How I Built an Access Management System Using Apache Directory Fortress Shawn McKinney May 13, 2016 ApacheCon NA, Vancouver Session Objectives  Learn about some access management specifications  Take an unflinching view of an open source project named Apache Directory Fortress ApacheCon NA, Vancouver 2016 2 Introductions Shawn McKinney • Software Architect • PMC Apache Directory Project • Engineering Team ApacheCon NA, Vancouver 2016 3 Session Agenda • Examine specs, req’s and designs to create an access mgmt product. • Intro to Apache Fortress – Project Stuff – Demo(s) Image from: HTTP://EVENTS.LINUXFOUNDATION.ORG/EVENTS/APACHECON-NORTH-AMERICA ApacheCon NA, Vancouver 2016 4 Cut to the Chase The recipe for any successful technology project: Mix well: • Well defined set of functional specifications • Understanding of the non-functional requirements • Usage of common platform elements • Practice accepted development methodologies ApacheCon NA, Vancouver 2016 5 Specs & Requirements What do we Build? Image from: http://www.cockpitseeker.com/aircraft/ ApacheCon NA, Vancouver 2016 6 System Requirements • Policy Enforcement APIs – Works on multiple platforms • Authentication – Works within various protocols, i.e. SAML, OpenID Connect • Authorization – Fine-grained and standards-based • Audit Trail – Centralized and queryable • Administration – Manage policy lifecycle • Service-based SLA – Security, performance, and reliability ApacheCon NA, Vancouver 2016 7 Why Use Functional Specifications? • Saves the trouble (and risk) of deciding what to do. • Instead we get to focus on the how. ApacheCon NA, Vancouver 2016 8 Which Functional Specifications • Protocols Must Be Standards-Based: – Role-Based Access Control - ANSI INCITS 359 – Attribute-Based Access Control (ABAC) – IETF Password Policies (Draft) – ARBAC02 Delegated Administration Model ApacheCon NA, Vancouver 2016 9 Role-Based Access Control (RBAC) ApacheCon NA, Vancouver 2016 10