lisa 11 fine grained access control for the puppet
play

LISA 11 Fine-grained access-control for the Puppet configuration - PowerPoint PPT Presentation

Dec 06, 2023 •22 likes •292 views

LISA 11 Fine-grained access-control for the Puppet configuration language Bart Vanbrabant, Joris Peeraer and Wouter Joosen DistriNet, Dept. of Computer Science, K.U.Leuven, Belgium December 7, 2011 1 / 27 Outline Systems configuration

  1. LISA ’11 Fine-grained access-control for the Puppet configuration language Bart Vanbrabant, Joris Peeraer and Wouter Joosen DistriNet, Dept. of Computer Science, K.U.Leuven, Belgium December 7, 2011 1 / 27

  2. Outline Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion 2 / 27

  3. Outline Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion 3 / 27

  4. System configuration tools 4 / 27

  5. System configuration tools 5 / 27

  6. System configuration tools 6 / 27

  7. System configuration tools 7 / 27

  8. System configuration tools M a l i c i o u s c o n f i g u r a t i o n 8 / 27

  9. System configuration tools 9 / 27

  10. System configuration tools 10 / 27

  11. Outline Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion 11 / 27

  12. What is ACHEL? ACHEL manages access to repositories of configuration specification by implementing access control and enforcing workflows • fine-grained access control interpreting the semantics of changes • The actions that needs authorisation are derived automatically • access control is applied at the abstraction level of the configuration specification • support for workflow in federated infrastructures • a (configuration) language agnostic solution 12 / 27

  13. Generating meaningful changes with ACHEL 13 / 27

  14. Outline Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion 14 / 27

  15. Puppet Authorise changes to the configuration model of a real tool: • System management tool used in production environment • Puppet has an expressive and complex configuration language • Manifests organised in modules • Authorisation based on modules and their file path • Link between contents of module and its name is not enforced 15 / 27

  16. Applying ACHEL to Puppet Steps to authorise changes the ACHEL way: • Aquire the AST from Puppet • AST contains syntax so normalisation is required • Derive to be authorised actions • Submit request to XACML policy engine • Report result of authorisation 16 / 27

  17. AST normalisation Define three users with one statement: user {["bart", "joris", "wouter"]: } Define three users with three statements: user {"bart": } user {"joris": } user {"wouter": } 17 / 27

  18. Prototype Challenges for prototype: • Not all language features supported, some are impossible to support • Prototype extracts AST from Puppet compiler and normalises it • The AST is serialised to XML so XPath can be used in policies • Prototype is integrated in a DVCS (Bazaar) to enforce access control 18 / 27

  19. Example: Adding vhosts Puppet manifest: # Apache-class class apache { ... } # vhost definition define apache::vhost ($document_root) { file {"/etc/apache2/vhosts-available/${name}": ensure => present, docroot => $document_root, } } node a { include apache } 19 / 27

  20. Example: Adding vhosts User Jdoe adds a virtual host: # Apache-class class apache { apache::vhost {"www.example.com": docroot => "/home/jdoe/public_html", } ... } # vhost definition define apache::vhost ($document_root) { file {"/etc/apache2/vhosts-available/${name}": ensure => present, docroot => $document_root, } ... 20 / 27

  21. Example: Adding vhosts Result from matching: * Updated: none * Inserted: Add member: Resource (title:www.example.com, type:apache::vhost) Add parameter: ResourceParam (param:docroot) Add value: String () => /home/jdoe/public_html * Removed: none 21 / 27

