content and gte updates for 201.4

docker · Jun 1, 2019 · b2a62bf · b2a62bf
1 parent 15eadaa
commit b2a62bf
Showing 11 changed files with 91 additions and 75 deletions.
diff --git a/docs/201/201.4.rst b/docs/201/201.4.rst
@@ -1,17 +1,15 @@
-
-===================================
-GTE 201.4 ACM2 eduPersonEntitlement
-===================================
+===================================================
+201.4 Access Control Model 2 eduPersonEntitlement
+===================================================
 
 -------------------
 Learning Objectives
 -------------------
 
 * Understand ACM2 model and how to implement attribute based access control
 * Implement grouper security model
-* Configure PSPNG to convert membership to **eduPersonEntitlement** values in LDAP
-* Configure Shibboleth to release specific **eduPersonEntitlement** values to SP
-
+* Configure PSPNG to provision **eduPersonEntitlement** values
+* Configure Shibboleth to release **eduPersonEntitlement** values
 
 --------------
 Lab Components
@@ -23,82 +21,89 @@ Lab Components
 * `Grouper Deployment Guide`_
 * `eduPerson Object Class Specification`_ 
 
-
 --------
 Overview
 --------
 
-`Grouper Deployment Guide`_ access control model 2 is all about subject attribute
-based access control.  ACM2 is applicable across a broad range of services where
-access control policy can be based on subject attributes, the policy decision can
-be precomputed, and simple subject attributes are sufficient to drive the enforcement
-point.
+`Grouper Deployment Guide`_ access control model 2 (ACM2) is all about
+attribute based access control (ABAC) as defined in `NIST SP 800-162`_.  ACM2 is
+applicable across a broad range of services where access control policy can be
+based on subject attributes, policy decisions can be precomputed, and simple
+subject attributes are sufficient to drive the policy enforcement point.
 
-""""
-ACM2
-""""
+In cases where the SAML Service Provider will accept an
+**eduPersonEntitlement** value for enforcing access control, implementing ACM2
+can be distilled to these basic steps:
 
-Implementing ACM2 can be distilled to these basic steps:
+#. Convert the natural language policy into reference and policy groups
+#. Provision policy group membership to OpenLDAP via PSPNG
+#. Release SP-specfiic **eduPersonEntitlement** values via Shibboleth
 
-#. Convert natural language policy to reference groups and policy groups
-#. Provisioning to LDAP-- Grouper group |rightarrow| LDAP attribute via PSPNG
-#. Release **eduPersonEntitlement** value in SAML authentication response
+---------------------------------------------------
+Exercise 201.4.1 Create policy for wiki application
+---------------------------------------------------
 
+#. Navigate to the  `app` folder.
+#. Create a new `wiki` application using the Application Template
+   (More actions -> New template)
 
-----------------
-Exercise 201.4.1
-----------------
+.. figure:: ../figures/201-wiki-app.png
 
-*Create policy for wiki application*
+[ use new policy template to create wiki_user]
+`app:wiki:service:policy:wiki_authorized|allow|deny`.
+Edit composite `wiki_authorized` to make it `wiki_allow` minus `wiki_deny`.
 
-#. Create folder `app:wiki`.
-#. Create policy groups `app:wiki:service:policy:wiki_authorized|allow|deny`.
-#. Edit composite `wiki_authorized` to make it `wiki_allow` minus `wiki_deny`.
+---------------------------------------------------
+Exercise 201.4.2 Review application security groups
+---------------------------------------------------
 
-----------------
-Exercise 201.4.2
-----------------
+`app:wiki:security`
 
-*Create security group*
+.. figure:: ../figures/201-wiki-security.png
 
-#. Create folder `app:wiki:security`.
-#. Create security group `app:wiki:security:wiki_admin`.
-#. Add **ADMIN** privileges to `wiki_admin` for `app:wiki:service`, and inherit
-   to all child objects (folders, groups, and attributes).
+-----------------------------------------------
+Exercise 201.4.3 Add reference groups to policy
+-----------------------------------------------
 
-----------------
-Exercise 201.4.3
-----------------
-
-*Add reference groups to policy*
+`wiki_user` is an application-secific role. Subjects in this role have general
+access to the wiki. The natural language policy is, "All students have access
+to the student wiki, unless they are in the global deny group".
 
