New Modular Authentication Architecture in Apache 2.2 and Beyond

Uploader: xx****x   Document ID: 242870860   Uploaded: 2024-09-10   Format: PPT   Pages: 39   Size: 338KB
New Modular Authentication Architecture in Apache 2.2 and Beyond
Brad Nicholes, Sr. Software Engineer, Novell Inc.; Member, Apache Software Foundation

Agenda
- Introduction
- Differences between Apache 2.0 and 2.2
- Configuration
- Authentication and authorization: mixing and matching providers and methods
- mod_authn_alias
- Coding for the new architecture
- New features already in Apache 2.3

Introduction

Terms / authentication elements:
- Authentication type: the HTTP authentication scheme, i.e. how the credentials travel in the request (Basic or Digest).
- Authentication method / provider: the process by which a user is verified to be who they say they are.
- Authorization: the process by which authenticated users are granted or denied access based on specific criteria.

Prior to Apache 2.2, every authentication module had to implement all three elements:
- Choosing an AuthType limited which authentication and authorization methods could be used.
- Potential for inconsistencies across authentication modules.

Note: pay close attention to the words "authentication" vs. "authorization" throughout the presentation.

What Are the Advantages?

Flexibility:
- The authentication type, the authentication method and the authorization method are chosen independently of each other.
- Multiple different authentication methods can be used; mixing and matching is not a problem.

Consistency:
- Authorization methods are guaranteed to work the same no matter which authentication method is chosen.
- The same authentication and authorization methods can be used with every authentication type.

Reuse:
- Implementing a new authentication provider module does not require reimplementing or duplicating existing authorization methods, and the inverse is also true.
- Custom authentication providers can be created and reused throughout the configuration.

New Modules - Introduction
- The functionality of each Apache 2.0 authentication module has been split out into the three authentication elements for Apache 2.2.
- Overlapping functionality among the modules was eliminated in favor of a base implementation.
- The module name indicates which element of the authentication functionality it performs:
  - mod_auth_xxx implements an authentication type
  - mod_authn_xxx implements an authentication method or provider
  - mod_authz_xxx implements an authorization method

New Modules - Authentication Type

mod_auth_basic - Basic authentication. The user credentials arrive at the server base64-encoded, which is an encoding, not encryption: without TLS underneath, anyone on the path can read the password.
  Directives: AuthBasicAuthoritative, AuthBasicProvider

mod_auth_digest - MD5 Digest authentication. The client sends an MD5 hash computed over the credentials, the realm and a server-supplied nonce, so the password itself never crosses the wire.
  Directives: AuthDigestAlgorithm, AuthDigestDomain, AuthDigestNcCheck, AuthDigestNonceFormat, AuthDigestNonceLifetime, AuthDigestProvider, AuthDigestQop, AuthDigestShmemSize

New Modules - Authentication Providers

mod_authn_anon - Allows "anonymous" user access to authenticated areas.
  Directives: Anonymous, Anonymous_LogEmail, Anonymous_MustGiveEmail, Anonymous_NoUserID, Anonymous_VerifyEmail

mod_authn_dbm - DBM user authentication.
  Directives: AuthDBMType, AuthDBMUserFile

mod_authn_default - Authentication fallback module.
  Directives: AuthDefaultAuthoritative
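The distinction the Authentication Type slide draws is easier to see with the two credentials side by side. The following is an added example, not code from the slides or from httpd: it models what mod_auth_basic and mod_auth_digest each hand to a provider, and why Apache 2.2's provider interface needs a second entry point (a realm-hash lookup) besides password checking. The realm name is the AuthName used in the slides' configurations; the user records, password hashes, nonce and request URI are constructed for illustration, and the Digest arithmetic follows RFC 2617 with qop=auth.

```python
import base64
import hashlib

REALM = "Authentication_Test"   # the AuthName used in the slides' configurations
GRANTED, DENIED, USER_NOT_FOUND = "AUTH_GRANTED", "AUTH_DENIED", "AUTH_USER_NOT_FOUND"


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def sha_htpasswd(password):
    """'{SHA}' + base64(SHA-1(password)): the one-way format `htpasswd -s` writes."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed stores. HTPASSWD holds one-way hashes, which is enough for Basic;
# HTDIGEST holds HA1 = MD5(user:realm:password) per realm, which Digest needs.
HTPASSWD = {"alice": sha_htpasswd("s3cret"), "bob": sha_htpasswd("hunter2")}
HTDIGEST = {("alice", REALM): _md5(f"alice:{REALM}:s3cret")}   # no Digest entry for bob


# --- the two slots of Apache 2.2's authn_provider struct ---------------------
def check_password(user, password):
    """Called by mod_auth_basic with the cleartext password from the request."""
    stored = HTPASSWD.get(user)
    if stored is None:
        return USER_NOT_FOUND
    return GRANTED if stored == sha_htpasswd(password) else DENIED


def get_realm_hash(user, realm):
    """Called by mod_auth_digest. The server never sees the password, so the
    provider must hand back HA1 itself (None for an unknown user)."""
    return HTDIGEST.get((user, realm))


# --- what each authentication type puts on the wire -------------------------
def basic_header(user, password):
    """AuthType Basic: base64 is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_decode(header):
    """Anyone on the path can do this, which is why Basic needs TLS underneath."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 client response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# --- what each type module does with the credential --------------------------
def basic_authenticate(header):
    user, password = basic_decode(header)
    return check_password(user, password)


def digest_authenticate(user, realm, method, uri, nonce, nc, cnonce, response):
    ha1 = get_realm_hash(user, realm)
    if ha1 is None:
        return USER_NOT_FOUND
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return GRANTED if expected == response else DENIED
```

The point to take away: bob can authenticate with Basic but not with Digest, because a store of one-way password hashes cannot produce HA1. A provider that wants to serve every authentication type, as the Advantages slide promises, has to keep (or be able to compute) the realm hash, which is why the provider struct shown later in the deck has both check_password and get_realm_hash.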
New Modules - Authentication Providers (continued)

mod_authn_file - Password-file user authentication.
  Directives: AuthUserFile

mod_authnz_ldap - LDAP directory based authentication.
  Directives: AuthLDAPBindDN, AuthLDAPBindPassword, AuthLDAPCharsetConfig, AuthLDAPDereferenceAliases, AuthLDAPRemoteUserIsDN, AuthLDAPUrl

New Modules - Authorization

mod_authnz_ldap - LDAP directory based authorization.
  Directives: Require ldap-user, Require ldap-group, Require ldap-dn, Require ldap-attribute, Require ldap-filter, AuthLDAPCompareDNOnServer, AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN, AuthzLDAPAuthoritative

mod_authz_default - Authorization fallback module.
  Directives: AuthzDefaultAuthoritative

mod_authz_dbm - DBM group authorization.
  Directives: Require group, Require file-group (*), AuthDBMGroupFile, AuthzDBMAuthoritative, AuthzDBMType

mod_authz_groupfile - Group-file authorization.
  Directives: Require group, Require file-group (*), AuthGroupFile, AuthzGroupFileAuthoritative

mod_authz_host - Access control based on the client host name or IP address.
  Directives: Allow, Deny, Order

mod_authz_owner - Authorization based on the ownership of the requested file.
  Directives: Require file-owner, Require file-group, AuthzOwnerAuthoritative

mod_authz_user - User authorization.
  Directives: Require valid-user, Require user, AuthzUserAuthoritative

(*) file-group is evaluated by mod_authz_groupfile or mod_authz_dbm on behalf of mod_authz_owner; see the file-group slide below.

Differences Between Apache 2.0 and 2.2

New directives:
- AuthBasicProvider On|Off|provider-name [provider-name ...]
- AuthDigestProvider On|Off|provider-name [provider-name ...]
- AuthzXXXAuthoritative On|Off

Renamed directives:
- AuthBasicAuthoritative On|Off (AuthAuthoritative in Apache 2.0)

Multiple modules must be loaded (auth, authn, authz) rather than a single mod_auth_xxx module.

Differences - More Authorization Types

Apache 2.0:
- Require valid-user
- Require user user-id [user-id ...]
- Require group group-name [group-name ...]

Apache 2.2:
- Same as Apache 2.0
- LDAP: ldap-user, ldap-group, ldap-dn, ldap-filter, ldap-attribute
- GroupFile: file-group (*)
- DBM: file-group (*)
- Owner: file-owner, file-group

Since multiple authorization methods can be used, in most cases the type names should be unique.

The "file-group" Authorization Type
- Unique because it depends on mod_authz_owner for its base functionality but on other mod_authz_xxx modules to do the work.
- Allows authorization based on group membership.
- Implemented in Apache 1.3.20 but missing from Apache 2.0.
- The authenticated user must be a member of the group that owns the requested file.
- The group name is derived from the group permission of the requested file.
- The authorization is actually performed by secondary authz modules (mod_authz_groupfile, mod_authz_dbm, possibly others).

The "ldap-xxx" Authorization Types
- The standard types ldap-user, ldap-group and ldap-dn were renamed to avoid conflicts and for consistency.
- New LDAP authorization types:
  - ldap-attribute allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If multiple attributes are listed, the result is an OR operation.

        require ldap-attribute city="San Jose" status=active

  - ldap-filter allows the administrator to grant access based on a complex LDAP search filter. If the DN returned by the filter search matches the authenticated user's DN, access is granted.

        require ldap-filter &(cell=*)(department=marketing)

Configuring Simple Authentication

```apache
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so

    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile ...
    require valid-user
```

The authentication provider is file and the authorization method is "any valid user".

Requiring Group Authorization

```apache
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so

    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile ...
    AuthGroupFile ...
    require group my-valid-group
```

The authentication provider is still file, but the authorization method is now group.
Multiple Authentication Providers

```apache
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file ldap
    AuthUserFile ...
    AuthLDAPURL ldap://...
    AuthzLDAPAuthoritative off
    require valid-user
```

The authentication includes both the file and the LDAP provider, with file taking precedence, followed by LDAP. The order matters for more than lookup cost: mod_auth_basic only moves on to the next provider when the current one answers "user not found", so a wrong password for a user who exists in the file is rejected without LDAP ever being consulted.

Multiple Authorization Methods

```apache
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile ...
    AuthzLDAPAuthoritative OFF
    AuthGroupFile ...
    AuthLDAPURL ldap://...
    require ldap-group cn=public-users,o=my-context
    require group my-valid-group
```

Set AuthzLDAPAuthoritative to "OFF" so that the LDAP authorization method declines, rather than rejecting the request, when its ldap-group requirement is not met; only then does mod_authz_groupfile get to evaluate the group requirement. With the default of On, a user who is not in cn=public-users is refused even if they are a member of my-valid-group.

file-group Authorization

```apache
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_owner_module modules/mod_authz_owner.so

    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName Authentication_Test
    AuthBasicProvider file
    AuthUserFile ...
    AuthGroupFile ...
    require file-group
```

The group that the user belongs to, as defined by the AuthGroupFile, must match the actual group owner of the requested file.
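The three configurations above (simple authentication through file-group authorization) all rely on the same two pieces of Apache 2.2 control flow: mod_auth_basic walking the list in AuthBasicProvider, and the auth_checker hooks of the loaded mod_authz_xxx modules running one after another. The following added example, which is not code from the slides or from httpd, models that flow in Python so the effect of provider order and of the AuthzXXXAuthoritative switches can be checked offline. The AuthUserFile and AuthGroupFile contents and the "LDAP directory" are constructed stand-ins; the hook order is whatever the caller passes, since this model makes no claim about how httpd orders hooks of equal priority.

```python
import base64
import hashlib

GRANTED, DENIED, USER_NOT_FOUND = "AUTH_GRANTED", "AUTH_DENIED", "AUTH_USER_NOT_FOUND"
OK, DECLINED, UNAUTHORIZED = "OK", "DECLINED", "HTTP_UNAUTHORIZED"
SERVER_ERROR = "HTTP_INTERNAL_SERVER_ERROR"


def sha_htpasswd(password):
    """'{SHA}' + base64(SHA-1(password)), the format `htpasswd -s` writes."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed stand-ins for the AuthUserFile, the AuthGroupFile and the LDAP directory.
AUTH_USER_FILE = f"alice:{sha_htpasswd('s3cret')}\nbob:{sha_htpasswd('hunter2')}\n"
AUTH_GROUP_FILE = "my-valid-group: alice\nadmins: bob\n"
LDAP_DIRECTORY = {
    "bob":   {"password": "ldap-pw", "groups": set()},
    "carol": {"password": "pa55", "groups": {"cn=public-users,o=my-context"}},
}


def parse_user_file(text):
    """user:hash per line, as mod_authn_file reads it."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, hashed = line.partition(":")
            users[name] = hashed
    return users


def parse_group_file(text):
    """group: member member ... per line, as mod_authz_groupfile reads it."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


# --- authn providers: the check_password slot of authn_provider -------------
def file_provider(user, password):
    users = parse_user_file(AUTH_USER_FILE)
    if user not in users:
        return USER_NOT_FOUND
    return GRANTED if users[user] == sha_htpasswd(password) else DENIED


def ldap_provider(user, password):
    entry = LDAP_DIRECTORY.get(user)
    if entry is None:
        return USER_NOT_FOUND
    return GRANTED if entry["password"] == password else DENIED


PROVIDERS = {"file": file_provider, "ldap": ldap_provider}


def _run_providers(auth_basic_provider, user, password):
    """mod_auth_basic's loop over `AuthBasicProvider file ldap`: the first provider
    that knows the user decides; only USER_NOT_FOUND falls through to the next."""
    result, consulted = USER_NOT_FOUND, []
    for name in auth_basic_provider.split():
        result = PROVIDERS[name](user, password)
        consulted.append(name)
        if result != USER_NOT_FOUND:
            break
    return result, consulted


def authenticate(auth_basic_provider, user, password):
    return _run_providers(auth_basic_provider, user, password)[0]


def providers_consulted(auth_basic_provider, user, password):
    return _run_providers(auth_basic_provider, user, password)[1]


# --- authz modules: one auth_checker hook each -------------------------------
def _authz_hook(owned_keywords, matches):
    """A 2.2 authz module: DECLINE if none of the Require lines is ours; otherwise
    grant on a match, and on no match either DECLINE (AuthzXXXAuthoritative Off)
    or reject the request (Authoritative On)."""
    def hook(user, requires, authoritative):
        applicable = False
        for line in requires:
            keyword, _, args = line.partition(" ")
            if keyword not in owned_keywords:
                continue
            applicable = True
            if matches(user, keyword, args):
                return OK
        if not applicable or not authoritative:
            return DECLINED
        return UNAUTHORIZED
    return hook


authz_user = _authz_hook({"valid-user", "user"},
                         lambda user, kw, args: kw == "valid-user" or user in args.split())
authz_groupfile = _authz_hook({"group"},
                              lambda user, kw, args: any(user in parse_group_file(AUTH_GROUP_FILE).get(g, ())
                                                         for g in args.split()))
authz_ldap = _authz_hook({"ldap-group"},
                         lambda user, kw, args: args.strip() in LDAP_DIRECTORY.get(user, {"groups": set()})["groups"])


def authorize(user, requires, modules):
    """Run the auth_checker hooks in order; `modules` is [(hook, authoritative), ...].
    If every module declines, 2.2 logs "couldn't check access. No groups file?" and 500s."""
    for hook, authoritative in modules:
        status = hook(user, requires, authoritative)
        if status != DECLINED:
            return status
    return SERVER_ERROR
```

Two results are worth running by hand. With `AuthBasicProvider file ldap`, bob's LDAP password is refused because the file provider already knows bob and answers DENIED, so LDAP is never asked; carol, who is only in LDAP, falls through to it. And with both an ldap-group and a group requirement, alice is refused while AuthzLDAPAuthoritative is On and admitted once it is Off, which is exactly the change the Multiple Authorization Methods slide makes.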
Introduction - mod_authn_alias
- Ability to create extended providers.
- Ability to reference the same base provider multiple times from a single AuthxxxProvider directive.
- Extended providers are assigned a new name, or alias.
- Extended provider aliases are referenced by the AuthBasicProvider or AuthDigestProvider directives in the same manner as base providers.
- Extended providers can be re-referenced by multiple configuration blocks.

Creating Custom Providers

```apache
LoadModule authn_alias_module modules/mod_authn_alias.so

<AuthnProviderAlias ldap ldap-alias1>
    AuthLDAPBindDN cn=youruser,o=ctx
    AuthLDAPBindPassword yourpassword
    AuthLDAPURL ldap://ldap.host/o=ctx
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-other-alias>
    AuthLDAPBindDN cn=yourotheruser,o=dev
    AuthLDAPBindPassword yourotherpassword
    AuthLDAPURL ldap://other.ldap.host/o=dev?cn
</AuthnProviderAlias>
```

Use an <AuthnProviderAlias> block to combine authentication directives. Each block references the base provider (here ldap) and assigns a provider alias that will be referenced in the AuthXXXProvider directives. Note that the bind credentials now live in httpd.conf, so the configuration file deserves the same protection as a password file.

Using Custom Providers

```apache
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

    Order deny,allow
    Allow from all
    AuthBasicProvider ldap-other-alias ldap-alias1
    AuthType Basic
    AuthName LDAP_Protected_Place
    AuthzLDAPAuthoritative off
    require valid-user
```

Whenever an authn_alias provider is referenced, the entire set of directives from its AuthnProviderAlias block is added to the configuration.
Creating authn_alias extended providers allows the "ldap" base provider to be referenced multiple times, under different conditions, from a single AuthBasicProvider directive.

Converting mod_simple_auth to Apache 2.2 - an Apache 2.0 Implementation

```c
static int authenticate_basic_user(request_rec *r)
{
    const char *sent_pw;

    /* Locked into Basic authentication with this call */
    ap_get_basic_auth_pw(r, &sent_pw);

    /* Determine if the credentials are good and then send the
     * appropriate response */
    if (!good_credentials)
        return HTTP_UNAUTHORIZED;

    return OK;
}

static int check_user_access(request_rec *r)
{
    /* Much of this code reimplements existing authorization types */
    for (x = 0; x < all_possible_authorization_types; x++) {
        authorization_type = all_possible_authorization_types[x];

        if (!strcmp(authorization_type, "valid-user"))
            return OK;

        if (!strcmp(authorization_type, "user")) {
            if (authorized_user)
                return OK;
        }

        if (!strcmp(authorization_type, "group")) {
            if (user_is_member_of_authorized_group)
                return OK;
        }

        if (!strcmp(authorization_type, "simple-user")) {
            if (authorized_simple_user)
                return OK;
        }
    }

    return HTTP_UNAUTHORIZED;
}
```

Converting mod_simple_auth to Apache 2.2 - an Apache 2.0 Implementation (continued)

```c
static void register_hooks(apr_pool_t *p)
{
    ap_hook_check_user_id(authenticate_basic_user, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_auth_checker(check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA auth_module =
{
    STANDARD20_MODULE_STUFF,
    create_auth_dir_config,
    NULL,
    NULL,
    NULL,
    auth_cmds,
    register_hooks
};
```

mod_authn_simple for Apache 2.2

```c
static authn_status check_password(request_rec *r, const char *user,
                                   const char *password)
{
    /* Determine if the credentials are good and then send the
     * appropriate response */
    if (!good_credentials)
        return AUTH_DENIED;

    return AUTH_GRANTED;
}

static authn_status get_realm_hash(request_rec *r, const char *user,
                                   const char *realm, char **rethash)
{
    /* Determine the hash and do the right thing */
    the_hash = determine_the_hash();
    if (!the_hash)
        return AUTH_USER_NOT_FOUND;

    *rethash = the_hash;
    return AUTH_USER_FOUND;
}

static const authn_provider authn_simple_provider =
{
    &check_password,    /* password validation function */
    &get_realm_hash,    /* digest hash function */
};

static void register_hooks(apr_pool_t *p)
{
    ap_register_provider(p, AUTHN_PROVIDER_GROUP, "simple", "0",
                         &authn_simple_provider);
}

module AP_MODULE_DECLARE_DATA authn_simple_module =
{
    STANDARD20_MODULE_STUFF,
    create_authn_simple_dir_config,
    NULL,
    NULL,
    NULL,
    authn_simple_cmds,
    register_hooks
};
```

mod_authz_simple for Apache 2.2

```c
static int check_user_access(request_rec *r)
{
    for (x = 0; x < all_possible_authorization_types; x++) {
        authorization_type = all_possible_authorization_types[x];

        if (!strcmp(authorization_type, "simple-user")) {
            if (authorized_simple_user)
                return OK;
        }
    }

    /* If we aren't authoritative then just DECLINE */
    if (!authoritative)
        return DECLINED;

    /* Return the appropriate response */
    return HTTP_UNAUTHORIZED;
}

static void register_hooks(apr_pool_t *p)
{
    ap_hook_auth_checker(check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA authz_simple_module =
{
    STANDARD20_MODULE_STUFF,
    create_authz_simple_dir_config,
    NULL,
    NULL,
    NULL,
    authz_simple_cmds,
    register_hooks
};
```

New Features Already in Apache 2.3
- Moving from hook-based to provider-based authorization.
- "AND/OR/NOT" logic in authorization.
- Host access control as an authorization type: Require ip, Require host, Require env, Require all granted, Require all denied.
- "Order Allow/Deny" and "Satisfy": where did they go? For backward compatibility with the 2.0/2.2 host access control, use the mod_access_compat module.

mod_authz_simple Provider for Apache 2.3

```c
static authz_status simple_user_authorization(request_rec *r,
                                              const char *require_args)
{
    if (authorized_simple_user)
        return AUTHZ_GRANTED;

    return AUTHZ_DENIED;
}

static const authz_provider authz_simpleuser_provider =
{
    &simple_user_authorization,
};

static void register_hooks(apr_pool_t *p)
{
    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "simple-user", "0",
                         &authz_simpleuser_provider);
}

module AP_MODULE_DECLARE_DATA authz_simple_module =
{
    STANDARD20_MODULE_STUFF,
    create_authz_simple_dir_config,
    NULL,
    NULL,
    NULL,
    authz_simple_cmds,
    register_hooks
};
```

Authorization Types (diagram)

Adding "AND/OR/NOT" Logic to Authorization
- Allows authorization to be granted or denied based on a complex set of "Require" statements.
- New container directives:
  - one that must satisfy all of the enclosed statements
  - one that must satisfy at least one of the enclosed statements
  - one that defines a Require alias
- Reject: rejects all matching elements.

Authorization Using AND/OR Logic

Authorization logic:

    if (user = John) | (group = admin) & (ldap-group ...) & (ldap-attribute dept=sales) | (file-group contains user)
    then authorization granted
    else authorization denied

Configuration (the container directives supply the grouping):

```apache
AuthName ...
AuthType ...
AuthBasicProvider ...
...
Require user John
Require group admins
Require ldap-group cn=mygroup,o=foo
Require ldap-attribute dept=sales
Require file-group
```

Host Access Control as Authorization Types (diagram)

Backwards Compatible Host Access Control with mod_access_compat
- The directives "Order Allow/Deny" and "Satisfy" are still available with mod_access_compat.
- mod_access_compat allows you to mix the new authorization types with the old host access control.
- The mod_authn_default and mod_authz_default modules must be loaded.

Summary
- Choosing the way authentication and authorization are done is now more modular.
- No longer bound to a specific authentication method by the authentication type.
- No longer bound to an authorization method by the chosen authentication module.
- Ability to use multiple authentication providers along with multiple different authorization methods.
- Create, use and reuse custom authentication providers.
- Reuse the same authentication base provider under different conditions from the same AuthxxxProvider directive.
- Much more powerful, flexible and consistent.
- More to come in Apache 2.3!

Questions
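The 2.3 material above (provider-based authorization, the AND/OR/NOT containers, host access control as just another Require type) is easiest to reason about as an evaluator over a tree of Require statements. The following is an added example, not code from the slides or from httpd. Each Require keyword is an authz provider returning GRANTED, DENIED or NEUTRAL (NEUTRAL is the third value the released 2.4 provider API has for providers with no opinion), and the containers combine results the way the 2.4 "all of / any of / none of" containers do. The slide's authorization logic is rebuilt with an assumed grouping, since the slide does not show how its statements nest; the Request class and every user, group, attribute and address in it are constructed for illustration.

```python
import ipaddress
import shlex

GRANTED, DENIED, NEUTRAL = "AUTHZ_GRANTED", "AUTHZ_DENIED", "AUTHZ_NEUTRAL"


class Request:
    """Constructed stand-in for the request_rec fields the providers consult."""
    def __init__(self, user=None, groups=(), ldap_groups=(), ldap_attrs=None,
                 file_group=None, client_ip="192.0.2.1"):
        self.user = user
        self.groups = set(groups)            # memberships from the AuthGroupFile
        self.ldap_groups = set(ldap_groups)  # group DNs the LDAP entry belongs to
        self.ldap_attrs = ldap_attrs or {}   # attribute -> value in the LDAP entry
        self.file_group = file_group         # group owner of the requested file
        self.client_ip = ipaddress.ip_address(client_ip)


# --- authz providers, one per Require keyword (the AUTHZ_PROVIDER_GROUP registry) ---
def p_valid_user(req, args):
    return GRANTED if req.user else DENIED

def p_user(req, args):
    return GRANTED if req.user in shlex.split(args) else DENIED

def p_group(req, args):
    return GRANTED if req.groups & set(shlex.split(args)) else DENIED

def p_ldap_group(req, args):
    return GRANTED if args.strip() in req.ldap_groups else DENIED

def p_ldap_attribute(req, args):
    # several attr=value pairs are OR-ed, as the ldap-attribute slide states
    for pair in shlex.split(args):
        name, _, value = pair.partition("=")
        if req.ldap_attrs.get(name) == value:
            return GRANTED
    return DENIED

def p_file_group(req, args):
    return GRANTED if req.file_group is not None and req.file_group in req.groups else DENIED

def p_ip(req, args):
    nets = [ipaddress.ip_network(a, strict=False) for a in shlex.split(args)]
    return GRANTED if any(req.client_ip in n for n in nets) else DENIED

def p_all(req, args):
    return GRANTED if args.strip() == "granted" else DENIED

PROVIDERS = {"valid-user": p_valid_user, "user": p_user, "group": p_group,
             "ldap-group": p_ldap_group, "ldap-attribute": p_ldap_attribute,
             "file-group": p_file_group, "ip": p_ip, "all": p_all}


def evaluate(node, req):
    """node is ("require", "<keyword> <args>") or (op, [children]) with op in all/any/none."""
    op, body = node
    if op == "require":
        keyword, _, args = body.partition(" ")
        return PROVIDERS[keyword](req, args)
    results = [evaluate(child, req) for child in body]
    if op == "all":      # one DENIED sinks it; NEUTRAL children are ignored
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    if op == "any":      # one GRANTED is enough
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    if op == "none":     # negation: a grant becomes a denial, a denial becomes "no opinion"
        return DENIED if GRANTED in results else NEUTRAL
    raise ValueError(f"unknown container {op!r}")


def access_allowed(policy, req):
    """Only an explicit GRANTED at the top level opens the resource; NEUTRAL is a denial."""
    return evaluate(policy, req) == GRANTED


# The slide's logic with an assumed grouping: John, or a sales admin in the LDAP
# group, or a member of the group that owns the file.
SLIDE_POLICY = ("any", [
    ("require", "user John"),
    ("all", [
        ("require", "group admins"),
        ("require", "ldap-group cn=mygroup,o=foo"),
        ("require", "ldap-attribute dept=sales"),
    ]),
    ("require", "file-group"),
])

# Host access control as an authorization type: exclude one network, then require a user.
HOST_POLICY = ("all", [
    ("none", [("require", "ip 10.0.0.0/8")]),
    ("require", "valid-user"),
])
```

The none-of container is the part worth a second look: a client outside 10.0.0.0/8 yields NEUTRAL, not GRANTED, so on its own it admits nobody; it only removes a class of clients from whatever the sibling statements would otherwise allow, which is what replaces "Deny from" once host access control is just another Require type.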
General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.