diff --git a/docs/201/201.1.rst b/docs/201/201.1.rst index 371268b..d7a207d 100644 --- a/docs/201/201.1.rst +++ b/docs/201/201.1.rst @@ -1,5 +1,5 @@ ================================== -Basis and Reference Groups (201.1) +201.1 Basis and Reference Groups ================================== ------------------- diff --git a/docs/201/201.2.rst b/docs/201/201.2.rst index b37debd..e3d027b 100644 --- a/docs/201/201.2.rst +++ b/docs/201/201.2.rst @@ -1,5 +1,5 @@ ============================ -Access Policy Groups (201.2) +201.2 Access Policy Groups ============================ ------------------- diff --git a/docs/201/201.3.rst b/docs/201/201.3.rst index 2c96a26..9165f65 100644 --- a/docs/201/201.3.rst +++ b/docs/201/201.3.rst @@ -1,7 +1,6 @@ - -======================================================= -Access Control Model 1 eduPersonAffiliation (GTE 201.3) -======================================================= +================================================= +201.3 Access Control Model 1 eduPersonAffiliation +================================================= ------------------- Learning Objectives diff --git a/docs/201/201.4.rst b/docs/201/201.4.rst index 2b96bac..18bf290 100644 --- a/docs/201/201.4.rst +++ b/docs/201/201.4.rst @@ -1,7 +1,6 @@ - -=================================== -GTE 201.4 ACM2 eduPersonEntitlement -=================================== +=================================================== +201.4 Access Control Model 2 eduPersonEntitlement +=================================================== ------------------- Learning Objectives 
@@ -9,9 +8,8 @@ Learning Objectives * Understand ACM2 model and how to implement attribute based access control * Implement grouper security model -* Configure PSPNG to convert membership to **eduPersonEntitlement** values in LDAP -* Configure Shibboleth to release specific **eduPersonEntitlement** values to SP - +* Configure PSPNG to provision **eduPersonEntitlement** values +* Configure Shibboleth to release **eduPersonEntitlement** values -------------- Lab Components 
@@ -23,67 +21,70 @@ Lab Components * `Grouper Deployment Guide`_ * `eduPerson Object Class Specification`_ - -------- Overview -------- -`Grouper Deployment Guide`_ access control model 2 is all about subject attribute -based access control. ACM2 is applicable across a broad range of services where -access control policy can be based on subject attributes, the policy decision can -be precomputed, and simple subject attributes are sufficient to drive the enforcement -point. +`Grouper Deployment Guide`_ access control model 2 (ACM2) is all about +attribute based access control (ABAC) as defined in `NIST SP 800-162`_. ACM2 is +applicable across a broad range of services where access control policy can be +based on subject attributes, policy decisions can be precomputed, and simple +subject attributes are sufficient to drive the policy enforcement point. -"""" -ACM2 -"""" +In cases where the SAML Service Provider will accept an +**eduPersonEntitlement** value for enforcing access control, implementing ACM2 +can be distilled to these basic steps: -Implementing ACM2 can be distilled to these basic steps: +#. Convert the natural language policy into reference and policy groups +#. Provision policy group membership to OpenLDAP via PSPNG +#. Release SP-specfiic **eduPersonEntitlement** values via Shibboleth -#. Convert natural language policy to reference groups and policy groups -#. Provisioning to LDAP-- Grouper group |rightarrow| LDAP attribute via PSPNG -#. Release **eduPersonEntitlement** value in SAML authentication response +--------------------------------------------------- +Exercise 201.4.1 Create policy for wiki application +--------------------------------------------------- +#. Navigate to the `app` folder. +#. Create a new `wiki` application using the Application Template + (More actions -> New template) ----------------- -Exercise 201.4.1 ----------------- +.. 
figure:: ../figures/201-wiki-app.png -*Create policy for wiki application* +[ use new policy template to create wiki_user] +`app:wiki:service:policy:wiki_authorized|allow|deny`. +Edit composite `wiki_authorized` to make it `wiki_allow` minus `wiki_deny`. -#. Create folder `app:wiki`. -#. Create policy groups `app:wiki:service:policy:wiki_authorized|allow|deny`. -#. Edit composite `wiki_authorized` to make it `wiki_allow` minus `wiki_deny`. +--------------------------------------------------- +Exercise 201.4.2 Review application security groups +--------------------------------------------------- ----------------- -Exercise 201.4.2 ----------------- +`app:wiki:security` -*Create security group* +.. figure:: ../figures/201-wiki-security.png -#. Create folder `app:wiki:security`. -#. Create security group `app:wiki:security:wiki_admin`. -#. Add **ADMIN** privileges to `wiki_admin` for `app:wiki:service`, and inherit - to all child objects (folders, groups, and attributes). +----------------------------------------------- +Exercise 201.4.3 Add reference groups to policy +----------------------------------------------- ----------------- -Exercise 201.4.3 ----------------- - -*Add reference groups to policy* +`wiki_user` is an application-secific role. Subjects in this role have general +access to the wiki. The natural language policy is, "All students have access +to the student wiki, unless they are in the global deny group". #. Add `ref:student:students` to `app:wiki:service:policy:wiki_allow`. #. Add `ref:iam:global_deny` to `app:wiki:service:policy:wiki_deny`. +#. Review policy defintion (wiki_user -> More -> Visualization) ----------------- -Exercise 201.4.4 ----------------- +.. 
figure:: ../figures/201-wiki-policy.png -*Configure PSPNG to reflect policy to eduPersonEntitlement in LDAP* +------------------------------------------------------------------------------- +Exercise 201.4.4 Configure PSPNG to provision wiki_user to eduPersonEntitlement +------------------------------------------------------------------------------- -#. Assign PSPNG attribute, **provision_to** to `wiki_authorized` with a value +#. Assign PSPNG attribute, **provision_to** to `wiki_user` with a value of *pspng_entitlements*. -#. Configure PSPNG to convert membership to ePE value of http://sp.example.org/wiki + +.. figure:: ../figures/201-wiki-user-pspng.png + +2. Configure PSPNG to convert membership to ePE value of http://sp.example.org/wiki and review in LDAP. The relevent configuration is below: .. literalinclude:: examples/201-4-4.pspng-epe.grouper-loader.properties @@ -91,14 +92,18 @@ Exercise 201.4.4 :caption: grouper-loader.properties :linenos: ----------------- -Exercise 201.4.5 ----------------- +2. Run CHANGE_LOG_consumer_pspng_entitlements + (Miscellaneous -> All daemon jobs -> Job actions -> Run job now) + +.. figure:: ../figures/201-pspng-entitlements-run-job.png -*Configure Shib to release ePE value for our SP* +--------------------------------------------------------------- +Exercise 201.4.5 Configure Shib to release ePE value for our SP +--------------------------------------------------------------- -The demo shibboleth IdP has been configured to release the ePE attribute to -the demo SP. The relevant configuration is below: +The demo Shibboleth IdP has been configured to release the +**eduPersonEntitlement** attribute to the demo SP. The relevant configuration +is below: .. literalinclude:: examples/201-4-5.attribute-filter.xml :language: xml 
@@ -107,21 +112,21 @@ the demo SP. The relevant configuration is below: :emphasize-lines: 17 :linenos: ----------------- -Exercise 201.4.6 ----------------- +1. Open a new browser to https://localhost:8443/app +2. Log in with username `aclark706` and password `password` +3. Check eduPersonEntitlement value -*(Thought exercise!) Create accounts at target SP* +.. figure:: ../figures/201-ePE-value.png -Use policy groups to create/manage accounts at target SP. +---------------------------------------------------------------- +Exercise 201.4.6 Thought exercise! Create accounts at target SP? +---------------------------------------------------------------- +Can we use policy groups to create/manage accounts at target SP? * Native grouper SP specific provisioning components -* RabbitMQ based provisioning / deprovisioning +* RabbitMQ based provisioning * midPoint - - -.. |rightarrow| unicode:: U+2192 - .. _eduPerson Object Class Specification: http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html .. _Grouper Deployment Guide: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide+Work+-TIER+Program +.. _NIST SP 800-162: https://csrc.nist.gov/publications/detail/sp/800-162/final diff --git a/docs/201/201.5.rst b/docs/201/201.5.rst index d228427..993c642 100644 --- a/docs/201/201.5.rst +++ b/docs/201/201.5.rst @@ -1,7 +1,6 @@ - -====================================== -GTE 201.5 ACM3 Subject to Role Mapping -====================================== +==================================================== +201.5 Access Control Model 3 Subject to Role Mapping +==================================================== ------------------- Learning Objectives diff --git a/docs/201/examples/201-4-4.pspng-epe.grouper-loader.properties b/docs/201/examples/201-4-4.pspng-epe.grouper-loader.properties index 7c5ef95..67a2b3e 100644 --- a/docs/201/examples/201-4-4.pspng-epe.grouper-loader.properties 
+++ b/docs/201/examples/201-4-4.pspng-epe.grouper-loader.properties
@@ -3,7 +3,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
 changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
 changeLog.consumer.pspng_entitlements.ldapPoolName = demo
 changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
-changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:wiki:service:policy:wiki_authorized') ? 'http://sp.example.org/wiki' : 'urn:mace:example.edu:' + group.extension}
+changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:wiki:service:policy:wiki_user') ? 'http://sp.example.org/wiki' : 'urn:mace:example.edu:' + group.extension}
 changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
diff --git a/docs/figures/201-ePE-value.png b/docs/figures/201-ePE-value.png
new file mode 100644
index 0000000..487d428
Binary files /dev/null and b/docs/figures/201-ePE-value.png differ
diff --git a/docs/figures/201-pspng-entitlements-run-job.png b/docs/figures/201-pspng-entitlements-run-job.png
new file mode 100644
index 0000000..84ce524
Binary files /dev/null and b/docs/figures/201-pspng-entitlements-run-job.png differ
diff --git a/docs/figures/201-wiki-app.png b/docs/figures/201-wiki-app.png
new file mode 100644
index 0000000..7b32199
Binary files /dev/null and b/docs/figures/201-wiki-app.png differ
diff --git a/docs/figures/201-wiki-policy.png b/docs/figures/201-wiki-policy.png
new file mode 100644
index 0000000..43d81ee
Binary files /dev/null and b/docs/figures/201-wiki-policy.png differ
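Review bot: The fallback branch of the changed `provisionedAttributeValueFormat` line derives the entitlement from `group.extension` alone, so two groups in different stems that happen to share an extension are provisioned as the same `urn:mace:example.edu:<extension>` value, and a relying party keyed on that value cannot tell their members apart. Building the fallback from the full path, `'urn:mace:example.edu:' + group.name`, keeps values unique per group; if the colon-separated form is unwelcome in the entitlement, a documented transformation of `group.name` is still preferable to the bare extension. The same line is duplicated in ex201/ex201.1.1/container_files/grouper-loader.properties in this commit, and since docs/201/201.4.rst pulls this file in with literalinclude, pointing that directive at the container file would avoid keeping two copies in step.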
diff --git a/docs/figures/201-wiki-security.png b/docs/figures/201-wiki-security.png
new file mode 100644
index 0000000..eb4535d
Binary files /dev/null and b/docs/figures/201-wiki-security.png differ
diff --git a/docs/figures/201-wiki-user-pspng.png b/docs/figures/201-wiki-user-pspng.png
new file mode 100644
index 0000000..d53a481
Binary files /dev/null and b/docs/figures/201-wiki-user-pspng.png differ
diff --git a/ex201/ex201.1.1/container_files/grouper-loader.properties b/ex201/ex201.1.1/container_files/grouper-loader.properties
index 73c70d5..8b937f5 100644
--- a/ex201/ex201.1.1/container_files/grouper-loader.properties
+++ b/ex201/ex201.1.1/container_files/grouper-loader.properties
@@ -87,7 +87,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
 changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
 changeLog.consumer.pspng_entitlements.ldapPoolName = demo
 changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
-changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:wiki:service:policy:wiki_authorized') ? 'http://sp.example.org/wiki' : 'urn:mace:example.edu:' + group.extension}
+changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:wiki:service:policy:wiki_user') ? 'http://sp.example.org/wiki' : 'urn:mace:example.edu:' + group.extension}
 changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
diff --git a/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh b/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh
index 63f8ffd..1d2a9ac 100644
--- a/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh
+++ b/ex201/ex201.4.1/container_files/seed-data/bootstrap.gsh
@@ -1,2 +1,13 @@
 gs = GrouperSession.startRootSession()
+delStem("201.3.end")
+addRootStem("201.4.1", "201.4.1")
+global_deny = addGroup("ref:iam", "global_deny", "global_deny");
+AttributeDefName typeMarker = AttributeDefNameFinder.findByName("etc:objectTypes:grouperObjectTypeMarker", true);
+AttributeAssign attributeAssign = global_deny.getAttributeDelegate().hasAttribute(typeMarker) ? global_deny.getAttributeDelegate().retrieveAssignments(typeMarker).iterator().next() : global_deny.getAttributeDelegate().addAttribute(typeMarker).getAttributeAssign();
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDirectAssignment", "true");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeName", "ref");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeDataOwner",
+"Identity and Access Management");
+attributeAssign.getAttributeValueDelegate().assignValue("etc:objectTypes:grouperObjectTypeMembersDescription",
+"Global deny group");
\ No newline at end of file
diff --git a/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh b/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh
index c713f52..8135772 100644
--- a/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh
+++ b/ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh
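Review bot: `global_deny = addGroup("ref:iam", "global_deny", "global_deny");` on the fourth added line is not guarded against the group already existing, while the attribute assignment directly below it is written to be re-runnable (the `hasAttribute` ternary); run twice, or against a database that already holds `ref:iam:global_deny`, the seed presumably fails at `addGroup` before any of the object-type values are set. Looking the group up first and calling `addGroup` only when the lookup returns nothing would make the whole block idempotent. The file also now ends without a trailing newline (`\ No newline at end of file`). Since this group is the deny input for `app:wiki:service:policy:wiki_user_deny` created in ex201/ex201.4.end/container_files/seed-data/bootstrap.gsh, a one-line comment such as `// ref:iam:global_deny is a security-relevant input to policy deny groups; restrict UPDATE on it to IAM` would tell later readers why its privileges matter, as the seed sets no privileges on it.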
@@ -1,29 +1,29 @@ gs = GrouperSession.startRootSession() +delStem("201.4.1") +addRootStem("201.4.end", "201.4.end") //ex201.4.1 addStem("app", "wiki", "wiki"); addStem("app:wiki", "service", "service"); addStem("app:wiki:service", "policy", "policy"); -addGroup("app:wiki:service:policy", "wiki_authorized", "wiki_authorized"); -addGroup("app:wiki:service:policy", "wiki_authorized_allow", "wiki_authorized_allow"); -addGroup("app:wiki:service:policy", "wiki_authorized_deny", "wiki_authorized_deny"); -addComposite("app:wiki:service:policy:wiki_authorized", CompositeType.COMPLEMENT, "app:wiki:service:policy:wiki_authorized_allow", "app:wiki:service:policy:wiki_authorized_deny"); +addGroup("app:wiki:service:policy", "wiki_user", "wiki_user"); +addGroup("app:wiki:service:policy", "wiki_user_allow", "wiki_user_allow"); +addGroup("app:wiki:service:policy", "wiki_user_deny", "wiki_user_deny"); +addComposite("app:wiki:service:policy:wiki_user", CompositeType.COMPLEMENT, "app:wiki:service:policy:wiki_user_allow", "app:wiki:service:policy:wiki_user_deny"); //ex201.4.2 addStem("app:wiki", "security", "security"); -addGroup("app:wiki:security", "wiki_admin", "wiki_admin"); -grantPriv("app:wiki:service", "app:wiki:security:wiki_admin", NamingPrivilege.STEM) +addGroup("app:wiki:security", "wikiAdmins", "wikiAdmins"); +grantPriv("app:wiki:service", "app:wiki:security:wikiAdmins", NamingPrivilege.STEM) //ex201.4.3 -addMember("app:wiki:service:policy:wiki_authorized_allow", "ref:student:students"); -addGroup("ref:iam", "global_deny", "global_deny"); -addMember("app:wiki:service:policy:wiki_authorized_deny", "ref:iam:global_deny"); +addMember("app:wiki:service:policy:wiki_user_allow", "ref:student:students"); +addMember("app:wiki:service:policy:wiki_user_deny", "ref:iam:global_deny"); //ex201.4.4 - //Assign the PSPNG attribute for the standard groups -group = GroupFinder.findByName(gs, "app:wiki:service:policy:wiki_authorized"); +group = GroupFinder.findByName(gs, 
"app:wiki:service:policy:wiki_user"); # Auto create the PSPNG attributes edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_entitlements");