RE: Is this topic dead?
P.V.McMahon@rea0803.wins.icl.co.uk Wed, 13 July 1994 12:24 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa01482; 13 Jul 94 8:24 EDT
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa01478; 13 Jul 94 8:24 EDT
Received: from venera.isi.edu by CNRI.Reston.VA.US id aa04530; 13 Jul 94 8:22 EDT
Received: from relay1.pipex.net by venera.isi.edu (5.65c/5.61+local-14) id <AA24022>; Wed, 13 Jul 1994 04:48:39 -0700
X400-Received: by mta relay1.pipex.net in /PRMD=pipex/ADMD=pipex/C=gb/; Relayed; Wed, 13 Jul 1994 02:32:40 +0100
X400-Received: by /PRMD=icl/ADMD=gold 400/C=GB/; converted (ia5 text (2)); Relayed; Wed, 13 Jul 1994 02:31:18 +0100
Date: Wed, 13 Jul 1994 02:31:18 +0100
X400-Originator: P.V.McMahon@rea0803.wins.icl.co.uk
X400-Recipients: non-disclosure:;
X400-Mts-Identifier: [/PRMD=icl/ADMD=gold 400/C=GB/;rea0803 0000016300010321]
Original-Encoded-Information-Types: undefined (0)
X400-Content-Type: P2-1984 (2)
Content-Identifier: 10321
Priority: Urgent
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: P.V.McMahon@rea0803.wins.icl.co.uk
Message-Id: <"10321*/I=PV/S=McMahon/OU=rea0803/O=icl/PRMD=icl/ADMD=gold 400/C=GB/"@MHS>
To: Pope@secstan.demon.co.uk
Cc: ietf-aac@isi.edu
In-Reply-To: <65@secstan.demon.co.uk>
Subject: RE: Is this topic dead?
Nick, > Has there been any interest in progressing the proposed API? Has > anyone produced any proposals? Or is this activity likely to drop into > oblivion. I think that there is interest, but other work items have higher priority ... The official status (from the SAAG minutes): * wi029: Authorization and Access Control WG (Updated 04/94) The authorization and access control draft that exists will be revised and get a final working group review in Toronto before being submitted for publication as an informational document. At that time the charter of this working group will be revised. > If there are any proposed API specifications can someone give me a FTP > reference. See the Houston minutes which summarise discussions to date. These were posted to the list and are available on-line and in the proceedings I have been looking at this area in the context of another project. I was holding off posting until I had an implementation which was suitable for wider distribution, however since you asked I would be interested in any comments you (or others) have on the following Piers --- ACCESS DECISION FUNCTION 23MAY94 pvm 1. Summary In support of the goal of a generic access decision function interface, this paper discusses related work in XDSF (POSIX.22), POSIX.6, and DCE, and then proposes a portability model (as considered in IETF AAC). 2. References The following are referenced by this paper: [POSIX.6] Protection, Audit, and Control Interfaces P1003.1e, draft 14, MAR94 [DCE-ACL] DCE RFC 46, OCT93 [XDSF V3] XDSF Version 3 -- P1003.22 D3 [ISO-AC] ISO Access Control Framework [Ex-GSS] An Extended Generic Security Service API, Ses/Paper/010, Issue 5, 25JAN94 3. XDSF XDSF section 4.3 defines a model for access control based on the ISO access control framework. A number of services are identified, namely: * Access decision function - Decide Access (based on initiator, target, and required action) * Management Services - Install ACI - Modify ACI - Revoke ACI - List ACI - Disable Component (i.e. ADF) - Re-enable Component (i.e. ADF) * Other Operational Services - Acquire Initiator ADI - Acquire Target ADI - Generate Data ADI - Generate Action ADI - Revoke ADI - Verify Action ADI - Get Contextual Information - Bind Initiator ADI - Retrieve Initiator ADI The "other operational services" are given in abstract terms, and while some of likely to be of concern to application developers, others are of concern to mechanism-providers. It would be helpful to develop the operational model more completely. 