nethz 3.0: Design & Status - ETH - ITEK - ETH Zürich
nethz 3.0: Design & Status
Matteo Corti
ID-Basisdienste, Web Applications and Identity Management
© ETH Zürich
2011-05-11
Outline
• Identity management at ETHZ
• Goals
• What's new
• Status
2011-05-11 Matteo Corti/ETH Zurich, Informatikdienste/matteo.corti@id.ethz.ch
Identity Management at ETHZ
[Diagram: persons are sourced from SAP and OIS (and other applications); nethz, administered through the AdminTool, manages security principals, permissions and groups; these are provisioned to the directories and applications: LDAPS (Linux, ETHis, web apps, …), AD (Windows, Mail, Sharepoint, …) and Radius (VPN, 802.1X, …).]
New identity management: Why?
• nethz is more than 10 years old
• outdated initial architecture/design: the system grew from a password management tool to a huge identity management system
• new design
• implemented as a bunch of Perl scripts
• several parts are outdated
• not in sync with ID strategy
• UML, Java, Releases, …
Goals
• New model (definition of the business processes and objects)
• New architecture (domain separation, releases, …)
• New GUI (workflows, multilingual, help)
• Orders and authorizations
• Auditing/tracking
• General model (open source product)
• Quick overview of some of the changes
Orders
• Every change is requested through an order by a user
• If necessary, the operation needs to be authorized by
  • the resource owner (e.g., CMN)
  • an ISG (e.g., VPN, mail, …)
  • a fund owner (e.g., CMN)
• A user can issue orders for another user
• Orders can be tracked
• The DB status is archived (~ Time Machine)
Workflow changes for "administrators"
• For many tasks they will only need to authorize (or deny) an order
• Users will be able to generate orders for third parties.
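The two slides above describe the order workflow only in bullets. The following is an added illustration (not nethz code, and not the project's actual engine) of that workflow: a user submits an order, possibly for another user; the order names the roles that must authorize it (the role strings such as "isg:vpn" and "fund:cmn" are constructed placeholders); each step is recorded in the order's history; and every applied change archives a snapshot of the database so an earlier state can be read back, which is the "Time Machine" point on the slide.

```python
"""Order-based change management, in the style of the "Orders" and
"Workflow changes" slides. Added illustration, not nethz code: every change is
an order, a user can place an order for another user, each order names the
parties that must authorize it (resource owner, ISG, fund owner), every step is
tracked, and each applied change snapshots the database so any earlier state
can be inspected ("Time Machine").
"""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Order:
    order_id: int
    requester: str                  # user who issued the order
    subject: str                    # user the change applies to (may differ)
    operation: str                  # constructed name, e.g. "vpn"
    required_approvers: list[str]   # constructed roles, e.g. ["isg:vpn", "fund:cmn"]
    approvals: dict[str, bool] = field(default_factory=dict)
    state: str = "pending"          # pending -> applied | denied
    history: list[str] = field(default_factory=list)

    def log(self, event: str) -> None:
        """Tracking: append a timestamped event to the order's history."""
        self.history.append(f"{datetime.now(timezone.utc).isoformat()} {event}")


class OrderEngine:
    def __init__(self) -> None:
        self.db: dict[str, set[str]] = {}        # user -> granted operations
        self.orders: dict[int, Order] = {}
        self.snapshots: list[dict[str, set[str]]] = [copy.deepcopy(self.db)]
        self._next_id = 1

    def submit(self, requester: str, subject: str, operation: str,
               required_approvers: list[str]) -> Order:
        order = Order(self._next_id, requester, subject, operation, list(required_approvers))
        self._next_id += 1
        self.orders[order.order_id] = order
        order.log(f"submitted by {requester} for {subject}")
        if not order.required_approvers:     # nothing to authorize: apply directly
            self._apply(order)
        return order

    def decide(self, order_id: int, approver_role: str, approve: bool) -> str:
        """Authorize or deny on behalf of one required approver; returns the new state."""
        order = self.orders[order_id]
        if order.state != "pending":
            raise ValueError(f"order {order_id} is already {order.state}")
        if approver_role not in order.required_approvers:
            raise PermissionError(f"{approver_role} is not an approver of order {order_id}")
        order.approvals[approver_role] = approve
        order.log(f"{approver_role} {'authorized' if approve else 'denied'}")
        if not approve:
            order.state = "denied"
        elif all(order.approvals.get(r) for r in order.required_approvers):
            self._apply(order)                 # last authorization applies the change
        return order.state

    def _apply(self, order: Order) -> None:
        self.db.setdefault(order.subject, set()).add(order.operation)
        order.state = "applied"
        order.log("applied")
        self.snapshots.append(copy.deepcopy(self.db))   # archive the DB state

    def permissions_at(self, snapshot_index: int, user: str) -> set[str]:
        """Read the archived DB state: what did `user` hold at a given snapshot?"""
        return set(self.snapshots[snapshot_index].get(user, set()))


if __name__ == "__main__":
    engine = OrderEngine()
    order = engine.submit("alice", "bob", "vpn", ["isg:vpn", "fund:cmn"])
    print(engine.decide(order.order_id, "isg:vpn", True))    # still pending
    print(engine.decide(order.order_id, "fund:cmn", True))   # applied
    print(engine.permissions_at(0, "bob"), engine.permissions_at(-1, "bob"))
    for line in order.history:
        print(line)
```

The administrator's task reduces to a single `decide()` call, as the "Workflow changes" slide says; a single denial ends the order, and the change is only written once every required approver has authorized it.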
Security attributes vs. Centralized authorization
[Diagram, two variants. Security attributes: the nethz directory exports the identity's attributes (e.g., "student") onto the security principal, and each application derives the permissions from those attributes itself. Centralized authorization: nethz assigns a permission p to the security principal, and the application receives the permission directly.]
Model
Every business object and the relationships among them are precisely defined and documented:
• Identities: persons, machines, …
• Security domains: security principals, permissions
• Resources
• Groups
Case study: change of a password
Simplified model
[Diagram: a Security Domain contains Identities and Identity Groups, Principals and Principal Groups, Permissions and Permission Groups, and Resources.]
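The "Simplified model" diagram and the earlier "Security attributes vs. Centralized authorization" slide are served by one added illustration below. It is not nethz code: the class names, the sample identities and the `affiliation` attribute are constructed. It models a security domain with identities, principals, permissions and groups of each, resolves a principal's effective permissions through its group memberships, and contrasts the centralized check (`is_authorized`, the application asks for permission p) with an application deciding from an identity attribute (`app_check_by_attribute`).

```python
"""Security-domain model from the "Simplified model" slide, with the
distinction drawn on the "Security attributes vs. centralized authorization"
slide. Added illustration, not nethz code: a security domain holds identities,
the principals that represent them, permissions and groups of each; an
application asks the domain whether a principal holds permission p instead of
deriving rights from an identity attribute such as "student".
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    resource: str    # e.g. "vpn"
    action: str      # e.g. "connect"


@dataclass
class SecurityDomain:
    name: str
    # identity id -> attributes (constructed attribute "affiliation")
    identities: dict[str, dict[str, str]] = field(default_factory=dict)
    # principal name -> identity id it belongs to
    principals: dict[str, str] = field(default_factory=dict)
    # principal group name -> member principals
    principal_groups: dict[str, set[str]] = field(default_factory=dict)
    # permission group name -> member permissions
    permission_groups: dict[str, set[Permission]] = field(default_factory=dict)
    # holder (principal or principal group) -> permissions or permission group names
    grants: dict[str, set[Permission | str]] = field(default_factory=dict)

    def grant(self, holder: str, target: Permission | str) -> None:
        if holder not in self.principals and holder not in self.principal_groups:
            raise KeyError(f"unknown holder {holder}")
        if isinstance(target, str) and target not in self.permission_groups:
            raise KeyError(f"unknown permission group {target}")
        self.grants.setdefault(holder, set()).add(target)

    def effective_permissions(self, principal: str) -> set[Permission]:
        """Resolve direct grants plus grants to every group the principal is in."""
        if principal not in self.principals:
            raise KeyError(f"unknown principal {principal}")
        holders = {principal} | {g for g, members in self.principal_groups.items()
                                 if principal in members}
        result: set[Permission] = set()
        for holder in holders:
            for target in self.grants.get(holder, set()):
                if isinstance(target, Permission):
                    result.add(target)
                else:                                   # permission group: expand it
                    result |= self.permission_groups[target]
        return result

    def is_authorized(self, principal: str, resource: str, action: str) -> bool:
        """Centralized authorization: the application only asks for permission p."""
        return Permission(resource, action) in self.effective_permissions(principal)


def app_check_by_attribute(domain: SecurityDomain, principal: str) -> bool:
    """Security-attribute variant: the application decides from an identity
    attribute. Every application re-implements this rule and must change when
    the rule changes; shown only to contrast with is_authorized()."""
    identity = domain.identities[domain.principals[principal]]
    return identity.get("affiliation") == "student"


def build_example_domain() -> SecurityDomain:
    """Constructed sample data, not real ETH identities."""
    d = SecurityDomain("example")
    d.identities = {"p1": {"affiliation": "student"}, "p2": {"affiliation": "staff"}}
    d.principals = {"bobs": "p1", "alices": "p2"}
    d.principal_groups = {"students": {"bobs"}}
    d.permission_groups = {
        "student-services": {Permission("vpn", "connect"), Permission("library", "borrow")},
    }
    d.grant("students", "student-services")            # principal group -> permission group
    d.grant("bobs", Permission("prepaid", "topup"))     # direct grant to a principal
    return d


if __name__ == "__main__":
    d = build_example_domain()
    print(sorted((p.resource, p.action) for p in d.effective_permissions("bobs")))
    print(d.is_authorized("bobs", "vpn", "connect"), d.is_authorized("alices", "vpn", "connect"))
    print(app_check_by_attribute(d, "bobs"), app_check_by_attribute(d, "alices"))
```

Removing a principal from a principal group withdraws everything granted through that group while direct grants survive, which is the behaviour a centralized model gives every application at once; under the attribute variant each application would have to re-evaluate its own rule.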
Business object life cycles
Every business object will be either
• managed externally (e.g., by OIS)
  • no manual changes
  • lifecycle determined by the source
• managed manually
  • no automatic changes
  • lifecycle managed by the owner (limited in time)
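An added illustration of the two life cycles above (not nethz code; the registry, the OIS-style feed and the sample objects are constructed): objects created by synchronization carry their source, follow that source on every run, and refuse manual changes; objects created manually carry an owner and a mandatory expiry date, are never touched by synchronization, and are removed once they expire.

```python
"""Business-object life cycles from the "Business object life cycles" slide.
Added illustration, not nethz code: externally managed objects follow their
source (a constructed OIS-style feed here) and refuse manual changes; manually
managed objects are never changed by synchronisation, belong to an owner, and
must carry an expiry date set by that owner.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class BusinessObject:
    key: str
    attrs: dict[str, str]
    source: str | None = None         # e.g. "OIS" when externally managed, None when manual
    owner: str | None = None          # set for manually managed objects
    valid_until: date | None = None   # mandatory expiry for manually managed objects

    @property
    def externally_managed(self) -> bool:
        return self.source is not None


class Registry:
    def __init__(self) -> None:
        self.objects: dict[str, BusinessObject] = {}

    def create_manual(self, key: str, attrs: dict[str, str], owner: str,
                      valid_until: date | None) -> BusinessObject:
        if valid_until is None:
            raise ValueError("manually managed objects must be limited in time")
        if key in self.objects:
            raise KeyError(f"{key} already exists")
        obj = BusinessObject(key, dict(attrs), None, owner, valid_until)
        self.objects[key] = obj
        return obj

    def can_change_manually(self, key: str, actor: str) -> bool:
        """Only the owner of a manually managed object may change it; externally
        managed objects accept no manual changes at all."""
        obj = self.objects[key]
        return not obj.externally_managed and obj.owner == actor

    def change_manually(self, key: str, attrs: dict[str, str], actor: str) -> None:
        if not self.can_change_manually(key, actor):
            raise PermissionError(f"{actor} may not change {key}")
        self.objects[key].attrs.update(attrs)

    def synchronize(self, source: str, feed: dict[str, dict[str, str]],
                    today: date) -> dict[str, list[str]]:
        """Apply one run of the external source; returns what changed."""
        report: dict[str, list[str]] = {"created": [], "updated": [], "deleted": [], "expired": []}
        for key, attrs in feed.items():
            obj = self.objects.get(key)
            if obj is None:
                self.objects[key] = BusinessObject(key, dict(attrs), source)
                report["created"].append(key)
            elif obj.source == source and obj.attrs != attrs:
                obj.attrs = dict(attrs)
                report["updated"].append(key)
            # a manually managed object with the same key is left untouched
        for key, obj in list(self.objects.items()):
            if obj.source == source and key not in feed:
                del self.objects[key]            # lifecycle determined by the source
                report["deleted"].append(key)
            elif not obj.externally_managed and obj.valid_until < today:
                del self.objects[key]            # owner-set lifetime has run out
                report["expired"].append(key)
        return report


if __name__ == "__main__":
    r = Registry()
    r.create_manual("guest-1", {"name": "Guest"}, owner="alice", valid_until=date(2011, 6, 30))
    print(r.synchronize("OIS", {"s1": {"name": "Bob"}, "s2": {"name": "Eve"}}, date(2011, 5, 11)))
    print(r.can_change_manually("s1", "alice"), r.can_change_manually("guest-1", "alice"))
    print(r.synchronize("OIS", {"s1": {"name": "Bob"}}, date(2011, 7, 1)))
```

The check worth noting is the second loop: an object disappears either because its source no longer lists it or because its owner-set validity has ended, and never for both reasons, so the two life cycles stay separate in the audit report.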
System architecture
[Diagram: a common GUI on top of the order management engine; below it, separate application domains (identity management, mail management, prepaid management), each with its own order management and its own DB.]
We split nethz into several application domains with separate:
• release cycles
• DB
but a common GUI:
• single sign on
• unique layout
Groups
• Identities and security principals can be grouped
• decoupled from their technical incarnation
• everybody can manage groups
• Permissions can be grouped
• Unified group management (e.g., ISG Tool)
Project status
(✔ done, ~ in progress, ✗ open)
Specifications and configuration      ✔
Business model                        ✔
Order management engine               ✔
Core: identity management             ✔
OIS connector                         ~
Core: other (mail, …)                 ✗
GUI: design (content and workflows)   ~
GUI: implementation                   ~
Synchronization(s)                    ✗
Documentation                         ✗
Migration                             ✗
Estimated first release candidate: end of year
Code size: 35 KLOC