
[OpenStack][Keystone][new_service]
Dear OpenStackers,

Hello, I'm new to the list.

I would like to know what support is available for creating a new
OpenStack service that contains role-based access control components,
such as a Policy Decision Point (PDP), inside the new service.

I have come across oslo.policy in my research; is this what other OpenStack
components use for their PEP, PDP, PAP and PIP? If so, what resources are
available to help developers use this framework in their projects?

Background:
As part of my MSc degree in computer science, I am conducting a research
project into the application of self-adaptation in authorisation
infrastructures as a means of mitigation against insider threats towards
cloud computing infrastructures. I'm using Keystone as a role-based
access control system to protect access to a web-based game, and actions
that a player can perform in the game, which represents computing
resources, here snakes and ladders. Cheating in the game represents the
malicious behaviour of an insider threat, to which the authorisation
infrastructure responds by reducing/removing the user's privileges. The
intention is to have the game represent an OpenStack service, like
Swift. I am currently using the Queens release of Keystone and v3 of the
API for both service-level and infrastructure-level policy decisions.

Best wishes,
Bruno Canning

School of Computing, University of Kent
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Re: [OpenStack][Keystone][new_service]
Hi Bruno!

What is the new service you're looking to develop?

I think the answer depends on your needs. Most openstack projects use
the oslo policy library as a PDP to protect API access [1]. On the
other hand, if you want dynamic rules and very fine-grained access
control, you may also consider Openstack Congress [2] which offers a
general and flexible rule framework.

Either way, here is how it typically works in an openstack service:
Policy rules are written and stored in the chosen policy framework.
For oslo policy, this is typically the json file containing policy
rules. In Congress, the policy store is managed by Congress service
and accessed via Congress API.
When an API is accessed, the service serving the API acts as the PEP.
It consults the PDP to see whether something is allowed, and enforces
that decision. For oslo policy, this is a library call [3]. For
Congress, this is an API call to Congress service to query the result
of rule evaluation [4][5].

For oslo policy, the main PAP is the json file containing the policy
rules. For congress, the policies and rules are managed through the
Congress API/GUI/client.

Hope that helps. Happy to talk further!

Eric
OpenStack Congress contributor

[1] https://docs.openstack.org/oslo.policy/latest/reference/api/oslo_policy.policy.html#
[2] https://docs.openstack.org/congress/latest/user/policy.html#
[3] https://docs.openstack.org/oslo.policy/latest/reference/api/oslo_policy.policy.html#generic-checks
[4] https://docs.openstack.org/congress/latest/user/api.html#policy-table-rows-v1-policies-policy-id-tables-table-id
[5] https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py#L113

On Wed, Aug 15, 2018 at 8:29 AM, B.M.Canning <bmc20@kent.ac.uk> wrote:
> Dear OpenStackers,
>
> Hello, I'm new to the list.
>
> I would like to know what support is available for creating a new
> OpenStack service that contains role-based access control components,
> such as a Policy Decision Point (PDP), inside the new service.
>
> I have come across oslo.policy in my research; is this what other OpenStack
> components use for their PEP, PDP, PAP and PIP? If so, what resources are
> available to help developers use this framework in their projects?
>
> Background:
> As part of my MSc degree in computer science, I am conducting a research
> project into the application of self-adaptation in authorisation
> infrastructures as a means of mitigation against insider threats towards
> cloud computing infrastructures. I'm using Keystone as a role-based
> access control system to protect access to a web-based game, and actions
> that a player can perform in the game, which represents computing
> resources, here snakes and ladders. Cheating in the game represents the
> malicious behaviour of an insider threat, to which the authorisation
> infrastructure responds by reducing/removing the user's privileges. The
> intention is to have the game represent an OpenStack service, like
> Swift. I am currently using the Queens release of Keystone and v3 of the
> API for both service-level and infrastructure-level policy decisions.
>
> Best wishes,
> Bruno Canning
>
> School of Computing, University of Kent

Re: [OpenStack][Keystone][new_service]
Hi Eric,

Thanks for getting back to me.

I'm not looking to develop a real, useful, new service for OpenStack but
develop a dummy service that plugs into OpenStack's authorisation
infrastructure in a way that it looks like an OpenStack service which
integrates with Keystone, like, say the Swift service. See picture
attached, where the swift object represents a resource in the dummy
service.

The dummy service itself is a web-based game of snakes and ladders
written in JavaScript/jQuery which makes Ajax calls to its PEP, written
in PHP. The PHP code interacts with Keystone via the PHP cURL library
and also logs all game actions in a MariaDB database.

The game has been written in a way that it can be exploited by malicious
users who already have access to the system, e.g. players can travel up
the snakes or simply ignore the snakes. The idea is that an autonomic
controller is recording the user's actions, analysing them, planning a
response (if necessary) and executing a change. This change could be
inserting a policy line into policy.json or via the congress API. It
could also be removing a role from a user which denies them further
access to the resource in Keystone.

The aim of this research is to produce an effective and efficient means
of mitigating against insider threats directed at computing resources
and information systems. This idea has been previously examined with
LDAP serving as an authentication service and PERMIS serving as an
authorisation service [1]. What is of interest here is porting the setup
to an authorisation infrastructure that is relevant to cloud computing.

I've had a look at congress, I have it running on my game server and it
is registered as a service in Keystone after following [2] (except I
installed the software from CentOS 7 "cloud" repo, "openstack-queens"
[3]) but at the moment, calls to the API are returning "Service
Unavailable (HTTP 503)". This may be because there are no datasources
configured. I started to write a driver for the dummy service [4] but as
the game itself does not have a RESTful API, I'm not sure what approach
to take here. I note that this distinction may favour a driver which is
a subclass of PushedDataSourceDriver, rather than
PollingDataSourceDriver. Failing that, I might pursue the Oslo policy
library route, but again, I'm having difficulty in finding where to
start. How might you suggest going about making a new, dummy service,
such as that which I have described?

Best wishes,
Bruno

[1] https://core.ac.uk/download/pdf/30710337.pdf - Chapter 6
[2] https://docs.openstack.org/congress/latest/install/index.html
[3] http://www.mirrorservice.org/sites/mirror.centos.org/7/cloud/x86_64/openstack-queens
[4] https://docs.openstack.org/congress/latest/user/cloudservices.html#drivers


From: Eric K <ekcs.openstack@gmail.com>
Sent: 16 August 2018 22:17
To: openstack@lists.openstack.org
Cc: B.M.Canning
Subject: Re: [Openstack] [OpenStack][Keystone][new_service]

Hi Bruno!

What is the new service you're looking to develop?

I think the answer depends on your needs. Most openstack projects use
the oslo policy library as a PDP to protect API access [1]. On the
other hand, if you want dynamic rules and very fine-grained access
control, you may also consider Openstack Congress [2] which offers a
general and flexible rule framework.

Either way, here is how it typically works in an openstack service:
Policy rules are written and stored in the chosen policy framework.
For oslo policy, this is typically the json file containing policy
rules. In Congress, the policy store is managed by Congress service
and accessed via Congress API.
When an API is accessed, the service serving the API acts as the PEP.
It consults the PDP to see whether something is allowed, and enforces
that decision. For oslo policy, this is a library call [3]. For
Congress, this is an API call to Congress service to query the result
of rule evaluation [4][5].

For oslo policy, the main PAP is the json file containing the policy
rules. For congress, the policies and rules are managed through the
Congress API/GUI/client.

Hope that helps. Happy to talk further!

Eric
OpenStack Congress contributor

[1] https://docs.openstack.org/oslo.policy/latest/reference/api/oslo_policy.policy.html#
[2] https://docs.openstack.org/congress/latest/user/policy.html#
[3] https://docs.openstack.org/oslo.policy/latest/reference/api/oslo_policy.policy.html#generic-checks
[4] https://docs.openstack.org/congress/latest/user/api.html#policy-table-rows-v1-policies-policy-id-tables-table-id
[5] https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py#L113

On Wed, Aug 15, 2018 at 8:29 AM, B.M.Canning <bmc20@kent.ac.uk> wrote:
> Dear OpenStackers,
>
> Hello, I'm new to the list.
>
> I would like to know what support is available for creating a new
> OpenStack service that contains role-based access control components,
> such as a Policy Decision Point (PDP), inside the new service.
>
> I have come across oslo.policy in my research; is this what other OpenStack
> components use for their PEP, PDP, PAP and PIP? If so, what resources are
> available to help developers use this framework in their projects?
>
> Background:
> As part of my MSc degree in computer science, I am conducting a research
> project into the application of self-adaptation in authorisation
> infrastructures as a means of mitigation against insider threats towards
> cloud computing infrastructures. I'm using Keystone as a role-based
> access control system to protect access to a web-based game, and actions
> that a player can perform in the game, which represents computing
> resources, here snakes and ladders. Cheating in the game represents the
> malicious behaviour of an insider threat, to which the authorisation
> infrastructure responds by reducing/removing the user's privileges. The
> intention is to have the game represent an OpenStack service, like
> Swift. I am currently using the Queens release of Keystone and v3 of the
> API for both service-level and infrastructure-level policy decisions.
>
> Best wishes,
> Bruno Canning
>
> School of Computing, University of Kent
Re: [OpenStack][Keystone][new_service]
On Fri, Aug 17, 2018 at 9:34 AM, B.M.Canning <bmc20@kent.ac.uk> wrote:
> Hi Eric,
>
> Thanks for getting back to me.
>
> I'm not looking to develop a real, useful, new service for OpenStack but
> develop a dummy service that plugs into OpenStack's authorisation
> infrastructure in a way that it looks like an OpenStack service which
> integrates with Keystone, like, say the Swift service. See picture
> attached, where the swift object represents a resource in the dummy
> service.
>
> The dummy service itself is a web-based game of snakes and ladders
> written in JavaScript/jQuery which makes Ajax calls to its PEP, written
> in PHP. The PHP code interacts with Keystone via the PHP cURL library
> and also logs all game actions in a MariaDB database.
>
> The game has been written in a way that it can be exploited by malicious
> users who already have access to the system, e.g. players can travel up
> the snakes or simply ignore the snakes. The idea is that an autonomic
> controller is recording the user's actions, analysing them, planning a
> response (if necessary) and executing a change. This change could be
> inserting a policy line into policy.json or via the congress API. It
> could also be removing a role from a user which denies them further
> access to the resource in Keystone.
>
> The aim of this research is to produce an effective and efficient means
> of mitigating against insider threats directed at computing resources
> and information systems. This idea has been previously examined with
> LDAP serving as an authentication service and PERMIS serving as an
> authorisation service [1]. What is of interest here is porting the setup
> to an authorisation infrastructure that is relevant to cloud computing.
>
> I've had a look at congress, I have it running on my game server and it
> is registered as a service in Keystone after following [2] (except I
> installed the software from CentOS 7 "cloud" repo, "openstack-queens"
> [3]) but at the moment, calls to the API are returning "Service
> Unavailable (HTTP 503)". This may be because there are no datasources
> configured.
Ah I think the issue is that there is no rabbitmq server running. We
should probably make that clear in docs.
https://www.rabbitmq.com/install-rpm.html
> I started to write a driver for the dummy service [4] but as
> the game itself does not have a RESTful API, I'm not sure what approach
> to take here. I note that this distinction may favour a driver which is
> a subclass of PushedDataSourceDriver, rather than
> PollingDataSourceDriver.
I think there is no need to make a driver. Rather, your service can
simply make API calls to Congress the same way it calls Keystone.
> Failing that, I might pursue the Oslo policy
> library route, but again, I'm having difficulty in finding where to
> start. How might you suggest going about making a new, dummy service,
> such as that which I have described?
oslo policy is the standard used by most openstack services. So if
your goal is to demonstrate doing something using the standard
framework, then that's the way to go. Though since it's a python
library you'd need some kind of bridge between your PHP web service
and oslo policy.

Unfortunately it's not the most obvious how to get started. Here's a
simple example (from congress code):
step 1: define enforcement function using oslo policy library
https://github.com/openstack/congress/blob/master/congress/common/policy.py#L74
step 2: call the enforcement function to check for valid authorization
before taking action
https://github.com/openstack/congress/blob/master/congress/api/webservice.py#L417

More api reference here:
https://docs.openstack.org/oslo.policy/latest/reference/api/oslo_policy.policy.html#oslo_policy.policy.Enforcer.enforce

On the other hand, if you don't want to involve python, you can
directly make API calls to Congress service using PHP.

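The flow Eric describes (the policy file as PAP, the service's PEP asking the PDP before acting) and the controller responses Bruno outlines (inserting a policy line, or removing a role so the check fails), as an added illustration that is not part of this thread and is not the oslo.policy library: it re-implements a small subset of the policy.json rule syntax in standard-library Python so the whole loop runs offline. The policy contents, the `game:*` action names and the user ids are constructed for the example.

```python
import json
# Constructed policy.json for the snakes-and-ladders dummy service (not a real
# OpenStack policy file). "owner" is a named rule reused via "rule:owner".
POLICY_JSON = json.dumps({
    "owner": "user_id:%(user_id)s",
    "game:move": "role:player and rule:owner",
    "game:reset": "role:admin",
})

def load_rules(policy_json):
    """PAP side: the JSON file is the policy store, as oslo.policy also treats it."""
    return json.loads(policy_json)

def _check(atom, rules, target, creds):
    """One 'kind:match' check (the role:, rule: and generic checks of oslo.policy)."""
    if atom in ("@", "!"):                       # literal allow / literal deny
        return atom == "@"
    kind, _, match = atom.partition(":")
    try:
        match = match % target                   # expand %(attr)s from the target
    except KeyError:                             # attribute missing from target: deny
        return False
    if kind == "role":
        return match in creds.get("roles", [])
    if kind == "rule":                           # named rule; unknown names deny
        return _evaluate(rules.get(match, "!"), rules, target, creds)
    return str(creds.get(kind)) == match         # generic check against the credentials

def _evaluate(expr, rules, target, creds):
    """'or' binds loosest, 'and' tighter, a leading 'not' tightest; no parentheses."""
    for disjunct in expr.split(" or "):
        ok = True
        for conjunct in disjunct.split(" and "):
            conjunct = conjunct.strip()
            negate = conjunct.startswith("not ")
            atom = conjunct[4:].strip() if negate else conjunct
            ok = ok and (_check(atom, rules, target, creds) != negate)
        if ok:
            return True
    return False

def enforce(action, target, creds, rules):
    """PEP entry point: call this before performing a game action; False means deny."""
    return _evaluate(rules.get(action, "!"), rules, target, creds)

def ban_user(rules, action, user_id):
    """Controller response: insert a policy line (in place) excluding one user from an action."""
    rules[f"banned:{user_id}"] = f"user_id:{user_id}"
    rules[action] = f"{rules[action]} and not rule:banned:{user_id}"
```

The second controller response from the thread, removing a role in Keystone, needs no policy change: once `player` is absent from the credentials' roles, `enforce("game:move", ...)` denies.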