| |
@@ -0,0 +1,482 @@
|
| |
+ ..
|
| |
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
|
| |
+ License.
|
| |
+
|
| |
+ http://creativecommons.org/licenses/by/3.0/legalcode
|
| |
+
|
| |
+ ================================
|
| |
+ Refined permissions for the KRA
|
| |
+ ================================
|
| |
+
|
| |
+ As we have expanded the role of the KRA to be able to store different
|
| |
+ kinds of secrets, it has become more important to be able to segregate
|
| |
+ secrets from each other. For example, secrets stored by IPA admins
|
| |
+ should only be accessible by those admins, whereas those stored by Barbican
|
| |
+ should be accessible only to Barbican.
|
| |
+
|
| |
+ In fact, when we add to Dogtag the ability to accept GSSAPI messages,
|
| |
+ it may be possible for IPA to proxy over the security context for that
|
| |
+ specific user. In that case, we need a mechanism to ensure that the secrets
|
| |
+ accessible are only those for a specific user.
|
| |
+
|
| |
+ Problem Description
|
| |
+ ===================
|
| |
+
|
| |
+ The way in which we access secrets in the KRA has changed. We need to be able
|
| |
+ to support the following flows:
|
| |
+
|
| |
+ N-Agent-mediated retrieval:
|
| |
+
|
| |
+ This is the traditional flow supported by the KRA. We need to be able to
|
| |
+ continue to support this flow for traditional PKI deployments, even to the
|
| |
+ point of being able to disable access using other flows.
|
| |
+
|
| |
+ * Agent initiates a recovery request. For the REST API, this is done through
|
| |
+ POST /keyrequests/retrieve.
|
| |
+
|
| |
+ * N agents approve the request. For REST, POST
|
| |
+ /keyrequests/{id}?action=approve
|
| |
+
|
| |
+ * Once request has been approved, the original agent retrieves the key,
|
| |
+ providing either apassword for a PKCS12 file or a symmetric key to wrap
|
| |
+ the secret. This is GET /keys/{id}
|
| |
+
|
| |
+ 1-Agent mediated retrieval:
|
| |
+
|
| |
+ This is just a subcase of the N-Agent retrieval above. We mention it in
|
| |
+ particular because both IPA and Barbican now use this type of access.
|
| |
+
|
| |
+ * Agent authentication is through client certificate authentication.
|
| |
+ * Agents have access to all secrets, independant of origin. So,
|
| |
+ IPA agents can retrieve Barbican secrets and visa versa.
|
| |
+ * This requires keeping the private key for a KRA agent on the IPA/Barbican
|
| |
+ server, which is a potential attack point. Once that credential is
|
| |
+ stolen, all secrets are compromised (unless they were pre-encrypted).
|
| |
+
|
| |
+ Direct Archival:
|
| |
+
|
| |
+ This flow is not yet supported, but presumably would become the default way
|
| |
+ to access secrets from IPA.
|
| |
+
|
| |
+ * IPA proxies the user's credentials using GSSAPI. After being processed in
|
| |
+ the relevant Tomcat Realm, a Principal is returned to the KRA servlets.
|
| |
+
|
| |
+ * Secret is stored in the KRA, along with the principal (owner)
|
| |
+ and a key_id is returned.
|
| |
+
|
| |
+ Direct Retrieval:
|
| |
+
|
| |
+ * IPA proxies the user's credentials through GSSAPI. After being processed
|
| |
+ in the Tomcat realm, a principal is returned.
|
| |
+
|
| |
+ * If the principal matches the owner, access and return the secret.
|
| |
+ The secret is of course wrapped for transport with a user provided
|
| |
+ transport key.
|
| |
+
|
| |
+ Escrow Agent Retrieval:
|
| |
+
|
| |
+ IPA has a retrieval mode (currently not implemented) that allows a secret
|
| |
+ to be retrieved by an escrow agent. When a vault is set up, the vault
|
| |
+ encryption key is encryted with the agent's private key and stored in the
|
| |
+ KRA. The agent then retrieves both the encrypted vault encryption key and
|
| |
+ the secrets.
