.. meta::
    :description:
        Security mechanism implementation document for historical purposes.

:orphan:

=============================
Old Security Mechanisms Notes
=============================

Current situation
=================

Current logical controls:

ANONYMOUS_ACCESS = 'deny'
    Deny or allow anonymous access to the web interface
ANONYMOUS_REGISTER = 'deny'
    Deny or allow anonymous users to register through the web interface
ANONYMOUS_REGISTER_MAIL = 'deny'
    Deny or allow anonymous users to register through the mail interface

Current user interface authentication and controls:

- command-line tool access is controlled with passwords, but has no logical
  controls
- CGI access is by username and password and has some logical controls
- mailgw access is through identification using the sender's email address,
  with limited functionality available

The web interface has specific logical controls preventing non-admin users
from accessing:

- other users' details pages
- listing the base classes (not issues or their own user page)
- editing base classes

Issues
======

1. The current implementation is ad hoc, and not complete for all use cases.
2. Currently it is not possible to allow submission of issues through email
   but restrict those users from accessing the web interface.
3. Only one user may perform admin functions.
4. There is no verification of users in the mail gateway by any means other
   than the From address. Support for strong identification through digital
   signatures should be added.
5. The command-line tool has no logical controls.
6. The anonymous control needs revising: there should only be one way to be
   an anonymous user, not two (currently there is user==None and
   user=='anonymous').


Possible approaches
===================

Security controls in Roundup could be approached in three ways:

1) at the hyperdb level, with read/write/modify permissions on classes, items
   and item properties for all or specific transitions.
2) at the user interface level, with access permissions on CGI interface
   methods, mailgw methods, roundup-admin methods, and so on.
3) at a logical permission level, checked as needed.

In all cases, the security built into Roundup assumes restricted access to the
hyperdatabase itself, through operating-system controls such as user or group
permissions.


Hyperdb-level control
---------------------

Control is implemented at the Class.get, Class.set and Class.create level. All
other methods must access items through these methods. Since all accesses go
through the database, we can implement deny by default.

Pros:

- easier to implement, as it only affects one module
- smaller number of permissions to worry about

Cons:

- harder to determine the relationship between a user interaction and the
  hyperdb permission it requires
- a lot of work to define
- must special-case to handle by-item permissions (editing user details,
  having private messages)


User-interface control
----------------------

The user interfaces would have an extra layer between the code that parses
the request to determine the action and the action method itself. This layer
controls access. Since it is possible to require that methods be registered
with the security mechanisms before the user can access them, deny by default
is possible.

Pros:

- much more obvious at the user level what the controls are

Cons:

- much more work to implement
- most user interfaces have multiple uses which can't be covered by a
  single permission

Logical control
---------------

At each point that requires an action to be performed, the security mechanisms
are asked if the current user has permission. Since code must call the
check function to raise a denial, there is no possibility of an automatic
default of deny in this situation.

Pros:

- quite obvious what is going on
- is very similar to the current system

Cons:

- large number of possible permissions that may be defined, possibly
  mirroring actual user interface controls.
- access to the hyperdb must be strictly controlled through program code
  that implements the logical controls.

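The hyperdb-level and logical-control approaches above differ mainly in where the check is forced. As an added illustration, not code from Roundup itself, the following Python sketch assumes a hypothetical Role-to-Permission registry (Security, GuardedClass and build_tracker are invented names, and the sample policy is constructed) in which every get/set/create on a class calls the check, so an unregistered access is denied by default, whereas Security.check on its own only denies where a code path remembers to call it.

```python
# Added example, not Roundup's code: deny-by-default Role/Permission checks.
class Security:
    def __init__(self):
        self.roles = {}   # role name -> [(permission, classname, props)]
    def grant(self, role, permission, classname=None, props=None):
        # classname=None matches every class; props=None every property
        self.roles.setdefault(role, []).append((permission, classname, props))

    def has_permission(self, user_roles, permission, classname, prop=None):
        for role in user_roles:
            for name, cls, props in self.roles.get(role, ()):
                if (name == permission and cls in (None, classname)
                        and (props is None or prop in props)):
                    return True
        return False          # no matching grant: deny

    def check(self, user_roles, permission, classname, prop=None):
        # logical control: only denies where a caller remembers to call it
        if not self.has_permission(user_roles, permission, classname, prop):
            raise PermissionError('%s %s.%s' % (permission, classname, prop))

class GuardedClass:
    # hyperdb-level control: get/set/create are the only paths to the data
    def __init__(self, security, classname):
        self.sec, self.classname, self.items = security, classname, {}

    def create(self, roles, **props):
        self.sec.check(roles, 'Create', self.classname)
        self.items[str(len(self.items) + 1)] = dict(props)
        return str(len(self.items))

    def get(self, roles, itemid, prop):
        self.sec.check(roles, 'View', self.classname, prop)
        return self.items[itemid][prop]

    def set(self, roles, itemid, **props):
        for prop in props:
            self.sec.check(roles, 'Edit', self.classname, prop)
        self.items[itemid].update(props)

def build_tracker():
    # constructed sample policy: Anonymous views issue titles only, User may
    # also create issues and edit title/status, Admin may do anything
    sec = Security()
    sec.grant('Anonymous', 'View', 'issue', props=('title',))
    sec.grant('User', 'View', 'issue')
    sec.grant('User', 'Create', 'issue')
    sec.grant('User', 'Edit', 'issue', props=('title', 'status'))
    for perm in ('View', 'Edit', 'Create'):
        sec.grant('Admin', perm)
    return sec, GuardedClass(sec, 'issue'), GuardedClass(sec, 'user')
```

A user with no roles at all (the page's user==None case) gets the same answer as one holding only the Anonymous role except where Anonymous has been granted something, which is the single anonymous identity issue 6 asks for.
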
Action
======

The CGI interface must be changed to:

- authenticate over a secure connection
- use unique tokens as a result of authentication, rather than pass the user's
  real credentials (username/password) around with each request (this means
  sessions and hence a session database)
- use the new logical control mechanisms

- implement the permission module
- implement a Role editing interface for users
- implement htmltemplate tests on permissions
- switch all code over from using config vars for permission checks to using
  permissions
- change all explicit admin user checks to Role checks
- include config vars for initial Roles for anonymous web, new web and new
  email users

The mail gateway must be changed to:

- use digital signatures
- use the new logical control mechanisms

- switch all code over from using config vars for permission checks to using
  permissions

The command-line tool must be changed to:

- use the new logical control mechanisms (only allowing write
  access by admin users, and read-only access by everyone else)