Identity and Access Management Level 200

Transcription

1 Identity and Access Management Level 200 Flavio Pereira November

2 Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle. 2

3 Objectives After completing this lesson, you should be able to: Create Instance Principals Write advanced Policies Federate OCI with Oracle Identity Cloud Service (IDCS) Design reference IAM Model for an Enterprise 3

4 IAM Basics Identity and Access Management Service (IAM) enables you to control who can do what in your OCI account IAM service Principals Users/Groups, Instance Principals Authentication done through username/password and API Signing Keys Authorization done by defining specific privileges in Policies and associating them with Principals Policies are comprised of one or more human-readable statements which specify what groups can access what resources and what level of access users in that group have Compartment, a unique OCI feature, can be used to organize and isolate related cloud resources OCI supports both free form tags and defined tags with a schema and secured by policies OCI Audit Service Automatically records calls to OCI services API endpoints as log events 4

5 Instance Principals 5

6 Instance Principals Instance Principals lets instances (and applications) to make API calls against other OCI services removing the need to configure user credentials or a configuration file Current problem Storing API credentials on each instance Credential rotation Audits at instance level are impossible since credentials are same across hosts How does Instance principals solve the problem? Instance Principals gives instances their own identity, instances become a new type of Principal (in addition to OCI IAM users/groups) Dynamic groups allows policy to be defined on instances In the Audit, you will see the instance Id making the API call 6

7 Instance Principals Authentication is at instance level Customers don t do any credential management Authorization is done via Dynamic Groups Dynamic groups allow you to group OCI instances as principal actors, similar to user groups. Policy is set at Dynamic Group level. Membership in the group is determined by a set of criteria called matching rules. Resources that match the rule criteria are members of the dynamic group Services that support Instance Principals - Compute, Block Volume, Networking, Load Balancing, Object Storage 7

8 Step1: create a Dynamic Group that matches a set of instances Possible to exclude specific instances from a Dynamic Group All {instance.compartment.id = '<compartment_ocid>', instance.id!= '<instance1_to_exclude_ocid>', instance.id!= '<instance2_to_exclude_ocid>'} 8

9 Step2: create a Policy dictating what permissions those instances should receive 9

10 Step3: customer deploys code to an instance OCI SDK/CLI is able to make calls to OCI APIs without customer configured credentials cat config [DEFAULT] user=ocid1.user.oc1..aaaaaaaag3635pdkcopjvcvljf7kmo7besxqzeqiry2wzawa4zqk2xkx4z7q fingerprint=93:4f:c0:c3:26:3b:06:9f:c8:17:60:78:23:e1:1c:90 # key_file=/home/opc/.oci/oci_api_key.pem tenancy=ocid1.tenancy.oc1..aaaaaaaaxy6bh46cdnlfpaibasc6dotowv32hc2sbj4ph3ocxtfxhhva2hna region=us-ashburn-1 [opc@webserver1.oci]$ oci os ns get ERROR: The config file at ~/.oci/config is invalid: +Config Errors Key Error Hint key_file missing the full path and filename of the private PEM key file [opc@webserver1.oci]$ [opc@webserver1.oci]$ oci os ns get --auth instance_principal { "data": "intoraclerohit" } Java and Python SDKs and Terraform also support Instance Principal authorization 10

11 How it works? The internal PKI Service issues X.509 certificates for every compute instance These compute instance certificates are signed by our internal CA and contain information about the instance (instance Id, compartment Id, etc) If the OCI SDK/CLI can not find locally configured credentials, it will call the Instance Metadata service and use the provided X.509 certificate to call the Identity Auth Service, getting back a token to use in calling OCI APIs The Auth Service will verify the certificate was issued by us and issue a token with the key information from the certificate Calls made using that token will be authorized against any matching policy (using the new "instances" subject) The PKI Agent, running on the SmartNIC, will refresh the certificate periodically and the SDK, running on the instance, will get a new token from the Auth Service as necessary 11

12 How it works? The certificate is rotated multiple times a day and customers cannot change the frequency You can use this Curl command to query the X.509 certificates, curl [opc@webserver1.oci]$ curl BEGIN CERTIFICATE----- MIIIPjCCBiagAwIBAgIQesV+WyeYgLqUxb4vSgrL/jANBgkqhkiG9w0BAQsFADCB qtfzmhega1uecxnqb3bjlwrldmljzto1ndo1yjo4ntpiotowmjo5yjo4yto4mdpl YTo1MjoxNzo1MjozYjo1ZjowZjpmMzo1MTpkNjo1YzoxZjpmYTozYTo1MTo4OTow ZDpjMTowNTo0MjphOTowYzplMTo4YjEyMDAGA1UEAxMpUEtJU1ZDIElkZW50aXR5 IEludGVybWVkaWF0ZSB1cy1hc2hidXJuLTEwHhcNMTgwNjE1MTc0MjU1WhcNMTgw NjE1MTg0MjU1WjCCAbQxggFSMBwGA1UECxMVb3BjLWNlcnR0eXBlOmluc3RhbmNl MGcGA1UECxNgb3BjLWluc3RhbmNlOm9jaWQxLmluc3RhbmNlLm9jMS5pYWQuYWJ1 d2nsanrrywmymjzzbdy1n3hsbhiznwszagozywjra3i3dm9sd3bndwd6c3nkdjd2 12

13 Competitive analysis Feature Credential distribution Auto rotation Per instance creds Default identity Identity/ instance Instance groups Oracle AWS Azure Instance Principals IAM roles for EC2 Service Principals Yes Yes Yes Yes 1 Yes Yes Yes Yes No 1 No No No No No n/a No Credential Distribution: are credentials distributed to customer instances automatically by the service provider? Auto Rotation: are credentials automatically rotated by the service provider? Per Instance Creds: are credentials scoped to a single instance? Default Identity: does every instance receive credentials by default? Identity/Instance: how many identities can be provisioned by instance? Instance Groups: can identities be provisioned to entire sets of instances or must it be done instance-by-instance? 13

14 Advanced Policies 14

15 Policy Syntax Allow <subject> to <verb> <resource-type> in <location> where <conditions> Verb inspect read use manage Type of access Ability to list resources Includes inspect + ability to get user-specified metadata/actual resource Includes read + ability to work with existing resources (the actions vary by resource type)* Includes all permissions for the resource Aggregate resource-type all-resources database-family instance-family object-family virtual-networkfamily volume-family Individual resource type db-systems, db-nodes, db-homes, databases instances, instance-images, volume-attachments, console-histories buckets, objects vcn, subnet, route-tables, security-lists, dhcpoptions, and many more resources (link) Volumes, volume-attachments, volume-backups * In general, this verb does not include the ability to create or delete that type of resource The IAM Service has no family resource-type, only individual ones; Audit and Load Balancer have individual resources (load-balancer, audit-events) 15

16 Verbs & Permissions When you write a policy giving a group access to a particular verb and resource-type, you're actually giving that group access to one or more predefined permissions Verb Permssions API Operation INSPECT VOLUME_INSPECT READ VOLUME_INSPECT ListVolumes GetVolume Permissions are the atomic units of authorization that control a user's ability to perform operations on resources READ +.. As you go from inspect > read > use > manage, the level of access generally increases, and the permissions granted are cumulative Volumes-family USE VOLUME_UPDATE VOLUME_WRITE Each API operation requires the caller to have access to one or more permissions. E.g., to use ListVolumes or GetVolume, you must have access to a single permission: VOLUME_INSPECT MANAGE USE + VOLUME_CREATE.. CreateVolume VOLUME_DELETE DeleteVolume 16

17 Policy Syntax Allow <subject> to <verb> <resource-type> in <location> where <conditions> Conditions: Syntax for a single condition: variable =!= value 2 variable types: request (relevant to the request itself), and target (relevant to the resource(s) being acted upon in the request) E.g. variable request.operation represents the API operation being requested (e.g. ListUsers); target.group.name represents the name of the group variable name is prefixed accordingly with either request or target followed by a period request.operation request.permission request.user.id request.groups.id target.compartment.id target.compartment.name request.region request.ad The API operation name being requested The underlying permission(s) requested OCID of the requesting user The OCIDs of groups requesting user is in The OCID of the compartment The name of the compartment specified in target.compartment.id The key of the region the request is made in The name of the AD the request is made in Example: Allow group Phoenix-Admins to manage all-resources in tenancy where request.region='phx' 17