  22. Example: Adding vhosts XAMCL policy extract (without the namespace clutter) <Policy> <Description>Apache permissions for webuser</Description> <Target><Subjects><Subject><SubjectMatch> <AttributeValue>webuser</AttributeValue> <SubjectAttributeDesignator AttributeId="subject:role" /> </SubjectMatch></Subject></Subjects></Target> <Rule Effect="Permit"> <Description>Add or remove a vhost</Description> <Target><Resources><Resource><ResourceMatch> <AttributeValue>//pup:*[@type="apache::vhost"]</AttributeValue> <ResourceAttributeDesignator AttributeId="resource-id" DataType="xpath-expression" /> </ResourceMatch></Resource></Resources></Target> </Rule> <Rule Effect="Permit"> <Target><Resources><Resource><ResourceMatch> <AttributeValue>//pup:*[@type="apache::vhost"]/pup:*[@param="docroot"]</AttributeValue> <ResourceAttributeDesignator AttributeId="resource-id" DataType="xpath-expression" /> </ResourceMatch></Resource></Resources></Target> <Condition> <Apply FunctionId="string-starts-with"><Apply FunctionId="string-one-and-only"> <AttributeSelector RequestContextPath="//pup:*[@param=’docroot’]/pup:value/text()" /> </Apply> <Apply FunctionId="string-concatenate"> <AttributeValue>/home/</AttributeValue> <Apply FunctionId="string-one-and-only"> <SubjectAttributeDesignator AttributeId="subject-id" /> </Apply> </Apply></Apply> </Condition> </Rule> </Policy> 22 / 27

  23. Example: Adding vhosts First rule from extract: <Policy> ... <Rule Effect="Permit"> <Description>Add or remove a vhost</Description> <Target><Resources><Resource><ResourceMatch> <AttributeValue>//pup:*[@type="apache::vhost"] </AttributeValue> <ResourceAttributeDesignator AttributeId="resource-id" DataType="xpath-expression" /> </ResourceMatch></Resource></Resources></Target> </Rule> ... </Policy> 23 / 27

  24. Example: Adding vhosts Second rule from extract: <Policy> ... <Rule Effect="Permit"> <Target><Resources><Resource><ResourceMatch> <AttributeValue>//pup:*[@type="apache::vhost"]/pup:*[@param="docroot"]</AttributeValue> <ResourceAttributeDesignator AttributeId="resource-id" DataType="xpath-expression" /> </ResourceMatch></Resource></Resources></Target> <Condition> <Apply FunctionId="string-starts-with"><Apply FunctionId="string-one-and-only"> <AttributeSelector RequestContextPath="//pup:*[@param=’docroot’]/pup:value/text()" /> </Apply> <Apply FunctionId="string-concatenate"> <AttributeValue>/home/</AttributeValue> <Apply FunctionId="string-one-and-only"> <SubjectAttributeDesignator AttributeId="subject-id" /> </Apply> </Apply></Apply> </Condition> </Rule> </Policy> 24 / 27

  25. Use unsupported language constructions • Policy defines what is allowed • Usage of defines or classes can be authorised • Encapsulate unsupported or complex Puppet constructions • Authorise on the container of the unsupported statements 25 / 27

  26. Outline Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion 26 / 27

  27. Conclusion • ACHEL method supports complex languages • Unsupported languages features using encapsulation • Clean AST required • XACML is powerful but hard to use 27 / 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fine Grained Access Control Fine-Grained Access Control Fine Grained Access Control

Fine Grained Access Control Fine-Grained Access Control Fine Grained Access Control

Fine Grained Access Control Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples: p g Students can see their own grades Students can see grades of all students in courses they registered for

548 views • 34 slides
Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples:

Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples:

Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples: Students can see their own grades Students can see their own grades Students can see grades of all students in courses they registered for

338 views • 17 slides
On the Correctness Criteria of Fine-Grained Access Control in Relational Databases Qihua Wang,

On the Correctness Criteria of Fine-Grained Access Control in Relational Databases Qihua Wang,

On the Correctness Criteria of Fine-Grained Access Control in Relational Databases Qihua Wang, Ting Yu, Ninghui Li Jorge Lobo, Elisa Bertino Keith Irwin, Ji-Won Byun Outline Introduction Correctness Criteria A Fine-Grained Access

1.21k views • 51 slides
Flexible, fine-grained distributed access control John Mitchell Stanford with Adam Barth, Anupam

Flexible, fine-grained distributed access control John Mitchell Stanford with Adam Barth, Anupam

Flexible, fine-grained distributed access control John Mitchell Stanford with Adam Barth, Anupam Datta, Ninghui Li (Purdue), Helen Nissenbaum (NYU), Will Winsborough, . April 2006 Were all ears What policy concepts are important in

531 views • 20 slides
Fine-grained Data Access Control Systems with User Accountability in Cloud Computing Jin Li 1 ,

Fine-grained Data Access Control Systems with User Accountability in Cloud Computing Jin Li 1 ,

