[Ace] attribute based access control

Randy Turner <rturner@amalfisystems.com> Fri, 16 December 2016 06:28 UTC

From: Randy Turner <rturner@amalfisystems.com>
Message-Id: <EF55666E-29B1-4AB8-9C54-3A2E5DF73146@amalfisystems.com>
Date: Fri, 16 Dec 2016 01:28:44 -0500
To: ace@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/qCnXT4NUKnSIlazWdJliqzgns4s>
Subject: [Ace] attribute based access control

Hi,

I was looking at draft-ietf-ace-oauth-authz-04, specifically the client-to-AS section — I am trying to determine if it is possible to use this OAUTH-based model to implement attribute-based authorization (ABAC).
The client-to-AS section of this draft refers the reader to section 4 of RFC 6749, which provides a “client-id” (good) and a “scope” to include in an authorization request.

In addition, it looks like the ACE draft adds to this the “aud” and “cnf” parameters.

I’m trying to map this client-to-AS request to a traditional ABAC authorization request which asks the question “Identity <A> wants to perform action <B> on resource <C>” … is this allowed? (allow/deny response)

In one of the ACE draft examples, it uses the “aud” field to include the name of a sensor “tempSensor4711” - this could be the “resource” of the ABAC request, and the “client ID” (RFC 6749) could be the “identity”.

I’m missing the type of operation or “action” that the client is trying to perform on a resource (“read”, “write”, “something else, hopefully extensible”) — would this be the “scope” parameter?

I did see section 8.2 of the draft where it discusses a registry of parameters which might allow additional parameters to a client-to-AS request, but I was looking for a way to do ABAC without having to register anything.

I’m specifically asking about obtaining an access token to be used later by a client accessing the actual resource.

Has anyone tried combining draft-ietf-ace-oauth-authz-04 with ABAC systems?

Thanks!
Randy
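The mapping the message asks about, written out as an added example (this is not code from the ACE draft, from RFC 6749, or from the message author): the client-to-AS request parameters named above (client_id from RFC 6749, the space-separated scope value, and the ACE aud parameter) are mapped onto the ABAC question "subject S may perform action A on resource R" and evaluated against a small default-deny policy. Treating each scope value as an action and aud as the resource is an assumption taken from the question, not something the draft specifies; the client and resource attribute tables and the policy rules are constructed for the example. The cnf parameter is ignored here because it carries a proof-of-possession key, not an authorization attribute.

```python
# Added example, not code from the ACE draft or the message author.
# ASSUMPTION: scope values are treated as ABAC actions and aud as the
# resource; the attribute tables and policy below are constructed.

from dataclasses import dataclass

# Constructed attribute sources an AS would consult for the subject and
# the resource (the draft does not define these; they are hypothetical).
CLIENT_ATTRIBUTES = {
    "client-monitor-1": {"role": "monitoring", "zone": "lab"},
    "client-hvac-1": {"role": "control", "zone": "lab"},
}
RESOURCE_ATTRIBUTES = {
    "tempSensor4711": {"type": "temperature", "zone": "lab"},
    "doorLock12": {"type": "lock", "zone": "lobby"},
}


@dataclass(frozen=True)
class Rule:
    """One ABAC rule: every listed subject and resource attribute must match
    and the requested action must be in the rule's action set."""
    subject: dict
    actions: frozenset
    resource: dict


# Constructed policy. Nothing matches -> deny (default deny).
POLICY = [
    Rule({"role": "monitoring"}, frozenset({"read"}), {"type": "temperature"}),
    Rule({"role": "control"}, frozenset({"read", "write"}), {"type": "temperature"}),
    Rule({"role": "control", "zone": "lobby"}, frozenset({"write"}), {"type": "lock"}),
]


def _matches(required: dict, actual: dict) -> bool:
    """True when every required attribute is present with the same value."""
    return all(actual.get(k) == v for k, v in required.items())


def abac_decision(subject_attrs: dict, action: str, resource_attrs: dict,
                  policy=POLICY) -> str:
    """Answer 'Identity A wants to perform action B on resource C'."""
    for rule in policy:
        if (action in rule.actions
                and _matches(rule.subject, subject_attrs)
                and _matches(rule.resource, resource_attrs)):
            return "allow"
    return "deny"


def grant_scope(token_request: dict) -> list:
    """Return the subset of requested scope values the AS may put in the token.

    token_request mirrors the client-to-AS parameters discussed in the
    message: client_id (RFC 6749), scope (space-separated per RFC 6749
    section 3.3) and aud (ACE). An unknown client or audience, or a missing
    parameter, fails closed to an empty grant; RFC 6749 lets the AS issue a
    token with a narrower scope than requested, which is what a partial
    list represents.
    """
    subject = CLIENT_ATTRIBUTES.get(token_request.get("client_id"))
    resource = RESOURCE_ATTRIBUTES.get(token_request.get("aud"))
    if subject is None or resource is None:
        return []
    requested = token_request.get("scope", "").split()
    return [a for a in requested
            if abac_decision(subject, a, resource) == "allow"]


if __name__ == "__main__":
    # Constructed requests in the shape the message describes.
    for req in [
        {"client_id": "client-monitor-1", "scope": "read write", "aud": "tempSensor4711"},
        {"client_id": "client-hvac-1", "scope": "write", "aud": "doorLock12"},
    ]:
        print(req, "->", grant_scope(req))
```

The granted list, not the raw request, is what would be encoded into the access token's scope, so the resource server later sees only actions the AS actually authorized; an empty list means the AS should refuse to issue a token.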