|
| |
+
|
| |
+ From the point of view of the KRA, we need a mechanism to allow the agent to
|
| |
+ access the user's secret. The proposed mechanism will be through tags and
|
| |
+ ACLs.
|
| |
+
|
| |
+ In terms of the access methods described above, this is the desired
|
| |
+ end-state:
|
| |
+
|
| |
+ * CS users will continue to store encryption keys via the CA-KRA connector.
|
| |
+ These keys will be accessible by CS agents (who will continue to have an
|
| |
+ agent role) using the N-agent retrieval method. Nothing changes here
|
| |
+ except that CS agents will not be able to access secrets stored by other
|
| |
+ applications.
|
| |
+
|
| |
+ * IPA users will store secrets using the direct archival method. They will
|
| |
+ only be able to access those secrets for which they are the owner. They
|
| |
+ retrieve secrets using the direct retrieval method.
|
| |
+
|
| |
+ * IPA escrow agents will retrieve secrets using the direct access method.
|
| |
+ This means they will be able to retrieve secrets for which they are either
|
| |
+ the owner or which are permitted through tags/ACLs to access the secret.
|
| |
+
|
| |
+ * For the purposes of this design doc, the following IPA will be considered.
|
| |
+ A user U0 will store an IPA vault. This vault will have members U1, U2 and
|
| |
+ U3 (who are therefore permitted to retrieve and modify the secret. Also,
|
| |
+ the secret is archived by an organization's ("sales") escrow agents which
|
| |
+ are in escrow group EG0. All users and groups are in IPA.
|
| |
+
|
| |
+ Proposed Change
|
| |
+ ===============
|
| |
+
|
| |
+ Authentication
|
| |
+ --------------
|
| |
+
|
| |
+ Authentication will be performed using an authentication plugin that provides,
|
| |
+ for instance, credentials using GSSAPI. The exact authentication method
|
| |
+ may be determined based on the URL. I will defer the design of this module to
|
| |
+ the SPNEGO design document being written by Fraser. The main point though is
|
| |
+ that, as a result of this plugin, a principal is provided by the authentication
|
| |
+ plugin. This could be either an agent defined in the KRA dataabse, or a user
|
| |
+ (user, goup, role) in the IPA database.
|
| |
+
|
| |
+ Tags
|
| |
+ ----
|
| |
+
|
| |
+ When a secret is stored, the following fields will be added to each secret:
|
| |
+
|
| |
+ * tags - user defined label that is used to determine which authorization
|
| |
+ plugin should be invoked. We expect tags to be something like "ipa" or
|
| |
+ "barbican" or "rhcs". Creating or deleting tags is a KRA administrator
|
| |
+ operation. Tagging a specific key is an operation reserved to the owner(s)
|
| |
+ of the key. We can also add a parameter to tag a key when it is created,
|
| |
+ rather than performing these operations in two steps.
|
| |
+
|
| |
+ * owner - This will be populated by Dogtag when the secret is stored
|
| |
+ as the principal returned by the Tomcat realm. This is a multi-valued
|
| |
+ parameter. An interface will be provided for owners to add other owners.
|
| |
+
|
| |
+ Authorization
|
| |
+ -------------
|
| |
+
|
| |
+ Access control is then performed by an authz plugin. One could, for instance,
|
| |
+ retrieve any tags associated with a KeyRecord, and then perform a different
|
| |
+ check depending on the tag. So, for instance, if one of the tags is "IPA",
|
| |
+ then we would invoke an IPAAuthzPlugin. This plugin would contact the
|
| |
+ IPA server - maybe through some REST servlet that is hosted in the IPA server -
|
| |
+ and ask whether or not access is allowed.
|
| |
+
|
| |
+ The idea here is that the application (in this IPA) knows the users, roles
|
| |
+ and groups, amd also an acls that determine access. So, for instance, the KRA
|
| |
+ would contact the IPA server and provide the secret_id, and principal (user,
|
| |
+ groups, role). The IPA server would look up the vault corresponding to the
|
| |
+ secret_id, and determine access based on which principals are in a members
|
| |
+ list or an owner's list. It would return YES/NO to permit access.
|
| |
+
|
| |
+ For applications like Barbican, a group-based authz plugin may be sufficient.
|
| |
+ This plugin would check if the returned principal was part of a particular
|
| |
+ group.
|
| |
+
|
| |
+ Use Cases
|
| |
+ ---------
|
| |
+
|
| |
+ Below is a description of how each of the above use cases will be
|
| |
+ satisfied using the mechanism above:
|
| |
+
|
| |
+ * N-agent retrieval: This will not be affected by the changes in
|
| |
+ this design. Secrets will continue to be stored by agents through
|
| |
+ the CA-KRA connector, and retrieved using the N-agent retrieval
|
| |
+ request mechanism. Note though that we need to restrict CS agents
|
| |
+ from being able to access secrets stored by other applications.
|
| |
+ A couple of mechanisms that come to mind to do this are:
|
| |
+
|
| |
+ * Tagging all existing CS secrets with a special "cs_application"
|
| |
+ tag, and adding ACLs to allow CS agents to access secrets with
|
| |
+ that tag.
|
| |
+
|
| |
+ * Modifying the key request servlets to explicitly exclude those keys
|
| |
+ which are tagged.
|
| |
+
|
| |
+ * IPA vault:
|
| |
+
|
| |
+ We will illusrate the following example. IPA creates a vault for user U0
|
| |
+ containing multiple secrets that is accessible to a set of users {U1, U2, U3}.
|
| |
+ These users can read the secret but cannot overwrite it. In addition, the
|
| |
+ vault is escrowed by the organization's escrow officer group E0.
|
| |
+
|
| |
+ * During the IPA install, the KRA administrator would define a tag "ipa"
|
| |
+ and register and configure the IPAAuthzPlugin.
|
| |
+
|
| |
+ * User U0 creates a vault secret though IPA. IPA proxies U0's credentials
|
| |
+ to Dogtag through GSSAPI, and will create a secret corresponding to a vault
|
| |
+ using direct archival. The owner field will be populated with the U0
|
| |
+ principal by the Dogtag application. The secret will also be tagged as "ipa".
|
| |
+
|
| |
+ * When the secret is retrieved by a user UX, the user's credentials are
|
| |
+ proxied to Dogtag through GSSAPI and are extracted by the authentication
|
| |
+ plugin. Because the secret is tagged as "ipa", the IPAAuthzPlugin is invoked.
|
| |
+ This plugin contacts the IPA server and provides the secret_id and user
|
| |
+ principal (users, groups, roles) and access type and queries whether
|
| |
+ access should be granted.
|
| |
+
|
| |
+ * A couple of ways to contact the IPA server come to mind.
|
| |
+
|
| |
+ * One way is to create a new access-control REST web service on IPA.
|
| |
+ This service would look up the vault_secret_id from the secret_id, and
|
| |
+ then attempt to access the vault secret with the relevant principal
|
| |
+ (and operation).
|
| |
+
|
| |
+ * Another way is to add a user defined metadata field to the the key record
|
| |
+ in the KRA. IPA would set the vault_secret_id in this field. Then the
|
| |
+ plugin could attempt to query the IPA database using the proxied credentials.
|
| |
+
|
| |
+ * Barbican access:
|
| |
+
|
| |
+ * When Barbican is configured to interact with the KRA, a KRA
|
| |
+ administrator will create a "barbican" tag.
|
| |
+
|
| |
+ * The adminstrator will also create a barbican user and group of barbican
|
| |
+ agents. If the agents group already exists, the barbican user will be added
|
| |
+ to it. These users and groups will be added to the KRA database.
|
| |
+ Note that this user is NOT a KRA agent.
|
| |
+
|
| |
+ It remains an open question as to whether these users/groups should be
|
| |
+ created in IPA if an IPA store is available. In order for this to be
|
| |
+ viable, the Dogtag plugin in Barbican would need to be configured to
|
| |
+ interact with Dogtag either through IPA or using GSSAPI.
|
| |
+
|
| |
+ * Optionally, an authz plugin can be configured for Barbican-tagged secrets.
|
| |
+ This plugin would simply check if the returned principal is part of the
|
| |
+ Barbican group.
|
| |
+
|
| |
+ * Secrets are stored by the Barbican user using direct archival. This will
|
| |
+ store the owner of the barbican user principal as the owner of the secret.
|
| |
+ The secret should also be tagged as a Barbican secret.
|
| |
+
|
| |
+ * Retrival of the secret is done using direct retrieval. If an authz plugin
|
| |
+ is enabled, the "barbican" tag will trigger the Barbican authz plugin, which
|
| |
+ would check if the principal is part of the Barbican group.
|
| |
+
|
| |
+ * Otherwise, we would fall through to an authz check as to whether the principal
|
| |
+ is the owner of the secret,
|
| |
+
|
| |
+ Alternatives
|
| |
+ ------------
|
| |
+
|
| |
+ None.
|
| |
+
|
| |
+ Data model impact
|
| |
+ -----------------
|
| |
+
|
| |
+ The following optional fields will need to be added to the keyRecord object:
|
| |
+
|
| |
+ * owner (does an owner attribute already exist and what is populated there?)
|
| |
+
|
| |
+ * tag (which can be multi-valued, to allow the potential access of secrets
|
| |
+ through multiple applications)
|
| |
+
|
| |
+ If we consider adding user metadata to the secret - like the vault_secret_id
|
| |
+ to allow the IPA AUthz Plugin to access the IPA DB directly, then we may need
|
| |
+ to add fields/tables to that effect.
|
| |
+
|
| |
+ A new suffix will need to be added for tags (ou=tags, ou=kra, {rootSuffix}).
|
| |
+ Under this suffix, tag objects will need to be stored. Tag objects will
|
| |
+ have at a minimum a cn and description.
|
| |
+
|
| |
+ REST API impact
|
| |
+ ---------------
|
| |
+
|
| |
+ An interface will need to be added to add and remove tags.
|
| |
+
|
| |
+ * Add or modify tags
|
| |
+
|
| |
+ * Add a tag to be used in ACIs for secrets. This tag is user defined.
|
| |
+ If a tag needs to be updated, it should be removed first. Otherwise,
|
| |
+ an admin would not know that he is overwriting an existing tag that
|
| |
+ probably occurs in existing ACLs.
|
| |
+
|
| |
+ * PUT /kra/tags/{foo}
|
| |
+
|
| |
+ * Returns 201 (Created) on success
|
| |
+
|
| |
+ * Returns 409 (Conflict) if the tag already exists.
|
| |
+
|
| |
+ * Body of the request is a json blob containing "description"
|
| |
+
|
| |
+ * Request limited to KRA admins.
|
| |
+
|
| |
+ * Remove tag
|
| |
+
|
| |
+ * Remove a tag. This tag is user defined.
|
| |
+
|
| |
+ * DEL /kra/tags/{foo}
|
| |
+
|
| |
+ * Returns 204 on success
|
| |
+
|
| |
+ * Returns 404 if the ACI does not exist
|
| |
+
|
| |
+ * Request limited to KRA admins.
|
| |
+
|
| |
+ * List tags:
|
| |
+
|
| |
+ * GET /kra/tags
|
| |
+
|
| |
+ * Request can be run by anyone.
