You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by el...@apache.org on 2014/10/27 12:58:18 UTC
svn commit: r1634512 - in /directory/site/trunk: content/fortress/overview.mdtext content/fortress/quick-start.mdtext content/fortress/user-guide.mdtext templates/fortress/page.html

Author: elecharny
Date: Mon Oct 27 11:58:18 2014
New Revision: 1634512

URL: http://svn.apache.org/r1634512
Log:
Updated the user guides and added an overview page

Added:
    directory/site/trunk/content/fortress/overview.mdtext
    directory/site/trunk/content/fortress/quick-start.mdtext
Removed:
    directory/site/trunk/content/fortress/user-guide.mdtext
Modified:
    directory/site/trunk/templates/fortress/page.html

Added: directory/site/trunk/content/fortress/overview.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/fortress/overview.mdtext?rev=1634512&view=auto
==============================================================================
--- directory/site/trunk/content/fortress/overview.mdtext (added)
+++ directory/site/trunk/content/fortress/overview.mdtext Mon Oct 27 11:58:18 2014
@@ -0,0 +1,139 @@
+Title: Fortress Overview
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+# Fortress Overview
+
+## What is it?  
+
+Fortress is a standards-based and open source IAM system that provides ANSI RBAC (INCITS 359) management and enforcement capabilities to networked applications and systems. 
+
+Included in Fortress packages:
+
+* RBAC Core APIs
+* RBAC Web Management UI
+* RBAC Web Policy Server
+* RBAC Policy Enforcement
+* Directory Services with [OpenLDAP](http://www.openldap.org) (powered w/Memory-Mapped DB) or [ApacheDS](http://directory.apache.org)
+
+It is released under terms of the Apache License 2.0. 
+
+## What can it do currently?
+
+A demo outlining this capability using embedded Apache Tomcat Server and Realm RBAC Policy Enforcement contained within QUICKSTART packages. 
+
+Features include...
+
+* RBAC Management via APIs, services and Web pages
+* Password Management via APIs, services and self-service Web pages
+* Interrogation of centralized audit for management and enforcement activites via APIs, services and Web pages
+* Policy enforcement plug-ins to enforce policies in Java, Spring, Linux and Windows platforms
+* Documented Install Guide and freely available [Fortress Quickstart](quick-start.html) packages to demonstrate all of the above
+* Multi-tenant segregation of data into directory.
+* Directory replication to satisfy mission critical requirements like high availability and disaster recovery.
+* Documented utiliites to run Fortress functions from command line interpeter.  
+* Callback routines used to automate custom data loading requirements using the fortress Ant XML scripting tool to facilitate bulk loading and auto installs.
+* Automatic, configurable, and extensible junit test suite to certify Fortress IAM into new system environments.
+* Javadoc API guide 
+* Customizable Samples to show common API usages
+
+## What technologies at play?
+
+Fortress products run on open system hardware and software platforms supporting LDAPv3, HTTP/S & Java technologies. Functionality that extend beyond LDAPv3 is realized via OpenLDAP/ApacheDS specific features. With the advent of EnMasse & Commander products, [Apache Tomcat](http://tomcat.apache.org/, or preferred Java servlet container is used to process HTTP communications between endpoints.  Fortress provides downloadable packages called QUICKSTARTS which include instructions for first-time install and use of these products.
+
+## What standards apply?
+
+The following technology standards are applied within Fortress...
+
+### ANSI Role-Based Access Control (INCITS 359) 
+
+There is more to compliance than assigning users to groups and applying ACL policies within directories or databases.  [RBAC](http://csrc.nist.gov/groups/SNS/rbac/documents/draft-rbac-implementation-std-v01.pdf) systems provide selective Role activation/deactivation, role hierarchies, and constraints over separation of duty.  The [RBAC](http://csrc.nist.gov/groups/SNS/rbac/documents/draft-rbac-implementation-std-v01.pdf) component provides APIs to add, update, delete, and search the directory data.  Fortress provides everything that is needed to exploit the full power of this ANSI specification.
+
+More info can be found on [Intro to ANSI RBAC Page](http://iamfortress.org/Intro%20to%20Rbac)
+
+### [Java EE Platform](http://java.net/projects/javaee-spec/pages/Home) (tm) Security
+
+Used for SSL, X.509 mutual authentication, form-based container authentication, coarse-grained authorization, SSO and more.  Works within compliant Java Web apps like EnMasse policy server.  Java EE security is good because its declarative controls keep the development and integration costs low.  At the same time, it provides adequate network system security and the business apps run fast due to caching maintained within the app server container.  This reduces costs because of fewer round-trips between the application and policy servers.
+
+### Administrative Role-Based Access Control ([ARBAC02](http://profsandhu.com/journals/tissec/p113-oh.pdf))
+
+The ARBAC model explains how [RBAC](http://csrc.nist.gov/groups/SNS/rbac/documents/draft-rbac-implementation-std-v01.pdf) can be extended with organizational controls to govern policies regarding the security administration process. ARBAC helps by allowing administrative tasks be delegated to end users who fall outside typical datacenter operations.  Cost savings is realized through lower overhead due to delegation while at same time maintaining a firm grip on compliance.
+
+### IETF Password Policies
+
+OpenLDAP has supported this draft since 2005.  Fortress adds by integrating with its administrative and access control APIs.  These APIs enable outside apps to participate and manipulate OpenLDAP password policies without understanding the specifics of how they work. Fortress provides services for setting up new policies and ensuring password policies are tracked and enforced across all avenues.
