Geovane Fedrecheski
Advisor: Marcelo Zuffo
Nov 2016
Lee, Edward A., et al. "The Swarm at the Edge of the Cloud." IEEE Design & Test 31.3 (2014): 8-20.
NIST IR 7316 2006
Access control is concerned with providing users with selective access to resources.
NIST SP 800-162 2014
The Purpose of Logical Access Control is to protect objects from unauthorized operations.
resource    user:op
------------------
/tmp        pablo:rw
file.txt    pablo:r
/           root:rwx
{
"id": "1",
"name": "policy 1",
"privileges": [
{
"originators": [
"john",
"rick"
],
"operations": 4,
"contexts": [
{"time_window": ["* * 6-22 * * *"]}
],
"targets": [
"indoorsensor/*",
"indoorsensor/*",
"outdoorsensor/temperature"
]
}
]
}
Policy Enforcement
{from=X op=read to=Y/value}
GET /value origin: X
originators: ["Z", "X"], operations: 0x02 targets: ["Y/*"]
(ABAC terminology)
Policy Enforcement Point
(PEP)
Policy Decision Point
(PDP)
Policy Information Point
(PIP)
Policy Administration Point
(PAP)
Policy Management
Cowboy webserver
defmodule Sensor.Router do
  @moduledoc """
  Plug router for the temperature sensor.

  Serves the current reading as JSON at `GET /temperature-sensor/value`.
  """
  use Plug.Router

  # Plug order is the security-relevant part of this module: the
  # BrokerHTTPClient step sits before :dispatch, so a request that the
  # authorization step halts never reaches a route body.
  plug(:match)
  plug(Plug.Parsers, parsers: [:json], json_decoder: Poison)
  # NOTE(review): fetch_sd_params is not defined in this excerpt; presumably it
  # fills conn.assigns (e.g. :broker_url) for the authorization step — confirm.
  plug(:fetch_sd_params)
  # NOTE(review): a module plug is invoked through init/1 and call/2. Confirm
  # BrokerHTTPClient implements both and that call/2 runs the authorization
  # check; otherwise this line does not enforce anything.
  plug(BrokerHTTPClient, :authorize)
  plug(:dispatch)

  get "/temperature-sensor/value" do
    # Reading is rounded to one decimal place before it is serialized.
    reading = Float.round(Handler.read(), 1)
    body = Poison.encode!(%{"value" => reading, "unit" => "celsius"})
    send_resp(conn, 200, body)
  end
end
defmodule BrokerHTTPClient do
  @moduledoc """
  Policy enforcement step for the sensor: asks the broker whether the
  current request is allowed and halts the connection when it is not.
  """

  # Sends the authorization parameters to the broker's authorize endpoint and
  # either passes `conn` through unchanged or replies 401 with an empty body
  # and halts the pipeline. `_opts` is ignored.
  #
  # NOTE(review): fetch_authz_params/1 and allowed?/1 are not part of this
  # excerpt. Two things to confirm in them:
  #   * allowed?/1 must fail closed — it should return false for an
  #     `{:error, _}` result from HTTPoison and for every non-success status,
  #     so that a broker outage or timeout denies rather than grants access.
  #   * if the originator identity placed in the parameters is read from a
  #     client-supplied field, the decision is only as trustworthy as that
  #     field; confirm the caller is authenticated before it is used.
  # NOTE(review): conn.assigns[:broker_url] is nil when unset, in which case
  # `<>` raises; confirm an upstream plug always sets it, and that the URL
  # points at an authenticated (TLS) broker endpoint.
  def authorize(conn, _opts) do
    authz_params = fetch_authz_params(conn)
    Logger.info("Called PEP with #{inspect(authz_params)}")

    authorize_url = conn.assigns[:broker_url] <> @authorize_path
    broker_reply = HTTPoison.get(authorize_url, [], params: authz_params)

    if allowed?(broker_reply) do
      conn
    else
      conn
      |> send_resp(401, "")
      |> halt()
    end
  end
end
defmodule BrokerHTTP.Router do
  @moduledoc """
  Routes of the broker's HTTP API, all under the `/broker` scope.
  """
  use BrokerHTTP.Web, :router

  # `:accepts` only performs content negotiation; it does not identify or
  # authenticate the caller.
  # NOTE(review): no authentication or authorization plug is visible in this
  # pipeline. Confirm the policy administration routes below are protected
  # elsewhere; whoever can write policies controls every access decision.
  pipeline :api do
    plug(:accepts, ["json"])
  end

  scope "/broker", BrokerHTTP do
    pipe_through(:api)

    resources("/registry", RegistryController, only: [:index, :create, :show])

    resources "/locate-requests", LocateController, only: [:create] do
      resources("/candidates", CandidateController, only: [:index, :create, :show])
    end

    # Decision endpoint queried by enforcement points.
    get("/security/authorize-request", AccessControlController, :index)

    # Policy administration. There is no `only:` filter here, so the full
    # default action set (including :new and :edit) is routed.
    resources("/security/policies", PolicyController)
  end
end
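defmodule BrokerHTTP.AccessControlController do
  @moduledoc """
  HTTP entry point for authorization decisions.

  Replies with an empty body; the status code carries the decision.
  """
  use BrokerHTTP.Web, :controller
  alias Plug.Conn.Status

  # Answers an authorization query built from the `fr` (originator), `to`
  # (target) and `op` (operation code) request parameters.
  #
  #   * 200 — Broker.AccessControl.authorize/1 returned a truthy value
  #   * 401 — it returned a falsy value
  #   * 400 — `op` is not a plain integer string
  #
  # `op` comes straight from the request, so it is parsed defensively:
  # String.to_integer/1 would raise on malformed input and turn a bad query
  # into an unhandled exception. Only 200 is a grant.
  # NOTE(review): confirm the enforcement side treats every status other than
  # 200 (including this 400) as a denial.
  def index(conn, %{"fr" => from, "to" => to, "op" => op}) do
    case parse_op(op) do
      {:ok, op_code} ->
        req = %Request{from: from, to: to, op: op_code, id: nil}

        status =
          if Broker.AccessControl.authorize(req) do
            Status.code(:ok)
          else
            Status.code(:unauthorized)
          end

        send_resp(conn, status, "")

      :error ->
        send_resp(conn, Status.code(:bad_request), "")
    end
  end

  # Strictly parses the operation code: the whole string must be an integer.
  defp parse_op(op) when is_binary(op) do
    case Integer.parse(op) do
      {op_code, ""} -> {:ok, op_code}
      _ -> :error
    end
  end

  # Non-string values (e.g. a list from `op[]=…`) are rejected as well.
  defp parse_op(_op), do: :error
end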
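defmodule Broker.AccessControl.PDP do
  @moduledoc """
  Policy decision point: decides whether a request is permitted by the
  access-control rules that apply to it.
  """

  # Returns `true` when at least one applicable rule matches the request and
  # `false` otherwise. With no applicable rules the result is `false`, i.e.
  # the default decision is deny. Evaluation stops at the first matching rule.
  #
  # Enum.any?/2 is used so the decision is always a strict boolean, whatever
  # truthy or falsy term match/2 happens to return.
  # NOTE(review): PRP.get_applicable_acp/1 is not shown; presumably it returns
  # the list of rules relevant to this request — confirm.
  def authorize(request) do
    decision =
      request
      |> PRP.get_applicable_acp()
      |> Enum.any?(fn rule -> match(rule, request) end)

    Logger.info("Authorizing request #{inspect(request)} resulted in #{decision}")
    decision
  end

  # A rule matches only when originators, operations, targets and contexts all
  # match. The checks short-circuit, so the context is fetched from the PIP
  # only after the first three have passed. Returns whatever the last
  # evaluated check returns (truthy on a match, falsy otherwise).
  def match(rule, %Request{} = request) do
    match_origs(rule, request) &&
      match_ops(rule, request) &&
      match_targets(rule, request) &&
      match_ctxs(rule, PIP.fetch_context(request))
  end
end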
defmodule BrokerHTTP.Router do
  @moduledoc """
  Routes of the broker's HTTP API, all under the `/broker` scope.
  """
  use BrokerHTTP.Web, :router

  # `:accepts` only performs content negotiation; it does not identify or
  # authenticate the caller.
  # NOTE(review): no authentication or authorization plug is visible in this
  # pipeline. Confirm the policy routes below (create, update, delete) are
  # protected elsewhere; whoever can write policies controls every access
  # decision.
  pipeline :api do
    plug(:accepts, ["json"])
  end

  scope "/broker", BrokerHTTP do
    pipe_through(:api)

    resources("/registry", RegistryController, only: [:index, :create, :show])

    resources "/locate-requests", LocateController, only: [:create] do
      resources("/candidates", CandidateController, only: [:index, :create, :show])
    end

    # Decision endpoint queried by enforcement points.
    get("/security/authorize-request", AccessControlController, :index)

    # Policy administration, limited to the listed actions.
    resources(
      "/security/policies",
      PolicyController,
      only: [:index, :create, :show, :update, :delete]
    )
  end
end
prototype
prototype
Geovane Fedrecheski
geonnave@gmail.com
Advisor: Marcelo Zuffo
Nov 2016