 #. Add `ref:student:students` to `app:wiki:service:policy:wiki_allow`.
 #. Add `ref:iam:global_deny` to `app:wiki:service:policy:wiki_deny`.
+#. Review policy defintion (wiki_user -> More -> Visualization)
 
-----------------
-Exercise 201.4.4
-----------------
+.. figure:: ../figures/201-wiki-policy.png
 
-*Configure PSPNG to reflect policy to eduPersonEntitlement in LDAP*
+-------------------------------------------------------------------------------
+Exercise 201.4.4 Configure PSPNG to provision wiki_user to eduPersonEntitlement
+-------------------------------------------------------------------------------
 
-#. Assign PSPNG attribute, **provision_to**  to `wiki_authorized` with a value
+#. Assign PSPNG attribute, **provision_to**  to `wiki_user` with a value
    of *pspng_entitlements*.
-#. Configure PSPNG to convert membership to ePE value of http://sp.example.org/wiki
+
+.. figure:: ../figures/201-wiki-user-pspng.png
+
+2. Configure PSPNG to convert membership to ePE value of http://sp.example.org/wiki
    and review in LDAP.  The relevent configuration is below:
 
    .. literalinclude:: examples/201-4-4.pspng-epe.grouper-loader.properties
         :language: properties
         :caption: grouper-loader.properties
         :linenos:
 
-----------------
-Exercise 201.4.5
-----------------
+2. Run CHANGE_LOG_consumer_pspng_entitlements
+   (Miscellaneous -> All daemon jobs -> Job actions -> Run job now)
+
+.. figure:: ../figures/201-pspng-entitlements-run-job.png
 
-*Configure Shib to release ePE value for our SP*
+---------------------------------------------------------------
+Exercise 201.4.5 Configure Shib to release ePE value for our SP
+---------------------------------------------------------------
 
-The demo shibboleth IdP has been configured to release the ePE attribute to
-the demo SP.  The relevant configuration is below:
+The demo Shibboleth IdP has been configured to release the
+**eduPersonEntitlement** attribute to the demo SP. The relevant configuration
+is below:
 
 .. literalinclude:: examples/201-4-5.attribute-filter.xml
     :language: xml
@@ -107,21 +112,21 @@ the demo SP.  The relevant configuration is below:
     :emphasize-lines: 17
     :linenos:
 
-----------------
-Exercise 201.4.6
-----------------
+1. Open a new browser to https://localhost:8443/app
+2. Log in with username `aclark706` and password `password`
+3. Check eduPersonEntitlement value
 
-*(Thought exercise!) Create accounts at target SP*
+.. figure:: ../figures/201-ePE-value.png
 
-Use policy groups to create/manage accounts at target SP.
+----------------------------------------------------------------
+Exercise 201.4.6 Thought exercise! Create accounts at target SP?
+----------------------------------------------------------------
+Can we use policy groups to create/manage accounts at target SP?
 
 * Native grouper SP specific provisioning components
-* RabbitMQ based provisioning / deprovisioning
+* RabbitMQ based provisioning
 * midPoint
 
