E5: Predix Security with ACS & UAA (Predix Transform 2016)
9 likes2,756 views
Predix Security provides user account management, authentication, and authorization services through UAA and ACS. UAA handles user accounts, login/authentication through OIDC/SAML, and groups/scopes. ACS implements attribute-based access control by discovering attributes of subjects and resources, and evaluating policies based on attribute matches to determine access permissions. It supports dynamic roles, hierarchical attributes for inheritance, and fine-grained authorization beyond what is possible with OAuth scopes alone. The technology stack is open source and built on standards like OAuth 2.0, OIDC, SAML, and uses technologies like Cassandra, PostgreSQL, Spring, and Cloud Foundry.
E5: Predix Security with ACS & UAA (Predix Transform 2016)
- 1. E5: Predix Security with ACS/UAA Dario Amiri, Senior Software Architect, GE Digital @darioamiri
- 2. 2PREDIX TRANSFORM Agenda User Account and Authentication (UAA)1 Access Control Service (ACS)2
- 3. 3PREDIX TRANSFORM User Account and Authentication UAA features include • User account management • OIDC and SAML initiated login • OIDC and SAML federation of external identity providers • All OAuth 2.0 grant types • Device authentication
- 4. 4PREDIX TRANSFORM User Account Management • SCIM-based RESTful API • User native accounts – Credentials stored in UAA • User shadow accounts – Federated identities • Manage user privileges – Group membership – Coarse-grained – Tied to user login session
- 5. 5PREDIX TRANSFORM User Authentication • OpenID Connect (OIDC) – Built on top of OAuth 2.0 framework – Easier to implement • Security Assertion Markup Language (SAML) – Ubiquitous in the enterprise – You better know what you’re doing
- 6. 6PREDIX TRANSFORM OIDC/OAuth Concepts • Resource Owner – I.e. a user • Client – Application or service identity – Can act on it’s own or on behalf of a user (i.e. resource owner) • Grant type – A procedure for authorizing a client or user – client_credentials authorizes a client acting on it’s own – authz_code authorizes a client to act on behalf of a user
- 7. 7PREDIX TRANSFORM Authorities vs. groups vs. scopes • Authorities – What privileges a client has when it acts on it’s own • Groups – What privileges a user potentially has – Effective privileges are still limited by the client scopes … app_client authorities: clients.secret scopes: scim.read scim.read scim.write [email protected] GroupsUsersClients
- 8. 8PREDIX TRANSFORM Authorities vs. groups vs. scopes • Client scopes – What a user can do through a specific client – Inner join of user groups and client scopes produces … • Access token scope – Holds the effective privileges during a login session app_client authorities: clients.secret scopes: scim.read scim.read scim.write [email protected] GroupsUsersClients
- 9. 9PREDIX TRANSFORM Authorities vs. groups vs. scope app_client authorities: clients.secret scopes: scim.read scim.read scim.write [email protected] GroupsUsersClients scope: clients.secret scope: scim.read Tokens client_credentials authz_code OAuth Grant Type
- 10. 10PREDIX TRANSFORM Authorities vs. groups vs. scope app_client authorities: clients.secret scopes: scim.* scim.read scim.write [email protected] GroupsUsersClients scope: clients.secret scope: scim.read scim.write Tokens client_credentials authz_code OAuth Grant Type
- 11. 11PREDIX TRANSFORM Service-to-service authentication • OAuth 2.0 client credentials grant – Restrict allowed grant type to client_credentials – Set client authorities as necessary to access Predix services – <service>.zones.<instance>.user – Restrict unnecessary authorities service consumer (client) web service (resource server) uaa (authorization server) trust 3.api request + token 1.client id + secret 2.token 4.data
- 12. 12PREDIX TRANSFORM Login service - OIDC • OpenID Connect (OIDC) http://openid.net/specs/openid-connect-core- 1_0.html – Supported by virtually all web frameworks and reverse proxies – Uses authz_code or implicit grant – Basically OAuth but the access token represents a user identity session management token verification web app (client) web service (resource server) uaa (authorization server) trust browser 1.request 2.oauth 3.login 7.api request + token 5.code 6.token 4.code 8.data 9.response
- 13. 13PREDIX TRANSFORM Login service - SAML • Security Assertion Markup Language (SAML)http://saml.xml.org/saml- specifications – Ubiquitous in the enterprise – Complicated to use – SAML IdP metadata: http://<uaa hostname>/saml/idp/metadat a session management web app (client) uaa (authorization server)trust browser 1.request 2.saml request 3.login 4.saml response 5.response
- 14. 14PREDIX TRANSFORM Federating external IdP with SAML • Download your SAML SP metadata from UAA – https://<uaa hostname>/saml/metadata – Send this to the IdP’s administrator • Obtain SAML IdP metadata from IdP administrator • Create/configure IdP in UAA – Use the scripts – Read the documentation
- 15. 15PREDIX TRANSFORM Federating external IdP with SAML session management token verification web app (client) web service (resource server) uaa (authorization server) trust browser 1.request 2.oauth 4.login 9.api request + token 7.code 8.token 6.code 10.data 11.response saml idp 3.saml request 5.saml response
- 16. 16PREDIX TRANSFORM Federating external IdP with SAML • Federate with multiple identity providers • IdP discovery based on user domain – [email protected] authenticates with the ge.com idp – [email protected] authenticates with the tesla.com idp • Mapping of SAML attributes to JWT properties
- 17. 17PREDIX TRANSFORM Best Practices • Read the documentation • Initiate user login using OpenID Connect (OIDC) • Use client credentials grant for devices – Give each device a client id and secret – Use JWT Bearer Profile for certificate-based authentication • Consider using the GE shared UAA • Use the new dashboard when it becomes available
