instead of XACML for the jspolicy
context provider. _javascript_ was easier to set up, a language that is widely
known, etc. In the first cut where the administrators have to edit these
policies on their own, _javascript_ seemed like the way to go.

Paul: Without XACML editors, XACML is pretty heavy, is that what you're
saying?

Jim: Some of our [Novell] use cases that we had were beyond access control.
We wanted policy statements that would support attribute transformations,
joining transformations, etc. This *could* include access control type
actions, but our use cases were a superset of strict access control.

Duane: Sun XACML engine is open source and works fairly well. It was easy to
map IdAS objects as XACML resources. There's also a new one on Google code.

6) Implementation Choices
-------------------------
Jim: Some of our design choices hinge on how we represent policy. If we
extend the Higgins data model to include access control semantics, then it
feels natural to build something into IdAS. If it is in the data model such
that it doesn't introduce new elements (i.e. just more nodes or attributes
on attributes; something that IdAS already provides access to), then we may
not need to change IdAS much. We just need to implement the enforcement.

We've talked about provide a stackable CP [Context Provider] in front of a
Context that doesn't know anything about it as an alternative to making
every CP responsible for implementing access control.

Jeff: The CP seemed like a logical place for this innovation.

Markus: Do all CPs have to support it?

Jim: We could provide an "access control" CP so that it can provide PEP in
front of theirs (that doesn't provide that support). This would be common
code that we'd provide so that developers use.

Brian: I have a couple of potential uses for authorization. The first, as
we've been discussing is to control access to the IdAS data model objects.
The second is a general facility for authorization for objects that may be
outside of Higgins. If Higgins makes the investment to build the auth
facilities to control IdAS objects, we've likely built 95% of something that
could be used outside Higgins as well. E.g. authorization of who can use a
BPEL orchestration. E.g. this person is allowed in/out. The usefulness of
such a facility is much wider than just IdAS objects.

David: If we define something in this area, we need to allow partial
implementations by context providers.

Jim: Yes, I think this is a big consideration. We need to allow for partial
support for access control and discovery of what any given CP can provide
it.

8) Timing/functionality Tradeoffs AND
9) Process issues
-------------------------------------

Paul: I'll go first. I'd like to see a full featured access control roadmap
that we can implement in phases. I had thought that we should start with a
simple access control mechanism (as in what I had proposed last week) to
handle simple cases and then adding a second, more comprehensive solution,
on a longer timeframe. I was wrong. Parity will contribute resources to
implementing in the short term some kind of simple support for access
control (e.g. querying attributes as to whether they are permitted to be
deleted, modified, etc.).

Paul: I'd like to ask others on this call for their level of interest,
contribution and potentially leadership.

Jim: I'm very interested in helping and participating. I don't feel like I
have a lot of expertise in this area. I worked on stuff in this area in
IETF, etc.

Phil: I'm certainly interested in participating. To what level has to be
determined. I'm willing to keep working on it with others.

Jeff: I'm willing to work on it too.

Markus: I've been working for a while for this XDI Engine on top of IdAS. It
is a simple way to expose an IdAS Context at an endpoint. This XDI protocol
has a built-in mechanism for access control called "link contracts". So I'll
be interested to expose a CP with access control is to map this technology
and map them to link contracts. I can offer is to keep informing people
about link contracts.

David: I'm interested in helping as well.

Jim: Should we appoint a project mgr lead, then as we identify specific
item.

Jeff: I need to take this information back to my company and see what I can
commit to.

<David mentioned that he needed to check with IBM before committing>

<Tom said he'd like to participate>

<Phil expressed interest in participating, but wanted to check with Oracle>

<Brian said he was interested in participating>

<Paul agreed to lead this work area (e.g. with another call, etc.) for the
time being in the hopes that someone else would step forward to take his
place>


_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev