3940
Richard Jones <richard@users.sourceforge.net>

===================
Security Mechanisms
===================

:Version: $Revision: 1.16 $

Current situation
=================

Current logical controls:

ANONYMOUS_ACCESS = 'deny'
  Deny or allow anonymous access to the web interface
ANONYMOUS_REGISTER = 'deny'
  Deny or allow anonymous users to register through the web interface
ANONYMOUS_REGISTER_MAIL = 'deny'
  Deny or allow anonymous users to register through the mail interface

Current user interface authentication and controls:

- command-line tool access controlled with passwords, but no logical controls
- CGI access is by username and password and has some logical controls
- mailgw access is through identification using sender email address, with
  limited functionality available

The web interface implements specific logical controls,
preventing non-admin users from accessing:

- other users' details pages
- listing the base classes (not issues or their user page)
- editing base classes

Issues
======

1. The current implementation is ad-hoc, and not complete for all `use cases`_.
2. Currently it is not possible to allow submission of issues through email
   but restrict those users from accessing the web interface.
3. Only one user may perform admin functions.
4. There is no verification of users in the mail gateway by any means other
   than the From address. Support for strong identification through digital
   signatures should be added.
5. The command-line tool has no logical controls.
6. The anonymous control needs revising - there should only be one way to be
   an anonymous user, not two (currently there is user==None and
   user=='anonymous').


Possible approaches
===================

Security controls in Roundup could be approached in three ways:

1) at the hyperdb level, with read/write/modify permissions on classes, items
   and item properties for all or specific transitions.
2) at the user interface level, with access permissions on CGI interface
   methods, mailgw methods, roundup-admin methods, and so on.
3) at a logical permission level, checked as needed.

In all cases, the security built into roundup assumes restricted access to the
hyperdatabase itself, through Operating System controls such as user or group
permissions.


Hyperdb-level control
---------------------

Control is implemented at the Class.get, Class.set and Class.create level. All
other methods must access items through these methods. Since all accesses go
through the database, we can implement deny by default.

Pros:

- easier to implement as it only affects one module
- smaller number of permissions to worry about

Cons:

- harder to determine the relationship between user interaction and hyperdb
  permission.
- a lot of work to define
- must special-case to handle by-item permissions (editing user details,
  having private messages)


User-interface control
----------------------

The user interfaces would have an extra layer between the code that parses
the request to determine the action and the action method itself. This layer
controls access. Since methods can be required to register with the security
mechanisms before the user may access them, deny by default is possible.

Pros:

- much more obvious at the user level what the controls are

Cons:

- much more work to implement
- most user interfaces have multiple uses which can't be covered by a
  single permission

Logical control
---------------

At each point that requires an action to be performed, the security mechanisms
are asked if the current user has permission. Since code must call the
check function to raise a denial, there is no way to have an automatic
default of deny in this situation.

Pros:

- quite obvious what is going on
- is very similar to the current system

Cons:

- large number of possible permissions that may be defined, possibly
  mirroring actual user interface controls.
- access to the hyperdb must be strictly controlled through program code
  that implements the logical controls.

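As an added illustration of the hyperdb-level approach (this is example code written for this page, not Roundup's own module), the sketch below funnels every item access through ``get``, ``set`` and ``create`` so that a missing grant means denial, and shows the by-item special case the cons list mentions (a user editing their own user record). ``Security``, ``GuardedClass`` and ``PermissionDenied`` are hypothetical names.

```python
# Added example, not Roundup's own code: deny-by-default permission module for the
# hyperdb-level approach above. Security/GuardedClass/PermissionDenied are hypothetical.

class PermissionDenied(Exception):
    pass

class Security:
    """Roles hold (action, classname) grants; anything not granted is denied."""
    def __init__(self):
        self.roles = {}        # role name -> set of (action, classname)
        self.user_roles = {}   # userid -> set of role names

    def add_role(self, name, *grants):
        self.roles[name] = set(grants)

    def assign(self, userid, *role_names):
        self.user_roles.setdefault(userid, set()).update(role_names)

    def has_permission(self, userid, action, classname, itemid=None):
        # By-item special case from the document: a user may always view and
        # edit their own "user" item, without needing a class-wide grant.
        if classname == "user" and itemid == userid:
            return True
        for role in self.user_roles.get(userid, ()):
            if (action, classname) in self.roles.get(role, ()):
                return True
        return False  # deny by default: no grant means no access

class GuardedClass:
    """All item access goes through get/set/create, so no caller can skip the check."""
    def __init__(self, security, classname):
        self.security, self.classname, self.items = security, classname, {}

    def _check(self, userid, action, itemid=None):
        if not self.security.has_permission(userid, action, self.classname, itemid):
            raise PermissionDenied("%s may not %s %s" % (userid, action, self.classname))

    def create(self, userid, itemid, **props):
        self._check(userid, "create")
        self.items[itemid] = dict(props)
        return itemid

    def get(self, userid, itemid, prop):
        self._check(userid, "view", itemid)
        return self.items[itemid][prop]

    def set(self, userid, itemid, **props):
        self._check(userid, "edit", itemid)
        self.items[itemid].update(props)
```

Because the check sits inside the class methods rather than in each caller, the logical-control weakness noted below (a forgotten check silently allows the action) does not arise here.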

Action
======

The CGI interface must be changed to:

- authenticate over a secure connection
- use unique tokens as a result of authentication, rather than pass the user's
  real credentials (username/password) around for each request (this means
  sessions and hence a session database)
- use the new logical control mechanisms

- implement the permission module
- implement a Role editing interface for users
- implement htmltemplate tests on permissions
- switch all code over from using config vars for permission checks to using
  permissions
- change all explicit admin user checks to Role checks
- include config vars for initial Roles for anonymous web, new web and new
  email users

The mail gateway must be changed to:

- use digital signatures
- use the new logical control mechanisms

- switch all code over from using config vars for permission checks to using
  permissions

The command-line tool must be changed to:

- use the new logical control mechanisms (only allowing write
  access by admin users, and read-only by everyone else)

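The second CGI item above (tokens instead of credentials on every request, backed by a session database) is illustrated by the following added example; it is written for this page and is not Roundup's session code. ``SessionDB`` and its methods are hypothetical names, the password store is a constructed in-memory stand-in, and the injectable clock exists only so expiry can be exercised.

```python
# Added example, not Roundup's own code: a minimal session database for the
# "unique tokens as a result of authentication" item. SessionDB is hypothetical.
import hashlib
import hmac
import secrets
import time

class SessionDB:
    """Exchange credentials once for a random token; later requests carry only the token."""
    TTL = 3600  # seconds a session stays valid after login

    def __init__(self, password_store, clock=time.time):
        self.password_store = password_store  # userid -> (salt, pbkdf2 digest)
        self.sessions = {}                    # sha256(token) -> (userid, expires_at)
        self.clock = clock

    @staticmethod
    def hash_password(password, salt=None):
        salt = secrets.token_bytes(16) if salt is None else salt
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, userid, password):
        """Check credentials once; return a fresh random token, or None."""
        salt, expected = self.password_store.get(userid, (b"", b""))
        _, given = self.hash_password(password, salt)
        if not hmac.compare_digest(expected, given):  # constant-time comparison
            return None
        token = secrets.token_urlsafe(32)
        # store only a digest of the token, so a leaked session table cannot be replayed
        self.sessions[self._key(token)] = (userid, self.clock() + self.TTL)
        return token

    def user_for(self, token):
        """Map a request's token to a userid; None if unknown or expired."""
        entry = self.sessions.get(self._key(token))
        if entry is None:
            return None
        userid, expires_at = entry
        if self.clock() > expires_at:
            self.sessions.pop(self._key(token))
            return None
        return userid

    def logout(self, token):
        self.sessions.pop(self._key(token), None)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()
```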