|
| |
+
|
| |
+ * Get tag:
|
| |
+
|
| |
+ * GET /kra/tags/{foo}
|
| |
+
|
| |
+ * Request can be run by anyone.
|
| |
+
|
| |
+ We will also need an interface to configure and register authz plugins, and
|
| |
+ associate them them with tags. This would be restricted to KRA admins.
|
| |
+
|
| |
+ The current KeyResource only exposes interfaces for the agent to interact
|
| |
+ with the system (via /agent/keys). We will need to expand this interface
|
| |
+ to provide direct archival and retrieval for all users.
|
| |
+
|
| |
+ So, we will need to add methods to archive, list and retrieve keys, as well
|
| |
+ as modify certain attributes like the members and tags. Fortunately, because
|
| |
+ the old N-agent mechanisms exist under /agent/keys, and the new mechanisms
|
| |
+ exist under /keys, there should be no conflicts.
|
| |
+
|
| |
+ In fact, we should include a parameter that allows deployers who do not
|
| |
+ want to permit direct access to shut down /keys.
|
| |
+
|
| |
+ All of the /keys operations require authentication either through GSSAPI
|
| |
+ or client certificate.
|
| |
+
|
| |
+ Operations to be added include:
|
| |
+
|
| |
+ * GET /keys - list keys to which I have access. Returns a KeyInfoCollection.
|
| |
+
|
| |
+ * GET /keys/{key_id} - returns the metadata for the key. Returns a KeyInfo.
|
| |
+
|
| |
+ * POST /keys/retrieve - retrieve a key.
|
| |
+
|
| |
+ * This operation is a POST operation because we need to provide a
|
| |
+ transport-key wrapped symmetric key or passphrase to wrap the
|
| |
+ returned key. This is too large to include in Query headers.
|
| |
+
|
| |
+ * Just like the agent/keys/retrieve counterpart, we pass in the JSON
|
| |
+ representation of a KeyRecoveryRequest, and expect the JSON for a
|
| |
+ KeyData object to be returned.
|
| |
+
|
| |
+ * GET /keys/{key_id}/tags - List tags
|
| |
+
|
| |
+ * PUT /keys/{key_id}/tags/{tag_id} - add a tag to the secret. Returns 400
|
| |
+ if the tag does not exist.
|
| |
+
|
| |
+ * DEL /keys/{key_id}/tags/{tag_id} - delete a tag from the secret
|
| |
+
|
| |
+ * POST /keys - archive a secret. Passes in a ResourceMessage.
|
| |
+
|
| |
+ Security impact
|
| |
+ ---------------
|
| |
+
|
| |
+ Security of the system should increase significantly. While we have
|
| |
+ expanded the pool of protential clients to the KRA to include end-users,
|
| |
+ rather than just agents, we have restricted the scope of what users
|
| |
+ (even agents) can access.
|
| |
+
|
| |
+ Secrets should only be accessible for owners and members of the secret, as
|
| |
+ well as those to whom we have explicitly designated access. That access
|
| |
+ is strictly prescribed by acls defined by administrators.
|
| |
+
|
| |
+ Moreover, by not relying only on agents to perform archival and retrieval
|
| |
+ operations, we can now audit exactly who is accessing or storing secrets.
|
| |
+ Previously, we only knew which agent was performing the operation and relied
|
| |
+ on the agent to keep records as to who accessed or stored a key.
|
| |
+
|
| |
+ Previously, because we depended on agents to access and store the keys,
|
| |
+ and because agents were able to access all keys, the loss of an agent
|
| |
+ credential compromised all the keys. With the new ACIs, the loss of an
|
| |
+ agent credential does not expose all of the keys.
|
| |
+
|
| |
+ And by using tags and ACIs, we can regulate and prevent one application
|
| |
+ from seeing another applications secrets.
|
| |
+
|
| |
+ Notifications & Audit Impact
|
| |
+ ----------------------------
|
| |
+
|
| |
+ We need to ensure that all the new interfaces are completely audited.
