Posted to fortress@directory.apache.org by ro...@selinc.com on 2017/02/20 23:04:05 UTC

Is there support for C# policy enforcement points?

Hi,

Is there any support for policy enforcement points in C#? If not, how 
difficult would it be to create it?

Thanks,

Roger Alexander.

Re: Is there support for C# policy enforcement points?

Posted by Shawn McKinney <sm...@apache.org>.
> On Feb 21, 2017, at 11:42 AM, roger_alexander@selinc.com wrote:
> 
> Thanks for the reply. In my particular situation, I have to provide 
> support for both C# and Java. So I was thinking of providing an API that 
> would wrap all the AAA stuff behind a network interface that both Java and 
> C# clients could use -- is this even feasible? I should point out that 
> there will not be a web server or servlet container involved. The AAA 
> piece would be a plain old Java application.

Back to what was said before.  It would be a lot of work (weeks if not months) to re-implement Fortress functionality inside C# — unless you had something like the openldap accelerator overlay that offloads all of the processing required onto another tier -- the ldap server itself.  The overlay helps because it separates the functionality between the policy enforcement point (PEP) and the policy decision point (PDP).  In the accelerator case the openldap server is the PDP (heavy lift), the C# client is merely a PEP.

***

From the Java side, you simply use the fortress apis as written, no container, or overlay is needed.  We already did that work for you inside the SDK.

Re: Is there support for C# policy enforcement points?

Posted by ro...@selinc.com.
Shawn,

Thanks for the reply. In my particular situation, I have to provide 
support for both C# and Java. So I was thinking of providing an API that 
would wrap all the AAA stuff behind a network interface that both Java and 
C# clients could use -- is this even feasible? I should point out that 
there will not be a web server or servlet container involved. The AAA 
piece would be a plain old Java application.

Thanks,

Roger.






From:   Shawn McKinney <sm...@apache.org>
To:     fortress@directory.apache.org
Date:   02/21/2017 05:39 AM
Subject:        Re: Is there support for C# policy enforcement points?




> On Feb 20, 2017, at 5:04 PM, roger_alexander@selinc.com wrote:
> 
> Is there any support for policy enforcement points in C#? If not, how 
> difficult would it be to create it?

Welcome Roger,

the short answer is ‘no’ there isn’t a C# interface for the RBAC system 
management APIs and it would be a significant effort to create one.

There is a glimmer of light however, and it has to do with the OpenLDAP 
accelerator overlay.  To learn more about it, check out a youtube video of 
a presentation I gave at last year’s apachecon:

https://urldefense.proofpoint.com/v2/url?u=https-3A__www.youtube.com_watch-3Fv-3DMqcb-5FT8WMMM-26t-3D1822s&d=DQIFaQ&c=zVFQZQ67ypsA9mYKSCqWmQHiVkCCaN-Gb60_N6TVnLk&r=iat1tmf0Sit93_IOdRawtzLRj38d7h-hYx9EdHSfZmg&m=080DtJFSm9gxDh79hv6NRlPZDhZpo2WWAUZvCSZ5JB4&s=3_W54JPR6FBDKXGke6158qa4nBXaxYc6sPRBzFavavY&e= 


The existing code for the accelerator is comprised of the following:

1. OpenLDAP slapo-rbac overlay (serverside)
2. rbac accelerator java bindings (clientside)
3. rbac accelerator C bindings (clientside)

This source code has not yet been released, but will be — soon (a week or 
two). 

So, if you are willing to wait a bit, are using openldap server, can use 
C, and can tolerate some bugs -- you’re in luck. 

After watching the video you’ll understand it is much easier to create 
client bindings because most of the code resides on the server.  The 
client is merely formatting the extended LDAP messages to/from the server.

This means if you wanted to code your own C# bindings connecting to the 
rbac accelerator, it would be a much smaller task, than creating something 
like another fortress.

Hope this helps,
Shawn


Re: Is there support for C# policy enforcement points?

Posted by Shawn McKinney <sm...@apache.org>.
> On Feb 20, 2017, at 5:04 PM, roger_alexander@selinc.com wrote:
> 
> Is there any support for policy enforcement points in C#? If not, how 
> difficult would it be to create it?

Welcome Roger,

the short answer is ‘no’ there isn’t a C# interface for the RBAC system management APIs and it would be a significant effort to create one.

There is a glimmer of light however, and it has to do with the OpenLDAP accelerator overlay.  To learn more about it, check out a youtube video of a presentation I gave at last year’s apachecon:

https://www.youtube.com/watch?v=Mqcb_T8WMMM&t=1822s

The existing code for the accelerator is comprised of the following:

1. OpenLDAP slapo-rbac overlay (serverside)
2. rbac accelerator java bindings (clientside)
3. rbac accelerator C bindings (clientside)

This source code has not yet been released, but will be — soon (a week or two).  

So, if you are willing to wait a bit, are using openldap server, can use C, and can tolerate some bugs -- you’re in luck.  

After watching the video you’ll understand it is much easier to create client bindings because most of the code resides on the server.  The client is merely formatting the extended LDAP messages to/from the server.

This means if you wanted to code your own C# bindings connecting to the rbac accelerator, it would be a much smaller task, than creating something like another fortress.

Hope this helps,
Shawn