Improving Usability and Expressiveness with Dynamic Policies and Obligations
Dennis Kafura, Markus Lorch
Support provided by: Commonwealth Security Information Center, Fermi National Accelerator Laboratory, IBM
April 27, 2005
Organization
• PRIMA – a privilege-based approach
• Motivating Example
• Models
• Dynamic Policy
  • Model
  • Characteristics
• Obligations
  • Use in PRIMA
  • XACML, PONDER, SAML
Motivating Example: Ad Hoc Collaboration
[Figure: Bob, a university researcher, with the resources "protocol emulator" and "compute cluster"; Joan, a corporate researcher, with a "proprietary protocol"; an Admin and a Cluster Resource. Numbered steps in the figure: (1) assign privileges, (2) request temporary permission, (3) relay created permission, (4) request service.]
Characteristics of Rights Management
• Access Rights: ACLs, Capabilities, Rules, Privileges
• Dynamic Policy: Request-centric; Dynamic (delegatable); Decentralized administration
• Resource Policy: Resource-centric; Static (fixed assignment); Centralized administration
PRIMA Models
Dynamic Policy
• Dynamic Policy: the set of validated rights presented with a specific service request.
• Discretionary
  • creates distributed authority
  • scalable rights management
• Request-specific
  • Enables least-privilege access
  • Supports separation of duty
Obligations (in PRIMA)
• Obligations provide additional instructions for, and constraints on, a decision
• Can address the mismatch in level of detail between a request and the policies
• Can help maintain application/system state while keeping the PDP stateless and application-independent
Obligation Use Case
• PEP queries PDP for an authZ decision on a service request: “Can subject X with role y perform action Z?”
• Action Z may be a general type of action, like execution of a compiled program
• PDP has policies that govern exactly what files / memory and other system resources subject X may access under role y
• PDP thus replies with a “Yes, but” answer in the form of “Permit action Z, but only if the obligations localUsername=user01, rootPath=/tmp/data/user01, outgoingNetwork=no can be enforced.”
Obligation Support - XACML
• In XACML, Obligations are simple attribute assignments, e.g. rootPath=“/opt”, and the semantics of these attributes have to be agreed upon
• Obligations can be applied on a per-policy basis and are bound to the effect of the decision (permit or deny)
• Standard XACML processing does not provide for a straightforward implementation of rule-specific or conditional obligations
• Obligations are rendered by the PEP (e.g., there is no attribute designator processing on the PDP side for dynamic inclusion of information)
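The “Yes, but” exchange from the use case and the XACML points above (obligations bound to the decision effect, discharged by the PEP), as an added example that is not part of the slides or of PRIMA: a stateless PDP returns a decision plus the obligations bound to it, and the PEP honours a Permit only if it can enforce every obligation. The policy structure, the `Policy`/`pdp_decide`/`pep_enforce` names and the sandbox handlers are assumptions; the attribute names follow the slide.

```python
# Added example (not from the slides): minimal PDP/PEP pair for obligated decisions.
# Attribute names follow the slide's use case; policy layout and API are assumptions.
from dataclasses import dataclass, field


@dataclass
class Policy:
    role: str
    action: str
    effect: str                                     # "Permit" or "Deny"
    obligations: dict = field(default_factory=dict)  # bound to this effect


# Constructed sample policies: role "analyst" may execute compiled programs,
# but only inside the confined environment described by the obligations.
POLICIES = [
    Policy("analyst", "execute", "Permit",
           {"localUsername": "user01", "rootPath": "/tmp/data/user01",
            "outgoingNetwork": "no"}),
    Policy("guest", "execute", "Deny"),
]


def pdp_decide(subject_role, action, policies=POLICIES):
    """Stateless PDP: first applicable policy wins. Obligations travel only
    with the effect they are bound to; the PDP keeps no application state."""
    for p in policies:
        if p.role == subject_role and p.action == action:
            return p.effect, dict(p.obligations)
    return "NotApplicable", {}


def pep_enforce(decision, obligations, enforceable):
    """PEP side: a Permit is honoured only when every obligation is understood
    and successfully applied; anything else turns the effective result into a
    refusal (the 'only if the obligations can be enforced' rule)."""
    if decision != "Permit":
        return False, []
    applied = []
    for name, value in obligations.items():
        handler = enforceable.get(name)
        if handler is None or not handler(value):
            return False, applied
        applied.append((name, value))
    return True, applied


# Constructed environment handlers: True means the setting could be applied.
SANDBOX = {
    "localUsername": lambda v: v.startswith("user"),
    "rootPath": lambda v: v.startswith("/tmp/data/"),
    "outgoingNetwork": lambda v: v in ("yes", "no"),
}


def authorize(subject_role, action, enforceable=SANDBOX):
    decision, obligations = pdp_decide(subject_role, action)
    return pep_enforce(decision, obligations, enforceable)
```

A PEP that lacks a handler for `outgoingNetwork` refuses the request even though the PDP said Permit, which is the safe failure mode when an obligation cannot be discharged.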
Obligation Support - Ponder
• In Ponder a Policy consists of a single rule
• A Policy that will convey an obligation is called a management or obligation policy
• A Ponder obligation can be bound to any subject, not just the receiving PEP
• A Ponder obligation describes the action that must be taken; the actions must of course be understood by the obligation holder
Obligation Support - SAML
• SAML Authorization Decision Statements do not, by default, provide for obligations to be conveyed
• In our work we implemented an “Obligated Authorization Decision Statement” that conveys one or more XACML Obligation constructs with a SAML decision.
• The new XACML-SAML-2 profile allows for the transmission of XACML decisions (incl. obligations) via SAML messages. No implementation yet (or?)
Use of Obligations in OSG
• The OpenScienceGrid effort, a large grid-computing project, uses obligated authorization decision statements (extended SAML statements)
• Obligations convey the parameters needed to configure the service / execution environment on the PEP before a requested service is rendered
• This also allows the SAML AuthZ interface to be used for identity mapping (X.500 DN to local uid, gid)
• Policies can thus contain fine-grained instructions tailored to the service while the PDP stays application-independent
Summary
• Dynamic Policies improve the usability of the authorization system by incorporating the user as an integral part in discovering the policies applicable to a specific request.
• Obligations improve the expressiveness of authorization decisions by augmenting the boolean response with fine-grained (enforcement) instructions.