Next Generation Directory-Based User Management for Cloud Infrastructure
March 10, 2018
SCaLE 16X, Pasadena
Introduction
Shawn McKinney • Software Architect • PMC Apache Directory Project • Engineering Team
Session Objective
Think about how to implement user access controls on machines running in the cloud.
Inspiration
“I had to keep guessing at the channel; I had to discern, mostly by inspiration, the signs of hidden banks; I watched for sunken stones; When you have to attend to things of that sort, to the mere incidents of the surface, the reality—the reality, I tell you—fades. The inner truth is hidden.” (Joseph Conrad, Heart of Darkness)
Image: https://en.wikipedia.org/wiki/File:VingtAnnees_286.jpg
Session Agenda
• History of Unix
• Building Blocks
• Security Model
• Data Model
• Solution
• Demo
Image from: HTTP://EVENTS.LINUXFOUNDATION.ORG/EVENTS/APACHECON-NORTH-AMERICA
History
Knowing the path forward means understanding where we’ve been.
Image: https://upload.wikimedia.org/wikipedia/commons/7/77/Unix_history-simple.svg
Soup of the Day
RFC 2307, PAM, NSS, sudo, su, DNS, users, POSIX security
Building Blocks
The Wheel
• Let’s not reinvent
Operating System AIX
The IdM engine bolts into the chassis.
Cloud Infrastructure
runs on the highways
Basic Building Blocks (best practices)
1. POSIX security controls
2. Directory services
Advanced Building Blocks
3. Mediation (a relatively new practice)
Building Blocks Conceptual
Building Block Actual
Building Blocks - AuthN
Pluggable Authentication Module
• Authentication
• Coarse-grained Authorization
Just an authN service
Building Blocks - AuthZ
sudo
Just an authZ service
Building Blocks – Reporting
Name Service Switch
• Used by Unix processes to look up user and group info
Just a lookup service
What is LDAP
Building Blocks - LDAP
System of record
• Users
• Passwords
• Groups
Just a
Building Blocks - Mediator
• Keeps things in sync between the machines and LDAP as things change.
Mediator
1. Machine added to network, notifies mediator
2. Based on policies stored in DB
3. Updates LDAP accordingly
Mediator == IdM
Requirements
1. Provisioning
2. Parameterized Roles
3. Organizational Controls
4. Self-service
5. Approvals
6. Workflow
Resources & Connectors
Users & Accounts
Provisioning
Governance, defined:
• High-level business processes, business rules, policies, organizational structures
• Combines with low-level identity management processes like data synchronization, system integration, data formats, data transformation, network protocols
Governance Controls, for example:
• Access Certifications
• Approvals & Notifications
• Audit Trail
• Organizational Controls
• …
Governance Controls (continued)
• Policy Rules (limits)
• Remediation
• Role
  – Catalogs
  – Constraints
  – Controls
  – Lifecycles
Open Source IdM Products (lacking standards)
1. midPoint
2. Apache Syncope
3. Æ-DIR
4. OpenIDM
5. WSO2 Identity Server
midPoint Introduction
Requires
• Java version 8
• Java servlet container
• Relational database
Uses
• Spring Framework – component wiring
• Apache Wicket – user interface
• ConnId – common connectors (any)
midPoint as the Mediator
Bypass the GUI and communicate directly with the REST APIs via the model.
Security Model
Requirements
amsouth: m1001 m1002 m1003 …
afnorth: m2010 …
aspac: m3100 …
Three Kinds of Security Checks
1. Authentication with LDAP (PAM)
2. Coarse-grained authZ: memberOf target machine, i.e. LDAP group name == hostname (PAM)
3. Medium-grained authZ: memberOf at least one of the following (sudo):
   – Admin - root access
   – User - typical user access
   – Auditor - read-only access to entire machine
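The three checks above, run in order against a constructed LDAP snapshot, as an added example (this is not code from the talk, from Apache Fortress or from midPoint): the users, the groups, the sudoRole entries, the hostnames and the SHA-256 password scheme are all assumed for the illustration.

```python
"""Added example: simulate the three security checks against a constructed
LDAP snapshot.

  1. Authentication        - password check against the user's entry (PAM)
  2. Coarse-grained authZ  - user must be a member of the group whose cn
                             equals the hostname (PAM account phase)
  3. Medium-grained authZ  - a sudoRole must name one of the user's groups in
                             sudoUser and the machine in sudoHost (sudo)

Everything below (people, groups, sudo rules) is constructed for the example.
"""
import hashlib
import hmac

# Constructed ou=People: uid -> password hash. Plain SHA-256 keeps the example
# offline; a real directory would store a salted scheme such as {SSHA}.
PEOPLE = {
    "curly": hashlib.sha256(b"curly-pw").hexdigest(),
    "moe":   hashlib.sha256(b"moe-pw").hexdigest(),
    "larry": hashlib.sha256(b"larry-pw").hexdigest(),
}

# Constructed ou=Groups: cn -> members. Machine groups (cn == hostname) drive
# check 2; security-role groups (m1admin, ...) drive check 3 via sudoUser.
GROUPS = {
    "m1001": {"curly", "moe", "larry"},
    "m1002": {"curly", "moe"},
    "m2010": {"moe"},
    "m1admin":   {"curly"},
    "m1auditor": {"moe"},
    "m1user":    {"larry"},
}

# Constructed ou=sudo entries shaped like the sudoRole schema. A '%name' in
# sudoUser means "members of Unix group name", which sudo resolves via NSS.
SUDO_ROLES = [
    {"cn": "admin access to m1",
     "sudoUser": ["%m1admin"], "sudoHost": ["m1001", "m1002", "m1003"],
     "sudoCommand": ["ALL"]},
    {"cn": "auditor access to m1",          # assumed read-only command set
     "sudoUser": ["%m1auditor"], "sudoHost": ["m1001", "m1002", "m1003"],
     "sudoCommand": ["/bin/cat", "/usr/bin/less"]},
]


def authenticate(uid, password):
    """Check 1: the bind succeeds only if the stored hash matches."""
    stored = PEOPLE.get(uid)
    if stored is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)   # constant-time compare


def pam_account_check(uid, host):
    """Check 2: login allowed only if uid is in the group named after the host."""
    return uid in GROUPS.get(host, set())


def _sudo_user_matches(spec, uid):
    if spec == "ALL":
        return True
    if spec.startswith("%"):                # Unix group reference
        return uid in GROUPS.get(spec[1:], set())
    return spec == uid


def sudo_allowed(uid, host, command):
    """Check 3: some sudoRole must match on sudoUser, sudoHost and sudoCommand."""
    for role in SUDO_ROLES:
        if not any(_sudo_user_matches(u, uid) for u in role["sudoUser"]):
            continue
        if host not in role["sudoHost"] and "ALL" not in role["sudoHost"]:
            continue
        if "ALL" in role["sudoCommand"] or command in role["sudoCommand"]:
            return True
    return False


def check_access(uid, password, host, command=None):
    """Run the checks in order; a failure short-circuits the later ones."""
    result = {"authn": authenticate(uid, password), "login": False, "sudo": False}
    if result["authn"]:
        result["login"] = pam_account_check(uid, host)
    if result["login"] and command is not None:
        result["sudo"] = sudo_allowed(uid, host, command)
    return result


if __name__ == "__main__":
    print(check_access("curly", "curly-pw", "m1001", "/bin/bash"))  # all three pass
    print(check_access("moe", "moe-pw", "m1001", "/bin/bash"))      # login yes, sudo no
    print(check_access("curly", "curly-pw", "m2010", "/bin/bash"))  # not in m2010 group
```

Real sudo matching is broader than this (netgroups, wildcards, `!` negations, sudoOrder, RunAs); the point is the layering: PAM gates the login on the machine group, sudo gates privilege on the security-role group, and both are ordinary LDAP groups the mediator can rewrite without touching the machine.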
Four Types of Control Groups
1. Machine Sets (Mediator)
2. Machines (PAM)
3. Security Roles (sudo)
4. sudo Roles (sudo)
1. Machine Sets
Used by mediator to compute policies
m1set: m1001 m1002 m1003 …
m2set: m2010 m2020 m2030 …
m3set: m3100 m3200 m3300 …
2. Machines
Used by PAM
3. Security Roles
sudo needs this
4. sudo Roles
sudo needs this
Policy Combiner
User, role and machine set: the mediator can do this.
Roles: admin, auditor, user
Machine sets:
m1set: m1001 m1002 m1003 …
m2set: m2010 m2020 m2030 …
m3set: m3100 m3200 m3300 …
Pick Two
Data Model
LDAP Data Model
Employ standard object schemas
1. RFC2307bis
   – posixAccount
   – posixGroup
2. sudoRole
3. groupOfNames
RFC2307bis
Covered here before:
• LDAPCon 2015, Edinburgh
• DBIS: Directory-Based Information Services
• Mark R. Bannister
• link to slides
• link to paper
Use RFC2307bis LDAP Schema
LDAP Data Model
Hierarchical
Machine Set M1
dn: cn=m1set, ou=Groups, ...
objectClass: groupOfNames
cn: m1set
description: Machine Set 1
member: cn=m1001,...
member: cn=m1002,...
member: cn=m1003,...
…
Machine M1001
dn: cn=m1001, ou=Groups,…
objectClass: groupOfNames
objectClass: posixGroup
# gidNumber (MUST for posixGroup, which is AUXILIARY in RFC2307bis) omitted on the slide
cn: m1001
description: Machine Group M1001
member: uid=curly,ou=People,…
member: uid=frank,ou=People,…
member: uid=marla,ou=People,…
…
Security Role M1Admin
dn: cn=m1admin, ou=Groups, ...
objectClass: groupOfNames
objectClass: posixGroup
# gidNumber (MUST for posixGroup) omitted on the slide
cn: m1admin
description: Admin Machine Set 1
member: uid=curly,ou=People,...
member: uid=frank,ou=People,...
member: uid=marla,ou=People,...
…
sudo LDAP Schema
objectclass ( 1.3.6.1.4.1.15953.9.2.1
    NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser
          $ sudoRunAsGroup $ sudoOption
          $ sudoNotBefore $ sudoNotAfter
          $ sudoOrder $ description )
    )
sudo M1Admin
dn: cn=admin access to m1,ou=sudo,dc=example,dc=com
objectClass: sudoRole
cn: admin access to m1
sudoUser: %m1admin
sudoHost: m1001
sudoHost: m1002
sudoHost: m1003
sudoHost: m1004
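The Policy Combiner from the Security Model section and the LDIF entries above, as one added example (not midPoint's or Apache Fortress's code): from the (user, role, machine set) assignments it computes the per-machine groups PAM reads, the per-set security-role groups sudo reads, and the sudoRole entries, and renders all of it as LDIF. The dc=example,dc=com suffix, the gidNumber range, which user lands on which machine set, and the auditor command list are assumptions made for this example.

```python
"""Added example: a minimal policy combiner as the mediator would run it.

Input:  machine sets and (uid, role, machine set) assignments.
Output: LDIF for
  - one groupOfNames per machine set   (members are the machine groups)
  - one posixGroup per machine         (cn == hostname, read by PAM)
  - one posixGroup per (set, role)     (e.g. m1admin, read by sudo via %group)
  - one sudoRole per (set, role) that carries sudo rights

Suffix, gid range, assignments and the auditor command list are constructed.
"""
from collections import defaultdict

BASE_DN = "dc=example,dc=com"       # assumed suffix
GID_BASE = 20000                    # assumed gidNumber range for generated groups

# Machine sets as shown on the slides.
MACHINE_SETS = {
    "m1set": ["m1001", "m1002", "m1003"],
    "m2set": ["m2010", "m2020", "m2030"],
    "m3set": ["m3100", "m3200", "m3300"],
}

# (uid, role, machine set). Users and roles follow the demo; which set each
# user gets is assumed here.
ASSIGNMENTS = [
    ("curly", "admin",   "m1set"),
    ("moe",   "auditor", "m2set"),
    ("larry", "user",    "m3set"),
]

# Assumed role -> sudoCommand mapping. The slides show only the admin rule
# (ALL); the auditor command set is constructed and plain users get no sudo.
ROLE_SUDO_COMMANDS = {
    "admin":   ["ALL"],
    "auditor": ["/bin/cat", "/usr/bin/less"],
}


def role_group_name(machine_set, role):
    """m1set + admin -> m1admin, the naming used on the slides."""
    return machine_set.removesuffix("set") + role


def combine(machine_sets, assignments):
    """Expand (uid, role, set) into per-machine groups and per-role groups."""
    machine_groups = defaultdict(set)   # host -> uids allowed to log in (PAM)
    role_groups = defaultdict(set)      # m1admin -> uids (sudo)
    for uid, role, mset in assignments:
        if mset not in machine_sets:
            raise ValueError(f"unknown machine set {mset!r}")
        for host in machine_sets[mset]:
            machine_groups[host].add(uid)
        role_groups[role_group_name(mset, role)].add(uid)
    return dict(machine_groups), dict(role_groups)


def to_ldif(machine_sets, machine_groups, role_groups, base=BASE_DN):
    """Render the combined policy as LDIF (RFC2307bis groups + sudoRole)."""
    out, gid = [], GID_BASE

    def group(cn, description, members, posix):
        nonlocal gid
        out.append(f"dn: cn={cn},ou=Groups,{base}")
        out.append("objectClass: groupOfNames")        # structural; carries member
        if posix:   # posixGroup is AUXILIARY in RFC2307bis and MUST have gidNumber
            out.append("objectClass: posixGroup")
            out.append(f"gidNumber: {gid}")
            gid += 1
        out.append(f"cn: {cn}")
        out.append(f"description: {description}")
        out.extend(f"member: {m}" for m in members)
        out.append("")

    for mset, hosts in machine_sets.items():
        group(mset, f"Machine Set {mset}",
              [f"cn={h},ou=Groups,{base}" for h in hosts], posix=False)
    for host, uids in sorted(machine_groups.items()):
        group(host, f"Machine Group {host}",
              [f"uid={u},ou=People,{base}" for u in sorted(uids)], posix=True)
    for rg, uids in sorted(role_groups.items()):
        group(rg, f"Security Role {rg}",
              [f"uid={u},ou=People,{base}" for u in sorted(uids)], posix=True)
    # sudoRoles are per machine set, independent of who currently holds them.
    for mset, hosts in machine_sets.items():
        for role, commands in ROLE_SUDO_COMMANDS.items():
            cn = f"{role} access to {mset}"
            out.append(f"dn: cn={cn},ou=sudo,{base}")
            out.append("objectClass: sudoRole")
            out.append(f"cn: {cn}")
            out.append(f"sudoUser: %{role_group_name(mset, role)}")
            out.extend(f"sudoHost: {h}" for h in hosts)
            out.extend(f"sudoCommand: {c}" for c in commands)
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    mg, rg = combine(MACHINE_SETS, ASSIGNMENTS)
    print(to_ldif(MACHINE_SETS, mg, rg))
```

Two properties worth noticing: a machine that no assignment covers gets no group at all, so PAM's memberOf check denies every login on it by default, and adding a machine to a set is a data change (one more member on the set, one more machine group) rather than a change to any user record.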
Solution
System Architecture
High-level Design
Client Machines
Script runs during machine instantiation:
1. Configures PAM, sudo and NSS to use the LDAP server.
2. Calls the mediator to add or remove the machine from its machine set.
IdM ‘Server’
1. midPoint – mediator
   – html & http admin services
2. PostgreSQL – master database – users, roles, orgs, svcs
3. OpenLDAP – security database – users, groups
   – posixAccount, posixGroup
Deployment
IdM machine#1, #2 and #3 serve the dev machine#1, test machine#2 and prod machine#3 client machines, all running on a hypervisor.
Demo
Demo Scenario
Manage users and Unix machines running in the cloud.
User-Role-Machine (demo: user to role to machine)
Set 1: m1001 m1002 m1003; Set 2: m2010 m2020 m2030; Set 3: m3100 m3200 m3300
Curly: Admin, Admin, Admin
Moe: Auditor, Auditor, Auditor
Larry: User, User, User
(one role per user, on the three machines of one set)
Demo Environment
• Google Apps connector
• HCM connector (PeopleSoft)
• Open
Wrap-up
• Questions
Contact
Twitter: @shawnmckinney
Website: https://iamfortress.net, https://symas.com
Project: https://directory.apache.org/fortress