S3 Authorization Framework: "Managing Access in Student Information System at Carnegie Mellon University"
Parviz Dousti, IT Consulting Engineer, Computing Service, Carnegie Mellon University, Oct. 1st 2012


Page 1: Parviz Dousti IT Consulting Engineer Computing Service Carnegie Mellon University Oct. 1 st 2012

S3 Authorization Framework
"Managing Access in Student Information System at Carnegie Mellon University"

Parviz Dousti
IT Consulting Engineer, Computing Service
Carnegie Mellon University
Oct. 1st 2012

Page 2: Background

Student Services Suite (S3)
- A brownfield development of SIS
- Completely new authorization

Had a discovery project to answer:
- Have a central authorization system?
- Use an open source solution?
- Buy a product?
- Write our own?

Page 3: Requirements

- Modularized: complete independence from the application
- Configurable: i.e. not hard-coded
- Flexible and powerful: capable of handling complex user stories in SIS
  - Time based authorizations, e.g. add/drop period
  - Quantity/amount based authorization, e.g. refunding
  - Relation based authorization, e.g. department admins' access to students of a certain program, the advisor-advisee relation, the original creator of a memo

Page 4: Framework Design Goals

- Powerful (RBAC, ABAC, filtering)
- Encapsulated, isolated
- Reusable
- Simple
- Scalable, fast

Page 5: High Level Architecture

(architecture diagram; no slide text)

Page 6: Authorization Vocabulary

Permission: User/Group can do Action on a Resource [based on Qualifier(s)]

Example: AcademicAdmins can Update /cmu/s3/admin/course_grades [if course belongs to their department]

Page 7: Entities (Abstract)

- User
- Group
- Resource
- Action
- Permission
- Qualifier

Page 8: Entities (Implemented)

- User
- Group (61)
- Resource:Action (199)
- Permission
- Qualifier (33)
- Qualifier Values

Page 9: S3 Authz Building Blocks

Developer: Resource, Qualifier
Business Owner: Users, Groups, Qualifier Values, Permissions

Page 10: Resources

- Identifier of any "thing" to be protected
- Adheres to standard form:

    <cmu namespace>:<system>:<resource type>:<resource>=<action>

For example:

    urn:mace:cmu:edu:andrew:s3:admin:screen:students:grades=view

Page 11: More on Qualifiers

- Fixed-attribute and custom qualifiers
- May use the user's inherited attributes or affiliations
- May use existing authorization tables in SIS
- Can be combined in a Boolean expression
- Not all are meaningful for a permission

Page 12: Custom Qualifiers

Implemented as simple Java classes:

    // A custom qualifier: the permission is satisfied only if the student named
    // in the call context is enrolled (dao is the class's data access object)
    public class IsEnrolled implements Qualifier {
        public boolean isSatisfied(String userId, Map ctx) {
            return dao.isEnrolled((String) ctx.get("studentId"));
        }
    }

Page 13: Fixed-Attribute Qualifiers

    // A fixed-attribute qualifier: an AttributeRetriever fetches an attribute of the
    // student named in the call context (here the department) so the engine can
    // compare it against the qualifier value configured on the permission
    public class StudentDeptAR implements AttributeRetriever {
        public AttributeSet fetchAttributes(Map ctx) {
            Student student = dao.fetchStudent((String) ctx.get("studentId"));
            AttributeSet as = new AttributeSet();
            as.setAttribute1(student.getDepartment());
            return as;
        }
    }

Page 14: API

    // API
    public interface AuthorizationEngine {
        boolean isAuthorized(String userId, String resource, Map<String, Object> context);
    }

    // Example call: the context carries the values the qualifiers will inspect
    Map<String, Object> context = new HashMap<>();
    context.put("studentId", "northrop");
    authzEngine.isAuthorized("dl2b", "screen:student:grades=view", context);
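The vocabulary on Page 6, the custom qualifier on Page 12 and the isAuthorized call on Page 14 fit together as in the following added, self-contained example (Java 16 or later); it is not the S3 framework's own code, and the MiniAuthz class, the Permission record, the group and resource strings and the department tables are constructed for illustration.

```java
import java.util.*;

// Added illustration, not S3 code: a deny-by-default engine using the slides' vocabulary,
// "Group can do Resource=Action [if Qualifier(s)]". All names below are assumptions.
public class MiniAuthz {
    // Same shape as the Qualifier interface on Page 12
    interface Qualifier { boolean isSatisfied(String userId, Map<String, Object> ctx); }
    // A permission grants one group one resource=action, gated by qualifiers that must all hold
    record Permission(String group, String resource, List<Qualifier> qualifiers) {}

    private final Map<String, Set<String>> groupsOfUser = new HashMap<>();
    private final List<Permission> permissions = new ArrayList<>();

    void addMember(String userId, String group) {
        groupsOfUser.computeIfAbsent(userId, k -> new HashSet<>()).add(group);
    }

    void grant(Permission p) { permissions.add(p); }

    // Authorized only if some permission of one of the user's groups names this exact
    // resource=action and every qualifier on it is satisfied in this call's context
    public boolean isAuthorized(String userId, String resource, Map<String, Object> ctx) {
        Set<String> groups = groupsOfUser.getOrDefault(userId, Set.of());
        for (Permission p : permissions) {
            if (!groups.contains(p.group()) || !p.resource().equals(resource)) continue;
            if (p.qualifiers().stream().allMatch(q -> q.isSatisfied(userId, ctx))) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data: department of each admin and of each course
        Map<String, String> userDept = Map.of("dl2b", "CS");
        Map<String, String> courseDept = Map.of("15-213", "CS", "21-127", "MATH");
        // Page 6 example: AcademicAdmins can update course grades if the course is in their department
        Qualifier sameDept = (user, c) -> userDept.containsKey(user)
                && userDept.get(user).equals(courseDept.get(c.get("courseId")));
        MiniAuthz authz = new MiniAuthz();
        authz.addMember("dl2b", "AcademicAdmins");
        authz.grant(new Permission("AcademicAdmins", "admin:course_grades=update", List.of(sameDept)));

        Map<String, Object> ctx = new HashMap<>();
        ctx.put("courseId", "15-213");   // course in dl2b's own department
        System.out.println(authz.isAuthorized("dl2b", "admin:course_grades=update", ctx));
        ctx.put("courseId", "21-127");   // course in another department: the qualifier fails
        System.out.println(authz.isAuthorized("dl2b", "admin:course_grades=update", ctx));
        System.out.println(authz.isAuthorized("dl2b", "admin:course_grades=view", ctx)); // no grant for view
        System.out.println(authz.isAuthorized("anon", "admin:course_grades=update", ctx)); // not in any group
    }
}
```

The last three calls show the three ways a request is denied: a qualifier evaluating false, no permission naming that resource=action, and a user outside every granted group.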

Page 15: Evaluating Design Goals

- Powerful (RBAC, ABAC, filtering): Yes! groups + qualifiers
- Encapsulated, isolated: Yes! authz engine + resource + custom qualifiers
- Reusable: Yes! qualifiers applied to any resource
- Simple: Yes! must only "tag" resources + write qualifiers
- Scalable, fast: Yes! optimizations for caching and aggregating calls

Page 16: Some UI Screenshots

Page 17: Authorization Console

Pages 18-23: (UI screenshots; no slide text)

Thanks To:

Darleen LaBarbera - VP for Campus Affairs, Carnegie Mellon University
Ben Northrop - Distinguished Technical Consultant, Summa

Page 24: Questions?