-
-
Notifications
You must be signed in to change notification settings - Fork 670
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
4.1.7 - Real time access control decision making (ed note: initially became 4.1.6) #2059
Comments
We have a requirement
I have proposed to move it to access control in #1917
It may make sense to read the issue, as there are other related comments, but let's continue the discussion in this issue. |
Note: revoking the token is pretty dramatic. I'd rather set up a rule with the new access control policy for that user (using some caching method) so the user experience is not effected. If you can revoke an active token, then having a "access control over-ride" list is just as easy. |
Apparently (today I learned), the blessed lingo for that would be/become "self-encoded tokens"? |
So we currently have two proposals. I prefer @EnigmaRosa's requirement above #2059 (comment), because it is more outcomes focused than implementation focused. However, I think we do also need to address the token based situation as well. I would propose something like:
What do we think? |
This is a quite weird requirement by wording - "You must do it immediately, ... or a bit later is also ok." What do you mean by "rotate the token" - from the OAuth perspective - is the requirement addressing refresh token's or access tokens? What means "very short lifetime"? It overlaps with V3 stateful vs stateless and with OAuth topics. I think we need to find more general solution here than writing "if stateless" to each requirement. |
What about something like "ensure that changes of roles and entitlement are taken into account in the policy enforcement points in at most When using some kind of reference token which involves a request to a separate service for validation, you will probably end up using a small cache in order to avoid making the token validation request for each incoming request (based on the freshness of your last check and how critical the current request is). When using a self-encoded token, this is going to be implemented by the short validity of the token. |
Really the question is if we want to go high-level or make sure to include classical and stateless |
I can accept that, on the other hand, I don't want to overthink this too much.
In principle, I want to keep things high level. On the other hand, in a system where the permissions mechanism relies on signed tokens, is it possible to comply with this requirement? Maybe the solution is to either allow a grace period or make this an L2 or L3 requirement. What do people think? |
Yes, in practice for scalability reasons, you are often going to have some small grace period between the moment you modify some user permissions and the moment the modification is actually taken into account (especially in highly distributed and high-availability systems). Some examples: If you are using some OIDC user claims for authorization decision and you want real-time access control decision, you are going to need to be a UserInfo request for each incoming request. (Another solution would be to rely on Shared Signals). If you are using OAuth access tokens and you want real-time access control decision, the resource server is going to need to check the status of the access token (using token introspection) for each incoming request. Another case is if you are storing the user permissions in a database which features eventual consistency for high availability. Google's Zanzibar is certainly a well-designed scalable system for this topic. However it does not feature real-time access control decision (in this sense) but only features external consistency:
|
I'm good with making this L2 & L3 |
Updated proposal. I have made this Level 2 and have reworded to try and focus on the problem. @elarlang is ok with it. What do you think @jmanico @EnigmaRosa?
|
A few suggestions: Verify permission values used in access control decisions are updated in real-time or as quickly as possible. If updates exceed a few minutes, implement monitoring and alerts to detect and block unauthorized actions. Invalidate stale permissions promptly and refresh cached permissions regularly. |
The requirement here should only be about V4 authorization. One thing per requirement. |
Fair point. I suggest we just keep is simple then. Verify permission values used in access control decisions are updated in real-time. |
Also, I recommend thinking about and defining, what "real time" means. Let's say we have a "classical" server-side session, session token/id delivered in a cookie - if there is a permission change, account termination, etc - "real-time" means that in the very next second this user is logged out from the UI, and not waiting for the next request to the server. So it requires sockets to keep it "real-time". |
That's fair. How about back to: Verify permission values used in access control decisions are updated in real-time or as quickly as possible |
Are you talking about "If updates exceed a few minutes, implement monitoring and alerts to detect and block unauthorized actions." If so, I think that this is an important mitigating control which is why I added it as there are a lot of reasons why "immediate" is not possible.
I think the implication is that the next time the user attempts to refresh data it will no longer be accessible. I don't think we can handle a situation where they have just left the screen open. That is what idle timeout is for :) I also feel like the "real time" phrase is causing problems. I would suggest: Verify that permission values used in access control decisions are updated immediately or as quickly as possible. |
I feel like the "as quickly as possible" language is going to be a problem. I understand why we select that phrase, I'm just concerned users will have issues with it. |
I agree it is not ideal but I think real time is also a little relative :) Any thoughts on different wording? |
Actually, the definition of "real-time" is that the delay must be bounded by some specified value, so if we wanted to paraphrase the meaning of this, it would be:
|
Feels like we are back to my previous proposal: #2059 (comment) This proposal provides some practical bounds for what "as fast as possible" means as well as a practical mitigation. I think the second sentence is clearly relevant to the first sentence as a direct follow-on/consequence.
|
New bone to bite:
|
Good point about information leakage. Comparing "as fast as possible. Where this is longer than a few minutes," and "are effective immediately. There can be a maximum few minutes for changes to take effect", what do you specifically prefer about your wording? |
It's too much to say that I prefer my wording, it's just different, and the reason for not using "fast as possible" is that it is relative depending on solution, for someone "fast as possible" is 10 minutes maybe. |
Ok but I also qualify with "more than a few minutes" which hopefully makes it less relative |
Maybe we take the time out from this, for the direction:
But we should mention the stateless token struggle there more clearly to cover current requirement:
|
Ok so how about:
Sorry I didn't understand your point |
All this Where values cannot be updated immediately part is basically meant for stateless tokens solutions, but it's not that clearly highlighted. From the first part you ignored my update proposal, and it's not clear, for whom/what the "immediate update" must be done. |
Final proposal discussed with @elarlang.
This should supersede 3.5.7 as a a more goal focused requirement. @set-reminder @tghosth to open PR in 1 hour |
⏰ Reminder
|
PR opened (requirement is 4.1.6), #2210 |
Note: this is referenced as 4.1.10 in #2033, but I updating the numbering to account for the skipped requirements.
Ed note: This is being merged as 4.1.6
I propose the addition of a new requirement that addresses the need for access decisions to be made on the most current permissions information. For example, let's say a user's access permissions are modified while that user has an active session (i.e. admin revokes access to edit files) - if the system does not check the user's permissions in real time (i.e. instead relying on cached access information), the user would be able to edit a file, which they should no longer be able to do.
The text was updated successfully, but these errors were encountered: