One Fish Two Fish An Intro to Grouper

Transcription

1 One Fish Two Fish An Intro to Grouper Bill Thompson CISSP, Director IAM, Unicon Shilen Patel, Senior IT Analyst, Duke University June 10-15, 2012 Growing Community; Growing Possibilities

2 About Bill 395 days - Director, IAM Practice, Unicon IAM Practice, CAS/Shib/Grouper, CAS Steering Committee, CAS 3.5 Roadmap, CISSP 2.5 years - Senior Associate Director, Princeton University.NET CAS Client, Enterprise WebSSO Strategy 6 years - Associated Director - Rutgers University myrutgers (uportal 2/3), Jasig CAS Project, uportal Release Engineer, Jasig Board of Directors 2

3 About Unicon Trusted Partner since 1993 Expertise in Open Source Software for Education Professional Services for uportal, Sakai, CAS, Shib, Grouper, and soon Student Success Plan Innovative Cooperative Support Program 3

4 Agenda Why Grouper? History Concepts, Architecture & Components Grouper in What s Next Questions & Comments 4

5 5

6 Why have an access management strategy? Lower cost and time to deliver a new service Simplify and make consistent by using the same group or role in many places Physics 101 Course Group Group Wiki Access Lab Reservations 6

7 Access management stages: 1. Start out using a single user attribute, affiliation, in LDAP or Active Directory. This lets services implement simple access policies. Affiliation Service student faculty staff Staff portal guest 7

8 Access management stages: 2. Enrich & centralize access management with groups determined from systems of record Courses, financial accounts, departments Define service-specific access policies in the centralized access management system Math Faculty Group can access Math Faculty Resources 8

9 Access management stages: 3. Get central IT out of the loop Distributed management Exceptions Departmental applications Math Faculty Group Math Support Group + can access Math Faculty Resources 9

10 Access management stages: 4. Increase integration of access management Direct integration with applications using web services SOAP/REST/ESB Roles & privileges to support applications more deeply For Math Department, while John works there HR Admin Role 10

11 Why Grouper? Authentication, WebSSO is not enough Lots of apps, lots of groups Identities -> Groups -> Roles/Permissions IAM Maturity Cloud enablement Distributed management Security, Efficiency, Agility 11

12 History Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 - December December September March targeted for early

13 Contribution organizations, so far... Internet2 / JISC Brown University California Polytech Cardiff University Campus Crusade for Christ International Cornell University Duke University Freie Universität Berlin GIP RECIA LIGO Newcastle University Northern Arizona University Ohio State University SURFnet University of Bristol University of Chicago University of Kansas University of Memphis University of Pennsylvania University of Washington University of Web Bohemia 13

14 14

15 15

16 16

17 17

18 18

19 Grouper Core Concepts 19

20 Grouper Core Concepts Folders in hierarchies Group Direct members Subgroup Indirect members = U Composite groups 20

21 Security & Delegation Create groups Create subfolders Admin Update membership Read membership View group Opt-in Opt-out Delegation 21

22 Beyond groups... Attributes Roles Permissions Attribute definition Permission definition Role inheritance Delegation model extends that for Groups 22

23 Access management lifecycle Membership start & end times (optional) Move or copy folders, groups, etc User audit Point in time audit Rules 23

24 UChicago VPN access vpn:authorized Core business systems eligible IdM system = staff student postdoc IRB IRB Office denied closure locked IT Security Team Different groups, different authorities VPN only uses vpn:authorized 24

25 UChicago Grouper managed Apps aams Ad Astra Bulkmail Business Objects Enterprise Chalk CityRyde Cmail cnet Confluence Directory Administration dmca Facilities SIMS gnetid grouper Service Now sharepoint shibboleth statements portlet SVN tank unifiedcomm versions virtualization voip vpn web hosting webproxy webshare webspace wireless 25

26 Google Apps* Any SaaS Applications Shibboleth IdP Grouper Plugin Kuali Rice Grouper Plugin Atlassian Jira Confluence Grouper Plugin LDAP/AD Provisioning Service Provider Delegation Rules Web Services REST/SOAP Applications Grouper Client Person Registry Subject API JNDI/JDBC Subjects Groups Roles Permissions Policy Audit Change Log Notifications XMPP/HTTP ESB Grouper Loader Web UI Grouper Shell Systems of Record LDAP/AD * PSP connectors may be needed Groups, Roles and Permissions Management Grouper Admin 26

27 Grouper in 27

28 Contents Background Architecture Naming Provisioning Dynamic Groups Courses and other collaboration groups Active Directory Permissions 28

29 Background Started in 2006 with Grouper v0.5. No existing group management system centrally. Existing attributes were not enough for authorization. Though when they were, they were complicated. 29

30 30

31 Nagios monitors Grouper WS DB is a single point of failure. 31

32 Naming duke:employees - institutionally managed groups based on employee data. duke:orgs - organizational hierarchy. duke:resources - used to store resources in Grouper primarily to manage external resources. duke:siss - course enrollments 32

33 Naming (continued) duke:users - user specific groups duke:<department> - separate folders for each department using Grouper, such as OIT, Library, and Law. Department specific dynamic groups Department specific user managed groups. Sub-folders for app-specific or sub-dept. 33

34 Provisioning 34

35 Provisioning Provisioning at least one LDAP directory in near real-time since Incremental only. Bulk seems very expensive, so we try to make incremental reliable. Custom change log before Grouper had a change log. Keeps track of which consumers have processed which change. Daily retries. 35

