IETF Logo Mail Archive

Re: [Ace] attribute based access control

Randy Turner <rturner@amalfisystems.com> Thu, 26 January 2017 22:58 UTC

Return-Path: <rturner@amalfisystems.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 420DC129C4D for <ace@ietfa.amsl.com>; Thu, 26 Jan 2017 14:58:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.282
X-Spam-Level:
X-Spam-Status: No, score=-1.282 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_12_24=1.049, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.156, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j740VnG-PVbQ for <ace@ietfa.amsl.com>; Thu, 26 Jan 2017 14:58:13 -0800 (PST)
Received: from atl4mhob23.registeredsite.com (atl4mhob23.registeredsite.com [209.17.115.117]) by ietfa.amsl.com (Postfix) with ESMTP id 7B950129C49 for <ace@ietf.org>; Thu, 26 Jan 2017 14:58:13 -0800 (PST)
Received: from mailpod.hostingplatform.com ([10.30.71.204]) by atl4mhob23.registeredsite.com (8.14.4/8.14.4) with ESMTP id v0QMwBfC033302 for <ace@ietf.org>; Thu, 26 Jan 2017 17:58:11 -0500
Received: (qmail 13742 invoked by uid 0); 26 Jan 2017 22:58:11 -0000
X-TCPREMOTEIP: 73.207.234.73
X-Authenticated-UID: rturner@amalfisystems.com
Received: from unknown (HELO ?10.0.1.32?) (rturner@amalfisystems.com@73.207.234.73) by 0 with ESMTPA; 26 Jan 2017 22:58:11 -0000
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Content-Type: text/html; charset="utf-8"
X-Apple-Auto-Saved: 1
X-Apple-Mail-Remote-Attachments: YES
From: Randy Turner <rturner@amalfisystems.com>
X-Apple-Base-Url: x-msg://12/
In-Reply-To: <c58054c0-8e4f-8c3b-82f3-157c9dccbf89@sics.se>
X-Apple-Windows-Friendly: 1
Date: Thu, 26 Jan 2017 02:11:24 -0500
X-Apple-Mail-Signature: SKIP_SIGNATURE
Content-Transfer-Encoding: quoted-printable
Message-Id: <3A173362-507B-42BA-8B49-4FE3FADB2404@amalfisystems.com>
References: <EF55666E-29B1-4AB8-9C54-3A2E5DF73146@amalfisystems.com> <c58054c0-8e4f-8c3b-82f3-157c9dccbf89@sics.se>
X-Uniform-Type-Identifier: com.apple.mail-draft
To: Ludwig Seitz <ludwig@sics.se>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/3euy9gSrEgkjEq8UQ1MmNBG-UCc>
Cc: ace@ietf.org
Subject: Re: [Ace] attribute based access control
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2017 22:58:15 -0000

Hi Ludwig,

Apologies for getting back to you so late on your ABAC-related email reply — your approach sounds very similar to what we were thinking - originally, we were looking at CBOR-encoded JSON that represented an equivalent XACML authorization request.  However, we are also exploring ACE credentials grant flows as well, interpreting one or more token fields in our own way. 

I think an ABAC form of ACE would be a popular use-case going forward, and I was thinking an ABAC profile of ACE could be a “normative” thing, instead of an informational appendix or other example text.  This would allow my client to work with your AS, and other potential interoperable scenarios.  At the moment, our interpretation of how to do this would be a proprietary use of the token fields.

I looked at the ACE document collection and I’m not sure I see a document wherein a normative profile of a credentials grant for ABAC would fit.  Do you think an ABAC profile of ACE should be spec’d as a standards track document ?

Thanks!
Randy


On Dec 16, 2016, at 3:47 AM, Ludwig Seitz <ludwig@sics.se> wrote:

On 2016-12-16 07:28, Randy Turner wrote:
HI,

I was looking at draft-ietf-ace-oauth-authz-04, specifically the
client-to-AS section — I am trying to determine if it is possible to
use this OAUTH-based model to implement attribute-based authorization
(ABAC). The client-to-AS section of this draft refers the reader to
section 4 of RFC 6749, which provides a “client-id” (good) and a
“scope” to include in an authorization request.


In addition, it looks like the ACE draft adds to this the “aud” and
“cnf” parameters.

I’m trying to map this client-to-AS request to a traditional ABAC
authorization request which asks the question “Identity <A> wants to
perform action <B> on resource <C>” … is this allowed ?  (allow/deny
response)

In one of the ACE draft examples, it uses the “aud” field to include
the name of a sensor “tempSensor4711”  - this could be the “resource”
of the ABAC request, and the “client ID” (RFC 6749) could be the
“identity”

I’m missing the type of operation or “action” that the client is
trying to perform on a resource (“read”, “write”, “something else,
hopefully extensible”) — would this be the “scope” parameter ?

I did see section 8.2 of the draft where it discusses a registry of
parameters which might allow additional parameters to a client-to-AS
request, but I was looking for a way to do ABAC without having to
register anything.

I’m specifically asking about obtaining an access token to be used
later by a client accessing the actual resource.

Has anyone tried combining draft-ietf-ace-oauth-authz-04 with ABAC
systems ?

Yes I have. My approach is the following:

I use the OAuth client credentials grant flow to request an access token, and then I use an XACML engine internally on the AS to decide on access token requests base on the client's credentials and the "scope" and "aud" parameters of the access token request.

When it comes to extracting an action and a resource from an access token request, my understanding is that the scope parameter actually gives you both in an application specific way.

If you look at the examples of how scope is used in https://www.brandur.org/oauth-scope" class="" rel="nofollow">https://www.brandur.org/oauth-scope you can see that e.g. LinkedIn uses some kind of capability-like format for their scope parameters (r_basicprofile r_emailaddress rw_groups w_messages). Thus you could extract the action and the resource from scope with an application specific processing module.

You could also have a look at
https://tools.ietf.org/html/draft-bormann-core-ace-aif-03" class="" rel="nofollow">https://tools.ietf.org/html/draft-bormann-core-ace-aif-03
which defines a CoAP specific capability format. I was considering to use that as values for the scope in CoAP-specific scenarios.

I would be happy to hear your take on this and discuss the issue in more detail.

Regards,

Ludwig



-- 
Ludwig Seitz, PhD   SICS Swedish ICT AB
Ideon Science Park, Building Beta 2
Scheelevägen 17, SE-223 70 Lund
Phone +46(0)70-349 92 51

The RISE institutes SP, Swedish ICT and Innventia are merging in order
to create a unified institute sector and become a stronger innovation
partner for businesses and society. At the end of the year we will
change our name to RISE. Read more at http://www.ri.se/en/about-rise" class="" rel="nofollow">www.ri.se/en/about-rise

v2.23.0 | Report a Bug | By Email