FTN8.4: FutoIn Security Concept - Access Control
Version: 0.3DV
Date: 2018-01-05
Copyright: 2014-2018 FutoIn Project (http://futoin.org)
Authors: Andrey Galkin

This sub-specification of FTN8 covers Access Control.
The introduction is given in the main spec.
There are two goals:
Details of Auth Query are defined in FTN8.3 sub-spec.
This is a low-level concept which is used to grant and check dynamic access at runtime.
Access hierarchy: Service -> Interface -> Version -> Function -> Parameters. Such a combination is called an "Access Control Descriptor" (ACD) in this spec.
An ACD can be partially defined to act like a "mask". In most cases, parameters and functions are omitted.
A Service builds a full ACD based on the actual request, to be checked using the related AuthService.
Doing an API call for every action may produce significant overhead. For security reasons, it is important to design an effective caching mechanism with stable invalidation.
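An added illustration, not part of the specification: a partial ACD used as a mask against the full ACD built from a request, with a per-user decision cache that is dropped when an ACD_UPD event names that user. The matching rule (an omitted level matches anything, parameters match as a subset), the class and function names, and the sample service and interface names are assumptions made for this sketch.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ACD:
    """Service -> Interface -> Version -> Function -> Parameters; None = omitted."""
    service: Optional[str] = None
    iface: Optional[str] = None
    version: Optional[str] = None
    func: Optional[str] = None
    params: Optional[tuple] = None  # (name, value) pairs

    def covers(self, full: "ACD") -> bool:
        """Assumed mask rule: every level set on the mask must equal the request's."""
        for level in ("service", "iface", "version", "func"):
            if getattr(self, level) not in (None, getattr(full, level)):
                return False
        return self.params is None or set(self.params) <= set(full.params or ())

class AccessCache:
    """Caches decisions per (local_id, full ACD) in front of an AuthService stand-in."""
    def __init__(self, backend):
        self._backend = backend  # callable(local_id, full_acd) -> bool
        self._by_user = {}

    def check(self, local_id: str, full: ACD) -> bool:
        decisions = self._by_user.setdefault(local_id, {})
        if full not in decisions:
            decisions[full] = self._backend(local_id, full)
        return decisions[full]

    def on_acd_upd(self, local_id: str) -> None:
        """Drop all cached decisions for the user named in an ACD_UPD event."""
        self._by_user.pop(local_id, None)

# Constructed sample data: masks granted to a user at the stand-in AuthService.
GRANTS = {"user1": [ACD("svcB", "acme.files", "1.0")]}

def auth_service(local_id: str, full: ACD) -> bool:
    return any(mask.covers(full) for mask in GRANTS.get(local_id, []))

def demo():
    cache = AccessCache(auth_service)
    read = ACD("svcB", "acme.files", "1.0", "read", (("path", "/a"),))
    before = cache.check("user1", read)
    GRANTS["user1"] = []                # grant revoked at the AuthService
    stale = cache.check("user1", read)  # cached allow is still served
    cache.on_acd_upd("user1")           # invalidation arrives
    return before, stale, cache.check("user1", read)
```

The middle value returned by `demo()` is the window in which a revoked grant is still honoured from cache, which is why invalidation has to be reliable.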
It's not user-friendly to ask for particular API details. Instead, the providing Service registers named groups of ACDs with detailed descriptions in multiple languages.
The user grants access based on such named Access Groups. Associated ACDs may get updated, but the user should not be asked to re-confirm access unless the Access Group identifier changes.
In many cases, there is a fixed number of object types, like users, posts, files, etc., and a variable number of objects per type: many users, posts and files. Every object can have actions like Create/Read/Update/Delete.
A hierarchy is seen: Service -> Object Types -> Individual Objects -> Individual Object Action.
However, as all FutoIn operations are done through interfaces, it's possible to map
those to ACDs described above. This specification does not limit such flexibility and
the way such access gets granted internally, but it's assumed that access is checked
through the checkAccess() call.
ACD_UPD - update of ACDs per user
local_id - local user ID

    User/ServiceA              ServiceB                       AuthService
    |                          .                              .
    |-------- request -------> |                              .
    .                          |-------- checkAccess() -----> |
    .                          | <-- validation constraints --|
    | <------ response --------|                              .
    |                          .                              .

    ServiceA                   ServiceB                       AuthService
    |                          .                              .
    |-------- request -------> |                              .
    .                          |-------- checkOBF() --------> |
    .                          | <-- validation constraints --|
    .                          |-------- checkAccess() -----> |
    .                          | <-- validation constraints --|
    | <------ response --------|                              .
    |                          .                              .

    {
        "iface" : "futoin.auth.access",
        "version" : "{ver}",
        "ftn3rev" : "1.9",
        "imports" : [
            "futoin.ping:1.0",
            "futoin.auth.types:{ver}"
        ],
        "funcs" : {
            "checkOBF" : {
                "params" : {
                    "obf" : "AuthInfo",
                    "iface" : "FTNFace",
                    "ver" : "FTNVersion",
                    "func" : "FTNFunction"
                },
                "result" : {
                    "params" : "ParamConstraint"
                }
            },
            "checkAccess" : {
                "params" : {
                    "user" : "AuthInfo",
                    "iface" : "FTNFace",
                    "ver" : "FTNVersion",
                    "func" : "FTNFunction"
                },
                "result" : {
                    "params" : "ParamConstraint"
                }
            }
        },
        "requires" : [
            "SecureChannel",
            "MessageSignature"
        ]
    }

=END OF SPEC=