You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by sm...@apache.org on 2019/04/25 15:06:16 UTC
[directory-fortress-enmasse] branch master updated: more
description on security model
This is an automated email from the ASF dual-hosted git repository.
smckinney pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/directory-fortress-enmasse.git
The following commit(s) were added to refs/heads/master by this push:
new 1c9fdf4 more description on security model
1c9fdf4 is described below
commit 1c9fdf43c8e03efe2bafad8f6e38fe0482a3f486
Author: Shawn McKinney <sm...@apache.org>
AuthorDate: Thu Apr 25 10:06:12 2019 -0500
more description on security model
---
README-SECURITY-MODEL.md | 33 ++++++++++++++++++++++++++++-----
README.md | 6 +++++-
2 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/README-SECURITY-MODEL.md b/README-SECURITY-MODEL.md
index 0cb5cbf..51d1ef0 100644
--- a/README-SECURITY-MODEL.md
+++ b/README-SECURITY-MODEL.md
@@ -43,6 +43,21 @@ ________________________________________________________________________________
* Apache Fortress Rest is a JAX-RS Web application that allows the Apache Fortress Core APIs to be called over an HTTP interface.
* It deploys inside of any compliant Java Servlet container although here we'll be using Apache Tomcat.
+ The system architecture of a typical Apache Fortress Rest deployment:
+
+ (*REST/JSON Client*)<---HTTP--->(*Fortress REST*)<---in-process API call--->(*Fortress Core*)<---LDAPv3--->(*Directory Server*)
+
+ * REST/JSON Client is any HTTP interface that supports the message formats.
+ * Fortress Rest is this project's main artifact, a web application archive (.war) file that deploys into servlet containers like Apache Tomcat.
+ * Fortress Core is a set of Java APIs that do the actual work, a one-to-one mapping between a fortress rest service and core api.
+ * Directory Server is OpenLDAP, ApacheDS or any other LDAPv3 server instance.
+
+ The security credentials of the caller are passed into call chain by the *REST/JSON Client* as standard HTTP basic auth headers
+ and verified by the Apache Fortress Realm. This is where the role activation occurs creating an RBAC session.
+
+ This RBAC session is then handled by the container for the duration of the HTTP request, in the standard java.security.Principle format.
+ The user's RBAC session is retrieved from the container using standard Java API conveniently setting the stage for the checks that follow.
+
### Apache Fortress Rest security model includes:
### 1. TLS
@@ -54,11 +69,12 @@ ________________________________________________________________________________
* Apache Fortress Rest uses the [Apache Fortress Realm](https://github.com/apache/directory-fortress-realm) to provide Java EE authentication, coarse-grained authorization mapping the users and roles back to a given LDAP server.
* The policy for Apache Fortress Rest is simple. Any user with the **fortress-rest-user** role and correct credentials is allowed in.
- * The Fortress Rest interface uses HTTP Basic Auth tokens to send the userid/password.
+ * The Fortress Rest interface requires standard HTTP Basic Auth tokens for the userid/password credentials.
+ * See deployment descriptor, [web.xml](src/main/webapp/WEB-INF/web.xml), for settings.
___________________________________________________________________________________
## 3. Apache CXF's **SimpleAuthorizingInterceptor**
-This policy enforcement mechanism maps RBAC roles to a given set of services. The following table shows what roles map to which (sets of) services:
+ This policy enforcement mechanism maps RBAC roles to a given set of services. The following table shows what roles map to which (sets of) services:
| service type | fortress-rest-super-user | fortress-rest-admin-user | fortress-rest-review-user | fortress-rest-access-user | fortress-rest-deladmin-user | fortress-rest-delreview-user | fortress-rest-delaccess-user | fortress-rest-pwmgr-user | fortress-rest-audit-user | fortress-rest-config-user |
| ----------------- | ------------------------ | ------------------------ | ------------------------- | ------------------------- | --------------------------- | ---------------------------- | ---------------------------- | ------------------------ | ------------------------ | ------------------------- |
@@ -72,6 +88,15 @@ This policy enforcement mechanism maps RBAC roles to a given set of services. T
| Audit Manager | true | false | false | false | false | false | false | false | true | false |
| Config Manager | true | false | false | false | false | false | false | false | false | true |
+ * The service to role mapping is performed inside the [FortressServiceImpl](src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java) module.
+ * For example, deleteUser:
+ ```
+ @POST
+ @Path("/userDelete/")
+ @RolesAllowed({"fortress-rest-super-user", "fortress-rest-admin-user"})
+ public FortResponse deleteUser...
+ ```
+ * Requires *fortress-rest-super-user* or *fortress-rest-admin-user* to gain entry AND the Java EE role described previously.
___________________________________________________________________________________
## 4. Apache Fortress **ARBAC Checks**
@@ -82,9 +107,7 @@ ________________________________________________________________________________
is.arbac02=true
```
-The ARBAC checks once enabled, perform the following additional security checks:
-
-a. All service invocations, except for AccessMgr and DelAccessMgr, perform an ADMIN permission check automatically corresponding with the exact service/API being called.
+a. All service invocations, perform an ADMIN permission check automatically by invoking *DelAccessMgr.checkAccess*.
For example, the permission with an objectName: **org.apache.directory.fortress.core.impl.AdminMgrImpl** and operation name: **addUser** is automatically checked
during the call to the **userAdd** service.
diff --git a/README.md b/README.md
index 734751c..b276ae7 100644
--- a/README.md
+++ b/README.md
@@ -252,7 +252,11 @@ Run unit test:
___________________________________________________________________________________
## SECTION 7. Integration Test with Fortress Core
- These tests will use Apache Fortress Core test programs to drive the Apache Fortress Rest services.
+ These tests will use the Apache Fortress Core test programs to drive the Apache Fortress Rest services.
+ It works via fortress core's inherent ability to call itself over REST, useful for testing and hopping over firewalls.
+
+(*Fortress Core*)<---HTTP--->(*Fortress REST*)<---in-process API call--->(*Fortress Core*)<---LDAPv3--->(*Directory Server*)
+
See *SECTION 1. Prerequisites* of this document for more info on how to prepare a test env.
1. Point your Apache Fortress Core test env to Apache Fortress REST runtime.