
Attribute-Based Access Control in Symfony

Here at Veruscript, we have many edge-case scenarios where we need fine-grained access controls in our academic journal publishing platform.

Therefore, performing authorisation on a resource by analysing any number of arbitrary attributes allows the application to scale appropriately. Known as Attribute-Based Access Control (ABAC), these attributes are evaluated regardless of context: this could be username, role, organisation, domain, time of day, country, is the Queen of England, because the sky is blue, etc.

This is why Security Voters are the recommended way to check user permissions in Symfony applications. Security Voters provide a mechanism with a small learning curve for setting up these fine-grained restrictions in Symfony applications using attributes.

In the simplest case, only a minimal amount of setup and configuration is required, which is the main advantage over ACLs. In the most complex case, policies can be added or modified without significant changes to the codebase.

The talk will compare different access control paradigms (ABAC, RBAC and ACL), and will look in detail at one specification for ABAC, the Extensible Access Control Markup Language (XACML), and how this might be implemented in Symfony, for those considering a more "enterprise" use of Security Voters.

Attribute-Based Access Control in Symfony

  1. How to approach authorisation within your Symfony or PHP application. Adam Elsodaney. Attribute-Based Access Control in Symfony. Symfony UK Meetup, 30 August 2018
  2. This presentation is split into 4 parts …maybe 5.
  3. Out-of-the-box Symfony SecurityBundle Access Control (Part 0)
  4. There are 2 steps to securing a resource.
  5. Authentication is enforced with Firewalls. Authorisation is enforced with Access Controls.
  6. That's easy! An access control entry has a Path (String, Regular Expression) and a Role (String, RoleInterface, Hierarchical).
  7. …but not finely-grained.
  8. There are many types of access control paradigms depending on your needs: Access Control Lists (ACL), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC).
  9. RBAC (Part 1)
  10. Implementing RBAC: "Probably the most common variant of authorization is role-based access control (RBAC). As the name implies, • Users are assigned roles • Roles are assigned permissions. • Users inherit the permission for any roles they have been assigned. • Actions are validated for permissions." https://martinfowler.com/articles/web-security-basics.html
  11. Users have roles. Bob (USER) → Associate Editor (ROLE)
  12. Roles have permissions. Associate Editor (ROLE) → Reject Article Submission (PERMISSION), Approve Article Submission (PERMISSION)
  13. Users inherit the permissions for any roles they have been assigned. Bob (USER) → Reject Article Submission (PERMISSION), Approve Article Submission (PERMISSION)
  14. Actions are validated for permissions. Actions: Reject Article Submission, Leave Feedback, Approve Article Submission. Permissions: Reject Article Submission, Approve Article Submission.
  15. Bob (USER) → Associate Editor (ROLE) → Reject Article Submission, Approve Article Submission (PERMISSIONS) → Actions: Reject Article Submission, Leave Feedback, Approve Article Submission. Action: Code. Role: String, RoleInterface, Hierarchical. Permission: String.
  16. In some cases, roles inherit the permissions from other roles via a hierarchy… Roles: Editor-in-Chief, Associate Editor, Reviewer, Author, Journal Admin, System Admin.
  17. …and/or permissions inherit from other permissions via a hierarchy, like Sylius RBAC. Permissions: Reject Article Submission, Approve Article Submission, Make Decision on Submission, Do WTH you want with submissions, Leave abusive Linus-Torvalds-style comments, Administrate journal.
  18. Install for non-Symfony apps: `$ composer require sylius/rbac`. Install for Symfony apps: `$ composer require sylius/rbac-bundle`.
  19. Consider RBAC When: "• Permissions are relatively static. • Roles in your policies actually map reasonably to roles within your domain, rather than feeling like contrived aggregations of permissions. • There isn't a terribly large number of permutations of permission, and therefore roles that will have to be maintained. • You have no compelling reason to use one of the other options." https://martinfowler.com/articles/web-security-basics.html
  20. Shortcomings of RBAC: 1. Cannot grant permissions per resource, only by resource type. 2. Does not scope resource properties.
  21. ACL (Symfony ACL) (Part 2)
  22. How to Use Access Control Lists (ACLs): "In complex applications, you will often face the problem that access decisions cannot only be based on the person (Token) who is requesting access, but also involve a domain object that access is being requested for. This is where the ACL system comes in." https://symfony.com/doc/3.4/security/acl.html
  23. Access Control Lists (ACL). First, check if the domain object requested has an associated ACL. Each ACL contains one or more Access Control Entries (ACEs) that define specific permissions for the ACL's resource.
  24. Second, check the domain as a whole. ACLs can be associated with both objects (entities) and domains (classnames).
  25. Otherwise, deny access.
  26. Using the Symfony ACL: 1. Install the bundle (`$ composer require symfony/acl-bundle`). 2. Configure. 3. Initialise.
  27. acl_entries table columns: id, class, object identity, security identity, field name, ACE order, mask, is granting, granting strategy, audit success, audit failure.
  28. As the boss of this website, I should be able to edit a particular message posted, in order to moderate the content.
  29. As the boss of this website, I should be able to edit all messages posted (not just a particular message), in order to moderate the content.
  30. Alternatives to ACLs: "Using [ACLs] isn't trivial, and for simpler use cases, it may be overkill. If your permission logic could be described by just writing some code (e.g. to check if a Blog is owned by the current User), then consider using voters. A voter is passed the object being voted on, which you can use to make complex decisions and effectively implement your own ACL. Enforcing authorization (e.g. the isGranted() part) will look similar to what you see in this article, but your voter class will handle the logic behind the scenes, instead of the ACL system." https://symfony.com/doc/3.4/security/acl.html
  31. ABAC using Symfony Voters (Part 3)
  32. "Security Voters provide a mechanism to set up fine-grained restrictions in Symfony applications. The main advantage over ACLs is that they are an order of magnitude easier to set up, configure and use." http://symfony.com/blog/new-in-symfony-2-6-simpler-security-voters
  33. In Symfony, an authorisation decision will always be based on the following. TOKEN: when a user is authenticated (identified) they receive a token from the firewall to hand over to the access control in the authorisation step; we can get the user's identity from the token. SET OF ATTRIBUTES: each attribute stands for a certain right the user should have, e.g. Role, Order Number, Email Address, Time of Day. RESOURCE: any object for which access control needs to be checked, like an article or a comment object (or a piggy bank object containing bitcoins).
  34. Access Decision Manager: contains all voters (Voter 1 … Voter 6). Some might be supported based on the attributes to vote on.
  35. Access Decision Manager: the voters return Voter 1 PERMIT, Voter 2 DENY, Voter 3 Not Supported, Voter 4 PERMIT, Voter 5 PERMIT, Voter 6 ABSTAIN.
  36. Affirmative Strategy: grant access as soon as there is one voter granting access. With the votes above (PERMIT, DENY, Not Supported, PERMIT, PERMIT, ABSTAIN): PERMIT.
  37. Consensus Strategy: grant access if there are more voters granting access than there are denying. With the votes above: PERMIT.
  38. Unanimous Strategy: grant access only if none of the voters have denied access. With the votes above: DENY.
  39. Built-in Symfony Voters: RoleVoter, RoleHierarchyVoter. All are in the `Symfony\Component\Security\Core\Authorization\Voter` namespace.
  40. Built-in Symfony Voters: AuthenticatedVoter, ExpressionVoter.
  41. Creating custom voters. First, define what attributes you want to check.
  42. Second, check if your voter should vote on the given subject or attributes.
  43. Third, cast the vote.
  44. Finally, declare the service and it is ready to use. In this example, the customer who made a purchase order did so without creating an account or logging in, but would still need to be able to access their order details on the website.
  45. Shortcomings of Symfony Voters: 1. Not necessarily runtime capable. Access rules still have to be written as code, unless you implement a Voter that loads its rules from the database.
  46. ABAC via XACML* (Part 4). *Pronounced "X-akamull", "X-A-C-M-L" or "zakamull".
  47. [What is XACML?] "XACML (eXtensible Access Control Markup Language) offers a standardized way to achieve externalized and dynamic authorization. This means that authorization decisions are made by an authorization service at run-time based on policies which determine what actions a user or service can perform on a given information asset and in a specific context." https://www.axiomatics.com/100-pure-xacml/
  48. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
  49. XACML Administration. Policy Administration Point (PAP): create, view and delete policies; version policies on update; evaluate policies before committing. The PAP manages the Policy Data (policies and policy sets). (Very similar to the IAM in Amazon Web Services.)
  50. XACML Enforcement Flow. The Policy Enforcement Point (PEP), i.e. the Symfony Authorization Checker's isGranted(), sends a XACML Request to the Policy Decision Point (PDP). The PDP gathers context data from the Policy Information Point (PIP): time of day, server env, current user, sky is blue, resource, request, … It retrieves the policies and policy sets from the Policy Retrieval Point (PRP), which holds the Policy Data. The PDP returns a XACML Response (Allow or Deny) to the PEP.
  51. XACML 3.0 Policies. Policy Sets contain a collection of Policies; they may also contain or reference other Policy Sets. Policies contain Rules. However, the Decision Point will only evaluate at Policy level: Rules are never evaluated by themselves.
  52. Targets and Rules: "Part of what [the] XACML PDP [Policy Decision Point] needs to do is find a policy that applies to a given request. To do this, XACML provides another feature called a Target. A Target is basically a set of simplified conditions for the Subject, Resource and Action that must be met for a PolicySet, Policy or Rule to apply to a given request. If all the conditions of a Target are met, then its associated PolicySet, Policy, or Rule applies to the request. In addition to being a way to check applicability, Target information also provides a way to index policies, which is useful if you need to store many policies and then quickly sift through them to find which ones apply." https://www.axiomatics.com/100-pure-xacml/
  53. A Request must be matched to a Policy (Policy A … Policy G). This is done using Targets.
  54. XACML 3.0 Targets. A TARGET consists of Subject, Resource and Action. Policy Sets, Policies and Rules each carry a Target, and only apply if the Target matches.
  55. Targets consist of Subject, Resource and Action, and behave like Voter::supports() in Symfony. REQUEST: Subject: Bob, Resource: CJES Article #3, Action: edit. POLICY targets: (Subject: Bob, Resource: CJES Article, Action: edit); (Subject: Bob, Resource: CJES Article, Action: create); (Subject: Alice, Resource: FNAN Article, Action: any).
  56. More than one policy may be matched (Policy A … Policy G).
  57. XACML 3.0 Rule Example. * The XACML syntax is more verbose than what you see here.
  58. Understanding XACML combining algorithms: "If a policy contains multiple rules, and the rules return different decisions e.g. Permit and Deny, what should the policy return? Permit? Deny? Neither?" https://www.axiomatics.com/blog/understanding-xacml-combining-algorithms/
  59. XACML 3.0 Rule-Combining and Policy-Combining Algorithms: deny-overrides, permit-overrides, first-applicable, only-one-applicable (policy only), ordered-deny-overrides, ordered-permit-overrides, deny-unless-permit, permit-unless-deny. These behave like the AccessDecisionManager strategies in Symfony. (The slide tabulates three rules, R1, R2 and R3, with their Permit/Deny outcomes under the algorithms.)
  60. XACML 3.0 Policy Example. * The XACML syntax is more verbose than what you see here.
  61. Conditions. Allow only logins between 9am and 5pm.

      ```xml
      <!-- Only allow logins from 9am to 5pm -->
      <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
            <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time"
                                          AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
            <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time"
                                          AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
        </Apply>
      </Condition>
      ```
  63. Conditions, condensed. The same Condition as a tree: and → (time-greater-than-or-equal: time-one-and-only(current-time), 09:00:00) and (time-less-than-or-equal: time-one-and-only(current-time), 17:00:00).

      ```xml
      <!-- Only allow logins from 9am to 5pm -->
      <Condition f="and">
        <Apply f="time-greater-than-or-equal">
          <Apply f="time-one-and-only">
            <EnvironmentAttributeSelector DataType="#time" AttributeId="environment:current-time"/>
          </Apply>
          <AttributeValue DataType="#time">09:00:00</AttributeValue>
        </Apply>
        <Apply f="time-less-than-or-equal">
          <Apply f="time-one-and-only">
            <EnvironmentAttributeSelector DataType="#time" AttributeId="environment:current-time"/>
          </Apply>
          <AttributeValue DataType="#time">17:00:00</AttributeValue>
        </Apply>
      </Condition>
      ```

      * The XACML markup above has been condensed for brevity.
  64. Conditions, the same tree in PHP: and → (time-greater-than-or-equal: time-one-and-only(current-time), 09:00:00) and (time-less-than-or-equal: time-one-and-only(current-time), 17:00:00).

      ```php
      <?php
      // $env is assumed to expose the environment's current time as a string such as '10:30:00'.
      // Each XACML function becomes a closure.
      $timeGreaterThanOrEq = function ($x, $y): bool { return $x >= $y; };
      $timeLessThanOrEq = function ($x, $y): bool { return $x <= $y; };
      $timeOneAndOnly = function ($x): DateTimeInterface { return new DateTimeImmutable($x); };

      // Functional\true() (lstrojny/functional-php) is true when every element is true: the "and".
      // Both sides of each comparison are converted to time values, as the AttributeValue
      // elements are typed #time in the XACML.
      $condition = Functional\true([
          $timeGreaterThanOrEq(
              $timeOneAndOnly($env->getCurrentTime()),
              $timeOneAndOnly('09:00:00')
          ),
          $timeLessThanOrEq(
              $timeOneAndOnly($env->getCurrentTime()),
              $timeOneAndOnly('17:00:00')
          ),
      ]);
      ```
  65. What's a XACML Obligation? "The XACML standard defines the concept of obligations which are elements which can be returned along with a XACML decision (either of Permit or Deny) in order to enrich that decision. Obligations are triggered on either Permit or Deny. The Policy Enforcement Point [PEP] must implement and enforce obligations. If it fails to do so, it must deny access to the requested resource (in the case of a Permit)." https://www.webfarmr.eu/2015/02/tgif-xacml-whats-a-xacml-obligation/
  66. Examples of Obligations: • Auditing: log when an action was performed on a resource. • Security Checkup: ask the user to review their 2FA details after a remembered login. • Security Lockdown: if credentials are entered incorrectly multiple times. • Break-the-Glass Scenario: medical records may need to be accessed in emergency situations, regardless of what permissions were granted.
  67. Shortcomings of XACML: • XACML syntax is very verbose. • It is complex, though it describes business requirements better than ACL when rules are persisted. • Somewhat limited resources, or non-concise ones. • Perhaps overkill and Enterprise-y™ …?
  68. …and the winner is: ABAC using Symfony Voters (Part 3).
  69. SUMMARY • Symfony Voters solve 80% of your requirements for 20% of the work. • XACML would solve 100% of your requirements, would scale well, is designed for runtime and is enterprise-capable, but the learning curve is steep, and there are no well-established tools in PHP. • RBAC is not compatible with single entities. • ACL is compatible with single entities, but is non-trivial.
  70. Thank you for listening. Adam Elsodaney, LEAD DEVELOPER. ACL Demo: https://github.com/adamelso/acland. Slides: github.com/adamelso/symfony-uk-meetup-2018-08-30-access-control. adam@veruscript.com, @ArchFizz, @Veruscript, www.veruscript.com. Publish high-quality, cost-effective journals with our publishing services.
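The four steps on slides 41 to 44 (define the attributes, decide in `supports()` whether the voter applies, cast the vote in `voteOnAttribute()`, declare the service), worked through as an added example for the guest purchase-order scenario on slide 44. This is not code from the talk or from the Symfony project. It assumes PHP 8.1 and `symfony/security-core` 6.x or later (the typed `supports()`/`voteOnAttribute()` signatures); the `Order`, `OrderAccess` and `OrderVoter` classes, the hashed guest access token and the session key name are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (slide 44 scenario). Assumes symfony/security-core 6.x+ and PHP 8.1;
// every class name below is constructed for the example.

use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

final class Order
{
    public function __construct(
        public readonly string $number,
        public readonly ?string $ownerIdentifier,  // null when the order was placed as a guest
        public readonly string $accessTokenHash,   // sha256 of the secret e-mailed to the guest
    ) {}
}

// The subject the voter is asked about: the resource plus the attributes of this request.
final class OrderAccess
{
    public function __construct(
        public readonly Order $order,
        public readonly ?string $presentedToken,   // secret the visitor presented, if any
    ) {}
}

final class OrderVoter extends Voter
{
    // 1. Define the attributes you want to check.
    public const VIEW = 'ORDER_VIEW';

    // 2. Decide whether this voter should vote on the given attribute and subject.
    //    Returning false here is what makes the voter ABSTAIN.
    protected function supports(string $attribute, mixed $subject): bool
    {
        return $attribute === self::VIEW && $subject instanceof OrderAccess;
    }

    // 3. Cast the vote: true grants access, false denies it.
    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        /** @var OrderAccess $subject */
        $order = $subject->order;
        $user = $token->getUser();

        // A logged-in customer may view the orders they own.
        if ($user instanceof UserInterface && $order->ownerIdentifier === $user->getUserIdentifier()) {
            return true;
        }

        // A guest may view the order only with the secret issued at checkout. The order
        // number alone is not a secret: it is sequential and guessable. hash_equals()
        // keeps the comparison constant-time.
        if ($subject->presentedToken !== null) {
            return hash_equals($order->accessTokenHash, hash('sha256', $subject->presentedToken));
        }

        return false;
    }
}

// 4. Declare the service. With autoconfigure (the Symfony Flex default) extending Voter
//    is enough; otherwise tag it explicitly in config/services.yaml:
//
//    App\Security\OrderVoter:
//        tags: ['security.voter']
//
// A controller then checks access like this, keeping the guest secret in the session
// rather than in the URL so it does not leak through access logs and Referer headers:
//
//    $access = new OrderAccess($order, $request->getSession()->get('guest_order_token'));
//    $this->denyAccessUnlessGranted(OrderVoter::VIEW, $access);
```

The voter never touches the order number as evidence of entitlement; it needs either an authenticated owner or possession of the secret. If several voters support `ORDER_VIEW`, the strategy from slides 36 to 38 decides how their votes are combined; `strategy: unanimous` under `access_decision_manager` in `security.yaml` is the conservative choice, since one DENY then wins over any number of PERMITs.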

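Slides 52 to 64 describe how Targets select applicable Rules, how a rule-combining algorithm turns several rule decisions into one policy decision, and the office-hours Condition. The following added example (not code from the talk, and not an XACML library) models that evaluation in plain PHP: a `Target` plays the role of `Voter::supports()`, a `Policy` combines its `Rule` decisions with one of the named algorithms, and a small PEP applies default-deny to anything that is not Permit. The class and function names, the sample policy, the rules R1 to R3 and the request values are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Minimal XACML-style Policy Decision Point in plain PHP. Constructed for this example;
// none of the names below are XACML library APIs.

const PERMIT = 'Permit';
const DENY = 'Deny';
const NOT_APPLICABLE = 'NotApplicable';

// A Target is the simplified Subject/Resource/Action match that decides whether a Policy
// or Rule applies to a request at all ('any' is a wildcard).
final class Target
{
    public function __construct(private string $subject, private string $resource, private string $action) {}

    public function matches(array $request): bool
    {
        return ($this->subject === 'any' || $this->subject === $request['subject'])
            && ($this->resource === 'any' || $this->resource === $request['resource'])
            && ($this->action === 'any' || $this->action === $request['action']);
    }
}

// A Rule has an Effect, a Target and an optional Condition over the request context.
// A non-matching Target or a false Condition makes the rule NotApplicable.
final class Rule
{
    /** @param null|callable(array): bool $condition */
    public function __construct(private string $effect, private Target $target, private $condition = null) {}

    public function evaluate(array $request): string
    {
        if (!$this->target->matches($request)) {
            return NOT_APPLICABLE;
        }
        if ($this->condition !== null && !($this->condition)($request)) {
            return NOT_APPLICABLE;
        }
        return $this->effect;
    }
}

// Rule-combining algorithms as named on slide 59 (the ordered-* variants behave the same
// here because rules are already evaluated in policy order).
function combine(string $algorithm, array $decisions): string
{
    switch ($algorithm) {
        case 'deny-overrides':
            if (in_array(DENY, $decisions, true)) { return DENY; }
            return in_array(PERMIT, $decisions, true) ? PERMIT : NOT_APPLICABLE;
        case 'permit-overrides':
            if (in_array(PERMIT, $decisions, true)) { return PERMIT; }
            return in_array(DENY, $decisions, true) ? DENY : NOT_APPLICABLE;
        case 'first-applicable':
            foreach ($decisions as $decision) {
                if ($decision !== NOT_APPLICABLE) { return $decision; }
            }
            return NOT_APPLICABLE;
        case 'deny-unless-permit':
            return in_array(PERMIT, $decisions, true) ? PERMIT : DENY;
        case 'permit-unless-deny':
            return in_array(DENY, $decisions, true) ? DENY : PERMIT;
    }
    throw new InvalidArgumentException("Unknown combining algorithm: $algorithm");
}

// The PDP evaluates at Policy level only (slide 51): rules are never evaluated on their own.
final class Policy
{
    /** @param Rule[] $rules */
    public function __construct(private Target $target, private string $algorithm, private array $rules) {}

    public function evaluate(array $request): string
    {
        if (!$this->target->matches($request)) {
            return NOT_APPLICABLE;
        }
        $decisions = array_map(fn (Rule $rule) => $rule->evaluate($request), $this->rules);
        return combine($this->algorithm, $decisions);
    }
}

// The PEP (isGranted() in Symfony terms): anything other than Permit, including
// NotApplicable, is a denial.
function isGranted(Policy $policy, array $request): bool
{
    return $policy->evaluate($request) === PERMIT;
}

// Office-hours Condition from slides 61 to 64; HH:MM:SS strings compare correctly as text.
$officeHours = fn (array $req): bool => $req['current-time'] >= '09:00:00' && $req['current-time'] <= '17:00:00';

$rules = [
    new Rule(PERMIT, new Target('Bob', 'CJES Article', 'edit'), $officeHours), // R1
    new Rule(DENY,   new Target('any', 'CJES Article', 'edit')),               // R2
    new Rule(PERMIT, new Target('any', 'CJES Article', 'view')),               // R3
];
$request = ['subject' => 'Bob', 'resource' => 'CJES Article', 'action' => 'edit', 'current-time' => '10:30:00'];

foreach (['deny-overrides', 'first-applicable', 'permit-overrides'] as $algorithm) {
    $policy = new Policy(new Target('any', 'CJES Article', 'any'), $algorithm, $rules);
    printf("%-18s %s\n", $algorithm, $policy->evaluate($request));
}
```

The same three rules answer Bob's 10:30 edit request differently depending only on the algorithm: under `deny-overrides` R2's Deny wins over R1's Permit, under `first-applicable` R1 is the first rule that applies and the policy permits, and the choice is exactly the Affirmative/Unanimous decision the Symfony strategies make on slides 36 to 38. Wiring this into Symfony answers slide 45's shortcoming: a single Voter whose `voteOnAttribute()` builds the request array and calls `isGranted()` lets the policy and rule rows live in a database and change at runtime without redeploying code.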