18 Policy Syntax Allow <subject> to <verb> <resource-type> in <location> where <conditions> Conditions: Syntax for a single condition: variable =!= value Type String Pattern Types of value (single quotation marks are required around the value) /HR*/ (matches strings that start with "HR") /*HR/ (matches strings that end with "HR") /*HR*/ (matches strings with "HR") Syntax for multiple conditions: any all {<condition>,<condition>,...} 18

19 Advanced Policy Policy for GroupAdmins group to manage any groups with names that start with "A-Users-" Allow group GroupAdmins to manage groups in tenancy where target.group.name = /A-Users-*/ Policy for GroupAdmins group to manage the membership of any group besides the Administrators group: Allow group GroupAdmins to use users in tenancy where target.group.name!= 'Administrators' Policy lets A-Admins create, update, or delete any groups whose names start with "A-", except for the A- Admins group itself Allow group GroupAdmins to manage groups in tenancy where all {target.group.name=/a-*/,target.group.name!='a-admins'} 19

20 Scoping Access with Permissions or API Operations In a policy statement, you can use conditions combined with permissions or API operations to reduce the scope of access granted by a particular verb. Allow a user to manage VCN resources except have the ability to delete a VCN allow group TrainingGroup to manage virtual-network-family in compartment training where request.permission!= 'VCN_DELETE 20

21 Federation 21

22 Best Practices for securing IAM IAM Federation Oracle recommends that you use federation to manage logins into the Console Enterprise administrator needs to set up a federation trust between the on-premises identity provider (IdP) and IAM, in addition to creating mapping between on-premises groups and IAM groups Federation is especially important for enterprises using custom policies for user authentication (for example, multifactor authentication). When using federation, Oracle recommends that you create a federation administrators group that maps to the federated IdP administrator group The federation administrators group will have administrative privileges to manage customer tenancy, while being governed by the same security policies as the federated IdP administrator group In this scenario, it is a good idea to have access to the local tenancy administrator user (that is, member of the default tenancy administrator IAM group), to handle any break-glass type scenarios (for example, inability to access resources through federation) 22

23 Reference IAM model for Enterprises 24

24 Reference IAM Model: Authentication and user management All access by humans go through federation with a customer's corporate identity provider (IdP) to leverage their proven Auth mechanisms (MFA) and management capabilities (password complexity/rotation) Use case Human using console Human using the CLI/SDK Human using a PaaS/SaaS app Code running in OCI that calls OCI native APIs Code running outside OCI that calls OCI APIs "Break-glass" access by a human when federation fails Feature Use SAML2.0 federation between corporate IdP and OCI IAM Create an OCI IAM user with an API signing key Use SAML2.0 federation between corporate IdP and OCI IAM Use Instance Principals Create an OCI IAM "user" with an API signing key. The "user" in this case represents a software agent, not a human Create an OCI IAM user in the default Admins group Set a random Console password of sufficient length/complexity Store this password in a software password manager or physical safe Password is for infrequent use and should not be human memorizable Use once rotate password after every use Monitor via CASB or Audit Service directly Alarm on any use or attempted use of "break-glass" user Outside the "break-glass" scenario, there is no reason to have an OCI IAM user with a Console password 25

25 Compartment A compartment is a collection of related resources (VCN, instances,..) that can be accessed only by groups that have been given permission (by an administrator in your organization) Compartments help you organize and control access to your resources Design considerations: Each resource belongs to a single compartment but resources can be connected/shared across compartments (VCN and its subnets can live in different compartments) A compartment can be deleted after creation or renamed A compartment can have sub compartments that can be up to six levels deep A resource can't be reassigned to a different compartment after creation (exception: Buckets) After creating a compartment, you need to write at least one policy for it, otherwise it cannot be accessed (except by administrators or users who have permission to the tenancy) Sub compartment inherits access permissions from compartments higher up its hierarchy When you create a policy, you need to specify which compartment to attach it to 26

26 Reference IAM Model: Compartments Compartment: NetworkInfra Critical network infrastructure that should be centrally managed by network admins Resources: Security Lists, Internet Gateways, DRGs, the toplevel VCN(s), etc. Compartment: ProdNetwork Production environment that may or may not be centrally managed but is typically under change management Modeled as a separate compartment to easily write policy about who can use (i.e. attach resources to) the network Optionally Databases and Storage may be included here depending on whether they are shared resources or not Resources: Subnets, (Databases), (File Storage) 27

27 Reference IAM Model: Compartments Tenancy Groups NetworkAdmins (John) Groups A-Admins (Tom) ProjectA Allow group NetworkAdmins to MANAGE virtual-networkfamily in compartment NetworkInfra Allow group NetworkAdmins to manage instance-family in compartment NetworkInfra John creates a Network in NetworkInfra compartment John can't terminate, reboot or launch new instances into ProjectA compartment Allow group A-Admins to USE virtual-network-family in compartment NetworkInfra Allow group A-Admins to manage all-resources in compartment ProjectA Tom launches instances in ProjectA using the VCN in NetworkInfra compartment Tom cannot launch instance inside the NetworkInfra compartment The instances Tom launched reside in the VCN from a network topology standpoint but from an access standpoint, they're in the ProjectA compartment, not the NetworkInfra compartment where the VCN is 28

28 Reference IAM Model: Federated Roles Federated Roles is a set of OCI IAM groups that reflect roles within the organization. Federated Roles should be mapped to federated groups in a customer's corporate directory. Group names do not have to match between OCI IAM and the corporate directory but it's easier if they do Group: GlobalAdmins Group: IAMAdmins Group: NetworkAdmins Group: StorageAdmins Group: DBAdmins Group: ComputeAdmins Group: ProjectXYZOperators 29

29 Reference IAM Model: Federated Roles Group: GlobalAdmins Tenancy-level policy: allow group GlobalAdmins to manage all-resources in tenancy Only for enterprises with a notion of root or global admins already, otherwise omit in favor of the more specialized admin groups below Group: IAMAdmins Tenancy-level policy: Note that there is no "family" resource type for IAM, hence the very explicit policy allow group IdentityAdmins to manage compartments in tenancy allow group IdentityAdmins to manage users in tenancy allow group IdentityAdmins to manage groups in tenancy allow group IdentityAdmins to manage dynamic-groups in tenancy allow group IdentityAdmins to manage policies in tenancy allow group IdentityAdmins to manage identity-providers in tenancy allow group IdentityAdmins to manage tenancy in tenancy allow group IdentityAdmins to manage tag-namespaces in tenancy allow group IdentityAdmins to manage tag-definitions in tenancy 30

30 Reference IAM Model: Federated Roles Group: NetworkAdmins Tenancy-level policy: allow group NetworkAdmins to manage virtual-network-family in tenancy allow group NetworkAdmins to manage load-balancers in tenancy allow group NetworkAdmins to manage dns in tenancy Group: StorageAdmins Tenancy-level policy: allow group StorageAdmins to manage object-family in tenancy allow group StorageAdmins to manage volume-family in tenancy allow group StorageAdmins to manage file-systems in tenancy allow group StorageAdmins to manage mount-targets in tenancy allow group StorageAdmins to manage export-sets in tenancy Group: DBAdmins Tenancy-level policy: allow group DBAdmins to manage database-family in tenancy 31

31 Reference IAM Model: Federated Roles Group: ComputeAdmins Tenancy-level policy: allow group ComputeAdmins to manage instance-family in tenancy Group: ProjectXYZOperators Project-level policy: allow group ProjectXYZOperators to manage instance-family in compartment ProjectXYZ allow group ProjectXYZOperators to manage volume-family in compartment ProjectXYZ allow group ProjectXYZOperators to manage database-family in compartment ProjectXYZ Network level policy: allow group ProjectXYZOperators to use virtual-network-family in compartment DevNetwork 32

32 Summary You should now be familiar with the following Using Instance principals for your applications Advanced Policy Syntax Federating OCI with Oracle Identity Cloud Service (IDCS) Reference IAM model 33

33 cloud.oracle.com/iaas cloud.oracle.com/tryit 34