- 18. 18PREDIX TRANSFORM Why ACS? Limitations of OAuth 2.0 • Scope-based privileges are too coarse-grained • Scopes are tightly coupled to access token – Logout/login required for privilege changes to take effect • Lack of consistent solution for – policy definition – privilege management • Performance not tuned for making fine-grained access control decisions per resource request
- 19. 19PREDIX TRANSFORM What does ACS do? Attribute Based Access Control (ABAC) • Attribute store for – Subjects: entities that do things – Resources: entities that have things done to them • Policy store – How subject and resource attributes combine to determine privileges • Policy evaluation – Given a subject, action, and resource determine if operation is allowed
- 20. 20PREDIX TRANSFORM What are attributes? • A key value pair • Asserted by a trusted entity • Useful for making authorization decisions
- 21. 21PREDIX TRANSFORM What are attributes? • [email protected] is an analyst • [email protected] is a member of the research group role: analyst group: researchers attributes subject [email protected] identifier
- 22. 22PREDIX TRANSFORM What are attributes? • The asset with id 1234 is located at the San Ramon site • The asset with id 1234 belongs to users in the research group site: san-ramon group: researchers attributes resource /assets/1234 identifier
- 23. 23PREDIX TRANSFORM Breaking down policy evaluation • Client sends a request for authorization – Can a subject perform an action on a resource – Java library support today - route service tomorrow • ACS performs – Attribute discovery – Policy evaluation • Client receives – Authorization decision (permit | deny) – Discovered attributes
- 24. 24PREDIX TRANSFORM authorization request [email protected] subject /assets/1234 resource GET action attribute discovery policy evaluation authorization response PERMIT | DENY decision role: analyst group: researchers [email protected] site: san-ramon group: researchers /assets/1234 discovered attributes
- 25. 25PREDIX TRANSFORM authorization response discovered attributes subject.and(resource).haveSame(‘group’) policy condition attribute discovery role: analyst group: researchers [email protected] site: san-ramon group: researchers /assets/1234 discovered attributes Attribute Store authorization request [email protected] /assets/1234GET permit
- 26. 26PREDIX TRANSFORM Implementing RBAC with ACS Hierarchical attributes • Define attributes for roles, groups, etc. – Users can inherit attributes from these – Create an “analyst” subject and assign it attributes – Have “[email protected]” subject inherit attributes from “analyst”
- 27. 27PREDIX TRANSFORM Subject attribute inheritance example org: ge tenancy-id: 11235 org-ge group: research app: apm group-research role: analyst report: asset-performance role-analyst [email protected] org: ge tenancy-id: 11235 group: research app: apm role: analyst report: asset-performance
- 28. 28PREDIX TRANSFORM Resource attribute inheritance example org: ge site: san-ramon /sites/01 group: research /sites/01/assets/21 report: asset-performance /sites/01/assets/21/reports/72 org: ge site: san-ramon group: research report: asset-performance
- 29. 29PREDIX TRANSFORM Dynamic roles Subject roles depend on the resource accessed • Child subject conditionally inherits parent attributes – User X inherits attribute from role Y when accessing resource Z – [email protected] is an analyst for the “san-ramon” site – [email protected] is not an analyst for other sites • Subject attributes are scoped by resource attributes
- 30. 30PREDIX TRANSFORM Scoped attribute inheritance (permit) • Example policy – Allow user access to asset performance report if – The asset belongs to the user’s group – The user is an analyst for the San Ramon site site: san-ramon org: ge tenancy-id: 11235 org-ge group: research app: apm group-research role: analyst report: asset-performance role-analyst [email protected] org: ge tenancy-id: 11235 group: research app: apm role: analyst report: asset-performance org: ge site: san-ramon /sites/01 group: research /sites/01/assets/21 report: asset-performance /sites/01/assets/21/reports/72 org: ge site: san-ramon group: research report: asset-performance
- 31. 31PREDIX TRANSFORM Scoped attribute inheritance (deny) • Example policy – Allow user access to asset performance report if – The asset belongs to the user’s group – The user is an analyst for the San Ramon site site: san-ramon org: ge tenancy-id: 11235 org-ge group: research app: apm group-research role: analyst report: asset-performance role-analyst [email protected] org: ge tenancy-id: 11235 group: research app: apm org: ge site: cincy-oh /sites/02 group: research /sites/02/assets/33 report: asset-performance /sites/02/assets/33/reports/51 org: ge site: cincy-oh group: research report: asset-performance
- 32. 32PREDIX TRANSFORM Technology stack runtime Apache Cassandra PostgreSQL java spring titan db spring data apache tinkerpop cloud foundry platform uaa • Apache 2 license • We’re on github: https://github.com/predix/acs
- 33. 33PREDIX TRANSFORM Five Lessons to Take Away 1. Use UAA to manage, federate, and authenticate 2. Understand OAuth 2.0, OIDC, SAML 3. Know Authorities vs. Groups vs. Scope 4. Use ACS to address limitations of OAuth 5. Read the UAA and ACS documentation
- 34. General Electric reserves the right to make changes in specifications and features, or discontinue the product or service described at any time, without notice or obligation. These materials do not constitute a representation, warranty or documentation regarding the product or service featured. Illustrations are provided for informational purposes, and your configuration may differ. This information does not constitute legal, financial, coding, or regulatory advice in connection with your use of the product or service. Please consult your professional advisors for any such advice. GE, Predix and the GE Monogram are trademarks of General Electric Company. ©2016 General Electric Company – All rights reserved.