Fine-grained Data Access Control Systems with User Accountability in Cloud Computing Jin Li 1 , Gansen Zhao 2 , and Xiaofeng Chen 3 Chunming Rong 4 , Yong Tang 2 1 Guangzhou University, China South China Normal University 2 3 Xidian University

784 views • 21 slides
Fine-Grained Geographic Communication (Geocast) Nexus Workshop Frank Drr 23.07.2003 1

Fine-Grained Geographic Communication (Geocast) Nexus Workshop Frank Drr 23.07.2003 1

Fine-Grained Geographic Communication (Geocast) Nexus Workshop Frank Drr 23.07.2003 1 Overview Motivation Requirements for Fine-Grained Geocast Location Model for Fine-Grained Geographic Addressing Summary Related Work

752 views • 18 slides
LAMINAR: PRACTICAL FINE-GRAINED DECENTRALIZED INFORMATION FLOW CONTROL (DIFC) Indrajit Roy ,

LAMINAR: PRACTICAL FINE-GRAINED DECENTRALIZED INFORMATION FLOW CONTROL (DIFC) Indrajit Roy ,

LAMINAR: PRACTICAL FINE-GRAINED DECENTRALIZED INFORMATION FLOW CONTROL (DIFC) Indrajit Roy , Donald E. Porter, Michael D. Bond, Kathryn S. McKinley, Emmett Witchel The University of Texas at Austin Untrusted code on trusted data Your

820 views • 45 slides
Copy raising and perception: A fine-grained semantics for raising and control Ash Asudeh &amp;

Copy raising and perception: A fine-grained semantics for raising and control Ash Asudeh &amp;

Copy raising and perception: A fine-grained semantics for raising and control Ash Asudeh &amp; Ida Toivonen Carleton University LAGB 2007, Kings College London 1 Copy raising 1. Louise seems like shes had a rough day. 2. The lawyer

752 views • 43 slides
Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski

Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski

Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski Anindya Banerjee PLDI 2015 Terminology Coarse-grained Concurrency synchronisation between threads via locks ; Fine-grained

973 views • 72 slides
Parts of Speech More Fine-Grained Classes More

Parts of Speech More Fine-Grained Classes More

Parts of Speech More Fine-Grained Classes More Fine-Grained Classes Actually , I ran home extremely quickly yesterday The closed classes Example of POS tagging The Penn Treebank Part-of-Speech

747 views • 54 slides
Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee Ming-Wei

Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee Ming-Wei

Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing Sangho Lee Ming-Wei Shih Prasun Gera Taesoo Kim Hyesoon Kim Marcus Peinado 26 th USENIX Security Symposium August 17, 2017 Intel Software Guard Extension (SGX)

437 views • 42 slides
Machine Learning for Fine-Grained Hardware Prefetcher Control Jason Hiebel Laura E. Brown

Machine Learning for Fine-Grained Hardware Prefetcher Control Jason Hiebel Laura E. Brown

Machine Learning for Fine-Grained Hardware Prefetcher Control Jason Hiebel Laura E. Brown Zhenlin Wang jshiebel@mtu.edu lebrown@mtu.edu zlwang@mtu.edu Department of Computer Science Michigan Technological University International

544 views • 31 slides
Fine-grained Visual Analysis: From Classification to Retrieval Yi-Zhe Song SketchX Lab, CVSSP,

Fine-grained Visual Analysis: From Classification to Retrieval Yi-Zhe Song SketchX Lab, CVSSP,

Fine-grained Visual Analysis: From Classification to Retrieval Yi-Zhe Song SketchX Lab, CVSSP, University of Surrey, UK http://sketchx.ai Why fine-grained? Dog Dog Dog I am not just a dog Why fine-grained? Husky

615 views • 24 slides
Fine-grained Image Recognition Lei Wang VILA group School of Computing and Information

Fine-grained Image Recognition Lei Wang VILA group School of Computing and Information

Learning Kernel-matrix-based Representation for Fine-grained Image Recognition Lei Wang VILA group School of Computing and Information Technology University of Wollongong, Australia 11-Dec-2019 Introduction Fine-grained image recognition