-
-
-.. |rightarrow| unicode:: U+2192
-
 .. _eduPerson Object Class Specification: http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html
 .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program
+.. _NIST SP 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final
diff --git a/docs/201/examples/201-4-4.pspng-epe.grouper-loader.properties b/docs/201/examples/201-4-4.pspng-epe.grouper-loader.properties
@@ -3,7 +3,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
 changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
 changeLog.consumer.pspng_entitlements.ldapPoolName = demo
 changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
-changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:wiki:service:policy:wiki_authorized') ? 'http://sp.example.org/wiki' : 'urn:mace:example.edu:' + group.extension}
+changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:wiki:service:policy:wiki_user') ? 'http://sp.example.org/wiki' : 'urn:mace:example.edu:' + group.extension}
 changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
diff --git a/docs/figures/201-ePE-value.png b/docs/figures/201-ePE-value.png
diff --git a/docs/figures/201-pspng-entitlements-run-job.png b/docs/figures/201-pspng-entitlements-run-job.png
diff --git a/docs/figures/201-wiki-app.png b/docs/figures/201-wiki-app.png
diff --git a/docs/figures/201-wiki-policy.png b/docs/figures/201-wiki-policy.png
diff --git a/docs/figures/201-wiki-security.png b/docs/figures/201-wiki-security.png
diff --git a/docs/figures/201-wiki-user-pspng.png b/docs/figures/201-wiki-user-pspng.png
diff --git a/ex201/ex201.1.1/container_files/grouper-loader.properties b/ex201/ex201.1.1/container_files/grouper-loader.properties
@@ -87,7 +87,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
 changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
 changeLog.consumer.pspng_entitlements.ldapPoolName = demo
 changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
-changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:wiki:service:policy:wiki_authorized') ? 'http://sp.example.org/wiki' : 'urn:mace:example.edu:' + group.extension}
+changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:wiki:service:policy:wiki_user') ? 'http://sp.example.org/wiki' : 'urn:mace:example.edu:' + group.extension}
 changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
diff --git a/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh
@@ -1,2 +1,13 @@
 gs = GrouperSession.startRootSession()
+delStem("201.3.end")
+addRootStem("201.4.1", "201.4.1")
 
+global_deny = addGroup("ref:iam", "global_deny", "global_deny");
+AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true);
+AttributeAssign attributeAssign = global_deny.getAttributeDelegate().hasAttribute(typeMarker) ? global_deny.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : global_deny.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
+"Identity and Access Management");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
+"Global deny group");
diff --git a/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh
@@ -1,29 +1,29 @@
 gs = GrouperSession.startRootSession()
+delStem("201.4.1")
+addRootStem("201.4.end", "201.4.end")
 
 //ex201.4.1
 addStem("app", "wiki", "wiki");
 addStem("app:wiki", "service", "service");
 addStem("app:wiki:service", "policy", "policy");
 
-addGroup("app:wiki:service:policy", "wiki_authorized", "wiki_authorized");
-addGroup("app:wiki:service:policy", "wiki_authorized_allow", "wiki_authorized_allow");
-addGroup("app:wiki:service:policy", "wiki_authorized_deny",  "wiki_authorized_deny");
-addComposite("app:wiki:service:policy:wiki_authorized", CompositeType.COMPLEMENT, "app:wiki:service:policy:wiki_authorized_allow", "app:wiki:service:policy:wiki_authorized_deny");
+addGroup("app:wiki:service:policy", "wiki_user", "wiki_user");
+addGroup("app:wiki:service:policy", "wiki_user_allow", "wiki_user_allow");
+addGroup("app:wiki:service:policy", "wiki_user_deny",  "wiki_user_deny");
+addComposite("app:wiki:service:policy:wiki_user", CompositeType.COMPLEMENT, "app:wiki:service:policy:wiki_user_allow", "app:wiki:service:policy:wiki_user_deny");
 
 //ex201.4.2
 addStem("app:wiki", "security", "security");
-addGroup("app:wiki:security", "wiki_admin", "wiki_admin");
-grantPriv("app:wiki:service", "app:wiki:security:wiki_admin", NamingPrivilege.STEM)
+addGroup("app:wiki:security", "wikiAdmins", "wikiAdmins");
+grantPriv("app:wiki:service", "app:wiki:security:wikiAdmins", NamingPrivilege.STEM)
 
 //ex201.4.3
-addMember("app:wiki:service:policy:wiki_authorized_allow", "ref:student:students");
-addGroup("ref:iam", "global_deny", "global_deny");
-addMember("app:wiki:service:policy:wiki_authorized_deny", "ref:iam:global_deny");
+addMember("app:wiki:service:policy:wiki_user_allow", "ref:student:students");
+addMember("app:wiki:service:policy:wiki_user_deny", "ref:iam:global_deny");
 
 //ex201.4.4
-
 //Assign the PSPNG attribute for the standard groups
-group = GroupFinder.findByName(gs, "app:wiki:service:policy:wiki_authorized");
+group = GroupFinder.findByName(gs, "app:wiki:service:policy:wiki_user");
 
 # Auto create the PSPNG attributes
 edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_entitlements");