|
| |
+
|
| |
+ Command Line Client Impact
|
| |
+ --------------------------
|
| |
+
|
| |
+ Python and Java client libraries will have to be modified to add the
|
| |
+ new interfaces. In addtion, clients like the pki CLI and python clients
|
| |
+ will need to be modified to do GSSAPI authentication.
|
| |
+
|
| |
+ Other end user impact
|
| |
+ ---------------------
|
| |
+
|
| |
+ Both IPA and the Barbican client will need to be modified to take advantage
|
| |
+ of this work. It should be noted though that as the old agent mechanism
|
| |
+ is still supported, there should be no interruption in functionality when
|
| |
+ using either old or new clients with an updated server.
|
| |
+
|
| |
+ Performance Impact
|
| |
+ ------------------
|
| |
+
|
| |
+ There will be more interaction - particularly with the IPA database to determine
|
| |
+ whether access is permitted. Thats part of the price to payt for greater
|
| |
+ access control granularity though.
|
| |
+
|
| |
+ On the other hand though, direct access makes the process simpler -
|
| |
+ no more creating and acting on archival and retrieval requests.
|
| |
+
|
| |
+ Cloning Impact
|
| |
+ --------------
|
| |
+
|
| |
+ As ACIs are replicated across clones, there should be no impact on cloning.
|
| |
+
|
| |
+ Other deployer impact
|
| |
+ ---------------------
|
| |
+
|
| |
+ TBA.
|
| |
+
|
| |
+ Migration scenarios will be considered later, particularly with regard to
|
| |
+ IPA. Scripts will have to be written to add owner fields to the existing
|
| |
+ IPA vault owners.
|
| |
+
|
| |
+ Barbican is not yet widely deployed, and there are fewer changes here in
|
| |
+ any case.
|
| |
+
|
| |
+ One thing that will simplify migration is that currently, there are no
|
| |
+ mixed systems - ie. systems with Barbican, IPA and CS data. That simplifies
|
| |
+ the migration scripts because we need not try to figure out which
|
| |
+ keys belong to which application.
|
| |
+
|
| |
+ Developer impact
|
| |
+ ----------------
|
| |
+
|
| |
+ TBA during implementation.
|
| |
+
|
| |
+ Implementation
|
| |
+ ==============
|
| |
+
|
| |
+ Assignee(s)
|
| |
+ -----------
|
| |
+
|
| |
+ Primary assignee:
|
| |
+ vakwetu or ftweedal
|
| |
+
|
| |
+ Other contributors:
|
| |
+ edewata
|
| |
+
|
| |
+ Work Items
|
| |
+ ----------
|
| |
+
|
| |
+ To be completed once the design has been approved.
|
| |
+
|
| |
+ Dependencies
|
| |
+ ============
|
| |
+
|
| |
+ * These changes require Dogtag being modified to accept GSSAPI authentication.
|
| |
+ That design is being written by Fraser.
|
| |
+
|
| |
+
|
| |
+ Testing
|
| |
+ =======
|
| |
+
|
| |
+ More details to be added later, but we will need to be sure that
|
| |
+ - existing CS tests continue to pass
|
| |
+ - existing Barbican and IPA instances continue to work
|
| |
+ - migrated Barbican and IPA instances continue to work.
|
| |
+ - functional tests are added for all interfaces.
|
| |
+
|
| |
+ Documentation Impact
|
| |
+ ====================
|
| |
+
|
| |
+ Top-level and client docs will need to be modified to document this new access
|
| |
+ mechanism. Man pages and client library (API) documetation will also need to
|
| |
+ be modified.
|
| |
+
|
| |
+ References
|
| |
+ ==========
|
| |
+
|
| |
+ None
|
| |
edewata commented 8 years ago
Need to clarify that GSSAPI will only be used between IPA and PKI, but not between PKI and DS, although IPA is already using GSSAPI to communicate to DS directly.