180 likes | 349 Views
Authorization Models. Radia Perlman Radia.Perlman@sun.com. Important problems. Something that is understandable for someone to manage the policy Something that is efficient for a system to check policy checking if A is allowed to do X when A asks to do X
E N D
Authorization Models Radia PerlmanRadia.Perlman@sun.com
Important problems • Something that is understandable for someone to manage the policy • Something that is efficient for a system to check policy • checking if A is allowed to do X when A asks to do X • checking everything A is allowed to do • checking who is allowed to do X • Updating policy (including revocation) must be comprehensible, efficient, and timely
Stake in the ground • Basically, most models map to groups and ACLs
ACLs • Associated with each resource is an ACL • set of (Who, what they can do) • Note: “resource” can be a set of resources, all with a common ACL • Can be fancier • other things like time of day, IP addresses from which things must be accessed
What is who? • Any Boolean combination of • Individuals • Groups • “Roles” • Groups and roles are also any Boolean combination of individuals, groups, and roles • Which means groups can be arbitrarily nested
Nested groups Sun employees Sun-CA Sun-MA Sun-MPK Sun-SJC
Roles vs Groups • Mostly in the literature used interchangeably • Possible distinctions • Roles have to be explicitly invoked, and might be mutually exclusive, and might require authentication, vs groups: always a member of all groups you are a member of • Roles have names (like “administrator”) that are local to a resource
Attributes • Can be treated like a group • “over 21” can be “set of people over 21” • “paid member of ACM” can be “set of people who have paid ACM membership”
Models around “what is A allowed to do” • Really not “centrally controlled” • Only within a “scope” • Just like ACL on a file • Alice: read, write • Bob: read • Carol: read, write, delete
Proving membership • Could have some things in your (name/key) cert • Or could have a separate credential • Such as a cert vouching: • (public key, attribute/group name) • (name, attribute/group name) • Or knowledge of a group secret • Or coming from an IP address in the US • Note: authorization doesn’t necessarily imply you have to identify yourself
X.509 attribute cert model • Attribute, like “clearance”, has an OID • You need a separate PMI (privilege management infrastructure) starting with a SOA (start of authority) to vouch for the attribute • You’d say “I trust US navy” for clearance
Name-based model • Hierarchical name • Name of attribute implies who is trusted to assert it • gov.US.navy.clearance is a totally different attribute from gov.Russia.KGB.clearance
Name based trust chains, both for identity and authorization
Bottom-Up Model • Each arc in name tree has parent certificate (up) and child certificate (down) • Name space has CA for each node • “Name Subordination” means CA trusted only for a portion of the namespace • Cross Links to connect Intranets, or to increase security • Start with your public key, navigate up, cross, and down
Intranet abc.com nj.abc.com ma.abc.com alice@nj.abc.com bob@nj.abc.com carol@ma.abc.com
Extranets: Crosslinks xyz.com abc.com
Extranets: Adding Roots root xyz.com abc.com
Conclusion • Groups, ACLs, Identities have been around for years • Can do anything that the other models do