Next Generation Directory-Based User Management for Cloud Infrastructure - PowerPoint PPT Presentation


SLIDE 1

Next Generation Directory-Based User Management for Cloud Infrastructure

Nov 16, 2016, ApacheCon EU, Seville

SLIDE 2

Introductions

  • Katarina Valalikova – Evolveum
  • Shawn McKinney – Symas

ApacheCon EU, Seville 2016

SLIDE 3

Security is Hard

“I had to keep guessing at the channel; I had to discern, mostly by inspiration, the signs of hidden banks; I watched for sunken stones; When you have to attend to things of that sort, to the mere incidents of the surface, the reality—the reality, I tell you—fades. The inner truth is hidden.” Joseph Conrad, Heart of Darkness

https://en.wikipedia.org/wiki/File:VingtAnnees_286.jpg

SLIDE 4

Session Objective

Uncover that hidden navigation channel for users and machines through ‘the cloud’.

SLIDE 5

Session Agenda

  • History
  • Building Blocks
  • Model
  • Solution
  • Use Case
  • Demo
  • Questions

Image from: HTTP://EVENTS.LINUXFOUNDATION.ORG/EVENTS/APACHECON-NORTH-AMERICA

SLIDE 6

Knowing the path forward necessarily means we understand where we’ve been.

History

SLIDE 7

History

https://upload.wikimedia.org/wikipedia/commons/7/77/Unix_history-simple.svg

SLIDE 8

History

RFC2307, PAM, NSS, sudo, su, DNS, users, POSIX security

Soup of the day

SLIDE 9

Operating System (e.g., AIX)

Should work on most Unix platforms.

SLIDE 10

Cloud Infrastructure

Must work on all.

SLIDE 11

The Wheel

  • Let’s not reinvent

SLIDE 12

Back in time

circa 1995

  • Internet went mainstream
  • Linux is viable
  • Sun released Java
  • Work on the Apache HTTP server began
  • The die was cast on LDAP

SLIDE 13

Building Blocks

  • 1. POSIX security controls
  • 2. Directory services

Best practices

SLIDE 14

Fast Forward

  • 3. Mediator

New practice

SLIDE 15

Building Blocks Conceptual

SLIDE 16

Building Blocks Actual

SLIDE 17

Building Blocks - AuthN

SLIDE 18

Pluggable Authentication Module

  • Authentication
  • Coarse-grained Authorization

Just an authN service

SLIDE 19

Building Blocks - AuthZ

SLIDE 20

sudo

Just an authZ service

SLIDE 21

Building Blocks – Reporting

SLIDE 22

Name Service Switch

  • Used by Unix processes to look up user and group info

Just a lookup service

SLIDE 23

What is LDAP

SLIDE 24

Building Blocks - LDAP

System of record

  • Users
  • Passwords
  • Groups

Just a

SLIDE 25

Building Blocks - Mediator

  • Keeps things in sync between the machines and LDAP as things change.

SLIDE 26

Mediator

  • 1. Machine added to network, notifies mediator
  • 2. Based on policies stored in DB
  • 3. Updates LDAP accordingly

SLIDE 27

Model

  • amsouth: m1001, m1002, m1003, …
  • afnorth: m2010, …
  • aspac: m3100, …

Requirements

SLIDE 28

Three Kinds of Security Checks

  • 1. Authentication with LDAP (PAM)
  • 2. Coarse-grained authZ: memberOf the target machine, i.e. LDAP group name == hostname (PAM)
  • 3. Medium-grained authZ: memberOf at least one of the following (sudo):

– Admin: root access
– User: typical user access
– Auditor: read-only access to the entire machine

SLIDE 29

Three Types of Groups

  • 1. Machine Sets (used by the mediator)
  • 2. Machines (used by PAM)
  • 3. Security Roles (used by sudo)

SLIDE 30

  • m1set: m1001, m1002, m1003, …
  • m2set: m2010, m2020, m2030, …
  • m3set: m3100, m3200, m3300, …

  • 1. Machine Sets

Used by the mediator to compute policies

SLIDE 31

  • 2. Machines

Used by PAM

SLIDE 32

  • 3. Security Roles

Used by sudo

SLIDE 33

Policy Combiner

User, role and machine set

Security roles: admin, auditor, user

Machine sets:

  • m1set: m1001, m1002, m1003, …
  • m2set: m2010, m2020, m2030, …
  • m3set: m3100, m3200, m3300, …

The mediator can do this

SLIDE 34

Pick Two

SLIDE 35

Solution

SLIDE 36

Target System Architecture

SLIDE 37

Client-side Solution

Script run during machine instantiation:

  • 1. Configures PAM, sudo and NSS to use LDAP
  • 2. Calls the mediator to add the LDAP machine group
  • 3. Calls the mediator to recompute the LDAP groups

SLIDE 38

Server-side Solution

  • 1. MidPoint – mediator

– delegated admin, approvals, audit
– HTML & HTTP admin services

  • 2. PostgreSQL – master database

– users, roles, orgs, svcs

  • 3. OpenLDAP – security database

– users, groups
– posixAccount, posixGroup

SLIDE 39

High-level Solution Design

SLIDE 40

Detail Design

SLIDE 41

Data Models

  • 1. LDAP hierarchical database

– data used for the POSIX security access control

  • 2. midPoint relational database

– stores the master copy of all data used across all repositories

SLIDE 42

LDAP Data Model

Standard object schemas:

  • 1. RFC2307bis

– posixAccount
– posixGroup

  • 2. sudoRole

SLIDE 43

LDAP Data Model

Hierarchical

SLIDE 44

Use RFC2307bis LDAP Schema

SLIDE 45

Machine Set M1

dn: cn=m1set,ou=Groups,...
description: Machine Set 1
member: cn=m1001,...
member: cn=m1002,...
member: cn=m1003,...

SLIDE 46

Machine M1001

dn: cn=m1001,ou=Groups,…
objectClass: posixGroup
description: Machine Group M1001
member: uid=curly,ou=People,…
member: uid=frank,ou=People,…
member: uid=marla,ou=People,…

SLIDE 47

Security Role M1Admin

dn: cn=m1admin,ou=Groups,...
objectClass: posixGroup
description: Admin Machine Set 1
cn: m1admin
member: uid=curly,ou=People,...
member: uid=frank,ou=People,...
member: uid=marla,ou=People,...

SLIDE 48

sudo LDAP Schema

objectclass ( 1.3.6.1.4.1.15953.9.2.1
    NAME 'sudoRole'
    SUP top
    STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
          sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
          sudoOrder $ description ) )

SLIDE 49

sudo M1Admin

dn: cn=admin access to m1,ou=sudo,dc=example,dc=com
objectClass: sudoRole
cn: admin access to m1
sudoUser: %m1admin
sudoHost: m1001
sudoHost: m1002
sudoHost: m1003
sudoHost: m1004
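The three checks of slide 28 are what a host ends up evaluating against data shaped like slides 45–49. The following is an added example and not code from the deck, from Symas or from Evolveum: a small Python model of a directory snapshot plus what PAM (bind, then group-name-equals-hostname) and sudo (sudoRole with sudoUser/sudoHost/sudoCommand and the sudoNotBefore/sudoNotAfter window) decide for a given user, host and command. Only curly/frank/marla in m1001 and m1admin and the "admin access to m1" role follow the slides; the passwords, the {SSHA} scheme, moe, m2010, m2auditor, the auditor command list and the expiry date are constructed for the example.

```python
# Added example, not code from the deck: the three checks of slide 28 (PAM
# bind, PAM group == hostname, sudo role) evaluated against a constructed
# snapshot of the LDAP data shown on slides 45-49.
import base64
import hashlib
import hmac
from datetime import datetime, timezone


def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} userPassword: base64(sha1(password || salt) || salt).
    Shown because it is the legacy default; prefer a slower scheme in production."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


# Constructed snapshot. curly/frank/marla in m1001 and m1admin and the
# "admin access to m1" role follow the slides; everything else is invented.
PEOPLE = {  # uid -> userPassword
    "curly": ssha_hash("curly-pw", b"\x01\x02\x03\x04"),
    "moe": ssha_hash("moe-pw", b"\x05\x06\x07\x08"),
}
GROUPS = {  # posixGroup cn -> member uids; machine groups are named after the host
    "m1001": {"curly", "frank", "marla"},
    "m1admin": {"curly", "frank", "marla"},
    "m2010": {"moe"},
    "m2auditor": {"moe"},
}
SUDO_ROLES = [  # sudoRole entries, attribute names as in the sudo schema
    {"cn": "admin access to m1", "sudoUser": ["%m1admin"],
     "sudoHost": ["m1001", "m1002", "m1003"], "sudoCommand": ["ALL"]},
    {"cn": "auditor access to m2", "sudoUser": ["%m2auditor"],
     "sudoHost": ["m2010", "m2020", "m2030"],
     "sudoCommand": ["/bin/cat", "/usr/bin/less"],
     "sudoNotAfter": "20161231235959Z"},   # time-boxed grant (GeneralizedTime, UTC)
]
DEMO_NOW = datetime(2016, 11, 16, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2017, 1, 1, tzinfo=timezone.utc)


def authenticate(uid: str, password: str) -> bool:
    """Check 1: what succeeds or fails when PAM binds to LDAP as the user."""
    stored = PEOPLE.get(uid)
    return stored is not None and ssha_verify(password, stored)


def login_allowed(uid: str, host: str) -> bool:
    """Check 2: coarse-grained authZ, the user must be in the group whose cn is the hostname."""
    return uid in GROUPS.get(host, set())


def _matches_sudo_user(uid: str, spec: str) -> bool:
    if spec == "ALL":
        return True
    if spec.startswith("%"):      # %group: a Unix group, resolved through NSS to the posixGroup
        return uid in GROUPS.get(spec[1:], set())
    return spec == uid


def _generalized_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def sudo_allowed(uid: str, host: str, command: str, now: datetime) -> bool:
    """Check 3: medium-grained authZ through sudoRole. Exact command match only;
    real sudo also handles arguments, globs, negation ('!') and sudoOrder."""
    for role in SUDO_ROLES:
        if not any(_matches_sudo_user(uid, spec) for spec in role["sudoUser"]):
            continue
        if host not in role["sudoHost"] and "ALL" not in role["sudoHost"]:
            continue
        not_before, not_after = role.get("sudoNotBefore"), role.get("sudoNotAfter")
        if not_before and now < _generalized_time(not_before):
            continue
        if not_after and now > _generalized_time(not_after):
            continue
        commands = role.get("sudoCommand", [])   # no sudoCommand: the role grants nothing
        if "ALL" in commands or command in commands:
            return True
    return False


def evaluate(uid: str, password: str, host: str, command: str, now: datetime) -> dict:
    """Run the checks in the order the host does: bind, then login group, then sudo."""
    authn = authenticate(uid, password)
    login = authn and login_allowed(uid, host)
    sudo = login and sudo_allowed(uid, host, command, now)
    return {"authn": authn, "login": login, "sudo": sudo}
```

Two points worth noticing when reading the output: check 2 only works if NSS can resolve the hostname-named group from LDAP, so the same directory outage that breaks logins also fails closed rather than open; and the time window on a sudoRole is evaluated on the host, so a host with a skewed clock will honour an expired grant.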

SLIDE 50

MidPoint Data Model

Relational

SLIDE 51

Provisioning Overview

  • 1. Adding a new user in LDAP is propagated to the midPoint DB, and vice versa.
  • 2. Adding a new machine group as a member of a particular machine set group automatically adds the eligible users as members of that machine group.
  • 3. Assigning a role with a parameterized org to a user automatically adds the user to the associated machine and security groups in LDAP.

SLIDE 52

Data Mapping

Use midPoint parameterized roles

SLIDE 53

Midpoint (mediator)

SLIDE 54

Midpoint manages the LDAP groups

SLIDE 55

SLIDE 56

Users

SLIDE 57

OpenLDAP Resource

SLIDE 58

Use Cases

Manage a large cluster of machines for a technology company with 100 employees and 100,000 customers.

SLIDE 59

Overview

  • Many types of machines, but here we’ll be using Debian and Red Hat systems.
  • These deploy into the cloud of a well-known provider.
  • Must maintain strict control over who may access the machines, to verify compliance.

SLIDE 60

Use Case 1

Create a New Machine:

  • Assigns authorized users as members of the machine group
  • New machine uses the machine group in PAM
  • Uses the security roles in sudo

SLIDE 61

Use Case 2

Remove a Machine:

  • Deletes the Machine Group from LDAP

SLIDE 62

Use Case 3

Assigning a User to a Role:

  • Adds the user to the corresponding Security Role
  • Adds the user to the corresponding Machine Groups

SLIDE 63

Use Case 4

Deassigning a User from a Role:

  • Removes the user from the corresponding Security Role
  • Removes the user from the corresponding Machine Groups
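The four use cases above are all the same operation seen from different inputs: the mediator takes machine sets, machines and (user, role, machine set) assignments and derives the machine groups PAM reads and the security roles sudo reads, the "policy combiner" of slides 29–33. The following is an added example and not code from the deck or from midPoint: a minimal Python stand-in for that combiner. It keeps the deck's naming (m1set with roles admin/user/auditor gives groups m1admin, m1user, m1auditor); the auditor command list, the example suffix dc=example,dc=com and the decision to give the "user" role no sudoRole at all are assumptions, and the emitted group entries omit gidNumber as the slides do.

```python
# Added example, not code from the deck or from midPoint: a minimal stand-in
# for the mediator's policy combiner. Inputs are machine sets, machines and
# (user, role, machine set) assignments; outputs are the LDAP groups and
# sudoRole entries the hosts consume. Recomputed from scratch on every call.
from dataclasses import dataclass, field

ROLES = ("admin", "user", "auditor")
# Assumption: the commands "read-only access" grants an auditor through sudo.
AUDITOR_COMMANDS = ["/bin/cat", "/bin/ls", "/usr/bin/less", "/usr/bin/find"]
PEOPLE_BASE = "ou=People,dc=example,dc=com"   # suffix assumed; the deck elides it
GROUPS_BASE = "ou=Groups,dc=example,dc=com"


@dataclass
class Mediator:
    machine_sets: dict = field(default_factory=dict)  # set name -> {hostnames}
    assignments: set = field(default_factory=set)     # {(uid, role, set name)}

    # Inputs: the four use cases (create/remove machine, assign/deassign role).
    def add_machine(self, host: str, set_name: str) -> None:
        self.machine_sets.setdefault(set_name, set()).add(host)

    def remove_machine(self, host: str) -> None:
        for hosts in self.machine_sets.values():
            hosts.discard(host)

    def assign(self, uid: str, role: str, set_name: str) -> None:
        if role not in ROLES or set_name not in self.machine_sets:
            raise ValueError(f"unknown role or machine set: {role}/{set_name}")
        self.assignments.add((uid, role, set_name))

    def deassign(self, uid: str, role: str, set_name: str) -> None:
        self.assignments.discard((uid, role, set_name))

    # Derived state. Deriving from the assignments each time (instead of
    # patching group members incrementally) means that removing one of two
    # overlapping grants never strands or drops a membership by mistake.
    def role_groups(self) -> dict:
        """Security role groups: m1set + admin -> cn=m1admin (naming as on the slides)."""
        groups: dict = {}
        for uid, role, set_name in self.assignments:
            groups.setdefault(set_name.removesuffix("set") + role, set()).add(uid)
        return groups

    def machine_groups(self) -> dict:
        """Machine groups (cn == hostname, read by PAM): everyone holding any role on the set."""
        groups = {host: set() for hosts in self.machine_sets.values() for host in hosts}
        for uid, _role, set_name in self.assignments:
            for host in self.machine_sets[set_name]:
                groups[host].add(uid)
        return groups

    def sudo_roles(self) -> list:
        """sudoRole entries per set; 'user' gets none (typical, unprivileged access)."""
        roles = []
        for set_name in sorted(self.machine_sets):
            hosts = sorted(self.machine_sets[set_name])
            if not hosts:
                continue
            prefix = set_name.removesuffix("set")
            roles.append({"cn": f"admin access to {prefix}", "sudoUser": [f"%{prefix}admin"],
                          "sudoHost": hosts, "sudoCommand": ["ALL"]})
            roles.append({"cn": f"auditor access to {prefix}", "sudoUser": [f"%{prefix}auditor"],
                          "sudoHost": hosts, "sudoCommand": list(AUDITOR_COMMANDS)})
        return roles

    def to_ldif(self) -> str:
        """Group entries in the shape of slides 46-47 (gidNumber omitted there too)."""
        lines = []
        for cn, uids in sorted({**self.machine_groups(), **self.role_groups()}.items()):
            lines += [f"dn: cn={cn},{GROUPS_BASE}", "objectClass: posixGroup", f"cn: {cn}"]
            lines += [f"member: uid={uid},{PEOPLE_BASE}" for uid in sorted(uids)]
            lines.append("")
        return "\n".join(lines)
```

The case worth exercising is a user holding two roles on the same set: deassigning one of them must leave the machine-group membership in place, and only removing the last role may drop it. Recomputing the groups from the assignment table makes that property automatic; a mediator that adds and removes members incrementally has to reason about it explicitly.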

SLIDE 64

Machine Sets

Each machine resides in a single domain

SLIDE 65

Machines

SLIDE 66

Security Roles

SLIDE 67

SLIDE 68

Demo

  • 1. Assign Users to Roles / Machine Sets
  • 2. Deassign Users from Roles / Machine Sets
  • 3. Add New Machines
  • 4. Remove Machines

SLIDE 69

Demo: Role to Machine

Role       m1001 m1002 m1003 m2010 m2020 m2030 m3100 m3200 m3300
M1Admin      T     T     T
M1User       T     T     T
M1Auditor    T     T     T
M2Admin                        T     T     T
M2User                         T     T     T
M2Auditor                      T     T     T
M3Admin                                          T     T     T
M3User                                           T     T     T
M3Auditor                                        T     T     T

SLIDE 70

Demo: User to Role to Machine

Columns: m1001 m1002 m1003 (Set 1) | m2010 m2020 m2030 (Set 2) | m3100 m3200 m3300 (Set 3)

  • Curly – Admin on the three machines of Set 1
  • Moe – Auditor on the three machines of one set
  • Larry – User on the three machines of one set
SLIDE 71

Wrap-up