4. POSIX.6 POSIX.6 defines an ACL (access control list) facility for POSIX.1 files which serves to extend the existing POSIX.1 discretionary access control. The draft standard defines - basic concepts: + ACL semantics (though not the internal respresentation), + ACLEs (i.e.: ACL entries) + ACLE tag type, and the standard POSIX.6 types (ACL_USER, ACL_GROUP, ACL_GROUP_OBJ, ACL_USER, ACL_USER_OBJ, ACL_OTHER_OBJ) + ACLE qualifier, and its definition for ACL_USER and ACL_GROUP + [ACLE] permission set - the algorithm for evaluating ACLs, - rules and functions for the association of ACLs with objects, - functions for manipulating ACLs, and - functions for ACL import/export in text and (implementation- defined) binary format. POSIX.6 functions are defined to: - manage the ACL working storage area - manipulate ACLEs - manipulate fields within ACL entries - read/write an ACL on an object - translate an ACL into different formats POSIX.6 functions to manage the ACL working storage area - acl_dup duplicate ACL data object - acl_free release ACL memory data object - acl_init allocate/initialise ACL data object POSIX.6 functions to manipulate ACL entries - acl_copy_entry copies between ACLEs - acl_create_entry create ACLE - acl_delete_entry delete ACLE - acl_first_entry goto 1st ACLE (start of ACL staorage area) - acl_get_entry get ACLE descriptor - acl_valid report duplicate, missing, ill-formed ACLEs POSIX.6 functions to manipulate fields in an ACL entries - acl_add_perm add permission to permission set - acl_calc_mask initialise ACL_MASK ACLE - acl_check_perm check permission in permission set - acl_clear_perm check all permissions in permission set - acl_delete_perm delete a permissions in permission set - acl_get_qualifier get ACLE qualifier - acl_get_tag_type get ACLE tag type - acl_acl_set_permset get ACLE permission set - acl_set_qualifier set ACLE qualifier - acl_set_tag_type set ACLE tag type POSIX.6 functions to read/write an ACL on an object - acl_delete_def_fd delete default ACL asscciated with fd - acl_delete_def_file delete default ACL associated with file - acl_get_fd get ACL associated with fd - acl_get_file get ACL associated with file - acl_set_fd set ACL assciated with fd - acl_set_file set ACL associated with file POSIX.6 functions to translate an ACL into different formats - acl_copy_ext export ACL in implementation-defined format - acl_copy_int import ACL in implementation-defined format - acl_from_text import ACL in text format - acl_size size implementation-defined format - acl_to_text export ACL in text format 5. DCE DCE 1.0 currently provides an example authorisation facility which is intended to be supplanted in DCE 1.1 by a standard DCE ACL library which includes backing store. DCE 1.0 (and, it is expected, DCE 1.1) implements a generalisation of the POSIX.6 ACL model such that POSIX.6 concepts and POSIX.6 D12 ACL evaluation semantics are followed, but POSIX.6 functions aren't supported. Unlike POSIX.6 (which defines ACLs for POSIX.1 files), DCE defines a set of ACL types for use within DCE, and enables applications to invent their own types (and the different associated "ACL Managers"). However, this means that applications must maintain the link between application objects and ACLs. Like POSIX.6, DCE defines a set of ACLE types (effectively a superset of POSIX.6). DCE ACLEs, again like POSIX.6, contain a type (like the .6 qualifier), type-specific data, and a permission set. The APIs intended to be supported by DCE1.1 are: - dce_acl_register_object_type called to register ACL type - dce_acl_is_client_authorised decide access based on ACL and permissions - dce_acl_inq_client_permissions get initiator permissions - dce_acl_inq_permset_for_PAC get POSIX subset of above - dce_acl_inq_client_pac get (DCE1.0) PAC - dce_acl_obj_create create ACL - dce_acl_obj_free free ACL - dce_acl_obj_add_user_entry add ACLE for user - dce_acl_obj_add_group_entry add ACLE for group - dce_acl_obj_add_id_entry add ACLE for other id - dce_acl_obj_add_unauth_entry add "unauthenticated" ACLE - dce_acl_obj_add_obj_entry add general ACLE - dce_acl_obj_add_foreign_entry add "foreign" ACLE In order to enable the ACL manager to get the ACL associated with an object, each application developer must use a default "resolver" function, or specify its own 6. General Portability Model For maximum applicability, an authorisation facility and the associated interfaces should be able to work in a number of different distributed environments. The mechanism for retrieval of the client's ADI and its representation may, and in practice