The Scenario section allows you to quickly populate the MySQL database with a list of generated subjects (users, groups, roles and, for AWS only, service and federated entities) and resources (folders, i.e. AWS buckets and OpenStack containers, and objects) to use as input when specifying the permissions in SecurePG (tab “Natural language Authorizations (NLA) & SecurePG Input”).
By pressing the Populate DB button, the requested number of entities is added to the database with the “gen” prefix, using where necessary the AWS Root Account ID and the OpenStack Domain information provided in this tab (e.g. the account ID becomes part of the generated AWS ARNs).
The entities can also be loaded automatically from an AWS account (Load from AWS button) or a local OpenStack installation (Load from OpenStack button) once the user has stored in the MySQL “credential” table a set of credentials with sufficient permissions on the root account/domain in question. Read-only listing permissions on IAM and S3 are enough for the loader; write permissions are only needed later, to push the generated policies. In order to load the components of AWS S3, it is also necessary to specify the endpoint to connect to.
By pressing the Generate Ownership and Generate Assignment buttons, or by invoking one of the two automatic loaders, the tool randomly links the components present in the database according to the Domain Ownership and Domain Relations formulas detailed in Figure 1.
In the tutorial video, the user first populates the database with the requested components and then, after clearing them from it, loads the entities from an Amazon AWS account.
Note I. The tool randomly places the generated objects inside the generated folders.
Note II. Adding elements is not cumulative: pressing the Populate DB button twice with 3 subjects leaves three subjects in the database, not six.
Note III. As of the current version, the credential table must be populated manually (e.g. with the help of MySQL Workbench).
Figure 1: Rational reconstruction of the AWS and OpenStack AC models
The NLA generator section allows you to quickly generate a list of semicolon-separated authorizations in the input tab (“Natural language Authorizations (NLA) & SecurePG Input”).
By pressing the Generate button, the tool generates a list of sentences according to the grammar tokens defined with ANTLR, within the following bounds: each sentence includes up to five subjects, each with up to five attributes that use up to five values; the same limits apply to resources and conditions. Each sentence also uses up to five hints and one of the pre-defined purposes (the “extra” token). Providing a seed number initializes the random selector, so that an experiment can be repeated exactly.
By pressing the Reset button it’s possible to clear the SecurePG input tab.
Note I. Because the SecurePG AWS and OpenStack Output tabs prompt the user with warnings and choices while generating the entities and the policies, it is not advisable to generate a large number of permissions at once: each of them may need manual attention.
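The generator described above, as an added example rather than SecurePG's own code: the page does not reproduce the ANTLR grammar or the database contents, so the vocabulary (subjects, attributes, actions, resources, conditions, hints, purposes) and the sentence shape below are constructed. What it shows is how the seed makes a run repeatable and how the "up to five" bounds are applied per sentence.

```python
import random

# Constructed vocabulary standing in for the entities SecurePG reads from its MySQL
# database and for the ANTLR grammar tokens, which this page does not reproduce.
SUBJECTS = ["gen-user1", "gen-user2", "gen-group1", "gen-role1"]
SUBJECT_ATTRS = {"department": ["sales", "dev"], "type": ["user", "group", "role"]}
ACTIONS = ["read", "write", "delete", "list"]
RESOURCES = ["gen-folder1", "gen-folder2", "gen-folder1/gen-object1"]
CONDITIONS = {"time": ["<", ">"], "ip": ["=", "!="]}
HINTS = ["for the sales team", "during office hours", "from the office network"]
PURPOSES = ["backup", "audit", "development"]
MAX_ITEMS = 5   # at most five subjects, attributes, values, ... per sentence


def pick_some(rng, pool, upper=MAX_ITEMS):
    """Draw between 1 and `upper` distinct items (never more than the pool holds)."""
    return rng.sample(pool, rng.randint(1, min(upper, len(pool))))


def generate_sentence(rng):
    """One NLA sentence; every random choice goes through `rng` so the seed fixes it."""
    effect = rng.choice(["allow", "deny"])
    subjects = pick_some(rng, SUBJECTS)
    attrs = [f"{name} in ({', '.join(pick_some(rng, SUBJECT_ATTRS[name]))})"
             for name in pick_some(rng, list(SUBJECT_ATTRS))]
    actions = pick_some(rng, ACTIONS)
    resources = pick_some(rng, RESOURCES)
    conds = [f"{name} {rng.choice(CONDITIONS[name])} {rng.randint(1, 100)}"
             for name in pick_some(rng, list(CONDITIONS))]
    hints = pick_some(rng, HINTS)
    purpose = rng.choice(PURPOSES)            # one pre-defined purpose (the "extra" token)
    sentence = f"{effect} {', '.join(subjects)} with {' and '.join(attrs)}"
    sentence += f" to {', '.join(actions)} on {', '.join(resources)}"
    sentence += f" if {' and '.join(conds)} {' '.join(hints)} for {purpose}"
    return sentence


def generate_nla(count, seed=None):
    """Semicolon-separated NLAs; the same seed always yields the same text."""
    rng = random.Random(seed)
    return "; ".join(generate_sentence(rng) for _ in range(count)) + ";"


if __name__ == "__main__":
    print(generate_nla(3, seed=42))
```

Running it twice with the same seed prints identical sentences, which is what makes a generated workload comparable across tool versions; without a seed `random.Random()` seeds itself from the OS and every run differs.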
The NLA & SecurePG input section allows you to provide the input for SecurePG.
The tool supports specifying the permissions either through the GUI or manually, by providing a string that follows the grammar tokens defined with ANTLR (e.g. without any resource, or using special AWS tokens). In the GUI, the Add button builds the NLA sentence from the selected components, and the Entities menu switches between subject and resource names.
The entities shown in the GUI, together with the other components, are fetched from the SQL database, which is populated manually, by the OpenStack and AWS loaders, or by creating subjects and objects while the permissions are processed. The user can nonetheless type different entities by hand, to populate the database with subjects and resources that were not present beforehand, or use the wildcard * together with their names.
It is important to highlight that all NLA authorization components not supported by the cloud provider or by the current version of the tool (e.g. specific attributes or policy types, conditions when generating OpenStack policies, and the purpose) are ignored during policy generation. Dropping a condition, in particular, yields a policy broader than the sentence intended, so check the output when the warnings mention it. For example, specifying the "Trust" type in the NLA (as an object attribute) generates a trust policy only in AWS, not in OpenStack.
Note I. As of the current version, the purposes table must be populated manually (e.g. with the help of MySQL Workbench).
Note II. While SecurePG shows the user only the actions common to AWS and OpenStack, it is possible to manually provide AWS- or OpenStack-specific actions (for the AWS and OpenStack services supported by the tool).
Note III. SecurePG uses the assignments DB table to assist the user when providing the subject attributes.
The AWS Output section provides the Amazon policies generated from the NLA authorizations, in AWS policy syntax, after the sentences have been processed.
SecurePG requires its users to assist policy generation in the following cases:
Finally, SecurePG reports to its users the warnings and errors raised during the policy generation process (e.g. the use of the subject “everyone”, special combinations like “deny nobody”, misspellings and so on). This helps the user fix the NLA permissions and retry the policy generation.
After the policies have been generated correctly, the user can click File -> Push Policies to AWS to enforce them in the cloud. Pushing enforces the policies exactly as generated, so resolve the warnings above and review the generated JSON first.
Note I: the entity type can be suggested to SecurePG with the “type” attribute.
Note II: the popup menus usually include the string provided as input by the SecurePG user. This allows, for instance, a wildcard value to be carried into the final policies.
The OpenStack Output section provides the OpenStack policies generated from the NLA authorizations (which are mandatory input) after the sentences have been processed according to the OpenStack requirements.
The generation engine uses the same messages, advice and warnings mentioned in the AWS Output section, limited to the OpenStack components and features, with the addition of those related to the concept of OpenStack projects.
As of the current version, the user is required to manually insert the generated rules into the Swift ACL configuration (when processing resource-based authorizations) or into the Keystone policy file, usually stored under /etc/keystone/ (when processing authorizations that are not evaluated as resource policies).
Note I: SecurePG tries to use the set of credentials associated with the Root Account ID provided by the user in the “Scenario” tab (prompting a menu if more than one is found).
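The generation described in the AWS Output and OpenStack Output sections above, as an added example that is not SecurePG's code: the tool's ANTLR grammar and its action-mapping tables are not reproduced on this page, so the example assumes the NLA has already been parsed into a dict (a constructed sample is included) and uses placeholder values for ACCOUNT_ID, PROJECT and the three action tables. It shows the identity-policy versus trust-policy choice for the "Trust" type, the "everyone" and "deny nobody" warnings, the dropping of conditions for OpenStack, and the split between Swift container ACL headers (resource-based) and Keystone policy-file rules (everything else).

```python
import json

ACCOUNT_ID = "123456789012"   # placeholder for the AWS Root Account ID from the Scenario tab
PROJECT = "gen-project1"      # placeholder OpenStack project; the sample NLA names none

# Illustrative action tables (assumptions, not SecurePG's own mapping tables).
AWS_ACTIONS = {"read": "s3:GetObject", "write": "s3:PutObject", "list": "s3:ListBucket"}
KEYSTONE_ACTIONS = {"read": "identity:get_user", "list": "identity:list_users"}
SWIFT_HEADERS = {"read": "X-Container-Read", "list": "X-Container-Read",
                 "write": "X-Container-Write"}


def check_subject(auth):
    """Warnings for the special subjects the page mentions ("everyone", "deny nobody")."""
    warnings = []
    if auth["effect"] == "deny" and auth["subject"] == "nobody":
        warnings.append('"deny nobody" denies no one; statement skipped')
    if auth["subject"] == "everyone":
        warnings.append('"everyone" makes the grant public; confirm this is intended')
    return warnings


def to_aws(auth):
    """Return (policy document or None, warnings) in AWS JSON policy syntax."""
    warnings = check_subject(auth)
    if auth["effect"] == "deny" and auth["subject"] == "nobody":
        return None, warnings
    principal = "*" if auth["subject"] == "everyone" else {
        "AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/{auth['subject']}"}
    if auth.get("type") == "Trust":      # object attribute "Trust" -> role trust policy (AWS only)
        stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    else:
        actions = []
        for a in auth["actions"]:
            if a in AWS_ACTIONS:
                actions.append(AWS_ACTIONS[a])
            else:
                warnings.append(f"unknown action {a!r} (misspelling?) dropped")
        if not actions:
            return None, warnings
        stmt = {"Effect": auth["effect"].capitalize(), "Principal": principal,
                "Action": actions,
                "Resource": [f"arn:aws:s3:::{r}" for r in auth["resources"]]}
        if auth.get("conditions"):       # already in AWS condition-block form
            stmt["Condition"] = auth["conditions"]
    return {"Version": "2012-10-17", "Statement": [stmt]}, warnings


def to_openstack(auth):
    """Return (generated rules, warnings); conditions are not supported and are dropped."""
    warnings = check_subject(auth)
    if auth["effect"] != "allow" or auth.get("type") == "Trust":
        warnings.append("only allow rules without the Trust type are handled for OpenStack here")
        return None, warnings
    if auth.get("conditions"):
        warnings.append("conditions are not supported for OpenStack policies; dropped")
    if auth["subject"] == "everyone":
        who, match = "*:*", "@"          # Swift: any user of any project; oslo.policy: always true
    else:
        who, match = f"{PROJECT}:{auth['subject']}", f"user_id:{auth['subject']}"
    rules = {}
    if auth["resources"]:                # resource-based -> Swift container ACL headers
        for r in auth["resources"]:
            container = r.split("/")[0]
            if "/" in r:
                warnings.append(f"Swift ACLs are per container; {r!r} widened to {container!r}")
            for a in auth["actions"]:
                if a in SWIFT_HEADERS:
                    rules.setdefault(container, {}).setdefault(SWIFT_HEADERS[a], set()).add(who)
                else:
                    warnings.append(f"unknown action {a!r} dropped")
        rules = {c: {h: ",".join(sorted(v)) for h, v in hs.items()} for c, hs in rules.items()}
    else:                                # otherwise -> rules for the Keystone policy file
        for a in auth["actions"]:
            if a in KEYSTONE_ACTIONS:
                rules[KEYSTONE_ACTIONS[a]] = match
            else:
                warnings.append(f"unknown action {a!r} dropped")
    return rules, warnings


# Constructed input, assumed to be the parsed form of
#   "allow gen-user1 to read, write on gen-folder1/gen-object1 if the source IP is in 10.0.0.0/8"
SAMPLE = {"effect": "allow", "subject": "gen-user1", "actions": ["read", "write"],
          "resources": ["gen-folder1/gen-object1"],
          "conditions": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}

if __name__ == "__main__":
    for name, fn in (("AWS", to_aws), ("OpenStack", to_openstack)):
        out, warns = fn(SAMPLE)
        print(name, json.dumps(out, indent=2), *warns, sep="\n")
```

The AWS side emits a resource-based (bucket) policy because the sentence names a principal; an identity-based policy would carry the same Action, Resource and Condition without the Principal element. The OpenStack side makes the two losses visible as warnings: the condition disappears entirely, and an object-level grant becomes a container-level one because Swift ACLs only exist on containers. Both are cases where the enforced policy is broader than the NLA, which is why the warnings should be read before the rules are pasted into the Swift ACL headers or the Keystone policy file.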
JSON-based representation of the output generated by the ANTLR processing of the NLAs.
The SMT Policy Simulator section allows the user to test the permissions before enforcing them in the cloud by querying SecurePG. SecurePG uses the SQL database and the NLAs (provided in the input section) to populate a CPRL policy document with subject names, types, groups, roles and IDs (which compose the entity User), action names (entity Action), resource names and types (which compose the entity Resource), and condition names, operators and values (which compose the entity Environment). The NLAs are also used to create the release policies against which the queries provided through the GUI are evaluated. A query may specify one or more subjects (by selecting their names and, optionally, one or more of the subject attributes loaded from the database), one or more actions, one or more resources and one or more conditions.
By pressing the General/AWS/OpenStack button it’s possible to switch context between a general environment (components supported by both AWS and OpenStack) and one focused on AWS or OpenStack; this allows, for example, specifying AWS conditions or providing the OpenStack subject id as an attribute.
By pressing the Reset button it’s possible to clear the tab input (shown on the left) and the output (shown on the right).
By pressing the Add new query button it’s possible to add a new query as input.
By pressing the Print queries button it’s possible to evaluate the queries.
As output, SecurePG prints whether each query is allowed and which NLA (release policy) allows it.
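The simulator described above, as an added example that is not SecurePG's code and does not use an SMT solver: SecurePG encodes the CPRL document and the release policies for a solver, whereas this example evaluates the same kind of query (subjects with attributes, actions, resources, environment conditions) directly in Python, returning whether it is allowed and which NLA allows it. The users, release policies and the rule that an explicit deny beats any allow are constructed assumptions.

```python
from dataclasses import dataclass, field
import operator


@dataclass(frozen=True)
class User:                       # CPRL "User" entity: name, type, groups, roles, id
    name: str
    type: str = "user"
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()
    id: str = ""


@dataclass
class ReleasePolicy:              # one release policy derived from one NLA sentence
    nla: str
    effect: str                   # "allow" or "deny"
    subject: dict                 # attribute -> set of values; every listed attribute must match
    actions: set
    resources: set                # exact names or "prefix/*"; "*" matches everything
    conditions: dict = field(default_factory=dict)   # environment name -> (operator, value)


OPERATORS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}


def user_attributes(user):
    """The attribute view of a User that a release policy's subject part is matched against."""
    return {"name": {user.name}, "type": {user.type}, "group": set(user.groups),
            "role": set(user.roles), "id": {user.id}}


def resource_matches(patterns, resource):
    for p in patterns:
        if p == "*" or p == resource:
            return True
        if p.endswith("/*") and resource.startswith(p[:-1]):
            return True
    return False


def policy_matches(policy, user, action, resource, env):
    attrs = user_attributes(user)
    for key, wanted in policy.subject.items():
        if "*" not in wanted and not (attrs.get(key, set()) & wanted):
            return False
    if action not in policy.actions and "*" not in policy.actions:
        return False
    if not resource_matches(policy.resources, resource):
        return False
    for name, (op, value) in policy.conditions.items():
        if name not in env or not OPERATORS[op](env[name], value):
            return False          # an absent environment value never satisfies a condition
    return True


def evaluate(policies, user, action, resource, env=None):
    """Return (allowed, nla). Assumed semantics: an explicit deny beats any allow."""
    env = env or {}
    hits = [p for p in policies if policy_matches(p, user, action, resource, env)]
    for p in hits:
        if p.effect == "deny":
            return False, p.nla
    for p in hits:
        if p.effect == "allow":
            return True, p.nla
    return False, None


def evaluate_query(policies, users, actions, resources, env=None):
    """Expand a multi-valued GUI query into one decision per (user, action, resource)."""
    return {(u.name, a, r): evaluate(policies, u, a, r, env)
            for u in users for a in actions for r in resources}


# Constructed scenario (not taken from the page's database or its video)
USERS = {
    "gen-user1": User("gen-user1", groups=frozenset({"gen-group1"}), id="u1"),
    "gen-user2": User("gen-user2", roles=frozenset({"admin"}), id="u2"),
}
POLICIES = [
    ReleasePolicy("allow gen-group1 to read on gen-folder1/*", "allow",
                  {"group": {"gen-group1"}}, {"read"}, {"gen-folder1/*"}),
    ReleasePolicy("deny gen-user2 to delete on gen-folder1/gen-object1", "deny",
                  {"name": {"gen-user2"}}, {"delete"}, {"gen-folder1/gen-object1"}),
    ReleasePolicy("allow role admin to read, delete on * if ip = 10.0.0.1", "allow",
                  {"role": {"admin"}}, {"read", "delete"}, {"*"}, {"ip": ("=", "10.0.0.1")}),
]

if __name__ == "__main__":
    results = evaluate_query(POLICIES, USERS.values(), ["read", "delete"],
                             ["gen-folder1/gen-object1"], {"ip": "10.0.0.1"})
    for key, (ok, nla) in results.items():
        print(key, "ALLOWED" if ok else "DENIED", "by" if nla else "", nla or "(no matching NLA)")
```

Two points the simulator output makes visible before anything is pushed to the cloud: a query that satisfies an allow and a deny at once is reported as denied together with the denying NLA, so the conflict can be traced back to its sentence; and a query whose condition value is missing from the environment is not allowed at all rather than allowed by default.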