Fortress Open Source IAM on LDAPv3

  1. Fortress Open Source IAM on LDAPv3. Shawn McKinney, November 18, 2013
  2. Agenda
     • Product Overview
     • Technical Introduction
     • RBAC SoD Demo
     • Commander
     • En Masse
     • Multitenancy
     • Next Steps
     • Wrap-up
  3. Product Overview (roadmap; dates after November 2013 are planned releases)

     | # | Component     | Function             | Release      |
     |---|---------------|----------------------|--------------|
     | 1 | Fortress Core | ANSI RBAC SDK        | October 2011 |
     | 2 | Sentry        | RBAC Policy Enforcer | October 2011 |
     | 3 | EnMasse       | RBAC Policy Server   | October 2012 |
     | 4 | Commander     | Web Administration   | October 2013 |
     | 5 | Perimeter     | Web Access Mgmt      | April 2014   |
     | 6 | Patroller     | Audit Monitoring     | October 2014 |
  4. Fortress Introduction
     • ANSI INCITS 359-2004 compliant IAM system
     • Policy Decision Points
       • Java APIs (Fortress Core)
       • REST services (En Masse)
     • Policy Administration Points
       • Java APIs (Fortress Core)
       • REST services (En Masse)
       • RBAC Web Management (Commander)
     • Privileged Identity Management
  5. Fortress Introduction (continued)
     • Policy Enforcement Points
       • Sentry Java EE Platform Security
       • Sentry Other Platforms (in development)
     • Audit Trail
       • Authentication – tracks who is accessing the system
       • Authorization – tracks who did what, when and where
       • Administration – tracks historical changes to the data
  6. Fortress System Architecture (diagram; legend distinguishes Fortress components, LDAP links and HTTP links)
     • LDAP server: Apache DS or OpenLDAP over LDAPv3, either LDAP server works; the RBAC Accelerator sits in the server and is reached through LDAPv3 Extended Ops
     • Java applications call the Fortress Core APIs in-process (Java VM) or reach them over HTTP/S; other applications on any platform use HTTP/S or LDAPv3 directly
     • RBAC policy administration and interrogation use standard LDAPv3 protocols
     • RBAC policy enforcement on any platform can use the accelerator; the Fortress RBAC enforcement APIs will also call the accelerator
  7. ANSI RBAC INCITS 359
     1. RBAC0: Users, Roles, Perms, Sessions
     2. RBAC1: Hierarchical Roles
     3. RBAC2: Static Separation of Duties
     4. RBAC3: Dynamic Separation of Duties (demo this capability)
     (INCITS 359-2004 itself names these components Core RBAC, Hierarchical RBAC, Static Separation of Duty relations and Dynamic Separation of Duty relations; the RBAC0–RBAC3 numbering comes from the earlier RBAC96 family of models.)
  8. Dynamic Separation of Duties Demo (diagram)
     • Role 1 Assignment, Role 2 Assignment, Role 3 Assignment: one and only one may be active
  9. Dynamic Separation of Duties Demo (fine AuthZ granularity)
     Users:
     • User1 is assigned to ROLE_TEST1, ROLE_TEST2, and ROLE_TEST3
     • User2 is assigned to ROLE_TEST2
     • User3 is assigned to ROLE_TEST3
     Permissions:
     • Page1.Button1 is granted to ROLE_TEST1
     • Page1.Button2 is granted to ROLE_TEST1
     • Page1.Button3 is granted to ROLE_TEST1
     • Page2.Button1 is granted to ROLE_TEST2
     • Page2.Button2 is granted to ROLE_TEST2
     • Page2.Button3 is granted to ROLE_TEST2
     • Page3.Button1 is granted to ROLE_TEST3
     • Page3.Button2 is granted to ROLE_TEST3
     • Page3.Button3 is granted to ROLE_TEST3
     Dynamic Separation of Duties:
     • Set of roles is [ROLE_TEST1, ROLE_TEST2, ROLE_TEST3]
     • DSD Set Cardinality is 1
     • Only one Role can be active in Session
     Enforcement stack shown on the slide (fine-grained at the top, coarse-grained below):
     • Apache Wicket buttons, links and pages, checked by the Fortress RBAC PEP
     • Spring page-level security
     • Java EE coarse-grained security, through the Fortress RBAC Proxy
     • Tomcat on the Java Virtual Machine, with the Fortress RBAC PDP
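The demo data above can be run through a small model of ANSI INCITS 359 sessions to see exactly what the DSD set does. This is an added example, not Fortress's own code or the demo application: the class names are ours, the users, roles, permissions and DSD set are the slide's, and the slide's "cardinality 1" is taken to mean that at most one role from the set may be active in a session (INCITS 359 states the same constraint as a pair (rs, n) where activating n or more roles from rs is forbidden, so n would be 2 here).

```python
"""Model of ANSI INCITS 359 RBAC sessions under a Dynamic Separation of Duties
constraint, built around the demo slide's users, roles, permissions and DSD set.
Added example code, not Fortress's implementation."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Permission:
    obj: str  # object, e.g. "Page1"
    op: str   # operation on it, e.g. "Button1"


@dataclass(frozen=True)
class DsdSet:
    roles: FrozenSet[str]
    cardinality: int  # max roles from `roles` active in one session (the slide's meaning)


@dataclass
class Policy:
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)         # UA: user -> assigned roles
    role_perms: Dict[str, Set[Permission]] = field(default_factory=dict)  # PA: role -> granted permissions
    dsd_sets: List[DsdSet] = field(default_factory=list)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def grant(self, role: str, perm: Permission) -> None:
        self.role_perms.setdefault(role, set()).add(perm)

    def dsd_conflict(self, active, candidate: str):
        """Return the DSD set that activating `candidate` alongside `active` would break, else None."""
        proposed = set(active) | {candidate}
        for dsd in self.dsd_sets:
            if len(proposed & dsd.roles) > dsd.cardinality:
                return dsd
        return None


class Session:
    """One user plus the subset of assigned roles that is currently active."""

    def __init__(self, policy: Policy, user: str, activate=()):
        self.policy = policy
        self.user = user
        self.active: Set[str] = set()
        self.rejected: List[str] = []  # roles refused at session creation
        for role in activate:           # attempted in order, so the first member of a DSD set wins
            try:
                self.add_active_role(role)
            except PermissionError:
                self.rejected.append(role)

    def add_active_role(self, role: str) -> None:
        if role not in self.policy.user_roles.get(self.user, set()):
            raise PermissionError(f"{role} is not assigned to {self.user}")
        dsd = self.policy.dsd_conflict(self.active, role)
        if dsd is not None:
            raise PermissionError(f"{role} would exceed cardinality {dsd.cardinality} of DSD set {sorted(dsd.roles)}")
        self.active.add(role)

    def drop_active_role(self, role: str) -> None:
        self.active.discard(role)

    def check_access(self, perm: Permission) -> bool:
        """Only active roles count; assigned-but-inactive roles grant nothing."""
        return any(perm in self.policy.role_perms.get(r, set()) for r in self.active)


def build_demo_policy() -> Policy:
    """The slide's data: three users, nine button permissions, one DSD set of cardinality 1."""
    p = Policy()
    for role in ("ROLE_TEST1", "ROLE_TEST2", "ROLE_TEST3"):
        p.assign("User1", role)
    p.assign("User2", "ROLE_TEST2")
    p.assign("User3", "ROLE_TEST3")
    for n in (1, 2, 3):
        for b in (1, 2, 3):
            p.grant(f"ROLE_TEST{n}", Permission(f"Page{n}", f"Button{b}"))
    p.dsd_sets.append(DsdSet(frozenset({"ROLE_TEST1", "ROLE_TEST2", "ROLE_TEST3"}), cardinality=1))
    return p


def run_demo() -> dict:
    """User1 asks for all three roles at login; DSD leaves only the first active, and
    reaching Page2 requires dropping ROLE_TEST1 before ROLE_TEST2 can be activated."""
    p = build_demo_policy()
    s = Session(p, "User1", activate=["ROLE_TEST1", "ROLE_TEST2", "ROLE_TEST3"])
    page1, page2 = Permission("Page1", "Button1"), Permission("Page2", "Button1")
    result = {
        "active_at_login": sorted(s.active),
        "rejected_at_login": list(s.rejected),
        "before_switch": (s.check_access(page1), s.check_access(page2)),
    }
    s.drop_active_role("ROLE_TEST1")
    s.add_active_role("ROLE_TEST2")  # passes now that no other member of the set is active
    result["after_switch"] = (s.check_access(page1), s.check_access(page2))
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the model makes explicit is that DSD is enforced at activation time, per session, not at assignment time: User1 keeps all three assignments, but a session can only ever hold one of them, so a button on Page2 stays unreachable until the user explicitly gives up ROLE_TEST1.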
  10. Where to get RBAC Demo
     • Source
     • Tutorial & other ANSI RBAC write-ups
     • fortressdemo1/blob/master/README.txt
  11. Commander Introduction
     • RBAC Web Administration
     • Uses the Fortress Core APIs
     • Communicates via HTTP or LDAPv3 protocols
     • Secured by Fortress, Java EE and Spring
     • Full audit trail
     • Extensible – add new pages quickly
     • Uses Apache Wicket UI framework
  12. Commander System Architecture (diagram)
     • LDAP server: Apache DS or OpenLDAP over LDAPv3, either LDAP server works
     • Commander (Java VM, Fortress Core APIs) can use either protocol: LDAPv3 straight to the directory, or HTTP/S to EnMasse (Java VM, Fortress Core APIs), which then speaks LDAPv3 to the directory
     • HTTP protocol aids in firewall traversals
  13. Commander Demo
     • View RBAC demo audit trail
     • View RBAC management capabilities
     • Enable REST communication with En Masse
     • Run Commander Selenium automated test
     • View wireshark trace
  14. Where to get Commander
     • Source: p=openldap-fortresscommander.git;a=summary
     • Quickstart
     • Maven: %7C1%7Ccommander
  15. En Masse Introduction
     • RBAC Policy Server
     • Firewall Friendly
     • 120+ RESTful services
     • Multitenant process and services
     • Secured using Fortress RBAC enforcement
     • Binds directly to Fortress entity model
     • Uses Fortress Core to communicate LDAPv3
     • Uses Apache CXF for RESTful processing
  16. En Masse System Architecture (diagram)
     • LDAP server: Apache DS or OpenLDAP over LDAPv3, either LDAP server works; En Masse (Java VM, Fortress Core APIs) binds to it over LDAPv3
     • Applications connect to En Masse over HTTP/S and may use any REST library or the Fortress APIs: a Java App (Java VM) and an Other App (any platform, REST)
     • HTTP protocol is less efficient than LDAP but aids in firewall traversals
  17. Where to get En Masse
     • Source: p=openldap-fortress-enmasse.git;a=summary
     • Quickstart
     • Maven: %7C1%7Ca%3A%22enmasse%22
  18. Introduction (Multitenancy)
  19. Multitenant LDAP Data Structure
     • Leverage LDAP's natural affinity to partition data by client organization
     • Each tenant has its own complete copy of the DIT, segregated by organizational unit
     • Reduced cost due to fewer servers to maintain
  20. Multitenant Programming Model
     • Client's id is passed to Fortress in factory initialization
     • Lifecycle of 'Manager' object processes data on behalf of the client id passed during initialization
     • AnyMgr: createInstance(tenantId);

         // Instantiate the AccessMgr implementation for tenant "Client123";
         // every call on this object operates on that client's data.
         AccessMgr accessMgr = AccessMgrFactory.createInstance( "Client123" );
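The two slides above (per-tenant DIT copies segregated by organizational unit, and a manager object bound to one tenant id at factory time) can be modelled together to show the isolation property and the one mistake that breaks it. This is an added example, not Fortress's code: the suffix dc=example,dc=com, the ou=<tenant> layout, the attribute name roleAssignments, the class TenantAccessMgr and the in-memory directory are all assumptions made for illustration.

```python
"""Model of a multitenant DIT plus a tenant-bound manager object.
Each tenant (Client1, Client2, ...) owns a full copy of the tree under its own
organizational unit; a manager created for one tenant id only reads that subtree.
Added example code, not Fortress's own; the suffix, the ou=<tenant> layout, the
attribute name roleAssignments and the in-memory directory are assumptions."""
from typing import Dict, List, Optional

SUFFIX = "dc=example,dc=com"  # assumed directory suffix


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514, section 2.4).
    Without this, a uid such as 'user1,ou=People,ou=Client2' would rewrite the DN
    the manager builds, which is the classic LDAP injection route out of a tenant."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def tenant_base(tenant_id: str) -> str:
    """Root of one tenant's DIT copy, e.g. ou=Client1,dc=example,dc=com (assumed layout)."""
    return f"ou={escape_rdn_value(tenant_id)},{SUFFIX}"


def user_dn(tenant_id: str, uid: str) -> str:
    return f"uid={escape_rdn_value(uid)},ou=People,{tenant_base(tenant_id)}"


def build_directory() -> Dict[str, dict]:
    """Constructed sample data: two tenants, each with its own 'user1' holding different roles."""
    d: Dict[str, dict] = {}
    for tenant, roles in (("Client1", ["ROLE_TEST1"]), ("Client2", ["ROLE_TEST2", "ROLE_TEST3"])):
        d[tenant_base(tenant)] = {"objectClass": ["organizationalUnit"], "ou": [tenant]}
        d[f"ou=People,{tenant_base(tenant)}"] = {"objectClass": ["organizationalUnit"], "ou": ["People"]}
        d[user_dn(tenant, "user1")] = {"uid": ["user1"], "roleAssignments": roles}
    return d


class TenantAccessMgr:
    """Stand-in for the object returned by AccessMgrFactory.createInstance(tenantId):
    the tenant id fixed at construction roots every DN this object will ever read."""

    def __init__(self, directory: Dict[str, dict], tenant_id: str):
        self._dir = directory
        self.tenant_id = tenant_id
        self.base = tenant_base(tenant_id)

    def read_entry(self, dn: str) -> Optional[dict]:
        """Refuse any DN outside this tenant's subtree, however the caller built it.
        (A string suffix check is enough for this model; real code should compare parsed DNs.)"""
        if dn != self.base and not dn.endswith("," + self.base):
            raise PermissionError(f"{dn} is outside tenant {self.tenant_id}")
        return self._dir.get(dn)

    def assigned_roles(self, uid: str) -> List[str]:
        """Roles assigned to `uid` in this tenant only; an unknown uid yields an empty list."""
        entry = self.read_entry(user_dn(self.tenant_id, uid))
        return [] if entry is None else list(entry.get("roleAssignments", []))


if __name__ == "__main__":
    directory = build_directory()
    for tenant in ("Client1", "Client2"):
        print(tenant, "user1 ->", TenantAccessMgr(directory, tenant).assigned_roles("user1"))
```

Two managers created for different tenant ids resolve the same uid to different entries with different role sets, which is the whole point of the factory taking the tenant id rather than each call taking it. The escaping and the subtree check are the two places where a multitenant LDAP layout actually depends on code: a caller-supplied uid must never be able to extend the DN into another tenant's ou, and a manager must refuse DNs it did not build under its own base.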
  21. Multitenant Demo
     • Load demo users Client 1, 2 & 3
     • Run test-full Client 1, 2 & 3
  22. Where to get Fortress Multitenancy
     • Source: p=openldap-fortress-core.git;a=summary
     • Binaries (Maven dependency):

         <dependency>
           <groupId>us.joshuatreesoftware</groupId>
           <artifactId>fortress</artifactId>
           <version>RC-1.0-33</version>
         </dependency>
  23. Next Steps
     • RBAC Accelerator
       • OpenLDAP overlay
       • RBAC Policy Decision Point
     • Web Access Management/SSO
     • RBAC Policy-Enhanced Standard (RPE)
       • INCITS 494-2011
       • Support for dynamic attributes
     • Attribute-based Access Control (ABAC)
       • Maybe
  24. Thanks!