Plugin Architecture
Access control rules must be tailored to individual needs. We therefore use a modular design, so that users can adapt the behaviour to their requirements. As the figure above illustrates, there are three kinds of plugins:
Obligations
Environment setters
Object setters
For each type, the plugin must inherit from a specific class, and the Python module must be placed in a specific, configurable folder.
Obligations
An obligation plugin receives the result of the access control evaluation together with the context data and must return a boolean. If a single obligation does not return True, access is denied. The obligation class must set the class attribute name; the access control entities reference the obligation by that name.
In some businesses traceability is a major concern. These businesses can use our log obligations. We include the following obligations: log every access (obl_log), log only successful accesses (obl_log_successful), and log only denied accesses (obl_log_failed). Since we use the Python logging module ([logging]), the loggers can perform various tasks, from writing to a file on local disk or to the system log to sending an e-mail. The default logger configuration can be used unchanged, with small changes such as a different filename, or replaced completely.
Environment setters
Environment setters are run when the evaluation process requests a specific environment attribute, referenced by the class attribute target. The return value of the environment setter is then used every time the environment attribute is requested.
We include the following environment setters for time-related attributes (the attribute key is given in parentheses): time in "hh:mm:ss" format (time), date and time in "YYYY-MM-DD HH:MM:SS" format (datetime), only the hour as an integer (time_hour), only the minute as an integer (time_minute), and only the second as an integer (time_second). These environment setters do not apply a timezone, i.e. all values are given in UTC.
As an application example, consider a company that wants to protect its employees from overwork. This company can limit the hours during which a web service is available with the rule environment.time_hour >= 8 and environment.time_hour < 18. This rule evaluates to true only between 08:00 and 17:59 (UTC, as noted above).
Object setters
Object setters are run when an object attribute is requested and not found. Then, every enabled object setter is run in the order of their priority, starting with the smallest priority. Object setters are initialized with their configuration data and get the object data as input. One object setter can set as many attributes of the object as needed, though object setters running later will override the values of previous ones.
We include two object setters: urlmap and json.
urlmap
The urlmap object setter takes a list of regular expressions and matches each against the target path. For example, if a service offers information about musicians and the URL syntax is artist/album/title, the regex could be (?P<artist>[\w ]+)/(?P<album>[\w ]+)/(?P<track>[\w ]+). For the path Rise Against/Appeal to Reason/Entertainment the object setter would set Rise Against as artist, Appeal to Reason as album and Entertainment as track. Note that the regex must match the whole path, so a regex that sets a value based only on the first folder must end in something like .* in order to match.
json
The json setter calls a URL, parses the response as JSON, and adds the resulting key/value pairs to the object data. The json setter sends the current object dictionary as request parameters. For example, consider a read request in the Bell-LaPadula model [belllapadula]. In the Bell-LaPadula model a read request is only permitted if the subject's privilege level is higher than or equal to the object's privilege level. The condition of a rule could look like: subject.privilege >= object.privilege. To obtain the privilege of an object, the service provider can set up an endpoint that maps the target path to the object's privilege. The endpoint can return a simple JSON document such as {"privilege": 5}. In the configuration of our proxy the user must enable the json object setter and enter the endpoint URL.