Addressing Security Concerns with WSO2 Governance Registry Policy Store
Page 1: Addressing Security Concerns with WSO2 Governance Registry Policy Store

Addressing Security Concerns with WSO2 Governance Registry as Policy Store

Arudsothy Sriragu (Senior Software Engineer, WSO2 Governance Registry)
& Eranda Sooriyabandara (Senior Software Engineer, WSO2 Governance Registry)

Page 2: Addressing Security Concerns with WSO2 Governance Registry Policy Store

About WSO2

•  Providing the only complete open source componentized cloud platform
   –  Dedicated to removing all the stumbling blocks to enterprise agility
   –  Enabling you to focus on business logic and business value

•  Recognized by leading analyst firms as visionaries and leaders
   –  Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
   –  Forrester places WSO2 in top 2 for API Management

•  Global corporation with offices in USA, UK & Sri Lanka
   –  200+ employees and growing

•  Business model of selling comprehensive support & maintenance for our products

Page 3: Addressing Security Concerns with WSO2 Governance Registry Policy Store

150+ globally positioned support customers

Page 4: Addressing Security Concerns with WSO2 Governance Registry Policy Store

Agenda

•  Understanding policy enforcement in a SOA environment
•  Why a typical SOA enterprise needs policy management
•  Some terminology used in policy enforcement
•  How WSO2 Identity Server acts as a XACML policy engine
•  Run-time policy vs design-time policy
•  Demo: a sample use case where WSO2 Governance Registry is used as the policy store
•  Q&A

Page 5: Addressing Security Concerns with WSO2 Governance Registry Policy Store

Understanding policy enforcement in a SOA environment

•  A typical service-oriented enterprise has three main kinds of objects in interaction: service consumers, services and resources.

•  How can a SOA environment control varying authorization levels depending on the consumer type, such as admin users, publisher-level users, subscriber-level users, login-level users, etc.?

•  To address this complexity, a SOA environment is forced to have various types of policies.

•  Applying policies to a SOA environment to control its activities during service consumption or service design is therefore called policy enforcement.

Page 6: Addressing Security Concerns with WSO2 Governance Registry Policy Store

Why a typical SOA enterprise needs policy management

•  To control the authorization level among the users accessing the services in any typical SOA environment.

•  Unauthorized access to the services must be prevented.

•  Quality of service should be managed by a service policy. Therefore a SOA enterprise needs a policy management system.

•  Giving access to the correct version of the service based on the consumer type; this can be managed by a versioning policy.

•  SOA enterprises need to enforce a policy on the content passed as payload, in terms of its encoding format.

Page 7: Addressing Security Concerns with WSO2 Governance Registry Policy Store

Some terminology used in policy enforcement

•  PEP - stands for policy enforcement point: the point where the incoming request is received, and where an authorization request is generated and sent over to the authorization engine.

•  PIP - stands for policy information point: it provides information about policy elements such as attribute values and their meaning, resource information used in the policy, and the environment in which the particular policy is to be evaluated.

•  PDP - stands for policy decision point: the authorization request sent by the PEP is evaluated here and a decision is made whether to authorize or not. This point is generally called the authorization engine, since it is the decision maker for the authorization request.

Page 8: Addressing Security Concerns with WSO2 Governance Registry Policy Store

Contd.

•  PAP - stands for policy administration point, where the policy is managed.

•  PRP - stands for policy retrieval point, where the policy is stored and retrieved by the authorization engine to evaluate against the incoming authorization request.

•  WSO2 IS can be used as a PAP, PIP and PDP.

•  WSO2 Governance Registry is used as the PRP.

•  WSO2 ESB can be used as the PEP.

Page 9: Addressing Security Concerns with WSO2 Governance Registry Policy Store

How WSO2 Identity Server acts as a XACML policy engine

•  WSO2 IS uses XACML policy based authorization. XACML stands for eXtensible Access Control Markup Language.

•  WSO2 IS has the capability to act as a XACML based authorization engine.

•  WSO2 IS makes the decision based on the policy relevant to the request; in other words, IS functions as the policy decision point.

•  WSO2 Identity Server (IS) makes its authorization decision based on a XACML request.

•  IS returns its authorization response to the policy enforcement point, stating what action is to be taken for the client request. The response will be to allow or deny the access.

Page 10: Addressing Security Concerns with WSO2 Governance Registry Policy Store

Run-time policy vs design-time policy

•  Design-time policies define the behavior of the service at design time, while run-time policies define the behavior of the service at run time.

•  Design-time policies are enforced during the period when the developer creates the services. For example, WS-Security is to be used as the security mechanism.

•  An example of a run-time policy would be "Only users with the admin role are allowed to update resource A between 10 and 12 o'clock." This policy is enforced and evaluated at service invocation.

Page 13: Addressing Security Concerns with WSO2 Governance Registry Policy Store

Demo

•  The client requests some resource via an ESB proxy service.

•  When the ESB receives the client request, the "entitlement mediator" [PEP] generates the XACML request and calls the WSO2 IS [PDP] "entitlement admin service" endpoint.

•  WSO2 IS retrieves the policy stored in the Governance Registry and evaluates the XACML request. WSO2 IS functions as the XACML engine.

•  Depending on the decision made by IS, the request is either processed further and the resource returned to the client, or returned with an unauthorized message.
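The demo flow above, together with the PEP/PIP/PDP/PRP roles from the terminology slides and the run-time rule "only the admin role may update resource A between 10 and 12 o'clock", as an added example. This is not WSO2 code: the policy format is a constructed, simplified XACML-like XML (not the real XACML schema or the entitlement service's wire format), the in-memory POLICY_STORE stands in for the Governance Registry, and the function names (pep_handle, pdp_evaluate, prp_retrieve, pip_environment) are hypothetical. The point it makes beyond the slides is that the PEP must fail closed: anything other than an explicit Permit, including a policy that cannot be retrieved, results in the unauthorized path.

```python
"""Toy PEP / PRP / PIP / PDP flow modelled on the demo (added example, not WSO2 code)."""
import xml.etree.ElementTree as ET
from datetime import time

# Constructed policy for the run-time rule from the slides: only the admin role
# may update resource A between 10:00 and 12:00.  Rules are combined
# first-applicable, so the trailing Rule with no Match acts as a default deny.
# (Simplified XACML-like XML, not the real XACML schema.)
POLICY_XML = """
<Policy PolicyId="resource-a-update" RuleCombiningAlgId="first-applicable">
  <Rule RuleId="admin-window" Effect="Permit">
    <Match attribute="resource-id" value="A"/>
    <Match attribute="action-id" value="update"/>
    <Match attribute="role" value="admin"/>
    <Match attribute="time-window" value="10:00-12:00"/>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>
"""

# PRP: in-memory policy store keyed by policy id (stands in for the registry).
POLICY_STORE = {"resource-a-update": POLICY_XML}
# Constructed resources served by the hypothetical proxy service.
RESOURCES = {"A": "contents of resource A"}


def prp_retrieve(policy_id):
    """Policy retrieval point: fetch and parse the stored policy (KeyError if absent)."""
    return ET.fromstring(POLICY_STORE[policy_id])


def pip_environment(now):
    """Policy information point: supply the environment attribute the request
    lacks, here only the evaluation clock given as an 'HH:MM' string."""
    return {"current-time": time.fromisoformat(now)}


def _match(match, attrs):
    """Evaluate one <Match>; 'time-window' is a half-open range on the PIP clock."""
    name, value = match.get("attribute"), match.get("value")
    if name == "time-window":
        start, end = (time.fromisoformat(t) for t in value.split("-"))
        return start <= attrs["current-time"] < end
    return attrs.get(name) == value


def pdp_evaluate(policy, attrs):
    """Policy decision point, first-applicable combining: return the Effect of
    the first rule whose Match elements all hold.  A rule without Match
    elements always applies.  Returns 'Permit', 'Deny' or 'NotApplicable'."""
    for rule in policy.findall("Rule"):
        if all(_match(m, attrs) for m in rule.findall("Match")):
            return rule.get("Effect")
    return "NotApplicable"


def pep_handle(role, resource_id, action, now, policy_id="resource-a-update"):
    """Policy enforcement point (the entitlement mediator's job): build the
    authorization request, obtain a decision and enforce it.  Anything other
    than an explicit Permit, including a policy missing from the PRP, is
    treated as unauthorized (fail closed)."""
    request = {"role": role, "resource-id": resource_id, "action-id": action}
    request.update(pip_environment(now))
    try:
        decision = pdp_evaluate(prp_retrieve(policy_id), request)
    except KeyError:  # policy not found in the PRP
        decision = "Indeterminate"
    if decision == "Permit":
        return "ok", RESOURCES[resource_id]
    return "unauthorized", decision


if __name__ == "__main__":
    for who, when in (("admin", "11:00"), ("admin", "13:00"), ("subscriber", "11:00")):
        print(who, when, "->", pep_handle(who, "A", "update", when))
```

In the real deployment the same three steps are split across products: the ESB's entitlement mediator plays pep_handle, the Identity Server plays pdp_evaluate and pip_environment, and the Governance Registry plays prp_retrieve; the fail-closed branch is the part worth checking in any such setup, since an unreachable policy store must not turn into an implicit allow.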

Page 14: Addressing Security Concerns with WSO2 Governance Registry Policy Store

References

•  http://wso2.com/library/articles/2011/08/finegrained-authorization-restful-services-xacml
•  http://wso2.com/library/articles/2011/10/understanding-xacml-policy-language-xacml-extended-assertion-markup-langue-part-1
•  http://blog.facilelogin.com/2009/06/guide-to-write-xacml-policies-in-wso2.html
•  http://hasini-gunasinghe.blogspot.com/2011/12/entitlement-service-xacml-pdp-as-web.html
•  http://blog.facilelogin.com/2009/05/identity-server-20-as-xacml-engine.html

Page 15: Addressing Security Concerns with WSO2 Governance Registry Policy Store

Questions and Answers


Page 16: Addressing Security Concerns with WSO2 Governance Registry Policy Store

Engage with WSO2

•  Helping you get the most out of your deployments
•  From project evaluation and inception to development and going into production, WSO2 is your partner in ensuring 100% project success