do, differ between mechanisms such as: - Kerberos - DCE - X.500 - Netware - NT/Cairo - SESAME - TMACH (see Ex-GSS for an overview of these mechanisms) Furthermore, a model is needed which allows for existing distributed applications to use authorisation services independent of how the acquisition of client ADI is achieved such that application logic is unaffected by migration towards distribited systems. Given that applications may implement complex access control mechanisms, it is important to separate out generic ADF functions from applications-specific ones. The following figure identifies the main interfaces associated with general model for software access decision functionality: +----------------------+----------------------+ +-----------------+ | | | | | | Application Service | Application Resource | | Application | | Instance | Access | | Resource | | Initialisation | | | Management | | | | | (including | | | | | possible app- | | | | | specific ADF) | | | | | | +----------------------+----------------------+ +-----------------+ | | | | | | | 2 V 4 V | ========================== ===================== | | | | | | | Access Decision | | ADF SMIB | | | Function (ADF) | | | | | | | | | +----------------------+ +-----------------+ | | | | 1 V 3 V ==================....========================== | | | | | Secure | | Client ADI Retrieval | | Association | | | | | | | +--------------+......+----------------------+ The proposed interfaces are as follows: 1. Secure association The could be implicit for simple applications, or GSS-API (etc) for distributed applications, or an equivalent store-and-forward security API for messaging applications. 2. Access decision function A general interface is needed, this could be of the form developed by the AAC WG: check-authorisation [OUT] output, - boolean or application- specific response [IN] security context, - reference to authentication context (if not defaulted) [IN] target, - objectname with namespace specified in control- parameters [IN] operation, - requested permission (subject to namespace in control parameters) [IN] control-parameters - where control-parameters indicates the name-space and form of the other arguments 3. Attribute retrieval API Insulates whether attributes are obtained from a PAC, local file, or directory. Possibly gss_get_attributes from Ex-GSS. 4. Management API Interface to the ADF SMIB. While different name-spaces can be supported, the complete portability of the above interfaces are dependent on a naming convention being agreed (perhaps based on XFN) which insulates applications from the naming used by specific distributed environments. 7. Conclusions Its is proposed that the following follow-on activities are required: (1) XDSF improvements The XDSF model needs some additional material to: * separate out services of concern to application developers and mechanism providers * provide concrete examples for services identified, in particular the operational services identifier (2) Portability Model Definition of a complete mechanism-independent authorisation facility portability model which takes the best of DCE and POSIX, but doesn't preclude applicability to other environments such as existing application servers, X.500 DSA implementations, and Netware NDS. Section 6, above, is suggested as a starting point with the next steps being: - refinement of specification to a set of C bindings for interfaces 2 and 4 above - agreement of external ACL format - agreement of attribute types and syntaxes (and a registration procedure for new ones) - implementations for stand-alone systems (using either password or Kerberos authentication mechanisms), and distributed authorisation systems (such as DCE, Restricted Proxies, SESAME) ------------------------------------------------------- P V McMahon 23MAY94 ICL Enterprises post: Kings House, 33 Kings Road, Reading, RG1 3PX, UK email: p.v.mcmahon@rea0803.wins.icl.co.uk OR p.mcmahon@xopen.co.uk phone: +44 734 634882 fax: +44 734 855106 -------------------------------------------------------
- Is this topic dead? Nick Pope
- Is this topic dead? Clifford Neuman
- RE: Is this topic dead? P.V.McMahon
- RE: Is this topic dead? Rich Salz