New Modular Authentication Architecture in Apache 2.2 and Beyond - PowerPoint PPT Presentation

Provided by: bradni4
Learn more at: http://people.apache.org
Transcript and Presenter's Notes

1
New Modular Authentication Architecture in Apache
2.2 and Beyond
  • Brad Nicholes
  • Sr. Software Engineer, Novell Inc.
  • Member, Apache Software Foundation
  • bnicholes_at_apache.org

2
Agenda
  • Introduction
  • Difference between Apache 2.0 and 2.2
  • Configuration
  • Authentication and Authorization
  • Mix and match providers and methods
  • Mod_authn_alias
  • Coding for the new architecture
  • New features already in Apache 2.3

3
Introduction
Terms / Authentication Elements
  • Authentication Type: Type of protocol used
    during transport of the authentication
    credentials (Basic or Digest)
  • Authentication Method/Provider: Process by which
    a user is verified to be who they say they are
  • Authorization: Process by which authenticated
    users are granted or denied access based on
    specific criteria
  • Previous to Apache 2.2, every authentication
    module had to implement all three elements
  • Choosing an AuthType limited which authentication
    and authorization methods could be used
  • Potential for inconsistencies across
    authentication modules

Note: Pay close attention to the words
Authentication vs. Authorization throughout the
presentation.
4
What Are the Advantages?
  • Flexibility
  • Ability to choose between Authentication Type vs.
    Authentication Method vs. Authorization Method
  • Ability to use multiple different authentication
    methods
  • Mixing and matching is not a problem
  • Consistency
  • Authorization methods are guaranteed to work the
    same no matter which authentication method is
    chosen
  • Ability to use the same authentication and
    authorization methods for all authentication
    types
  • Reuse
  • Implementing a new authentication provider module
    does not require the reimplementation or
    duplication of existing authorization methods
  • The inverse of the above statement is also true
  • Ability to create your own custom authentication
    providers and reuse them throughout your
    configuration

5
New Modules - Introduction
  • The functionality of each Apache 2.0
    authentication module has been split out into the
    three authentication elements for Apache 2.2
  • Overlapping functionality among the modules was
    simply eliminated in favor of a base
    implementation
  • The module name indicates which element of the
    authentication functionality it performs
  • Mod_auth_xxx: Implements an Authentication Type
  • Mod_authn_xxx: Implements an Authentication
    Method or Provider
  • Mod_authz_xxx: Implements an Authorization Method

6
New Modules - Authentication Type
  • Mod_Auth_Basic: Basic authentication. User
    credentials are received by the server as
    unencrypted data.
    Directives: AuthBasicAuthoritative, AuthBasicProvider
  • Mod_Auth_Digest: MD5 Digest authentication. User
    credentials are received by the server in
    encrypted format.
    Directives: AuthDigestAlgorithm, AuthDigestDomain,
    AuthDigestNcCheck, AuthDigestNonceFormat,
    AuthDigestNonceLifetime, AuthDigestProvider,
    AuthDigestQop, AuthDigestShmemSize
7
New Modules - Authentication Providers
  • Mod_Authn_Anon: Allows anonymous user access to
    authenticated areas.
    Directives: Anonymous, Anonymous_LogEmail,
    Anonymous_MustGiveEmail, Anonymous_NoUserID,
    Anonymous_VerifyEmail
  • Mod_Authn_DBM: DBM file based user authentication.
    Directives: AuthDBMType, AuthDBMUserFile
  • Mod_Authn_Default: Authentication fallback module.
    Directives: AuthDefaultAuthoritative
8
New Modules - Authentication Providers
  • Mod_Authn_File: File based user authentication.
    Directives: AuthUserFile
  • Mod_Authnz_LDAP: LDAP directory based authentication.
    Directives: AuthLDAPBindDN, AuthLDAPBindPassword,
    AuthLDAPCharsetConfig, AuthLDAPDereferenceAliases,
    AuthLDAPRemoteUserIsDN, AuthLDAPUrl
9
New Modules - Authorization
  • Mod_Authnz_LDAP: LDAP directory based authorization.
    Directives: Require ldap-user, Require ldap-group,
    Require ldap-dn, Require ldap-attribute,
    Require ldap-filter, AuthLDAPCompareDNOnServer,
    AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN,
    AuthzLDAPAuthoritative
  • Mod_Authz_Default: Authorization fallback module.
    Directives: AuthzDefaultAuthoritative
10
New Modules - Authorization
  • Mod_Authz_DBM: DBM file based group authorization.
    Directives: Require file-group, Require group,
    AuthDBMGroupFile, AuthzDBMAuthoritative, AuthzDBMType
  • Mod_Authz_GroupFile: File based group authorization.
    Directives: Require file-group, Require group,
    AuthGroupFile, AuthzGroupFileAuthoritative
  • Mod_Authz_Host: Group authorization based on host
    (name or IP address).
    Directives: Allow, Deny, Order
11
New Modules - Authorization
  • Mod_Authz_Owner: Authorization based on file ownership.
    Directives: Require file-owner, AuthzOwnerAuthoritative
  • Mod_Authz_User: User authorization.
    Directives: Require valid-user, Require user,
    AuthzUserAuthoritative
12
Differences Between Apache 2.0 & 2.2
  • New Directives
    • AuthBasicProvider On|Off|provider-name
      [provider-name ...]
    • AuthDigestProvider On|Off|provider-name
      [provider-name ...]
    • AuthzXXXAuthoritative On|Off
  • Renamed Directives
    • AuthBasicAuthoritative On|Off
  • Multiple modules must be loaded (auth, authn,
    authz) rather than a single mod_auth_xxx module

13
Differences - More Authorization Types
  • Apache 2.0
    • Require Valid-User
    • Require User user-id [user-id ...]
    • Require Group group-name [group-name ...]
  • Apache 2.2
    • Same as Apache 2.0
    • LDAP: ldap-user, ldap-group, ldap-dn,
      ldap-filter, ldap-attribute
    • GroupFile: file-group
    • DBM: file-group
    • Owner: file-owner
  • Since multiple authorization methods can be used,
    in most cases the type names should be unique

14
file-group Authorization Type
  • Unique because it depends on the Authz_Owner
    module for base functionality but other Authz_xxx
    modules to do the work
  • Allows authorization based on file system group
    membership
  • Implemented in Apache 1.3.20 but missing from
    Apache 2.0
  • The authenticated user must be a member of the
    group to which the requested file belongs
  • The group name is derived from the group
    permission of the requested file
  • Authorization is actually performed by secondary
    authz modules (Mod_Authz_Groupfile,
    Mod_Authz_DBM, others??)

15
ldap-xxx Authorization Types
  • The standard types, ldap-user, ldap-group and
    ldap-dn were renamed to avoid conflicts and for
    consistency
  • New LDAP authorization types
  • ldap-attribute allows the administrator to grant
    access based on attributes of the authenticated
    user in the LDAP directory. If multiple
    attributes are listed then the result is an OR
    operation.
  • require ldap-attribute city="San Jose" status=active
  • ldap-filter allows the administrator to grant
    access based on a complex LDAP search filter. If
    the dn returned by the filter search matches the
    authenticated user dn, access is granted.
  • require ldap-filter &(cell=*)(department=marketing)

16
Configuring Simple Authentication
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so

<Directory /www/docs>
  Order deny,allow
  Allow from all
  AuthType Basic
  AuthName Authentication_Test
  AuthBasicProvider file
  AuthUserFile /www/users/users.dat
  require valid-user
</Directory>
The authentication provider is file based and the
authorization method is any valid-user
17
Requiring Group Authorization
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so

<Directory /www/docs>
  Order deny,allow
  Allow from all
  AuthType Basic
  AuthName Authentication_Test
  AuthBasicProvider file
  AuthUserFile /www/users/users.dat
  AuthGroupFile /www/users/group.dat
  require group my-valid-group
</Directory>
The authentication provider is file based but the
authorization method is group file based
18
Multiple Authentication Providers
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

<Directory /www/docs>
  Order deny,allow
  Allow from all
  AuthType Basic
  AuthName Authentication_Test
  AuthBasicProvider file ldap
  AuthUserFile /www/users/users.dat
  AuthLDAPURL ldap://ldap.server.com/o=my-context
  Require valid-user
</Directory>
The authentication includes both file and LDAP
providers with the file provider taking
precedence followed by LDAP
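The precedence described above follows from how mod_auth_basic in 2.2 walks the AuthBasicProvider list: a provider answers only for its own user base, and only AUTH_USER_NOT_FOUND moves the request on to the next provider. The following stand-alone C model is an added example, not code from the slides or from httpd; the provider names, user tables and passwords are constructed, and only the status names mirror httpd's authn_status values.

```c
/* Stand-alone model of the AuthBasicProvider walk; constructed for this
 * page, not httpd source. Only the status names mirror httpd's authn_status. */
#include <stdio.h>
#include <string.h>

typedef enum { AUTH_DENIED, AUTH_GRANTED, AUTH_USER_FOUND,
               AUTH_USER_NOT_FOUND, AUTH_GENERAL_ERROR } authn_status;

typedef authn_status (*check_password_fn)(const char *user, const char *pw);
struct provider { const char *name; check_password_fn check_password; };

/* Constructed user tables standing in for AuthUserFile and the LDAP directory.
 * "alice" exists in both, with different passwords, to show precedence. */
static const char *file_users[][2] = { {"alice", "file-pw"}, {NULL, NULL} };
static const char *ldap_users[][2] = { {"alice", "ldap-pw"}, {"bob", "hunter2"},
                                       {NULL, NULL} };

/* A provider's check_password answers for its own user base only:
 * unknown user -> AUTH_USER_NOT_FOUND, known user -> GRANTED or DENIED. */
static authn_status check_table(const char *tbl[][2], const char *user,
                                const char *pw)
{
    for (int i = 0; tbl[i][0] != NULL; i++)
        if (strcmp(tbl[i][0], user) == 0)
            return strcmp(tbl[i][1], pw) == 0 ? AUTH_GRANTED : AUTH_DENIED;
    return AUTH_USER_NOT_FOUND;
}
static authn_status file_check(const char *u, const char *p)
{ return check_table(file_users, u, p); }
static authn_status ldap_check(const char *u, const char *p)
{ return check_table(ldap_users, u, p); }

/* "AuthBasicProvider file ldap": directive order is precedence order. */
static const struct provider chain[] = { {"file", file_check}, {"ldap", ldap_check} };
#define NCHAIN (sizeof chain / sizeof chain[0])

/* The walk mod_auth_basic performs: only AUTH_USER_NOT_FOUND moves on to the
 * next provider; any other answer ends the walk. *who receives the name of
 * the provider that answered, or NULL when none of them knew the user. */
authn_status authenticate(const char *user, const char *pw, const char **who)
{
    authn_status result = AUTH_USER_NOT_FOUND;
    *who = NULL;
    for (size_t i = 0; i < NCHAIN; i++) {
        result = chain[i].check_password(user, pw);
        if (result != AUTH_USER_NOT_FOUND) { *who = chain[i].name; break; }
    }
    return result;
}

/* Helpers exposing the two results separately. */
authn_status chain_status(const char *user, const char *pw)
{ const char *who; return authenticate(user, pw, &who); }
const char *chain_provider(const char *user, const char *pw)
{ const char *who; authenticate(user, pw, &who); return who ? who : "(none)"; }

int main(void)
{
    static const char *tries[][2] = { {"alice", "file-pw"}, {"alice", "ldap-pw"},
                                      {"bob", "hunter2"}, {"carol", "x"} };
    for (size_t i = 0; i < 4; i++)
        printf("%s/%s -> status %d via %s\n", tries[i][0], tries[i][1],
               chain_status(tries[i][0], tries[i][1]),
               chain_provider(tries[i][0], tries[i][1]));
    return 0;
}
```

Note that alice's LDAP password is rejected: the file provider knows her, answers AUTH_DENIED, and the walk stops before LDAP is consulted.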
19
Multiple Authorization Methods
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

<Directory /www/docs>
  Order deny,allow
  Allow from all
  AuthType Basic
  AuthName Authentication_Test
  AuthBasicProvider file
  AuthUserFile /www/users/users.dat
  AuthGroupFile /www/users/group.dat
  AuthLDAPURL ldap://ldap.server.com/o=my-context
  require ldap-group cn=public-users,o=my-context
  require group my-valid-group
</Directory>
Check authorization according to ldap-group OR
file group
20
File-group Authorization
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_owner_module modules/mod_authz_owner.so

<Directory /www/docs>
  Order deny,allow
  Allow from all
  AuthType Basic
  AuthName Authentication_Test
  AuthBasicProvider file
  AuthUserFile /www/users/users.dat
  AuthGroupFile /www/users/group.dat
  require file-group
</Directory>
The group that the user belongs to, as defined by
the AuthGroupFile, must match the actual file
group of the requested file
21
Introduction - Mod_Authn_Alias
  • Ability to create extended providers
  • Ability to reference the same base provider
    multiple times from a single AuthnxxxProvider
    directive
  • Extended providers are assigned a new name or
    Alias
  • Extended provider aliases are referenced by the
    directives AuthBasicProvider or
    AuthDigestProvider in the same manner as base
    providers
  • Extended providers can be re-referenced by
    multiple configuration blocks

22
Creating Custom Providers
LoadModule authn_alias_module modules/mod_authn_alias.so

<AuthnProviderAlias ldap ldap-alias1>
  AuthLDAPBindDN cn=youruser,o=ctx
  AuthLDAPBindPassword yourpassword
  AuthLDAPURL ldap://ldap.host/o=ctx
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-other-alias>
  AuthLDAPBindDN cn=yourotheruser,o=dev
  AuthLDAPBindPassword yourotherpassword
  AuthLDAPURL ldap://other.ldap.host/o=dev?cn
</AuthnProviderAlias>
Use an <AuthnProviderAlias> block to combine
authentication directives
23
Creating Custom Providers
LoadModule authn_alias_module modules/mod_authn_alias.so

<AuthnProviderAlias ldap ldap-alias1>
  AuthLDAPBindDN cn=youruser,o=ctx
  AuthLDAPBindPassword yourpassword
  AuthLDAPURL ldap://ldap.host/o=ctx
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-other-alias>
  AuthLDAPBindDN cn=yourotheruser,o=dev
  AuthLDAPBindPassword yourotherpassword
  AuthLDAPURL ldap://other.ldap.host/o=dev?cn
</AuthnProviderAlias>
Each <AuthnProviderAlias> block references the
base provider and assigns a provider alias that
will be referenced in the AuthXXXProvider
directives
24
Using Custom Providers
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

<Directory /webpages/secure>
  Order deny,allow
  Allow from all
  AuthBasicProvider ldap-other-alias ldap-alias1
  AuthType Basic
  AuthName LDAP_Protected_Place
  require valid-user
</Directory>
Whenever an Authn_alias provider is referenced,
the entire set of AuthnProviderAlias directives
is added to the configuration
25
Using Custom Providers
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

<Directory /webpages/secure>
  Order deny,allow
  Allow from all
  AuthBasicProvider ldap-other-alias ldap-alias1
  AuthType Basic
  AuthName LDAP_Protected_Place
  require valid-user
</Directory>
Creating Authn_alias extended providers allows
the ldap base provider to be referenced
multiple times under different conditions, from a
single AuthBasicProvider directive
26
Converting Mod_Simple_Auth 2.0 to Apache 2.2
/* Sketch: x, the *_types variables and the authorized_* / good_credentials
   flags stand for the module's own lookups */
static int check_user_access (request_rec *r)
{
    /* Much of this code reimplements existing authorization types */
    for (x = 0; x < num_authorization_types; x++) {
        authorization_type = all_possible_authorization_types[x];
        if (!strcmp(authorization_type, "valid-user"))
            return OK;
        if (!strcmp(authorization_type, "user"))
            if (authorized_user)
                return OK;
        if (!strcmp(authorization_type, "group"))
            if (user_is_member_of_authorized_group)
                return OK;
        if (!strcmp(authorization_type, "simple-user"))
            if (authorized_simple_user)
                return OK;
    }
    return HTTP_UNAUTHORIZED;
}

static int authenticate_basic_user (request_rec *r)
{
    /* Locked into basic authentication with this call */
    ap_get_basic_auth_pw (r, &sent_pw);
    /* Determine if the credentials are good and then send
       the appropriate response */
    if (!good_credentials)
        return HTTP_UNAUTHORIZED;
    return OK;
}

27
Converting Mod_Simple_Auth 2.0 to Apache 2.2
static void register_hooks (apr_pool_t *p)
{
    ap_hook_check_user_id(authenticate_basic_user, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_auth_checker(check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA auth_module =
{
    STANDARD20_MODULE_STUFF,
    create_auth_dir_config,   /* per-directory config creator */
    NULL,                     /* dir config merger */
    NULL,                     /* server config creator */
    NULL,                     /* server config merger */
    auth_cmds,                /* command table */
    register_hooks
};
28
Mod_Authn_Simple for Apache 2.2
static authn_status check_password (request_rec *r, const char *user,
                                    const char *password)
{
    /* Determine if the credentials are good and then send
       the appropriate response */
    if (!good_credentials)
        return AUTH_DENIED;
    return AUTH_GRANTED;
}

static authn_status get_realm_hash (request_rec *r, const char *user,
                                    const char *realm, char **rethash)
{
    /* Determine the hash and do the right thing */
    the_hash = determine_the_hash();
    if (!the_hash)
        return AUTH_USER_NOT_FOUND;
    *rethash = the_hash;
    return AUTH_USER_FOUND;
}

static const authn_provider authn_simple_provider =
{
    &check_password,    /* password validation function */
    &get_realm_hash,    /* digest hash function */
};

static void register_hooks (apr_pool_t *p)
{
    ap_register_provider(p, AUTHN_PROVIDER_GROUP, "simple", "0",
                         &authn_simple_provider);
}

module AP_MODULE_DECLARE_DATA authn_simple_module =
{
    STANDARD20_MODULE_STUFF,
    create_authn_simple_dir_config,
    NULL, NULL, NULL,
    authn_simple_cmds,
    register_hooks
};
29
Mod_Authz_Simple for Apache 2.2
static void register_hooks (apr_pool_t *p)
{
    ap_hook_auth_checker(check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA authz_simple_module =
{
    STANDARD20_MODULE_STUFF,
    create_authz_simple_dir_config,
    NULL, NULL, NULL,
    authz_simple_cmds,
    register_hooks
};

static int check_user_access (request_rec *r)
{
    for (x = 0; x < num_authorization_types; x++) {
        authorization_type = all_possible_authorization_types[x];
        if (!strcmp(authorization_type, "simple-user"))
            if (authorized_simple_user)
                return OK;
    }
    /* If we aren't authoritative then just DECLINE */
    if (!authoritative)
        return DECLINED;
    /* Return the appropriate response */
    return HTTP_UNAUTHORIZED;
}
30
New Features Already in Apache 2.3
  • Moving from hook-based to provider-based
    authorization
  • AND/OR/NOT logic in authorization
  • Host Access Control as an authorization type
  • Require IP, Require Host, Require Env
  • Require All Granted, Require All Denied
  • Order, Allow/Deny, Satisfy - where did they go?
  • Backward compatibility with the 2.0/2.2 Host
    Access Control, use the Mod_Access_Compat module

31
Mod_Authz_Simple Provider for Apache 2.3
static authz_status simple_user_authorization (request_rec *r,
                                               const char *require_args)
{
    if (authorized_simple_user)
        return AUTHZ_GRANTED;
    return AUTHZ_DENIED;
}

static const authz_provider authz_simpleuser_provider =
{
    &simple_user_authorization,
};

static void register_hooks (apr_pool_t *p)
{
    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "simple-user", "0",
                         &authz_simpleuser_provider);
}

module AP_MODULE_DECLARE_DATA authz_simple_module =
{
    STANDARD20_MODULE_STUFF,
    create_authz_simple_dir_config,
    NULL, NULL, NULL,
    authz_simple_cmds,
    register_hooks
};
32
Authorization Types
  • Mod_Authnz_LDAP: LDAP-User, LDAP-Group, LDAP-DN,
    LDAP-Attribute, LDAP-Filter
  • Mod_Authz_Host: Env, IP, Host, All
  • Mod_Authz_DBD: DBD-Group, DBD-Login, DBD-Logout
  • Mod_Authz_Groupfile: Group, File-Group
  • Mod_Authz_DBM: DBM-Group, DBM-File-Group
  • Mod_Authz_User: User, Valid-User
  • Mod_Authz_Owner: File-Owner
33
Adding AND/OR/NOT Logic to Authorization
  • Allows authorization to be granted or denied
    based on a complex set of Require statements
  • New Directives
  • <SatisfyAll> </SatisfyAll> - Must satisfy all
    of the encapsulated statements
  • <SatisfyOne> </SatisfyOne> - Must satisfy at
    least one of the encapsulated statements
  • <RequireAlias> </RequireAlias> - Defines a
    Require alias
  • Reject - Reject all matching elements

34
Authorization using AND/OR Logic
Configuration:
<Directory /www/mydocs>
  AuthName ...
  AuthType ...
  AuthBasicProvider ...
  ...
  Require user John
  <SatisfyAll>
    Require Group admins
    Require ldap-group cn=mygroup,o=foo
    <SatisfyOne>
      Require ldap-attribute dept="sales"
      Require file-group
    </SatisfyOne>
  </SatisfyAll>
</Directory>

Authorization Logic:
if ((user == "John")
    || ((Group == "admins") && (ldap-group <contains user>)
        && ((ldap-attribute dept == "sales") || (file-group contains user))))
then Authorization Granted
else Authorization Denied
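The SatisfyAll/SatisfyOne nesting above is a tree of Require statements, and evaluating it is a recursive AND/OR walk. The following stand-alone C evaluator is an added example, not code from the slides or from httpd: the leaf checks are simplified stand-ins for the real authz providers, the request fields (user, group file groups, LDAP groups, a "dept" attribute, the owning file group) are constructed, and it assumes the block's top-level Require lines combine the way multiple Require lines do in 2.2 (any one of them suffices, as on slide 19).

```c
/* Stand-alone evaluator, constructed for this page (not httpd code), for the
 * <SatisfyAll>/<SatisfyOne> nesting on slide 34. Leaf checks are simplified
 * stand-ins for the real authz providers; request data is constructed. */
#include <string.h>

typedef enum { REQ_USER, REQ_GROUP, REQ_LDAP_GROUP, REQ_LDAP_ATTR,
               REQ_FILE_GROUP, SATISFY_ALL, SATISFY_ONE } node_kind;

struct node {
    node_kind kind;
    const char *arg;              /* Require argument (leaves only) */
    const struct node *child[4];  /* enclosed statements, NULL-terminated */
};

/* What the providers would learn about one request (constructed fields). */
struct request {
    const char *user;         /* authenticated user */
    const char *groups;       /* AuthGroupFile groups, space separated */
    const char *ldap_groups;  /* DNs of LDAP groups holding the user, ';' separated */
    const char *dept;         /* the user's LDAP "dept" attribute */
    const char *file_group;   /* group owning the requested file */
};

static int in_list(const char *list, const char *item, char sep)
{
    size_t n = strlen(item);
    for (const char *p = list; p; p = strchr(p, sep) ? strchr(p, sep) + 1 : NULL)
        if (strncmp(p, item, n) == 0 && (p[n] == '\0' || p[n] == sep))
            return 1;
    return 0;
}

static int authorized(const struct node *n, const struct request *rq)
{
    switch (n->kind) {
    case REQ_USER:       return strcmp(rq->user, n->arg) == 0;
    case REQ_GROUP:      return in_list(rq->groups, n->arg, ' ');
    case REQ_LDAP_GROUP: return in_list(rq->ldap_groups, n->arg, ';');
    case REQ_LDAP_ATTR:  return strcmp(rq->dept, n->arg) == 0;
    case REQ_FILE_GROUP: return in_list(rq->groups, rq->file_group, ' ');
    case SATISFY_ALL:    /* every enclosed statement must grant */
        for (int i = 0; n->child[i]; i++)
            if (!authorized(n->child[i], rq)) return 0;
        return 1;
    case SATISFY_ONE:    /* at least one enclosed statement must grant */
        for (int i = 0; n->child[i]; i++)
            if (authorized(n->child[i], rq)) return 1;
        return 0;
    }
    return 0;
}

/* Slide 34's block as a tree. Its top-level Require lines are assumed to
 * combine as in 2.2 (any one suffices), so the root behaves like SatisfyOne. */
static const struct node req_user   = { REQ_USER, "John" };
static const struct node req_group  = { REQ_GROUP, "admins" };
static const struct node req_ldapg  = { REQ_LDAP_GROUP, "cn=mygroup,o=foo" };
static const struct node req_dept   = { REQ_LDAP_ATTR, "sales" };
static const struct node req_fgroup = { REQ_FILE_GROUP, NULL };
static const struct node one  = { SATISFY_ONE, NULL, { &req_dept, &req_fgroup } };
static const struct node all  = { SATISFY_ALL, NULL, { &req_group, &req_ldapg, &one } };
static const struct node root = { SATISFY_ONE, NULL, { &req_user, &all } };

/* 1 = Authorization Granted, 0 = Authorization Denied for the given request. */
int slide34_grants(const char *user, const char *groups, const char *ldap_groups,
                   const char *dept, const char *file_group)
{
    struct request rq = { user, groups, ldap_groups, dept, file_group };
    return authorized(&root, &rq);
}
```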
35
Host Access Control as Authorization Types
Apache 2.3:
<Location >
  Require All Denied
</Location>

Apache 2.2:
<Location >
  Order Allow,Deny
  Deny From All
</Location>

Apache 2.3:
<Location >
  Require Host Apache.org
</Location>

Apache 2.2:
<Location >
  Order Deny,Allow
  Allow From Apache.org
</Location>

Apache 2.3:
<Location >
  <SatisfyAll>
    Require IP 10.1 172.5
    Require env LET_ME_IN
  </SatisfyAll>
</Location>
36
Backwards Compatible Host Access Control with
Mod_Access_Compat
  • The directives Order Allow/Deny and Satisfy
    are still available with Mod_Access_Compat
  • Mod_Access_Compat will allow you to mix the new
    authorization types with the old host access
    control
  • Mod_Authn_Default and Mod_Authz_Default modules
    must be loaded

37
Summary
  • Choosing the way authentication and authorization
    is done is now more modular
  • No longer bound to a specific authentication
    method based on authentication type
  • No longer bound to an authorization method based
    on the chosen authentication module
  • Ability to use multiple authentication providers
    along with multiple different authorization
    methods
  • Create, use and reuse custom authentication
    providers
  • Reuse the same authentication base provider under
    different conditions from the same
    AuthnxxxProvider directive
  • Much more powerful, flexible and consistent
  • More to come in Apache 2.3!

38
(No Transcript)
39
  • General Disclaimer
  • This document is not to be construed as a promise
    by any participating company to develop, deliver,
    or market a product. It is not a commitment to
    deliver any material, code, or functionality, and
    should not be relied upon in making purchasing
    decisions. Novell, Inc. makes no representations
    or warranties with respect to the contents of
    this document, and specifically disclaims any
    express or implied warranties of merchantability
    or fitness for any particular purpose. The
    development, release, and timing of features or
    functionality described for Novell products
    remains at the sole discretion of Novell.
    Further, Novell, Inc. reserves the right to
    revise this document and to make changes to its
    content, at any time, without obligation to
    notify any person or entity of such revisions or
    changes. All Novell marks referenced in this
    presentation are trademarks or registered
    trademarks of Novell, Inc. in the United States
    and other countries. All third-party trademarks
    are the property of their respective owners.