+
+### Auditing
+
+Fortress audits use OpenLDAP's slapd access log overlay.  This extended capability stores history of slapd events which are needed for replication.  The events are persisted in OpenLDAP's back-end database, called the [Lightning Memory-Mapped DB](http://www.openldap.org/pub/hyc/mdm-paper.pdf, or in ApacheDS.
+
+The Fortress audits rely on slapd events to track its data exchanges performed within its own APIs.  Change event tracking includes adds, updates, and deletes of Fortress entities.  Read and search events tracked include user authentication, authorization, and policy interrogations.  Full historical data change tracking is maintained and may be searched later with APIs to be used for monitoring, reporting, and undo. The log may be retrieved later to synch with outside database for long-term regulatory and compliance concerns.  
+
+Fortress will soon use its audit trail for *adaptive authorization* to stop bad things before they happen.  For example...
+
+* If there have been more than 1,000 authentication failures during the last 60 seconds, notify members of the support center.  Give them a chance to sort it all out. 
+* If a particular user has failed more than three *authorizations* during the last 5 minutes, bar access for 20 minutes.  Send email to supervisor and business manager over the web resources.
+* If customer withdrawls more than 5,000 pounds in 24 hours, deny further withdrawl for duration of one day. Send notification to customer's email address.
+* If more than 1,000,000 Euros are traded within the portfolio of any one trader or group of traders, during any 4 hour period, prevent further trading until manual unlock performed by risk management group.
+* etc...
+
+### Temporal Constraints 
+
+The Fortress Temporal model allows Users and Roles to carry time and date Constraints which govern when activations may occur. Role constraints are checked on every call into Fortress.  The user constraint applied only at session creation.
+
+
+### ANSI RBAC Policy-Enhanced (INCITS-494-2012)
+
+Not yet.
+
+
+## What security services are available?
+
+Over one hundred services divided across the Manager components.  Some of them (Access, Admin and Review) map back to [ANSI RBAC functional specifications](http://csrc.nist.gov/groups/SNS/rbac/documents/draft-rbac-implementation-std-v01.pdf.  Others (DelAccess, DelAdmin, DelReview) are for the [ARBAC02](http://profsandhu.com/journals/tissec/p113-oh.pdf) model which help manage admnistrative burden for large enterprises.  
+
+Each manager component defined below has a specific purpose and contains a collection of related functions to control the Fortress Entities as they pass through its particular area of the identity lifecycle.  Of late the APIs have been wrapped with REST by En Masse Policy Server.  This allows Fortress functionality to be accessed over HTTP protocol using an XML message format.
+
+A description of the managers follow...
+
+* AccessMgr - This object performs runtime access control operations on objects that are provisioned [RBAC](http://csrc.nist.gov/groups/SNS/rbac/documents/draft-rbac-implementation-std-v01.pdf) entities that reside in LDAP directory to maintain policy enforcement.
+* AdminMgr - This object performs administrative functions to provision Fortress RBAC entities into the LDAP directory.  Can be used to build custom application and UIs.
+* AuditMgr - This interface prescribes methods used to search OpenLDAP's slapd access log that contains an audit trail of entity operational state to maintain and verify compliance.
+* DelAcessMgr - This interface prescribes the API for performing runtime delegated access control operations on objects that are provisioned Fortress [ARBAC02](http://profsandhu.com/journals/tissec/p113-oh.pdf) entities that reside in LDAP directory to maintain policy enforcement.
+* DelAdminMgr - This class prescribes the [ARBAC02](http://profsandhu.com/journals/tissec/p113-oh.pdf) DelegatedAdminMgr interface for performing policy administration of Fortress ARBAC entities that reside in LDAP directory.  Can be used to build custom security application and UIs.
+* DelReviewMgr - This class prescribes the [ARBAC02](http://profsandhu.com/journals/tissec/p113-oh.pdf) DelegatedReviewMgr interface for performing policy interrogation of provisioned Fortress [ARBAC02](http://profsandhu.com/journals/tissec/p113-oh.pdf) entities that reside in LDAP directory to maintain and verify compliance.
+* PswdPolicyMgr - This object adheres to [IETF PW policy draft](http://tools.ietf.org/html/draft-behera-ldap-password-policy-10) and is used to perform administrative and review functions on the PWPOLICIES and USERS data sets within Fortress.
+* ReviewMgr - This interface prescribes the administrative review functions on already provisioned Fortress [RBAC](http://csrc.nist.gov/groups/SNS/rbac/documents/draft-rbac-implementation-std-v01.pdf) entities that reside in LDAP directory to maintain and verify compliance.
+
+## Where is it?
+
+Source is managed by Apache's GIT repo:
+
+* [Fortress Core](https://git-wip-us.apache.org/repos/asf/directory-fortress-core.git) - RBAC APIs
+* Fortress Commander - RBAC Web Management UI (Not Yet Available)
+* Fortress En Masse - RBAC Web Policy Server (Not Yet Available)
+* Fortress Realm - RBAC Policy Enforcement (Not Yet Available)
+
+
+## What are the conditions?
+
+This software development toolkit is open source, thus free to use and distribute under terms of the [Apache License 2.0](http://www.apache.org/licenses/LICENSE-2.0.  It was developed and tested on open systems like [Ubuntu](http://www.ubuntu.com/) and [Centos](http://www.centos.org/) and was helped along by the following open source products:
+
+* [The OpenLDAP Project](http://www.openldap.org/project/)
+* [The Apache Software Foundation](http://www.apache.org/)
+* [The Eigenbase Project](http://www.eigenbase.org/)
+* [Ehcache](http://ehcache.org/)
+* and many more

