Access Control on module integrated systems

Iván Chavero
JAWS Development Team
November 2004

Introduction

Every system needs to have some form of access control, in a multi-module/multi-user environment
this has to be adressed using a ACL (Access Control List) module.
The way this ACL’s are stored and accessed is the pourpouse of this document.

Access Control List

The ACL’s are a set of attributes that can only have boolean values, this attributes map
functions on the modules or other elements that integrate a certain system and
hold a true or false value defining whether a function can be executed or not.
They can be related to the different components that interact in the system:
users, modules, hosts, groups, etc…

ACL’s can be represented as an xpat like expression.

We can implement them as part of the elements of the system:

user:
/users/user_name/ACL/module_name/action_name = true
module:
/modules/module_name/ACL/action_name = false
group
/groups/group_name/ACL/modules/module_name/action_name = true
host
/host/host_ip/ACL/modules/module_name/action_name = true

or as a relation isolated from the other elements:

/ACL/users/user_name/modules/module_name/action_name

/ACL/modules/module_name/action_name

/ACL/hosts/host_name/modules/module_name/action_name

We can represent the ACL information as a tree:

ACL tree:

/
 ---+
    |
    +--- users
    |     |
    |     +--- user_name 
    |     |         |
    |     |         +--- ACL
    |     |               |
    |     |               +--- modules
    |     |                        |
    |     |                        +--- module_name
    |     |                                   |
    |     |                                   +--- action_name : true
    |     +--- default_user
    |               |
    |               +--- ACL
    |                     // empty ACL, takes default values
    |
    +--- modules
    |       |
    |       +--- ACL
    |             |
    |             +--- module_name
    |                       |
    |                       +--- action_name : true //this values define the defaults  
    |
    +--- hosts
    |       |
    |       +--- host_name|ip|ip/mask
    |                 |
    |                 +--- ACL
    |                       |
    |                       +--- modules
    |                               |
    |                               +--- module_name
    |                                         |
    |                                         +--- action_name : true
    |
    +--- groups
            |
            +--- ACL
            |     |
            |     +--- modules
            |             |
            |             +--- module_name
            |                         |
            |                         +--- action_name : true
            |
            |
            +--- users
                   |
                   +--- user_name
                   |
                   +--- user_name2

independent ACL schema:

  /ACL
    |
    +--- users
    |     |
    |     +--- user_name 
    |     |         |
    |     |         +--- modules
    |     |                 |
    |     |                 +--- module_name
    |     |                            |
    |     |                            +--- action_name : true
    |     +--- default_user
    |                     // empty ACL, takes default values
    |
    +--- modules
    |       |
    |       +--- module_name
    |                 |
    |                 +--- action_name : true //this values define the defaults  
    |
    +--- hosts
    |       |
    |       +--- host_name|ip|ip/mask
    |                 |
    |                 +--- modules
    |                         |
    |                         +--- module_name
    |                                    |
    |                                    +--- action_name : true
    |
    +--- groups
            |
            +--- modules
                    |
                    +--- module_name
                               |
                               +--- action_name : true

Also we can represent ACL’s using XML:

<users>
   <user>
      <name>
         user_name
      </name> 
      <ACL>
           <modules>
              <module>
                 <name>
                    module_name
                 </name>
                 <actions>
                    <action>
                       <name>
                          action_name 

                       </name>
                       <permited>
                          true
                       </permited>
                    </action>
                 </actions>
              </module>
           </modules>
      </ACL>
   </user>
</users>

standalone:

<ACL>
   <users>
      <user>
         <name>
            user_name
         </name>
         <modules>
            <module>
               <name>
                   module_name 
               </name>
               <actions>
                  <action>
                     <name>
                         action_name 
                     </name>
                     <permited>
                          true
                      </permited>
                   </action>
               </actions>
             </module>
         </modules>
      </user>
   </users>
</ACL>

Implementation

We can implement the ACL checking using a function that returns if the module, action pair are permited for a given user. This check can be done on each module or in a central controller that manages the interaction between the modules and the user (the controller on a MVC pattern).

Our ACL API could be:

* Get(user,module,action) - Returns true if the module, action are permitted for the user and false if they are not.
* Set(user,module,action) - Sets the ACL for the user,module,action set
* Denied($message) - Calls a method provided by the controller to display an “access denied” error message.

On the controller we could include the ACL check in this form:

<?php
//...controler stuff
 
if(!JawsACL::Get($user, $module, $action)) {
    JawsACL::Denied("You can't use this stuff.");
    // JawsACL::Denied will automatically end execution.
}
 
 
$module = new $module();
$module->$action();
 
//more controller stuff....
?>

To Do

  • Implementation.
  • Conclusion.

Current ACL implementations in PHP

by Iván <drslump_at_drslump.biz>

  Pros: Mature, fast, powerful and really generic. 
  Cons: it's a bit difficult to understand
  Pros: Fast, powerful and very adaptable
  Cons: still in alpha stage
  Pros: Mature, easy to use
  Cons: Quite heavy, not so generic as the other solutions
 
  /var/www/wiki/htdocs/data/jaws/acces_control_lists.txt · Last modified: 2007/11/02 16:27