LISA 11 Fine-grained access-control for the Puppet configuration - - PowerPoint PPT Presentation



SLIDE 1

LISA ’11 Fine-grained access-control for the Puppet configuration language

Bart Vanbrabant, Joris Peeraer and Wouter Joosen

DistriNet, Dept. of Computer Science, K.U.Leuven, Belgium

December 7, 2011

1 / 27

SLIDE 2

Outline

Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion

2 / 27

SLIDE 3

Outline

Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion

3 / 27

SLIDE 4

System configuration tools

4 / 27

SLIDE 5

System configuration tools

5 / 27

SLIDE 6

System configuration tools

6 / 27

SLIDE 7

System configuration tools

7 / 27

SLIDE 8

System configuration tools

Malicious configuration

8 / 27

SLIDE 9

System configuration tools

9 / 27

SLIDE 10

System configuration tools

10 / 27

SLIDE 11

Outline

Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion

11 / 27

SLIDE 12

What is ACHEL?

ACHEL manages access to repositories of configuration specifications by implementing access control and enforcing workflows:

  • fine-grained access control that interprets the semantics of changes
  • the actions that need authorisation are derived automatically
  • access control is applied at the abstraction level of the configuration specification
  • support for workflows in federated infrastructures
  • a (configuration-)language-agnostic solution

12 / 27

SLIDE 13

Generating meaningful changes with ACHEL

13 / 27

SLIDE 14

Outline

Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion

14 / 27

SLIDE 15

Puppet

Authorise changes to the configuration model of a real tool:

  • System management tool used in production environments
  • Puppet has an expressive and complex configuration language
  • Manifests are organised in modules
  • Authorisation is based on modules and their file path
  • The link between the contents of a module and its name is not enforced

15 / 27

SLIDE 16

Applying ACHEL to Puppet

Steps to authorise changes the ACHEL way:

  • Acquire the AST from Puppet
  • The AST still contains syntax, so normalisation is required
  • Derive the actions to be authorised
  • Submit the request to an XACML policy engine
  • Report the result of the authorisation

16 / 27

SLIDE 17

AST normalisation

Define three users with one statement:

  user {["bart", "joris", "wouter"]: }

Define three users with three statements:

  user {"bart": }
  user {"joris": }
  user {"wouter": }

17 / 27

SLIDE 18

Prototype

Challenges for the prototype:

  • Not all language features are supported; some are impossible to support
  • The prototype extracts the AST from the Puppet compiler and normalises it
  • The AST is serialised to XML so that XPath can be used in policies
  • The prototype is integrated in a DVCS (Bazaar) to enforce access control

18 / 27

SLIDE 19

Example: Adding vhosts

Puppet manifest:

  # Apache-class
  class apache {
    ...
  }

  # vhost definition
  define apache::vhost ($document_root) {
    file {"/etc/apache2/vhosts-available/${name}":
      ensure  => present,
      docroot => $document_root,
    }
  }

  node a {
    include apache
  }

19 / 27

SLIDE 20

Example: Adding vhosts

User jdoe adds a virtual host:

  # Apache-class
  class apache {
    apache::vhost {"www.example.com":
      docroot => "/home/jdoe/public_html",
    }
    ...
  }

  # vhost definition
  define apache::vhost ($document_root) {
    file {"/etc/apache2/vhosts-available/${name}":
      ensure  => present,
      docroot => $document_root,
    }
  }
  ...

20 / 27

SLIDE 21

Example: Adding vhosts

Result from matching:

  * Updated: none
  * Inserted:
      Add member: Resource (title:www.example.com, type:apache::vhost)
      Add parameter: ResourceParam (param:docroot)
      Add value: String () => /home/jdoe/public_html
  * Removed: none

21 / 27
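The normalisation step of slide 17 and the matching result of slide 21 (steps two and three of slide 16) as an added example; this is illustrative code written for this page, not the ACHEL prototype or Puppet's own code. The tuple form of a statement and the `package` resource in the sample models are assumptions standing in for the real Puppet AST.

```python
# Added example, not code from the ACHEL prototype or from Puppet: a toy model of
# two ACHEL steps from the slides, AST normalisation (array titles expanded into
# one resource per title) and derivation of the actions that need authorisation
# by matching the old and new normalised models.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Resource = Tuple[str, str]               # (type, title) identifies a resource
Model = Dict[Resource, Dict[str, str]]   # resource -> {parameter: value}

# A statement is (type, title or list of titles, parameters); this tuple form is
# an assumption standing in for the real Puppet AST.
Statement = Tuple[str, object, Dict[str, str]]


def normalise(statements: List[Statement]) -> Model:
    """Expand Puppet's array-title shorthand so that
    user {["bart", "joris", "wouter"]: } and three separate user statements
    yield the same model; a policy therefore never has to know about the syntax."""
    model: Model = {}
    for rtype, titles, params in statements:
        for title in ([titles] if isinstance(titles, str) else titles):
            model[(rtype, title)] = dict(params)
    return model


@dataclass
class Changes:
    updated: List[Tuple[Resource, str, Optional[str], Optional[str]]] = field(default_factory=list)
    inserted: List[Tuple[Resource, Dict[str, str]]] = field(default_factory=list)
    removed: List[Tuple[Resource, Dict[str, str]]] = field(default_factory=list)


def derive_actions(old: Model, new: Model) -> Changes:
    """Match two normalised models; the differences are the actions to authorise."""
    ch = Changes()
    for res in sorted(new.keys() - old.keys()):
        ch.inserted.append((res, new[res]))
    for res in sorted(old.keys() - new.keys()):
        ch.removed.append((res, old[res]))
    for res in sorted(old.keys() & new.keys()):
        for param in sorted(old[res].keys() | new[res].keys()):
            before, after = old[res].get(param), new[res].get(param)
            if before != after:
                ch.updated.append((res, param, before, after))
    return ch


def report(ch: Changes) -> List[str]:
    """Render the changes in the style of the matching result on slide 21."""
    lines = ["Updated:" + (" none" if not ch.updated else "")]
    for (rtype, title), param, before, after in ch.updated:
        lines.append(f"  Update value: {rtype} {title} {param}: {before} => {after}")
    lines.append("Inserted:" + (" none" if not ch.inserted else ""))
    for (rtype, title), params in ch.inserted:
        lines.append(f"  Add member: Resource (title:{title}, type:{rtype})")
        for param, value in params.items():
            lines.append(f"  Add parameter: ResourceParam (param:{param})")
            lines.append(f"  Add value: String () => {value}")
    lines.append("Removed:" + (" none" if not ch.removed else ""))
    for (rtype, title), _ in ch.removed:
        lines.append(f"  Remove member: Resource (title:{title}, type:{rtype})")
    return lines


# Constructed sample: the body of class apache before and after jdoe's change.
# The package resource is invented so that an unchanged resource is present.
OLD = normalise([("package", "apache2", {"ensure": "installed"})])
NEW = normalise([
    ("package", "apache2", {"ensure": "installed"}),
    ("apache::vhost", "www.example.com", {"docroot": "/home/jdoe/public_html"}),
])

if __name__ == "__main__":
    for line in report(derive_actions(OLD, NEW)):
        print(line)
```

Because matching runs on the normalised model rather than on the text, a change that only rewrites the array-title form into three statements produces an empty change set and needs no authorisation at all, whereas adding a vhost produces exactly the three "Add" actions shown on slide 21, regardless of how the manifest was laid out.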

SLIDE 22

Example: Adding vhosts

XACML policy extract (without the namespace clutter):

  <Policy>
    <Description>Apache permissions for webuser</Description>
    <Target><Subjects><Subject><SubjectMatch>
      <AttributeValue>webuser</AttributeValue>
      <SubjectAttributeDesignator AttributeId="subject:role" />
    </SubjectMatch></Subject></Subjects></Target>
    <Rule Effect="Permit">
      <Description>Add or remove a vhost</Description>
      <Target><Resources><Resource><ResourceMatch>
        <AttributeValue>//pup:*[@type="apache::vhost"]</AttributeValue>
        <ResourceAttributeDesignator AttributeId="resource-id" DataType="xpath-expression" />
      </ResourceMatch></Resource></Resources></Target>
    </Rule>
    <Rule Effect="Permit">
      <Target><Resources><Resource><ResourceMatch>
        <AttributeValue>//pup:*[@type="apache::vhost"]/pup:*[@param="docroot"]</AttributeValue>
        <ResourceAttributeDesignator AttributeId="resource-id" DataType="xpath-expression" />
      </ResourceMatch></Resource></Resources></Target>
      <Condition>
        <Apply FunctionId="string-starts-with">
          <Apply FunctionId="string-one-and-only">
            <AttributeSelector RequestContextPath="//pup:*[@param='docroot']/pup:value/text()" />
          </Apply>
          <Apply FunctionId="string-concatenate">
            <AttributeValue>/home/</AttributeValue>
            <Apply FunctionId="string-one-and-only">
              <SubjectAttributeDesignator AttributeId="subject-id" />
            </Apply>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
  </Policy>

22 / 27

SLIDE 23

Example: Adding vhosts

First rule from the extract:

  <Policy>
    ...
    <Rule Effect="Permit">
      <Description>Add or remove a vhost</Description>
      <Target><Resources><Resource><ResourceMatch>
        <AttributeValue>//pup:*[@type="apache::vhost"]</AttributeValue>
        <ResourceAttributeDesignator AttributeId="resource-id" DataType="xpath-expression" />
      </ResourceMatch></Resource></Resources></Target>
    </Rule>
    ...
  </Policy>

23 / 27

SLIDE 24

Example: Adding vhosts

Second rule from the extract:

  <Policy>
    ...
    <Rule Effect="Permit">
      <Target><Resources><Resource><ResourceMatch>
        <AttributeValue>//pup:*[@type="apache::vhost"]/pup:*[@param="docroot"]</AttributeValue>
        <ResourceAttributeDesignator AttributeId="resource-id" DataType="xpath-expression" />
      </ResourceMatch></Resource></Resources></Target>
      <Condition>
        <Apply FunctionId="string-starts-with">
          <Apply FunctionId="string-one-and-only">
            <AttributeSelector RequestContextPath="//pup:*[@param='docroot']/pup:value/text()" />
          </Apply>
          <Apply FunctionId="string-concatenate">
            <AttributeValue>/home/</AttributeValue>
            <Apply FunctionId="string-one-and-only">
              <SubjectAttributeDesignator AttributeId="subject-id" />
            </Apply>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
  </Policy>

24 / 27

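What the two rules of slides 22 to 24 decide, as an added example written for this page; it is neither ACHEL's code nor a XACML engine, only the two Permit rules rewritten as Python predicates over an XML-serialised change set. The `pup:` namespace of the prototype is dropped (an assumption) so that ElementTree's limited XPath can address the elements, and the element and attribute names of the serialised AST are constructed for the example.

```python
# Added example, not ACHEL's code and not a XACML engine: the two Permit rules of
# the slide's policy expressed as Python predicates over an XML-serialised change
# set, to show what the XPath targets and the string-starts-with condition
# actually decide. The pup: namespace of the prototype is dropped here (an
# assumption) so that ElementTree's limited XPath can address the elements.
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple


def inserted_vhost(title: str, docroot: str) -> ET.Element:
    """Constructed serialisation of the change on slide 21: one inserted
    apache::vhost resource carrying a docroot parameter."""
    root = ET.Element("changes")
    res = ET.SubElement(root, "resource", type="apache::vhost", title=title)
    param = ET.SubElement(res, "param", param="docroot")
    ET.SubElement(param, "value").text = docroot
    return root


# Rule 1: a webuser may add or remove any apache::vhost (no further condition).
def any_vhost(elem: ET.Element, subject: Dict) -> bool:
    return True


# Rule 2: the docroot value must start with "/home/" + subject-id, i.e.
# string-starts-with(value, string-concatenate("/home/", subject-id)).
def docroot_under_home(elem: ET.Element, subject: Dict) -> bool:
    value = elem.findtext("value") or ""
    return value.startswith("/home/" + subject["subject-id"])


Rule = Tuple[str, str, Callable[[ET.Element, Dict], bool]]  # (role, XPath target, condition)
RULES: List[Rule] = [
    ("webuser", ".//*[@type='apache::vhost']", any_vhost),
    ("webuser", ".//*[@type='apache::vhost']/*[@param='docroot']", docroot_under_home),
]


def authorise(subject: Dict, changes: ET.Element) -> str:
    """Deny by default: every changed resource and parameter element must be
    selected by the target of a rule that applies to one of the subject's roles,
    and that rule's condition must hold."""
    for elem in changes.iter():
        if elem.tag not in ("resource", "param"):
            continue
        permitted = False
        for role, xpath, condition in RULES:
            if role in subject["roles"] and elem in changes.findall(xpath) and condition(elem, subject):
                permitted = True
                break
        if not permitted:
            return "Deny"
    return "Permit"


if __name__ == "__main__":
    jdoe = {"subject-id": "jdoe", "roles": {"webuser"}}
    print(authorise(jdoe, inserted_vhost("www.example.com", "/home/jdoe/public_html")))  # Permit
    print(authorise(jdoe, inserted_vhost("www.example.com", "/var/www/example")))        # Deny
```

Two things are worth noticing when reading the rules this way. The first rule permits the resource element but says nothing about its parameters, so the docroot parameter is only permitted through the second rule; without it a vhost could be added but not given a document root. The second is that a plain string-starts-with check on `/home/` + subject-id also accepts `/home/jdoe2/...` for subject `jdoe`; a policy author who wants a per-user home directory would concatenate a trailing `/` as well.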
SLIDE 25

Using unsupported language constructions

  • The policy defines what is allowed
  • The use of defines or classes can be authorised
  • Encapsulate unsupported or complex Puppet constructions
  • Authorise on the container of the unsupported statements

25 / 27

SLIDE 26

Outline

Systems configuration Context Problems Our solution: ACHEL Authorising Puppet Conclusion

26 / 27

SLIDE 27

Conclusion

  • The ACHEL method supports complex languages
  • Unsupported language features are handled using encapsulation
  • A clean AST is required
  • XACML is powerful but hard to use

27 / 27