
New Modular Authentication Architecture in Apache 2.2 and Beyond
Brad Nicholes
Sr. Software Engineer, Novell Inc.
Member, Apache Software Foundation
[email protected]
Agenda
• Introduction
• Difference between Apache 2.0 and 2.2
• Configuration
– Authentication and Authorization
– Mix and match providers and methods
• Mod_authn_alias
• Coding for the new architecture
• New features already in Apache 2.3
© Novell Inc. All rights reserved
2
Introduction
Terms / Authentication Elements:
• Authentication Type – Type of protocol used during transport of the
authentication credentials (Basic or Digest)
• Authentication Method/Provider – Process by which a user is verified
to be who they say they are
• Authorization – Process by which authenticated users are granted or
denied access based on specific criteria
• Prior to Apache 2.2, every authentication module had to implement
all three elements
– Choosing an AuthType limited which authentication and
authorization methods could be used
– Potential for inconsistencies across authentication modules
Note: Pay close attention to the words Authentication vs.
Authorization throughout the presentation
What Are the Advantages?
• Flexibility:
– Ability to choose between Authentication Type vs. Authentication Method vs.
Authorization Method
– Ability to use multiple different authentication methods
– Mixing and matching is not a problem
• Consistency:
– Authorization methods are guaranteed to work the same no matter which
authentication method is chosen
– Ability to use the same authentication and authorization methods for all authentication
types
• Reuse:
– Implementing a new authentication provider module does not require the
reimplementation or duplication of existing authorization methods
– The inverse of the above statement is also true
– Ability to create your own custom authentication providers and reuse them throughout
your configuration
New Modules - Introduction
• The functionality of each Apache 2.0 authentication module
has been split out into the three authentication elements for
Apache 2.2
• Overlapping functionality among the modules was simply
eliminated in favor of a base implementation
• The module name indicates which element of the
authentication functionality it performs
–Mod_auth_xxx – Implements an Authentication Type
–Mod_authn_xxx – Implements an Authentication Method or Provider
–Mod_authz_xxx – Implements an Authorization Method
New Modules – Authentication Type
Mod_Auth_Basic – Basic authentication: user credentials are received by the server as unencrypted data
Directives:
• AuthBasicAuthoritative
• AuthBasicProvider
Mod_Auth_Digest – MD5 Digest authentication: user credentials are received by the server in encrypted format
Directives:
• AuthDigestAlgorithm
• AuthDigestDomain
• AuthDigestNcCheck
• AuthDigestNonceFormat
• AuthDigestNonceLifetime
• AuthDigestProvider
• AuthDigestQop
• AuthDigestShmemSize
New Modules – Authentication Providers
Mod_Authn_Anon – Allows “anonymous” user access to authenticated areas
Directives:
• Anonymous
• Anonymous_LogEmail
• Anonymous_MustGiveEmail
• Anonymous_NoUserID
• Anonymous_VerifyEmail
Mod_Authn_DBM – DBM file based user authentication
Directives:
• AuthDBMType
• AuthDBMUserFile
Mod_Authn_Default – Authentication fallback module
Directives:
• AuthDefaultAuthoritative
New Modules – Authentication Providers
Mod_Authn_File – File based user authentication
Directives:
• AuthUserFile
Mod_Authnz_LDAP – LDAP directory based authentication
Directives:
• AuthLDAPBindDN
• AuthLDAPBindPassword
• AuthLDAPCharsetConfig
• AuthLDAPDereferenceAliases
• AuthLDAPRemoteUserIsDN
• AuthLDAPUrl
New Modules - Authorization
Mod_Authnz_LDAP – LDAP directory based authorization
Directives:
• Require ldap-user
• Require ldap-group
• Require ldap-dn
• Require ldap-attribute
• Require ldap-filter
• AuthLDAPCompareDNOnServer
• AuthLDAPGroupAttribute
• AuthLDAPGroupAttributeIsDN
• AuthzLDAPAuthoritative
Mod_Authz_Default – Authorization fallback module
Directives:
• AuthzDefaultAuthoritative
New Modules - Authorization
Mod_Authz_DBM – DBM file based group authorization
Directives:
• Require file-group*
• Require group
• AuthDBMGroupFile
• AuthzDBMAuthoritative
• AuthzDBMType
Mod_Authz_GroupFile – File based group authorization
Directives:
• Require file-group*
• Require group
• AuthGroupFile
• AuthzGroupFileAuthoritative
Mod_Authz_Host – Group authorization based on host (name or IP address)
Directives:
• Allow
• Deny
• Order
New Modules - Authorization
Mod_Authz_Owner – Authorization based on file ownership
Directives:
• Require file-owner
• AuthzOwnerAuthoritative
Mod_Authz_User – User authorization
Directives:
• Require valid-user
• Require user
• AuthzUserAuthoritative
Differences Between Apache 2.0 & 2.2
• New Directives
–AuthBasicProvider On|Off|provider-name [provider-name]…
–AuthDigestProvider On|Off|provider-name [provider-name]…
–AuthzXXXAuthoritative On|Off
• Renamed Directives
–AuthBasicAuthoritative On|Off
• Multiple modules must be loaded (auth, authn, authz) rather
than a single mod_auth_xxx module
Differences – More Authorization Types
• Apache 2.0
–Require Valid-User
–Require User user-id [user-id] …
–Require Group group-name [group-name] …
• Apache 2.2
–Same as Apache 2.0
–LDAP - ldap-user, ldap-group, ldap-dn, ldap-filter, ldap-attribute
–GroupFile – file-group*
–DBM – file-group*
–Owner – file-owner
• Since multiple authorization methods can be used, in most cases the
type names should be unique
“file-group” Authorization Type
• Unique because it depends on the Authz_Owner module for base
functionality but other Authz_xxx modules to do the work
• Allows authorization based on file system group membership
• Implemented in Apache 1.3.20 but missing from Apache 2.0
• The authenticated user must be a member of the group to which the
requested file belongs
• The group name is derived from the group permission of the requested
file
• Authorization is actually performed by secondary authz modules
(Mod_Authz_Groupfile, Mod_Authz_DBM, others??)
“ldap-xxx” Authorization Types
• The standard types, ldap-user, ldap-group and ldap-dn were renamed to
avoid conflicts and for consistency
• New LDAP authorization types
–ldap-attribute allows the administrator to grant access based on attributes
of the authenticated user in the LDAP directory. If multiple attributes are
listed then the result is an ‘OR’ operation.
• require ldap-attribute city="San Jose" status=active
–ldap-filter allows the administrator to grant access based on a complex
LDAP search filter. If the dn returned by the filter search matches the
authenticated user dn, access is granted.
• require ldap-filter &(cell=*)(department=marketing)
Configuring Simple Authentication
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
<Directory /www/docs>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile /www/users/users.dat
    require valid-user
</Directory>
The authentication provider is file based and the authorization method is any valid-user.
Requiring Group Authorization
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
<Directory /www/docs>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile /www/users/users.dat
    AuthGroupFile /www/users/group.dat
    require group my-valid-group
</Directory>
The authentication provider is file based but the authorization method is group file based.
Multiple Authentication Providers
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
<Directory /www/docs>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file ldap
    AuthUserFile /www/users/users.dat
    AuthLDAPURL ldap://ldap.server.com/o=my-context
    Require valid-user
</Directory>
The authentication includes both file and LDAP providers, with the file provider taking precedence followed by LDAP.
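As an added illustration (not code from the slides or from httpd), the following Python model walks an AuthBasicProvider list the way the slide describes, using the three authn_status values a 2.2 provider's check_password returns (AUTH_GRANTED, AUTH_DENIED, AUTH_USER_NOT_FOUND). The user tables and the two provider functions are constructed stand-ins for mod_authn_file and mod_authnz_ldap; the stop rule (a provider that answers anything other than AUTH_USER_NOT_FOUND ends the walk) is the "file taking precedence, followed by LDAP" behaviour stated above.

```python
"""Model of how an AuthBasicProvider list is walked (added example, not Apache code).

Providers are asked in the listed order and the walk stops at the first provider
that returns anything other than AUTH_USER_NOT_FOUND. The two providers are toy
stand-ins for mod_authn_file and mod_authnz_ldap; all user data is constructed.
"""
from enum import Enum


class AuthnStatus(Enum):
    """The three results an authn provider's check_password can return."""
    AUTH_DENIED = "AUTH_DENIED"                  # user known, password wrong
    AUTH_GRANTED = "AUTH_GRANTED"                # user known, password right
    AUTH_USER_NOT_FOUND = "AUTH_USER_NOT_FOUND"  # this provider has no such user


# Constructed sample data: stand-ins for AuthUserFile and for the LDAP directory.
FILE_USERS = {"alice": "file-secret"}
LDAP_USERS = {"alice": "ldap-secret", "bob": "bob-secret"}


def _check_against(table, user, password):
    if user not in table:
        return AuthnStatus.AUTH_USER_NOT_FOUND
    if table[user] == password:
        return AuthnStatus.AUTH_GRANTED
    return AuthnStatus.AUTH_DENIED


def file_check_password(user, password):
    """Toy mod_authn_file provider."""
    return _check_against(FILE_USERS, user, password)


def ldap_check_password(user, password):
    """Toy mod_authnz_ldap provider (a directory bind would happen here)."""
    return _check_against(LDAP_USERS, user, password)


# Provider names as they appear on an AuthBasicProvider line.
PROVIDERS = {"file": file_check_password, "ldap": ldap_check_password}


def authenticate_basic_user(provider_list, user, password):
    """Walk the providers in order; return (final status, names consulted)."""
    consulted = []
    status = AuthnStatus.AUTH_USER_NOT_FOUND
    for name in provider_list:
        consulted.append(name)
        status = PROVIDERS[name](user, password)
        if status is not AuthnStatus.AUTH_USER_NOT_FOUND:
            break  # a definite answer; later providers are never asked
    return status, consulted


def http_status(authn_status):
    """Map the provider result onto the response the auth type sends."""
    return 200 if authn_status is AuthnStatus.AUTH_GRANTED else 401


if __name__ == "__main__":
    chain = ["file", "ldap"]
    for user, pw in [("alice", "file-secret"), ("alice", "ldap-secret"),
                     ("bob", "bob-secret"), ("carol", "x")]:
        status, consulted = authenticate_basic_user(chain, user, pw)
        print(f"{user:6} {status.name:20} consulted={consulted} HTTP {http_status(status)}")
```

The second case is the one to keep in mind when ordering providers: alice exists in the file with a different password, so the file provider answers AUTH_DENIED and the LDAP provider is never consulted even though it would have accepted the credentials. List first the provider that should have the final say over a given user population, and keep the populations of the listed providers disjoint where you can.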
Multiple Authorization Methods
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
<Directory /www/docs>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile /www/users/users.dat
    AuthGroupFile /www/users/group.dat
    AuthLDAPURL ldap://ldap.server.com/o=my-context
    require ldap-group cn=public-users,o=my-context
    require group my-valid-group
</Directory>
Authorization is checked according to LDAP group OR file group.
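The "LDAP group OR file group" reading of the two require lines only holds if the first module to see the request declines rather than rejects. The Python model below (an added example, not Apache code) reproduces the 2.2 auth_checker hook chain: each authz module's check_user_access handles only its own Require types, returns DECLINED when it has nothing to say or when it is non-authoritative, and the first non-DECLINED result wins. The group data, the hook order and the module names are constructed for the model; in httpd the order follows hook registration, which the slides do not cover.

```python
"""Model of the Apache 2.2 auth_checker hook chain (added example, not Apache code).

Each authz module registers a check_user_access hook. The runner stops at the
first module that returns something other than DECLINED, so whether two Require
lines behave as OR depends on each module's AuthzXXXAuthoritative setting.
Group data and hook order are constructed for the example.
"""
from dataclasses import dataclass

OK = "OK"
DECLINED = "DECLINED"
HTTP_UNAUTHORIZED = 401

# Constructed stand-ins for AuthGroupFile and for the LDAP group entry.
GROUP_FILE = {"my-valid-group": {"alice"}}
LDAP_GROUPS = {"cn=public-users,o=my-context": {"bob"}}


@dataclass(frozen=True)
class Require:
    """One 'Require <type> <args>' line from the <Directory> block."""
    kind: str
    args: str


def _make_checker(kind, is_member, authoritative):
    """Shared shape of a 2.2 authz hook: own one Require type, decline the rest."""
    def check_user_access(user, requires):
        handled = False
        for req in requires:
            if req.kind != kind:
                continue                # not our type; another module owns it
            handled = True
            if is_member(user, req.args):
                return OK
        if not handled or not authoritative:
            return DECLINED             # let a later module decide
        return HTTP_UNAUTHORIZED        # we own the type and the user failed
    return check_user_access


def make_authz_groupfile(authoritative=True):
    """Toy mod_authz_groupfile; `authoritative` models AuthzGroupFileAuthoritative."""
    return _make_checker(
        "group",
        lambda user, args: any(user in GROUP_FILE.get(g, set()) for g in args.split()),
        authoritative)


def make_authz_ldap(authoritative=True):
    """Toy mod_authnz_ldap authz side; `authoritative` models AuthzLDAPAuthoritative."""
    return _make_checker(
        "ldap-group",
        lambda user, args: user in LDAP_GROUPS.get(args, set()),
        authoritative)


def authz_default(user, requires):
    """Toy mod_authz_default (AuthzDefaultAuthoritative On): nobody claimed the request."""
    return HTTP_UNAUTHORIZED


def run_auth_checker(hooks, user, requires):
    """RUN_FIRST semantics: the first hook not returning DECLINED decides."""
    for name, hook in hooks:
        result = hook(user, requires)
        if result != DECLINED:
            return result, name
    return DECLINED, None


# The two require lines from the slide above.
REQUIRES = [Require("ldap-group", "cn=public-users,o=my-context"),
            Require("group", "my-valid-group")]


def chain(ldap_authoritative):
    """Hook order assumed by the model: LDAP, then groupfile, then default."""
    return [("authnz_ldap", make_authz_ldap(ldap_authoritative)),
            ("authz_groupfile", make_authz_groupfile(True)),
            ("authz_default", authz_default)]


def authorize(user, ldap_authoritative=False, requires=REQUIRES):
    return run_auth_checker(chain(ldap_authoritative), user, requires)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "LDAP authoritative Off:", authorize(user, False),
              "| On:", authorize(user, True))
```

With AuthzLDAPAuthoritative Off, alice (file group only) is granted by mod_authz_groupfile; with it On, the LDAP module answers HTTP_UNAUTHORIZED first and the group file is never consulted, so the "OR" silently becomes "LDAP only". The last assertion in the accompanying check shows mod_authz_default rejecting a request whose Require type no loaded module claimed, which is why the slides list Mod_Authz_Default as the fallback module.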
File-group Authorization
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_owner_module modules/mod_authz_owner.so
<Directory /www/docs>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile /www/users/users.dat
    AuthGroupFile /www/users/group.dat
    require file-group
</Directory>
The group that the user belongs to, as defined by the AuthGroupFile, must match the actual file system group of the requested file.
Introduction – Mod_Authn_Alias
• Ability to create extended providers
• Ability to reference the same base provider multiple times
from a single AuthnxxxProvider directive
• Extended providers are assigned a new name or Alias
• Extended provider aliases are referenced by the directives
AuthBasicProvider or AuthDigestProvider in the same
manner as base providers
• Extended providers can be re-referenced by multiple
configuration blocks
Creating Custom Providers
LoadModule authn_alias_module modules/mod_authn_alias.so
<AuthnProviderAlias ldap ldap-alias1>
    AuthLDAPBindDN cn=youruser,o=ctx
    AuthLDAPBindPassword yourpassword
    AuthLDAPURL ldap://ldap.host/o=ctx
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-other-alias>
    AuthLDAPBindDN cn=yourotheruser,o=dev
    AuthLDAPBindPassword yourotherpassword
    AuthLDAPURL ldap://other.ldap.host/o=dev?cn
</AuthnProviderAlias>
Use an <AuthnProviderAlias> block to combine authentication directives.
Each <AuthnProviderAlias> block references the base provider and assigns a provider alias that will be referenced in the AuthXXXProvider directives.
Using Custom Providers
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
<Directory /webpages/secure>
    Order deny,allow
    Allow from all
    AuthBasicProvider ldap-other-alias ldap-alias1
    AuthType Basic
    AuthName LDAP_Protected_Place
    require valid-user
</Directory>
Whenever an Authn_alias provider is referenced, the entire set of directives from its AuthnProviderAlias block (defined on the previous slide, together with the mod_authn_alias LoadModule) is added to the configuration.
Creating Authn_alias extended providers allows the “ldap” base provider to be referenced multiple times, under different conditions, from a single AuthBasicProvider directive.
Converting Mod_Simple_Auth 2.0 to Apache 2.2
static int authenticate_basic_user(request_rec *r)
{
    /* Locked into basic authentication with this call */
    ap_get_basic_auth_pw(r, &sent_pw);

    /* Determine if the credentials are good and then send the
       appropriate response */
    if (!good_credentials) {
        return HTTP_UNAUTHORIZED;
    }
    return OK;
}

static int check_user_access(request_rec *r)
{
    /* Much of this code reimplements existing authorization types */
    for (x = 0; x < all_possible_authorization_types; x++) {
        authorization_type = all_possible_authorization_types[x];
        if (!strcmp(authorization_type, "valid-user"))
            return OK;
        if (!strcmp(authorization_type, "user")) {
            if (authorized_user)
                return OK;
        }
        if (!strcmp(authorization_type, "group")) {
            if (user_is_member_of_authorized_group)
                return OK;
        }
        if (!strcmp(authorization_type, "simple-user")) {
            if (authorized_simple_user)
                return OK;
        }
    }
    return HTTP_UNAUTHORIZED;
}
Converting Mod_Simple_Auth 2.0
to Apache 2.2
static void register_hooks (apr_pool_t *p)
{
ap_hook_check_user_id(authenticate_basic_user,
NULL,NULL,APR_HOOK_MIDDLE);
ap_hook_auth_checker(check_user_access,
NULL,NULL,APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA auth_module =
{
STANDARD20_MODULE_STUFF,
create_auth_dir_config,
NULL,
NULL,
NULL,
auth_cmds,
register_hooks
};
Mod_Authn_Simple for Apache 2.2
static authn_status check_password(request_rec *r, const char *user,
                                   const char *password)
{
    /* Determine if the credentials are good and then send the
       appropriate response */
    if (!good_credentials)
        return AUTH_DENIED;
    return AUTH_GRANTED;
}

static authn_status get_realm_hash(request_rec *r, const char *user,
                                   const char *realm, char **rethash)
{
    /* Determine the hash and do the right thing */
    the_hash = determine_the_hash();
    if (!the_hash)
        return AUTH_USER_NOT_FOUND;
    *rethash = the_hash;
    return AUTH_USER_FOUND;
}

static const authn_provider authn_simple_provider =
{
    &check_password,   /* password validation function */
    &get_realm_hash,   /* digest hash function */
};

static void register_hooks(apr_pool_t *p)
{
    ap_register_provider(p, AUTHN_PROVIDER_GROUP,
                         "simple", "0", &authn_simple_provider);
}

module AP_MODULE_DECLARE_DATA authn_simple_module =
{
    STANDARD20_MODULE_STUFF,
    create_authn_simple_dir_config,
    NULL,
    NULL,
    NULL,
    authn_simple_cmds,
    register_hooks
};
Mod_Authz_Simple for Apache 2.2
static int check_user_access(request_rec *r)
{
    for (x = 0; x < all_possible_authorization_types; x++) {
        authorization_type = all_possible_authorization_types[x];
        if (!strcmp(authorization_type, "simple-user")) {
            if (authorized_simple_user) {
                return OK;
            }
        }
    }

    /* If we aren't authoritative then just DECLINE */
    if (!authoritative)
        return DECLINED;

    /* Return the appropriate response */
    return HTTP_UNAUTHORIZED;
}

static void register_hooks(apr_pool_t *p)
{
    ap_hook_auth_checker(check_user_access,
                         NULL, NULL, APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA authz_simple_module =
{
    STANDARD20_MODULE_STUFF,
    create_authz_simple_dir_config,
    NULL,
    NULL,
    NULL,
    authz_simple_cmds,
    register_hooks
};
New Features Already in Apache 2.3
• Moving from hook-based to provider-based authorization
• “AND/OR/NOT” logic in authorization
• Host Access Control as an authorization type
–Require IP …, Require Host …, Require Env …
–Require All Granted, Require All Denied
–“Order Allow/Deny”, “Satisfy” where did they go?
–Backward compatibility with the 2.0/2.2 Host Access Control, use
the Mod_Access_Compat module
Mod_Authz_Simple Provider for Apache 2.3
static authz_status simple_user_authorization(request_rec *r,
                                              const char *require_args)
{
    if (authorized_simple_user) {
        return AUTHZ_GRANTED;
    }
    return AUTHZ_DENIED;
}

static const authz_provider authz_simpleuser_provider =
{
    &simple_user_authorization,
};

static void register_hooks(apr_pool_t *p)
{
    ap_register_provider(p, AUTHZ_PROVIDER_GROUP,
                         "simple-user", "0", &authz_simpleuser_provider);
}

module AP_MODULE_DECLARE_DATA authz_simple_module =
{
    STANDARD20_MODULE_STUFF,
    create_authz_simple_dir_config,
    NULL,
    NULL,
    NULL,
    authz_simple_cmds,
    register_hooks
};
Authorization Types
Mod_Authnz_LDAP
• LDAP-User
• LDAP-Group
• LDAP-DN
• LDAP-Attribute
• LDAP-Filter
Mod_Authz_Host
• Env
• IP
• Host
• All
Mod_Authz_DBD
• DBD-Group
• DBD-Login
• DBD-Logout
Mod_Authz_Groupfile
• Group
• File-Group
Mod_Authz_DBM
• DBM-Group
• DBM-File-Group
Mod_Authz_User
• User
• Valid-User
Mod_Authz_Owner
• File-Owner
Adding “AND/OR/NOT” Logic to
Authorization
• Allows authorization to be granted or denied based on a
complex set of “Require…” statements
• New Directives
–<SatisfyAll> … </SatisfyAll> - Must satisfy all of the encapsulated
statements
–<SatisfyOne> … </SatisfyOne> - Must satisfy at least one of the
encapsulated statements
–<RequireAlias> … </RequireAlias> - Defines a ‘Require’ alias
–Reject – Reject all matching elements
Authorization using ‘AND/OR’ Logic
Authorization Logic:
if ((user == "John") ||
    ((Group == "admin") &&
     (ldap-group <contains user>) &&
     ((ldap-attribute dept == "sales") ||
      (file-group contains user))))
then
    Authorization Granted
else
    Authorization Denied
Configuration:
<Directory /www/mydocs>
    AuthName ...
    AuthType ...
    AuthBasicProvider ...
    ...
    Require user John
    <SatisfyAll>
        Require Group admins
        Require ldap-group cn=mygroup,o=foo
        <SatisfyOne>
            Require ldap-attribute dept="sales"
            Require file-group
        </SatisfyOne>
    </SatisfyAll>
</Directory>
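To make the pseudocode above concrete, the Python below (an added example, not Apache code) evaluates the <Directory /www/mydocs> block as a tree of SatisfyAll / SatisfyOne nodes over toy 2.3-style authz providers that return AUTHZ_GRANTED or AUTHZ_DENIED. The directory data, the file ownership and the rule that Require lines directly inside the block are OR'd (as the pseudocode shows) are assumptions of the model; the ldap-attribute provider ORs its attributes and file-group compares the requesting user's group-file membership with the group owning the requested file, as the earlier slides describe.

```python
"""Evaluator for nested SatisfyAll / SatisfyOne blocks over 2.3-style authz
providers (added example, not Apache code).

The tree is the <Directory /www/mydocs> block from the slide. Directory data,
file ownership and the OR rule for the block body are assumptions of the model.
"""
from dataclasses import dataclass

AUTHZ_GRANTED = "AUTHZ_GRANTED"
AUTHZ_DENIED = "AUTHZ_DENIED"

# Constructed data: AuthGroupFile contents, an LDAP group, each user's LDAP
# attributes, and the file-system group that owns each requested file.
GROUP_FILE = {"admins": {"mary", "sam"}, "devs": {"sam"}, "sales-team": {"mary"}}
LDAP_GROUP = {"cn=mygroup,o=foo": {"mary", "sam"}}
LDAP_ATTRS = {"mary": {"dept": "sales"}, "sam": {"dept": "eng"}}
FILE_GROUP = {"/www/mydocs/plan.txt": "devs", "/www/mydocs/forecast.txt": "sales-team"}


@dataclass(frozen=True)
class Request:
    user: str
    filename: str


@dataclass(frozen=True)
class Require:
    provider: str      # the authorization type, e.g. "ldap-group"
    args: str = ""     # the rest of the Require line


@dataclass(frozen=True)
class SatisfyAll:
    items: tuple       # every item must be granted


@dataclass(frozen=True)
class SatisfyOne:
    items: tuple       # at least one item must be granted


def authz_user(r, args):
    return AUTHZ_GRANTED if r.user in args.split() else AUTHZ_DENIED


def authz_group(r, args):
    member = any(r.user in GROUP_FILE.get(g, set()) for g in args.split())
    return AUTHZ_GRANTED if member else AUTHZ_DENIED


def authz_ldap_group(r, args):
    return AUTHZ_GRANTED if r.user in LDAP_GROUP.get(args, set()) else AUTHZ_DENIED


def authz_ldap_attribute(r, args):
    """Several attr=value pairs on one line are OR'd, as the ldap-attribute slide states."""
    attrs = LDAP_ATTRS.get(r.user, {})
    for pair in args.split():
        key, _, value = pair.partition("=")
        if attrs.get(key) == value.strip('"'):
            return AUTHZ_GRANTED
    return AUTHZ_DENIED


def authz_file_group(r, args):
    """file-group: the user must belong (per AuthGroupFile) to the group owning the file."""
    owning_group = FILE_GROUP.get(r.filename)
    member = owning_group is not None and r.user in GROUP_FILE.get(owning_group, set())
    return AUTHZ_GRANTED if member else AUTHZ_DENIED


# Provider registry keyed by authorization type, as ap_register_provider would build it.
PROVIDERS = {"user": authz_user, "group": authz_group, "ldap-group": authz_ldap_group,
             "ldap-attribute": authz_ldap_attribute, "file-group": authz_file_group}


def evaluate(node, r):
    if isinstance(node, Require):
        return PROVIDERS[node.provider.lower()](r, node.args)
    if isinstance(node, SatisfyAll):
        ok = all(evaluate(i, r) == AUTHZ_GRANTED for i in node.items)
        return AUTHZ_GRANTED if ok else AUTHZ_DENIED
    if isinstance(node, SatisfyOne):
        ok = any(evaluate(i, r) == AUTHZ_GRANTED for i in node.items)
        return AUTHZ_GRANTED if ok else AUTHZ_DENIED
    raise TypeError(f"unknown node {node!r}")


# The slide's configuration; the block body is treated as SatisfyOne.
MYDOCS = SatisfyOne((
    Require("user", "John"),
    SatisfyAll((
        Require("Group", "admins"),
        Require("ldap-group", "cn=mygroup,o=foo"),
        SatisfyOne((Require("ldap-attribute", 'dept="sales"'), Require("file-group"))),
    )),
))


def authorize(user, filename="/www/mydocs/plan.txt"):
    return evaluate(MYDOCS, Request(user, filename))


if __name__ == "__main__":
    for user, fn in [("John", "/www/mydocs/plan.txt"), ("mary", "/www/mydocs/plan.txt"),
                     ("sam", "/www/mydocs/plan.txt"), ("sam", "/www/mydocs/forecast.txt"),
                     ("pat", "/www/mydocs/plan.txt")]:
        print(f"{user:5} {fn}: {authorize(user, fn)}")
```

sam is granted plan.txt through file-group but denied forecast.txt, which belongs to a group sam is not in; pat fails the first SatisfyAll term, so the remaining providers in that block are never called. In released Apache 2.4 these containers ship as <RequireAll>, <RequireAny> and <RequireNone>; the names on the slide are the 2.3 development ones.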
Host Access Control as Authorization Types
Apache 2.3:
<Location …>
    Require All Denied
</Location>
Apache 2.2 equivalent:
<Location …>
    Order Allow,Deny
    Deny From All
</Location>
Apache 2.3:
<Location …>
    Require Host Apache.org
</Location>
Apache 2.2 equivalent:
<Location …>
    Order Deny,Allow
    Allow From Apache.org
</Location>
Apache 2.3 (no single 2.2 equivalent shown):
<Location …>
    <SatisfyAll>
        Require IP 10.1 172.5
        Require env LET_ME_IN
    </SatisfyAll>
</Location>
Backwards Compatible Host Access
Control with Mod_Access_Compat
• The directives “Order Allow/Deny” and “Satisfy” are still
available with Mod_Access_Compat
• Mod_Access_Compat will allow you to mix the new
authorization types with the old host access control
• Mod_Authn_Default and Mod_Authz_Default modules
must be loaded
Summary
• Choosing the way authentication and authorization is done is now more
modular
• No longer bound to a specific authentication method based on
authentication type
• No longer bound to an authorization method based on the chosen
authentication module
• Ability to use multiple authentication providers along with multiple
different authorization methods
• Create, use and reuse custom authentication providers
• Reuse the same authentication base provider under different conditions
from the same AuthnxxxProvider directive
• Much more powerful, flexible and consistent
• More to come in Apache 2.3!
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is
not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.
Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular
purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole
discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any
time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this
presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party
trademarks are the property of their respective owners.