Return-Path: Delivered-To: apmail-incubator-directory-dev-archive@www.apache.org Received: (qmail 39184 invoked from network); 22 Jun 2004 04:22:47 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 22 Jun 2004 04:22:47 -0000 Received: (qmail 47922 invoked by uid 500); 22 Jun 2004 04:23:03 -0000 Delivered-To: apmail-incubator-directory-dev-archive@incubator.apache.org Received: (qmail 47735 invoked by uid 500); 22 Jun 2004 04:23:00 -0000 Mailing-List: contact directory-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Help: List-Post: List-Id: "Apache Directory Developers List" Reply-To: "Apache Directory Developers List" Delivered-To: mailing list directory-dev@incubator.apache.org Received: (qmail 47700 invoked by uid 99); 22 Jun 2004 04:23:00 -0000 Received: from [24.201.245.36] (HELO relais.videotron.ca) (24.201.245.36) by apache.org (qpsmtpd/0.27.1) with ESMTP; Mon, 21 Jun 2004 21:22:59 -0700 Received: from [192.168.0.122] ([24.37.52.157]) by VL-MO-MR011.ip.videotron.ca (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003)) with ESMTP id <0HZP001CT0584M@VL-MO-MR011.ip.videotron.ca> for directory-dev@incubator.apache.org; Tue, 22 Jun 2004 00:22:20 -0400 (EDT) Date: Tue, 22 Jun 2004 00:21:48 +0000 From: Vincent Tence Subject: Re: [Apache Directory Project Wiki] Updated: JanusHome In-reply-to: <20040622041044.35697.72195@minotaur.apache.org> To: directory-dev@incubator.apache.org Message-id: <40D77B9C.80009@videotron.ca> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii; format=flowed Content-transfer-encoding: 7BIT X-Accept-Language: en-us, en User-Agent: Mozilla Thunderbird 0.7 (X11/20040615) References: <20040622041044.35697.72195@minotaur.apache.org> X-Virus-Checked: Checked X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N I have written ideas for Janus on the wiki that I want to experiment in the following weeks . In the current code base Authentication is pretty well defined, but I am not very pleased with the way authorization works. The focus on Role Based Access Control is too strong and the code cannot accomodate other security policy needs. I'll be working in the Janus sandbox in the next weeks to try implement those ideas to hopefully come up with a stable framework foundation. XML will be my preferred definition language for proving the concepts. Then, I plan to add persistent implementations: RDBMS, LDAP, ... - Vincent directory-cvs@incubator.apache.org wrote: > Date: 2004-06-21T21:10:43 > Editor: 24.37.52.157 <> > Wiki: Apache Directory Project Wiki > Page: JanusHome > URL: http://wiki.apache.org/directory/JanusHome > > no comment > >Change Log: > >------------------------------------------------------------------------------ >@@ -7,15 +7,68 @@ > > Following is a proposed direction to drive the development of Janus. > >-==== Terminology ==== >+==== Glossary ==== > >+||'''Credential'''||Unit of proof of identity|| >+||'''Realm'''||A set of principals and associated credentials and an authentication method|| >+||'''Subject'''||Result of a successful authentication|| >+||'''Authenticator'''||Renders an authentication result - may act on several realms|| > ||'''Resource'''||Object of an authorization decision|| > ||'''Action'''||Operation to be performed on a resource|| > ||'''Permission'''||An action on a associated resource which is the subject of an authorization decision|| > ||'''Condition'''||An expression of predicates on a subject (on its principals)|| > ||'''Rule'''||Definition of an effect of verifying a condition on a permission|| >-||'''Effect'''||Consequence of verifying a rule: permit or deny|| >+||'''Effect'''||Consequence of evaluating a rule: permit, deny, indeterminate|| > ||'''Policy'''||A set of rules and an algorithm for combining rules|| > ||'''Policy Set'''||A set of policies (or other policy sets) and an algorithm for combining policies|| > ||'''Applicable Policy'''||A set of policies and policy sets that apply to a resource|| > ||'''Context'''||A set of environmental attributes that affects an authorization decision|| >+||'''Information Provider'''||Provides information on subject attributes (e.g. groups, roles)|| >+||'''Authorization decision'''||Result of evaluating policies: permit or deny access|| >+||'''Authorizer'''||Renders authorization decision based on policies and or policy sets|| >+ >+==== Control Flow ==== >+Based on the above definitions, the typical flow would be (notice the great ASCII art ;-)): >+ >+ >+'''Authentication''' >+{{{ >+ credentials >+Client ----------------------------> credentials >+ authentication request -------------------> >+ Realm >+ <------------------- >+ Principal >+ >+ Authenticator (...might repeat...) >+ >+ Subject >+ ------------------> >+ Information Provider >+ <------------------ >+ Subject Subject (e.g. with group or roles attributes) >+ <---------------------------- >+ authentication result >+}}} >+ >+'''Authorization''' >+{{{ >+ Subject + Permission >+Client ----------------------------> >+ authorization request ------- >+ | Identify applicable policies >+ <------ >+ >+ Subject + Permission >+ -------------------------> >+ Applicable Policy (or policy set) >+ Authorizer <------------------------- >+ Effect (combination of applicable rules effects) >+ >+ (...migh repeat...) >+ >+ ------- >+ | Combine policies >+ <------ >+ <----------------------------- >+ Authorization decision > > >