Re: [keycloak-user] Data filtering in SQL

Thanks Dmitry and Pedro, Pardon my simple-minded response below, but I am wondering how these specific items would work? Dmitry, yes I agree your GET /projects/<project> and GET /projects scenario is on point for the issue – I hope my questions below can further clarify the discussion. Here, I will have to make a “go or no-go” decision in about a week. ☺ I would love to take on the challenge of searching for the “holy grail” in this, but atm will need to figure out what Keycloak (or OPA, etc.) can confidently do today. Thanks for the great discussion and continued help! Questions 1) Simple role-based authorization policy seems doable. * Ex: “Only veterinarians are allowed to read pet profiles.” 2) But how to answer once more context is needed, such as one resource’s affinity to another? Literally how does the application figure it out? Like the below example would need a pet-veterinarian mapping resolved somehow, it seems: * “Only the treating veterinarian is allowed to read a pet’s profile.” 3) Keycloak has taken an example of “Pet owners can access their own pet’s profiles.” and said we can write policies saying that "Only Owner" can access "/api/petservice/pet/{id}". But how does the policy engine figure out who is the owner of /pet/2 vs /pet/3? 4) Similarly, an OPA blog https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sq... gives the example where “Only the treating veterinarian is allowed to read a pet’s profile, and only when signed in from a device at the pet’s clinic”. Again, it is easy enough to provide the OPA engine the target pet and the current device location, but how exactly is it determined who is the treating veterinarian of that pet and what clinic the pet belongs to? 5) In general, the security difficulty is constraining what a user can see/do in a particular feature, so how exactly would a policy engine bring back a subset of records that particular user can see (based on their affiliated company, etc.)? 6) Similarly, how exactly would a policy engine bring back all records but not the fields a user should not see (such as employee salary field, unless the user is a HR VIP)? These last two could be likened to @PostAuth post-filtering in spring security. Rob Byrd DST Solutions Lead SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105 t: (816) 435-7286 | m (816) 509-0119 rmbyrd@dstsystems.com<mailto:rmbyrd@dstsystems.com> | www.ssctech.com<http://www.ssctech.com/> Follow us: [cid:image001.png@01D412C1.A14C5770] <https://www.linkedin.com/company/ss-c-technologies/> | [cid:image002.png@01D412C1.A14C5770] <https://twitter.com/ssctechnologies> | [cid:image003.png@01D412C1.A14C5770] <https://www.facebook.com/ssctechnologies/> From: Pedro Igor Silva [mailto:psilva@redhat.com] Sent: Thursday, November 8, 2018 6:42 AM To: Dmitry Telegin <dt(a)acutus.pro&gt; Cc: Byrd, Rob M <rmbyrd(a)dstsystems.com>; keycloak-user <keycloak-user(a)lists.jboss.org&gt; Subject: Re: [keycloak-user] Data filtering in SQL Hi Dmitry, Agree with you when you mention application vs data security. I also agree that Keycloak can also solve data security problems. Privacy is one of the main reasons behind our UMA support a very important aspect of data security. In addition to privacy, we also added extensions to UMA and OAuth2 standards to enable applications to use Keycloak as a Policy Decision Point, mainly target for application security. As PDP (and PAP), Keycloak allows you to govern access to protected resources and to obtain authorization decisions as a result of the evaluation of policies associated with these resources. Being based on UMA and OAuth2 we support token-based authorization but also access control based on the permissions granted by the server. So, yeah, it should be possible to filter data based on those permissions as well dynamically create WHERE clauses. My main concerns about data security are scalability and manageability, two aspects that are closely related to how much fine-grained you want to be. Like I said, in Keycloak you can protect a set of one or more resources as well as scope specific permissions, which can span access decisions for one or more resources. We are using data security when you enable permissions to users or groups, where results are filtered based on the evaluation of these permissions. Performance wise, evaluation is quite satisfactory, being the main challenges the trade-off between usability vs performance. Recently we had important changes to improve the performance of our token endpoint and policy evaluation engine and I think we can perform well when fetching permissions from the server for a set of one or more resources. I'm happy to discuss how we can leverage what we have for data security if the community is interested. Regards. Pedro Igor On Wed, Nov 7, 2018 at 8:47 PM Dmitry Telegin <dt@acutus.pro<mailto:dt@acutus.pro>> wrote: Hi Rob, On Tue, 2018-11-06 at 16:28 +0000, Byrd, Rob M wrote: Cannot speak for Keycloak guys, but will put in my 2¢ as an architect - URL-based (or rather resource-based) authorization covers only one aspect of the application security. Data filtering is equally important, but it's just another facet of the problem, and needs to be solved accordingly. Indeed, Keycloak doesn't provide OOTB any means for automatically limiting subsets of data shown to the user, as Keycloak has a completely different scope (namely Web SSO/IDM solution). However, you can still use Keycloak as a central warehouse for your security (meta)data, and use it the way you want. Like I said before, nothing stops you from defining some policies in Keycloak, then retrieving them and converting to a WHERE clause for your SQL/JPQL/NoSQL query. Speaking of NoSQL - this might be not directly relevant to your problem, but still interesting. A similar problem has surfaced in the discussion following my talk on Apache Sling + Keycloak [1] earlier this year; the central point was: "okay, we can have Keycloak path-based authorization in Sling, but how do we limit the content visible to the user?" That time we came up with some sort of hybrid solution, like path-based security + JCR ACLs and/or application-level rules; but now I think this might be something similar, like generating JCR's equivalent to the WHERE clause based on Keycloak policy definition. Just to make sure I understand the case, let's imagine: - there are users and groups (live in Keycloak); - there are, say, "projects" (live in business tier + DB); - there is a policy in Keycloak saying "projects should be accessible only to the members of the respective groups"; - based on that: - GET /projects/<project> should return 200 + representation if the user is a member of the group, 403 otherwise; - GET /projects should return the list of projects the current user has access to. Is this correct? [1] https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-ope... Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info@acutus.pro<mailto:info@acutus.pro> _______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user Please consider the environment before printing this email and any attachments. This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.