anchela commented on code in PR #571: URL: https://github.com/apache/jackrabbit-oak/pull/571#discussion_r875802058
########## oak-doc/src/site/markdown/security/authorization/bestpractices.md: ########## @@ -0,0 +1,316 @@ +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +Best Practices for Authorization +-------------------------------------------------------------------------------- + +<!-- MACRO{toc} --> + +## Before you get started +### Threat Model + +Before you start coding, creating content or setting up access control set aside some time to consider what is needed +when it comes to securing your application (and what could go wrong). In other words: write a threat model and +make sure you keep updating it as you continue developing. + +The following references provide a good overview as well as guidance on how to build a threat model: + +- https://shostack.org/resources/whitepapers/threat-modeling-what-why-how +- https://owasp.org/www-community/Threat_Modeling +- https://owasp.org/www-community/Threat_Modeling_Process + +### Content Modelling + +As suggested in [Jackrabbbit Wiki](https://jackrabbit.apache.org/archive/wiki/JCR/DavidsModel_115513389.html#DavidsModel-Rule#2:Drivethecontenthierarchy,don'tletithappen) +the content hierarchy in your JCR repository should be designed and access control requirements tend to be a good driver. + +Make sure the content design allows for a readable and manageable access control setup later on to secure your data. +Excessive complexity is often a strong indicator for problems with your content model, making its security error prone +and difficult to reason about (and might ultimately might lead to issues with scaling). + +Here is an example of a access control setup (in Sling RepoInit language) illustrating why content with +different access requirements should be kept in separate trees and how complexity may yield undesired +effects (see also section 'Remember inheritance' below): + + # TO BE AVOIDED + + create path /content + create path /content/public + create path /content/content2/also_public + create path /content/sensitive_info + + set ACL on /content + deny everyone jcr:all # most likely redundant + allow readers jcr:read + allow editors jcr:read, jcr:write + deny readers jcr:read restriction(rep:subtrees, /sensitive_info) # what about editors or a subject being both reader and editor? + allow everyone jcr:read restriction(rep:subtrees, /public, /also_public) # different public folders?? + + # ... and what happens with a new node /content/public/abc/sensitive_info? + end + +### Define Roles and Tasks + +Finally, write down basic characteristics and demands of your application without getting into access control details +or making any assumptions on how your needs will reflected in the repository: + +- what roles are present +- what kind of tasks are those roles designed to perform +- define if you have services accessing the repository and what kind of tasks they need to complete + +Note, that this document should be human readable not go into implementation details: +Instead of writing principal 'content-authors' needs jcr:write on /content, define that you have an asset 'content', +define what kind of data it contains and how sensitive the data is (similar to the threat model). +Then identify what roles are going to interact with this data and how they interact: for example you may identify +a role that just reading data, a second role that is expected to read and write and a third one that is will only +approve new content and publish it). + +## General Best Practices + +### Know how to get what you need + +Familiarize yourself with JCR access control management and Oak authorization design and extensions before starting +to edit the permission setup of your Oak installation. This will help you avoid common pitfalls. If you find yourself +granting your _content-writers_ role full access to just make it work, you probably left your application vulnerable. + +- JCR Specification sections [Access Control Management](https://s.apache.org/jcr-2.0-spec/16_Access_Control_Management.html) +and [Permissions and Capabilities](https://s.apache.org/jcr-2.0-spec/9_Permissions_and_Capabilities.html) +- [Oak Authorization Documentation](../authorization.html) with separate sections for [Access Control Management](../accesscontrol.html) and [Permission Evaluation](../permission.html). +- Exercises for authorization topics below https://github.com/apache/jackrabbit-oak/tree/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization + +### Principle of least privilege + +Keep in mind that not having any permissions granted is equivalent to denying everything (which is in +this case redundant). Start without any access and then keep granting permissions as needed, following the +[principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege). +In other words: only grant the minimal set of privileges required to perform a particular task. + +### Verification + +Write tests upfront and verify that for each role and task the expected effective permissions (see definition of roles) are Review Comment: only pseudo-code.... but i can add that -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