36 Provisioning (continued) Target systems OIM - used to provision resources Active Directory - applications specifically designed to use AD. Service Directories - legacy, original LDAP provisioning. 36

37 Provisioning (continued) Target systems Util Directories - non-ad, fast, limited data. Authentication Directories - Shibboleth IdP. 37

38 Dynamic Groups 38

39 Dynamic Groups OIM maintained using custom connector. Connector knows which Grouper group are dynamic based on Grouper group type. Grouper has definition of the groups. Connector knows which attributes are involved in dynamic groups. 39

40 Dynamic Groups (continued) When an attribute of a person changes: Connector finds relevant dynamic groups. For each one, determines if the person should or should not be in the group. For each one, determines if the person is in the group or not. Makes changes using Grouper WS if needed. 40

41 Dynamic Groups (continued) OIM retries failures every day. Manually run sync script. Real-time. 41

42 Courses and other collaboration groups 42

43 Courses Get course files from source system every day. Diff with previous file and update Grouper. Accounts for 90%+ of our groups. For each course, automatically creates groups for students, instructors, and TAs. 43

44 Toolkits Allows students and employees to create online communities. Communities based on courses or other ad-hoc groups. Allows instructors and other delegated administrators to define other course groups. visitors, auditors, developers, etc. 44

45 Toolkits (continued) Toolkits maps the various course groups with default permissions in various applications. Ad-hoc communities also have groups associated with permissions. Applications include Sakai, WordPress, Sympa, Confluence, and more. 45

46 Toolkits (continued) 46

47 Creates various groups in Grouper (admin, contrib, viewers, all) Toolkits (continued) 47

48 Toolkits (continued) 48

49 Toolkits (continued) 49

50 Active Directory Permissions 50

51 Initial Environment Used to be in a world where the central Active Directory was manually managed. Passwords in the Active Directory were not in sync with NetID passwords (MIT Kerberos). Departments also had their own Active Directory environments. 51

52 High Level Goals IdM manages user objects for Duke students, employees, and affiliates. One way password sync from MIT Kerberos to Active Directory. Departments need to be able to read and update some user attributes. Departments need to be able to create some objects. 52

53 Solution KDC plugin to sync passwords. Additional integration with ERP to define functional group attribute. e.g. OIT:SSI or TrinityCollege:A&S:Art Org hierarchy in Grouper based on functional group attribute and dynamic groups. Grouper to manage permissions. 53

54 Departmental OUs Chancellor HealthAffairs OU= DukeDepts Financial Services Trinity College DFAS tech svcs Chem A&S Art duke:resources duke:resources:dept_tree duke:resources:dept_tree:trinitycollege duke:resources:dept_tree:trinitycollege:dfas duke:resources:dept_tree:trinitycollege:dfas:techsvcs duke:resources:dept_tree:trinitycollege:a&s duke:resources:dept_tree:trinitycollege:a&s:chem duke:resources:dept_tree:trinitycollege:a&s:art duke:resources:dept_tree:financialservices duke:resources:dept_tree:chancellorhealthaffairs Map Departmental OUs in AD onto Grouper Resources in One Hieararchy 54

55 People OUs OU= DukePeople Financial Services DFAS Trinity College A&S Users duke:resources:people_tree duke:resources:people_tree:trinitycollege duke:resources:people_tree:trinitycollege:objectclass duke:resources:people_tree:trinitycollege:unixloginshell duke:resources:people_tree:trinitycollege:unixhomedirectory tech svcs Users Chem Art Users duke:resources:people_tree:trinitycollege:users duke:resources:people_tree:trinitycollege:users:objectclass duke:resources:people_tree:trinitycollege:users:unixloginshell duke:resources:people_tree:trinitycollege:users:unixhomedirectory Users Users Users duke:resources:people_tree:trinitycollege:a&s etc... Map (User OUs x Attributes) onto Grouper Resources in Separate Hierarchy 55

56 Departmental Roles it_nonmanagers (dynamic) it_managers (dynamic) ad_manager (explicitly defined with includes/excludes) ad_admins (explicitly defined with includes/excludes) 56

57 Mapping Permissions Express AD Access Rights as Grouper Perms (subject,action,resource) (duke:orgs:oit:ssi:ad_admins,action_full, duke:resources:ad:dept_tree:oit:ssi) (OIT:SSI AD Admins have full rights in DukeDepts\OIT\SSI [recursively]) (duke:orgs:oit:ssi:ad_admins,action_readwrite, duke:resources:ad:people_tree:oit:ssi:unixhomedire ctory) (OIT:SSI:AD Admins have read-write access to the unixhomedirectory attribute in DukePeople\OIT\SSI [recursively]) 57

58 Web UI Manager view to manage OU=DukePeople 58

59 Future Upgrade from 1.5 to 2.1. Changes to provisioning strategy. PSP? Additional subject sources More with permissions High availability Privacy and subject filtering 59

60 Grouper Roadmap Release Item Description 2.2 New Grouper UI Provide new UI capabilities that better meet community needs Services in Grouper Improved Grouper configuration On-going Grouper Core On-going Community contributions Tag objects in Grouper so that folders, groups, permissions can be associated with a "service to make it easier for users to perform tasks in Make Grouper more easily deployable and upgradeable across environments with cascaded config files and expression language in config file Continue adding capabilities to meet requirements from the field. Solicit and publicize community contributions of extensions and complements to Grouper. 60

61 Resources Grouper Project Grouper demo server: 61

62 Thanks! Bill Thompson CISSP, Director IAM, Unicon Shilen Patel, Senior IT Analyst, Duke University 62