describe the policy load files
shawnmckinney committed Apr 24, 2019
1 parent 9111ce1 commit ec935c546c50f448d4068f55a884631134228de7
Showing 2 changed files with 80 additions and 35 deletions.
@@ -28,6 +28,7 @@
* SECTION 4. Test
* SECTION 5. Table with External Config Switches
* SECTION 6. Sample Config
* SECTION 7. Integration Test with Fortress Core

___________________________________________________________________________________
## Document Overview
@@ -39,9 +40,11 @@ This document contains instructions to deploy a pre-built Apache Fortress Rest w

Minimum software requirements:
* Apache Tomcat7++
* Completed either section in Apache Fortress Core Quickstart:
* Completed integration tests in one of the Apache Fortress Core Quickstarts:
* *SECTION 3. Apache Fortress Core Integration Test* in [README-QUICKSTART-SLAPD.md](https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-SLAPD.md)
* *SECTION 4. Apache Fortress Core Integration Test* in [README-QUICKSTART-APACHEDS.md](https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-APACHEDS.md)
* *SECTION 3. Apache Fortress Core Integration Test* in [README-QUICKSTART-DOCKER-SLAPD.md](https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-DOCKER-SLAPD.md)
* *SECTION 3. Apache Fortress Core Integration Test* in [README-QUICKSTART-DOCKER-APACHEDS.md](https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-DOCKER-APACHEDS.md)

___________________________________________________________________________________
## SECTION 2. Configure Tomcat and Deploy Fortress Rest
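Review bot: "Apache Tomcat7++" is ambiguous as a version requirement; write "Apache Tomcat 7 or later". The four quickstart links added here should be nested under the "Completed integration tests in one of the Apache Fortress Core Quickstarts:" item rather than appearing as sibling bullets of the Tomcat line, and since a completed integration test is not software, the list title "Minimum software requirements" no longer fits; "Prerequisites" would cover both.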
@@ -86,26 +89,23 @@ Set the java system properties in tomcat with the target ldap server's coordinat
___________________________________________________________________________________
## SECTION 3. Load Sample Security Policy

From the fortress core package perform the following steps:

1. Download the load file from git:

```
wget https://github.com/apache/directory-fortress-enmasse/blob/master/src/main/resources/FortressRestServerPolicy.xml -P ldap/setup
1. From the project folder, run maven install to Apache Fortress RBAC security policy for Rest server:
```maven
mvn install -Dload.file=src/main/resources/FortressRestServerPolicy.xml
```

2. Run maven install with load file:
* This step creates test user, roles, needed for tests to be successfully run.

```
mvn install -Dload.file=ldap/setup/FortressRestServerPolicy.xml
2. Optional, load a sample security policy for ARBAC.
```maven
mvn install -Dload.file=src/main/resources/FortressRestArbacSamplePolicy.xml
```

Note: This step must be completed before tests can be successfully run.

* See [README-SECURITY-MODEL](./README-SECURITY-MODEL.md)
___________________________________________________________________________________
## SECTION 4. Test

1. Smoke test:
1. Smoke test a few services:

```
mvn test -Dtest=EmTest
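Review bot: the new step 1 sentence is missing its verb: "run maven install to Apache Fortress RBAC security policy" should read "run maven install to load the Apache Fortress RBAC security policy". The retained line "Note: This step must be completed before tests can be successfully run." now sits directly below the optional ARBAC step 2 and reads as if it applied to that step; move it under step 1 or say "Step 1 must be completed before...". Also "Optional, load a sample security policy" should be "Optional: load a sample security policy", and the fence tag `maven` is not a highlighter name; use `bash` or leave the fence untagged like the others in this file.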
@@ -183,5 +183,50 @@ JAVA_OPTS=" -Dversion=2.0.4-SNAPSHOT \
-Dfortress.trust.store.password=changeit \
-Dfortress.trust.store.onclasspath=false
```
___________________________________________________________________________________
## SECTION 7. Integration Test with Fortress Core

These tests will use Apache Fortress Core test programs to drive the Apache Fortress Rest services.
See *SECTION 1. Prerequisites* of this document for more info on how to prepare a test env.

1. Point your Apache Fortress Core test env to Apache Fortress REST runtime.

* Add these properties to slapd.properties or build.properties file:

```
enable.mgr.impl.rest=true
# This user account is added automatically during deployment of fortress-rest via -Dload.file=./src/main/resources/FortressRestServerPolicy.xml:
http.user=demouser4
http.pw=password
http.host=localhost
http.port=8080
http.protocol=http
```

2. Next, from **FORTRESS_CORE_HOME** enter the following command:

```
mvn install
```

* This will update the fortress.properties with the settings in the build and slapd.prooperties.

3. Now run the integration tests:

```
mvn -Dtest=FortressJUnitTest test
```

* If everything was setup correctly the Apache Fortress Core tests will drive the tests via Apache Fortress Rest calls.

4. Next, from **FORTRESS_CORE_HOME** enter the following command:

```
mvn test -Pconsole
```

* Console operations will now run through Apache Fortress Rest.

#### END OF README-QUICKSTART
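Review bot: typo "slapd.prooperties" in the bullet under step 2, and "was setup" should be "was set up" under step 3. Steps 2 and 4 open with the identical sentence "Next, from **FORTRESS_CORE_HOME** enter the following command"; step 4 should state up front that it runs the console tests. The properties block places a password in `http.pw` and sends it with `http.protocol=http`; since the trust-store settings shown just above this hunk indicate the REST server supports TLS, a short line saying these values are for the local test environment only, and that any non-test setup should use https, would stop readers copying them as-is.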
@@ -24,13 +24,13 @@ ________________________________________________________________________________

* Document Overview
* Understand the security model of Apache Fortress Rest
* 1. TLS
* 2. Java EE security
* 3. Apache CXF's **SimpleAuthorizingInterceptor**
* 4. Apache Fortress **ARBAC02 Checks**
* 5. Java EE security and Apache CXF SimpleAuthorizingInterceptor policy load
* 6. ARBAC policy load
* 7. The list of Services that enforce ARBAC02
* SECTION 1. TLS
* SECTION 2. Java EE security
* SECTION 3. Apache CXF's **SimpleAuthorizingInterceptor**
* SECTION 4. Apache Fortress **ARBAC Checks**
* SECTION 5. Java EE security and Apache CXF SimpleAuthorizingInterceptor policy load
* SECTION 6. ARBAC policy load
* SECTION 7. The list of Services that enforce ARBAC02
___________________________________________________________________________________

## Document Overview
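Review bot: the TOC entries are renamed to "SECTION n." here, but the headings they point at in the later hunks of this same file still read "## 4.", "## 6." and "## 7."; either rename the headings to match or keep the numbered entries. TOC item 7 also still says "ARBAC02" while the corresponding heading in the last hunk of this commit is renamed to "ARBAC".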
@@ -73,32 +73,32 @@ This policy enforcement mechanism maps RBAC roles to a given set of services. T
| Config Manager | true | false | false | false | false | false | false | false | false | true |

___________________________________________________________________________________
## 4. Apache Fortress **ARBAC02 Checks**
## 4. Apache Fortress **ARBAC Checks**

Disabled by default. To enable, add this to fortress.properties file and restart instance:
The Apache Fortress Administrative Role-Based Access Control (ARBAC) subsystem handles delegating administrative tasks to special users.
Disabled in Apache Fortress REST by default, to enable, add the following declaration to the fortress.properties:

```concept
# Boolean value. Disabled by default. If this is set to true, the runtime will enforce administrative permissions and ARBAC02 DA checks:
is.arbac02=true
```
is.arbac02=true
```

The ARBAC checks when enabled, include the following:
The ARBAC checks once enabled, perform the following additional security checks:

a. All service invocations, except AccessMgr and DelAccessMgr, perform an ADMIN permission check automatically corresponding with the exact service/API being called.
a. All service invocations, except for AccessMgr and DelAccessMgr, perform an ADMIN permission check automatically corresponding with the exact service/API being called.

For example, the permission with an objectName: **org.apache.directory.fortress.core.impl.AdminMgrImpl** and operation name: **addUser** is automatically checked
during the call to the **userAdd** service.

This means at least one ADMIN role must be activated for the user calling the service that has been granted the required permission.
The entire list of permissions, and their mappings to services are listed in the table that follows.

b. Some services (#'s 1 - 12 listed below) perform organizational verification, comparing the org on the ADMIN role with that on the target user or permission in the HTTP request.
b. Some services (#'s 1 - 12 in ARBAC table below) perform organizational verification, comparing the org on the ADMIN role with that on the target user or permission in the HTTP request.
There are two types of organizations being checked, User and Permission.

For example, **roleAsgn** and **roleDeasgn** (9 and 10 below) will verify that the caller has an ADMIN role with a user org unit that matches the ou of the target user.
For example, **roleAsgn** and **roleDeasgn** (9 and 10 in ARBAC table) will verify that the caller has an ADMIN role with a user org unit that matches the ou of the target user.
There is a similar check on **roleGrant** and **roleRevoke** (11 and 12) verifying the caller has an activated ADMIN role with a perm org unit that matches the ou on the target permission.

c. Some services (#'s 9,10,11,12) perform a range check on the target RBAC role to verify user has matching ADMIN role with authority to assign to user or grant to permission.
c. Some services (#'s 9,10,11,12 in ARBAC table) perform a range check on the target RBAC role to verify user has matching ADMIN role with authority to assign to user or grant to permission.
The Apache Fortress REST **roleAsgn**, **roleDeasgn**, **roleGrant** and **roleRevoke** services will enforce ADMIN authority over the particular RBAC role that is being targeted in the HTTP request.
These checks are based on a (hierarchical) range of roles, for which the target role must fall inside.

@@ -161,12 +161,12 @@ c. Some services (#'s 9,10,11,12) perform a range check on the target RBAC role
## 6. ARBAC policy load

a. The ARBAC policies are enforced when the following property is present in runtime *fortress.properties*:
```concept
```
# Boolean value. Disabled by default. If this is set to true, the runtime will enforce administrative permissions and ARBAC02 DA checks:
is.arbac02=true
```

b. The policy load file in this section Creates an ADMIN Role named: *fortress-rest-admin*, and associates with (Test) Perm and User OU's:
b. The policy load file in this section Creates an ADMIN Role named: *fortress-rest-admin*, and associates with (Test) Perm and User OUs:

```
PermOUs="APP0,APP1,APP2,APP3,APP4,APP5,APP6,APP7,APP8,APP9,APP10,
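Review bot: "Creates" is capitalized mid-sentence and "associates with" has no object; suggest "creates an ADMIN role named *fortress-rest-admin* and associates it with the (test) Perm and User OUs:".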
@@ -176,7 +176,7 @@ PermOUs="APP0,APP1,APP2,APP3,APP4,APP5,APP6,APP7,APP8,APP9,APP10,
oamT4POrg4,oamT4POrg5,oamT4POrg6,oamT4POrg7,oamT4POrg8,
oamT4POrg9,T5POrg1,T5POrg2,T5POrg3,T5POrg4,T5POrg5,T6POrg1,
T6POrg2,T6POrg3,T6POrg4,T6POrg5,T6POrg6,T6POrg7,T7POrg1,T7POrg2,
T7POrg3,T7POrg4,T7POrg5,T7POrg6,T7POrg7,"
T7POrg3,T7POrg4,T7POrg5,T7POrg6,T7POrg7"
UserOUs="DEV0,DEV1,DEV2,DEV3,DEV4,DEV5,DEV6,DEV7,DEV8,DEV9,DEV10,
oamT1UOrg1,oamT1UOrg10,oamT1UOrg2,oamT1UOrg3,oamT1UOrg4,
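Review bot: dropping the trailing comma at the end of the PermOUs value is the right fix, since it would otherwise leave an empty trailing element in the comma-separated list; the UserOUs value that begins at the bottom of this hunk should be checked for the same trailing comma, as its end lies outside the hunk.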
@@ -206,9 +206,9 @@ UserOUs="DEV0,DEV1,DEV2,DEV3,DEV4,DEV5,DEV6,DEV7,DEV8,DEV9,DEV10,
mvn install -Dload.file=src/main/resources/FortressRestArbacSamplePolicy.xml
```

e. Now demoUser4 may execute every service and pass the ARBAC checks corresponding with the test data inside of Apache Fortress Core's integration test suite.
e. Now *demoUser4* may invoke every service in the subsystem and pass all of the ARBAC checks corresponding with the test data inside of Apache Fortress Core's integration test suite.

## 7. The list of Services that enforce ARBAC02 checking.
## 7. The list of Services that enforce ARBAC checking.

| # | **Services** | UserOU Check | PermOU Check | Role Range Check | **ADMIN Permissions** |
| --- | ------------------------------ | ------------ | ------------ | ---------------- | ------------------------------------------------------------------------------------------------- |
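Review bot: this heading is renamed to "ARBAC" but the TOC entry for item 7 earlier in this file still reads "ARBAC02", and this heading, unlike the others in the file, ends with a period. In the table header, "**Services**" and "**ADMIN Permissions**" are bolded while the other column headers are not; header cells already render bold in most markdown renderers, so drop the asterisks for consistency.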