1.56k views • 58 slides
TRILL Fine Grained Labeling Donald Eastlake 3 rd Huawei

TRILL Fine Grained Labeling Donald Eastlake 3 rd Huawei

TRILL Fine Grained Labeling Donald Eastlake 3 rd Huawei Technologies d3e3e3@gmail.com November 2011 TRILL WG 1 Fine Grained Labeling A way to

469 views • 8 slides
Fine-Grained User-Space Security Through Virtualization Mathias Payer and Thomas R. Gross ETH

Fine-Grained User-Space Security Through Virtualization Mathias Payer and Thomas R. Gross ETH

Fine-Grained User-Space Security Through Virtualization Mathias Payer and Thomas R. Gross ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application access to the minimum amount of data

890 views • 29 slides
Information Retrieval Modeling Russian Summer School in Information Retrieval Djoerd Hiemstra

Information Retrieval Modeling Russian Summer School in Information Retrieval Djoerd Hiemstra

Information Retrieval Modeling Russian Summer School in Information Retrieval Djoerd Hiemstra http://www.cs.utwente.nl/~hiemstra 1/35 PART 4 Structured Information Retrieval 2/35 Overview 1. implicit vs. explicit structure 2. static vs.

580 views • 35 slides
XML Processing (XPath, XQuery, XUpdate) Part 5: XQuery + XPath Fulltext 21.12.2011 Outline

XML Processing (XPath, XQuery, XUpdate) Part 5: XQuery + XPath Fulltext 21.12.2011 Outline

Module 3 XML Processing (XPath, XQuery, XUpdate) Part 5: XQuery + XPath Fulltext 21.12.2011 Outline Motivation Challenges XQuery Full-Text Language XQuery Full-Text Semantics and Data Model 21.12.2011 Peter

620 views • 46 slides
9. Path expressions: XPath XPath is a language for selecting parts of XML documents it is

9. Path expressions: XPath XPath is a language for selecting parts of XML documents it is

9. Path expressions: XPath XPath is a language for selecting parts of XML documents it is a kind of simple query language . XPath does not use normal XML syntax; path expressions are strings for the parser. XPath is a tree

223 views • 20 slides
XPath &amp; XQuery (continued) CS 645 Apr 24, 2008 1 Some slide content courtesy of

XPath &amp; XQuery (continued) CS 645 Apr 24, 2008 1 Some slide content courtesy of

XPath &amp; XQuery (continued) CS 645 Apr 24, 2008 1 Some slide content courtesy of Ramakrishnan &amp; Gehrke, Dan Suciu, Zack Ives. Today s lecture Review of XPath continuation of XQuery 2 Querying XML Data XPath = simple

569 views • 38 slides
XML and XQuery 5DV120 Database System Principles Ume a University Department of Computing

XML and XQuery 5DV120 Database System Principles Ume a University Department of Computing

XML and XQuery 5DV120 Database System Principles Ume a University Department of Computing Science Stephen J. Hegner hegner@cs.umu.se http://www.cs.umu.se/~hegner XML and XQuery 20151114 Slide 1 of 54 The XML Context XML was

897 views • 54 slides
XQUERY? Just a query Language for XML? Right? NO NO

XQUERY? Just a query Language for XML? Right? NO NO

XQuery vs . The World Nuno Job nunojob.com nunojob.com and @dscape dscape (twitter, github) Dynamic Languages Conference 2011 portugal, new york, toronto, san francisco, london 11

497 views • 31 slides
Symmetrically Exploiting XML Shuohao Zhang and Curtis Dyreson School of E.E. and Computer Science

Symmetrically Exploiting XML Shuohao Zhang and Curtis Dyreson School of E.E. and Computer Science

Symmetrically Exploiting XML Shuohao Zhang and Curtis Dyreson School of E.E. and Computer Science Washington State University Pullman, Washington, USA The 15 th International World Wide Web Conference May 2006 Edinburgh, Scotland 1970s

496 views • 22 slides
Information Systems XQuery Nikolaj Popov Research Institute for Symbolic Computation Johannes

Information Systems XQuery Nikolaj Popov Research Institute for Symbolic Computation Johannes

Information Systems XQuery Nikolaj Popov Research Institute for Symbolic Computation Johannes Kepler University of Linz, Austria popov@risc.uni-linz.ac.at What Is XQuery The purpose of XQuery is to provide a language for extracting data

302 views • 19 slides

More recommend