LISA '09 Federated access control and workflow enforcement in systems configuration



SLIDE 1

LISA ’09 Federated access control and workflow enforcement in systems configuration

Bart Vanbrabant, Thomas Delaet and Wouter Joosen

DistriNet, Dept. of Computer Science, K.U.Leuven, Belgium

November 6, 2009

1 / 40

SLIDE 2

Outline

Systems configuration
    Context
    Problems
Our solution: ACHEL
    Access control and workflow
    Generating meaningful changes
    Prototype
Evaluation
    Case 1
    Case 2
Conclusion

2 / 40

SLIDE 4

System configuration tools

4 / 40

SLIDE 5

System configuration tools

5 / 40

SLIDE 6

System configuration tools

6 / 40

SLIDE 7

System configuration tools

7 / 40

SLIDE 8

System configuration tools

Malicious configuration

8 / 40

SLIDE 9

System configuration tools

9 / 40

SLIDE 10

State of practice in access control

lib/
    net/
        dhcp.cf
        routing.cf
    web/
        cluster.cf
        ...
    mail/
        ...
    file/
        ...
hosts/
    verdana.cs.kuleuven.be.cf
    clio.cs.kuleuven.be.cf
    ...

Access control rules

[@netadmins]
lib = r
hosts = r
lib/net = rw

[@senior]
= rw

[@mail]
lib/mail = rw
lib/file = rw

[userA]
hosts/verdana.cs.kuleuven.be.cf = rw

10 / 40

SLIDE 11

State of practice in access control

UserA cannot be trusted

hosts/verdana.cs.kuleuven.be.cf
Some global network configuration!

11 / 40

SLIDE 12

Workflow

Dev repository -> Q&A repository -> Production repository

Updates approved by security officer

12 / 40

SLIDE 13

Federated infrastructures

Central Repository
    Site 1 Repository
    Site 2 Repository
    Site 3 Repository
    Site 4 Repository

13 / 40

SLIDE 15

What is ACHEL?

ACHEL manages access to repositories of configuration specifications by implementing access control and enforcing workflows.

  • fine-grained access control that interprets the semantics of changes
  • access control applied at the abstraction level of the configuration specification
  • support for workflow in federated infrastructures
  • a (configuration) language agnostic solution

15 / 40

SLIDE 16

Update 1: an allowed change

16 / 40

SLIDE 17

Update 1: an allowed change

Current specification for managing the motd file written by Bart:

motd_file = File()
motd_file.name = "/etc/motd"
motd_file.content = "Welcome to $hostname"
motd_file.owner = "root"
motd_file.group = "root"
motd_file.perm = "0644"

17 / 40

SLIDE 18

Update 1: an allowed change

Thomas changes the content of the motd file:

motd_file = File()
motd_file.name = "/etc/motd"
motd_file.content = template("motd.tmpl")
motd_file.owner = "root"
motd_file.group = "root"
motd_file.perm = "0644"

18 / 40

SLIDE 19

Update 1: an allowed change

Access control policy

# list of admins
define admins as bart.vanbrabant@cs.kuleuven.be, wouter.joosen@cs.kuleuven.be

# allow admins to create the motd
allow admins to:
    * assign File() to motd_file
    * assign "/etc/motd" to motd_file.name

# allow everyone to manage the motd
allow to:
    * assign * to motd_file.content

# demand approval by an admin to change
# the permissions (all other attributes)
allow to:
    /(add|modify)/ assign * to motd_file.* authorised by 1 admins

update {
    action    => modify
    operation => assign
    lhs       => motd_file.content
    rhs       => template("motd.tmpl")
    old_rhs   => "Welcome to $hostname"
    owner     => bart.vanbrabant@cs.kuleuven.be
    author    => thomas.delaet@cs.kuleuven.be
}

19 / 40

SLIDE 20

Update 1: an allowed change

Output from our prototype for the motd example:

Rev 1 has 6 changes and 0 signatures

allowed bart.vanbrabant@cs.kuleuven.be to add assign "/etc/motd" to motd_file.name
allowed bart.vanbrabant@cs.kuleuven.be to add assign "Welcome at $hostname" to motd_file.content
allowed bart.vanbrabant@cs.kuleuven.be to add assign "root" to motd_file.group
allowed bart.vanbrabant@cs.kuleuven.be to add assign File() to motd_file
allowed bart.vanbrabant@cs.kuleuven.be to add assign "root" to motd_file.owner
allowed bart.vanbrabant@cs.kuleuven.be to add assign "0644" to motd_file.perm

Rev 2 has 1 changes and 0 signatures

allowed thomas.delaet@cs.kuleuven.be to modify assign template("motd.tmpl") to motd_file.content

20 / 40

SLIDE 21

Update 1: an allowed change

21 / 40

SLIDE 22

Update 2: a change requiring authorisation

22 / 40

SLIDE 23

Update 2: a change requiring authorisation

Thomas changes the permissions of the motd file:

motd_file = File()
motd_file.name = "/etc/motd"
motd_file.content = template("motd.tmpl")
motd_file.owner = "root"
motd_file.group = "wheel"
motd_file.perm = "0644"

23 / 40

SLIDE 24

Update 2: a change requiring authorisation

Access control policy

# list of admins
define admins as bart.vanbrabant@cs.kuleuven.be, wouter.joosen@cs.kuleuven.be

# allow admins to create the motd
allow admins to:
    * assign File() to motd_file
    * assign "/etc/motd" to motd_file.name

# allow everyone to manage the motd
allow to:
    * assign * to motd_file.content

# demand approval by an admin to change
# the permissions (all other attributes)
allow to:
    /(add|modify)/ assign * to motd_file.* authorised by 1 admins

update {
    action    => modify
    operation => assign
    lhs       => motd_file.group
    rhs       => "wheel"
    old_rhs   => "root"
    owner     => bart.vanbrabant@cs.kuleuven.be
    author    => thomas.delaet@cs.kuleuven.be
}

24 / 40

SLIDE 25

Update 2: a change requiring authorisation

Output from our prototype for the motd example:

Rev 1 has 6 changes and 0 signatures

allowed bart.vanbrabant@cs.kuleuven.be to add assign "/etc/motd" to motd_file.name
allowed bart.vanbrabant@cs.kuleuven.be to add assign "Welcome at $hostname" to motd_file.content
allowed bart.vanbrabant@cs.kuleuven.be to add assign "root" to motd_file.group
allowed bart.vanbrabant@cs.kuleuven.be to add assign File() to motd_file
allowed bart.vanbrabant@cs.kuleuven.be to add assign "root" to motd_file.owner
allowed bart.vanbrabant@cs.kuleuven.be to add assign "0644" to motd_file.perm

Rev 2 has 1 changes and 0 signatures

allowed thomas.delaet@cs.kuleuven.be to modify assign template("motd.tmpl") to motd_file.content

Rev 3 has 1 changes and 0 signatures

authorisation (1) required for thomas.delaet@cs.kuleuven.be to modify assign "wheel" to motd_file.group owned by bart.vanbrabant@cs.kuleuven.be

25 / 40

SLIDE 26

Update 2: a change requiring authorisation

26 / 40

SLIDE 27

Generating meaningful changes

27 / 40

SLIDE 28

Generating meaningful changes

added = { 24 }
modified = { 13 -> 22 }
deleted = { 12, 15 }

[Figure: the config file from the version repository and the new config file revision are each compiled to an abstract syntax tree; tree matching and edit script generation then follow.]

Algorithm based on:

  • Meaningful change detection in structured data. Chawathe and Garcia-Molina, 1997
  • Change Distilling: Tree Differencing for Fine-Grained Source Code Change Extraction. Fluri, Wuersch, Pinzger and Gall, 2007

28 / 40
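As an added example (not the ACHEL prototype's code), the following Python derives update records of the kind shown on slides 19 and 24 from two revisions of the flat specification language of slides 17, 18 and 23. It matches statements by their left-hand side instead of by tree matching, a simplification that holds because each lhs is assigned once; the revision texts, the owner map and the field names are constructed here.

```python
import re

# Added example, not the ACHEL prototype: derives slide 19/24-style update records from two
# revisions of the flat configuration language of slides 17, 18 and 23. Statements are matched
# by their lhs, a simplification of the tree matching of slide 28 (each lhs is assigned once).
ASSIGN = re.compile(r"^\s*([\w.]+)\s*=\s*(.+?)\s*$")

def parse(spec):
    """Map the lhs of every assignment statement to its rhs text."""
    return {m.group(1): m.group(2) for m in map(ASSIGN.match, spec.splitlines()) if m}

def edit_script(old, new):
    """Like slide 28's added/modified/deleted sets, keyed by lhs instead of node number."""
    o, n = parse(old), parse(new)
    return {"added": sorted(set(n) - set(o)),
            "modified": {k: (o[k], n[k]) for k in sorted(set(o) & set(n)) if o[k] != n[k]},
            "deleted": sorted(set(o) - set(n))}

def updates(old, new, author, owners):
    """One update record per edit; `owners` maps lhs -> author of the revision that last set it."""
    o, n, es = parse(old), parse(new), edit_script(old, new)
    recs = [dict(action="add", operation="assign", lhs=k, rhs=n[k], owner=author, author=author)
            for k in es["added"]]
    recs += [dict(action="modify", operation="assign", lhs=k, rhs=new_rhs, old_rhs=old_rhs,
                  owner=owners[k], author=author) for k, (old_rhs, new_rhs) in es["modified"].items()]
    recs += [dict(action="delete", operation="assign", lhs=k, rhs=o[k], owner=owners[k], author=author)
             for k in es["deleted"]]
    return recs

BART, THOMAS = "bart.vanbrabant@cs.kuleuven.be", "thomas.delaet@cs.kuleuven.be"
REV1 = """motd_file = File()
motd_file.name = "/etc/motd"
motd_file.content = "Welcome to $hostname"
motd_file.owner = "root"
motd_file.group = "root"
motd_file.perm = "0644"
"""                                                                          # slide 17, by Bart
REV2 = REV1.replace('"Welcome to $hostname"', 'template("motd.tmpl")')       # slide 18, by Thomas
REV3 = REV2.replace('motd_file.group = "root"', 'motd_file.group = "wheel"')  # slide 23, by Thomas
OWNERS = dict.fromkeys(parse(REV1), BART)  # constructed: every statement of REV1 is owned by Bart

if __name__ == "__main__":
    for rec in updates(REV2, REV3, THOMAS, OWNERS):
        print(rec)
```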

SLIDE 30

Prototype

Prototype in Python

  • built on Mercurial
  • simple configuration language and BCFG2 for deployment
  • PGP for signatures and authentication
  • access control language using regular expressions for pattern matching

30 / 40

SLIDE 32

Case 1: access control and simple workflow

  • Small infrastructure
  • Team with junior and senior sysadmins
  • Enforce responsibilities
  • Enforce coding guidelines
  • Manage network configuration

32 / 40

SLIDE 33

Case 1: access rules

# enforce some conventions on everyone
deny to:
    * assign File() to /^[^_]+_(?!file_)[\S]+$/
    * assign Package() to /^[^_]+_(?!pkg_)[\S]+$/
    * assign Service() to /^[^_]+_(?!service_)[\S]+$/
    * assign Directory() to /^[^_]+_(?!dir_)[\S]+$/
    * assign Symlink() to /^[^_]+_(?!ln_)[\S]+$/
    * assign Permissions() to /^[^_]+_(?!perm_)[\S]+$/

# senior admins can do anything else
allow senioradmin to:
    * * *

# allow admins to do everything if a senior admin approves
allow to:
    * * * authorised by 1 senioradmin

# network related configuration
deny netadmins to:
    # deny files other than those in /etc/network
    * assign /^(?!\/etc\/network\/)\S+/ to /^net_file_\w+\.name$/
    # deny services other than dhcpd and network
    * assign /^(?!(dhcpd$|network$))\w+$/ to /^net_service_\w+\.name$/

allow netadmins to:
    * import /^dhcp/
    # allow adding a list of values to the net_dhcp_clients list
    * add /^\[[^\]]$/ to /^net_dhcp_clients$/
    # allow only variables prefixed with net (ignore rhs)
    * assign * to /^(?!net_)\S+$/

33 / 40
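As an added example that is not the prototype's code, this Python evaluator applies rules in the style of the motd policy (slides 19/24) and of the naming-convention and senior-admin rules of slide 33 to update records of the form on slides 19 and 24, with the first matching rule deciding and no match meaning deny. The tuple encoding of rules, `re.search` semantics for /.../ patterns, the constructed `senior` identity, and the assumption that an author's own membership of the approver group counts as one authorisation (which is what reproduces slide 20's output for Bart) are mine, not the paper's.

```python
import re
# Added example (not the ACHEL prototype). Rule = (effect, subjects or None for everyone, action,
# operation, rhs, lhs, (n, approver group) or None); "*" matches anything, /.../ is a regex, else literal.
BART, THOMAS = "bart.vanbrabant@cs.kuleuven.be", "thomas.delaet@cs.kuleuven.be"
ADMINS = {BART, "wouter.joosen@cs.kuleuven.be"}
MOTD_POLICY = [  # the policy of slides 19/24
    ("allow", ADMINS, "*", "assign", "File()", "motd_file", None),
    ("allow", ADMINS, "*", "assign", '"/etc/motd"', "motd_file.name", None),
    ("allow", None, "*", "assign", "*", "motd_file.content", None),
    ("allow", None, "/(add|modify)/", "assign", "*", r"/^motd_file\./", (1, ADMINS)),
]
CASE1_POLICY = [  # two rules from slide 33; "senior" is a constructed member of senioradmin
    ("deny", None, "*", "assign", "File()", r"/^[^_]+_(?!file_)[\S]+$/", None),
    ("allow", {"senior"}, "*", "*", "*", "*", None),
]

def matches(pattern, value):
    if pattern == "*":
        return True
    if len(pattern) > 1 and pattern[0] == pattern[-1] == "/":
        return re.search(pattern[1:-1], value) is not None
    return pattern == value

def decide(update, policy):
    """First matching rule wins and no match is a deny; returns (verdict, missing authorisations)."""
    for effect, who, action, op, rhs, lhs, auth in policy:
        if who is not None and update["author"] not in who:
            continue
        if not all(matches(p, update[k]) for p, k in
                   ((action, "action"), (op, "operation"), (rhs, "rhs"), (lhs, "lhs"))):
            continue
        if effect == "deny" or auth is None:
            return ("denied" if effect == "deny" else "allowed"), 0
        needed, group = auth
        # Assumption: the author's own membership of the approver group counts as one authorisation.
        have = len((set(update.get("signatures", ())) | {update["author"]}) & group)
        return ("allowed", 0) if have >= needed else ("authorisation required", needed - have)
    return "denied", 0

def report(update, policy=MOTD_POLICY):  # one line in the style of the prototype output, slides 20/25
    verdict, missing = decide(update, policy)
    head = f"authorisation ({missing}) required for" if missing else verdict
    line = f'{head} {update["author"]} to {update["action"]} {update["operation"]} {update["rhs"]} to {update["lhs"]}'
    return line + (f' owned by {update["owner"]}' if missing else "")

UPDATES = [  # constructed update records following slides 19 and 24
    dict(action="add", operation="assign", lhs="motd_file.perm", rhs='"0644"', owner=BART, author=BART),
    dict(action="modify", operation="assign", lhs="motd_file.group", rhs='"wheel"', old_rhs='"root"', owner=BART, author=THOMAS),
]
```

Running `report(u)` over `UPDATES` gives the "allowed" line for Bart's permission change and the "authorisation (1) required ... owned by" line of slide 25 for Thomas's group change.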

SLIDE 34

Case 1: configuration

# configure network interfaces
net_file_interfaces = File()
net_file_interfaces.name = "/etc/network/interfaces"
net_file_interfaces.owner = "root"
net_file_interfaces.group = "root"
net_file_interfaces.perms = "0644"
net_file_interfaces.content = source("net/interfaces.$hostname")

# network service needs to be enabled
net_service_network = Service()
net_service_network.name = "network"
net_service_network.status = "on"

# use template for /etc/hosts
net_file_hosts = File()
net_file_hosts.name = "/etc/hosts"
net_file_hosts.owner = "root"
net_file_hosts.group = "root"
net_file_hosts.perms = "0644"
net_file_hosts.content = template("net/hosts.tmpl")

34 / 40

SLIDE 35

Case 2: complex workflow in federated infrastructures

  • Large federated grid infrastructure
  • Several administrative domains
  • Shared and site specific configuration
  • Based on the description of BeGrid in Devolved Management of Distributed Infrastructures With Quattor, LISA ’08

35 / 40

SLIDE 36

Case 2: complex workflow in federated infrastructures

Central Repository at Belnet
    KULeuven Repository
    UGent Repository
    UA Repository
    UCL Repository

36 / 40

SLIDE 38

Future work

Validate ACHEL on a complex real-life configuration language. Key challenges:

  • develop an access control language that integrates with the configuration language
  • provide integration with the tools used with the configuration language

38 / 40

SLIDE 39

Conclusion

ACHEL’s contributions

  • fine-grained access control that interprets the semantics of changes
  • access control applied at the abstraction level of the configuration specification
  • support for workflow in federated infrastructures
  • a language agnostic approach

39 / 40

SLIDE 40

Questions?

40 / 40