Security Developer Guide
- Introduction
- Security Modules (Bundles)
- Entity Relationship Diagramm (ERD)
- Authentication and Authorization (RBAC)
- Overview
- JAAS LoginModule
- Authentication
- Authorization
- REST API
The SS-Console is an OSGI based application developed using the Apache-Felix framework and deployed into the Apache-Karaf runtime. SSL/TLS and PGP encryption is used to secure HTTP tunnels and data exchange.
Component and features details:
| No | Component | Version | Details |
|---|---|---|---|
| 1 | Felix | 4.2.1 | OSGI Framework |
| 2 | Karaf | 3.0.5 | OSGI Runtime |
| 3 | Jetty | 8.1.x | Web-Server |
| 4 | Derby | 10.12.1.1 | Database |
| 5 | OpenJPA | 2.3.0 | JPA 2.0 |
| 6 | BouncyCastle | 1.52 | Cryptography Library |
(More details in General Security Architecture).
| No | OSGI Module | Description |
|---|---|---|
| 1 | identity-manager | Manages authentication and authorization, sessions and RBAC. Main Module that controls overall system identity and access permissions. |
| 2 | channel-manager | Controls HTTP/HTTS tunnels. Intercepts all incoming and outgoing requests, applies encryption, authorizes Web Tokens. |
| 3 | security-Manager | Contains services and tools for message encryption/decryption, PGPKey,x509 Certs management. Stores PGP private keys. |
| 4 | object-relation-manager | Manages relations between objects. (Object oriented Security) |
| 5 | key-server | PGP KeyServer. Stores and manages PGP Public keys. Server is not public and available only for authorized access. |
Channel-manager and Identity-manager are the main bundles that manage authentication and authorization. SS uses JAAS as LoginModule for the system (including Karaf-Console). Channel-Manager (AccessControlInterceptor) intercepts (catch) all incoming HTTP/HTTS requests, applies authn&authz and propagates it downstream (next services).
Overall SS Authn&Authz diagramm:
Identity-manager bundle overrides Apache Karaf's default JAAS module: implements a custom JAAS module. This makes it so the Karaf-Console and the SS-Console use the same identity management (users, roles) configuration.
(AOK: sentence below does not make sense)
To override the default Karaf JAAS module, OSGI-bundle configuration file should add custom JAAS settings.
SystemLoginModule class overrides Karaf's login module.
Service consumer or user can be authenticated in three ways:
- Username & Password
- JWToken
- PGPKey
The AuthID field (in a UserEntity) is used for PGP authentication. All authentication items have valid date. (AOK: meaning they can expire?)
Authentication entities:
| No | Field | Description | Details |
|---|---|---|---|
| 1 | userName | Username | ... |
| 2 | password | Password. Salted hash of the password. | ... |
| 3 | salt | Salt used for password hash | ... |
| 4 | securityKeyId | ID of the securityKey of the user. | ... |
| 5 | trustLevel | The trust level of the user | ... |
| 6 | authId | Authentication ID used to authenticate user with PGPKeys | ... |
| 7 | ... | ... | ... |
| No | Field | Description | Details |
|---|---|---|---|
| 1 | tokenId | ID of the Token | |
| 2 | secret | Secret key for HMAC | |
| 3 | type | Token type | Values: System, Regular |
| 4 | ... | ... | ... |
All HTTP requests are intercepted by "Channel-Manager", authenticated by JAAS LoginModule and propagated further. All services are annotated with below permissions:
Example, Identity-Manager|Write, allows only for users who have , Identity-Management write permission.
Service annotation:
| No | Permission | Description | Details |
|---|---|---|---|
| 1 | Identity-Management | User/Role managemnt | |
| 2 | Peer-Management | Peer relation permissions | |
| 3 | Environment-Management | Environment management (all LXC container related permissions) | |
| 4 | Resource-Management | Resource host management | |
| 5 | Template-Management | Kurjun (GORJUN) permissions, that allows template management. | |
| 6 | Karaf-Server-Administration | Karaf Server administration/manager | |
| 7 | System-Management | Overal SS and Karaf settings |