Added: directory/site/trunk/content/fortress/quick-start.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/fortress/quick-start.mdtext?rev=1634512&view=auto
==============================================================================
--- directory/site/trunk/content/fortress/quick-start.mdtext (added)
+++ directory/site/trunk/content/fortress/quick-start.mdtext Mon Oct 27 11:58:18 2014
@@ -0,0 +1,25 @@
+Title: Quick Start guides
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+# Quick-start guides
+
+The Quick Start guides show you how to do base install of Fortress and OpenLDAP:
+
+* [Quick Start Guide for Linux](quick-start/linux/linux.html)
+* [Quick Start Guide for Windows](quick-start/windows/windows.html)
+* [Quick Start Guide for ApacheDS](quick-start/apacheds/apacheds.html)

Modified: directory/site/trunk/templates/fortress/page.html
URL: http://svn.apache.org/viewvc/directory/site/trunk/templates/fortress/page.html?rev=1634512&r1=1634511&r2=1634512&view=diff
==============================================================================
--- directory/site/trunk/templates/fortress/page.html (original)
+++ directory/site/trunk/templates/fortress/page.html Mon Oct 27 11:58:18 2014
@@ -38,8 +38,8 @@
     </ul>
     <h5>Documentation</h5>
     <ul>
-        <!--li><a href="{{base}}fortress/five-minutes-tutorial.html">Five minutes tutorial</a></li-->
-	    <li><a href="{{base}}fortress/user-guide.html">User Guide</a></li>
+        <li><a href="{{base}}fortress/overview.html">Overview</a></li>
+	    <li><a href="{{base}}fortress/quick-start.html">Quick Start</a></li>
         <!--li><a href="{{base}}fortress/gen-docs/latest/apidocs/">JavaDocs</a></li-->
         <!--li><a href="{{base}}fortress/gen-docs/latest/xref/">Cross-Reference</a></li-->
         <!--li><a href="{{base}}fortress/gen-docs/latest/">Generated Reports</a></li-->