2023-03-01 01:28:00 +01:00
<!DOCTYPE HTML>
< html lang = "en" class = "sidebar-visible no-js light" >
< head >
<!-- Book generated using mdBook -->
< meta charset = "UTF-8" >
< title > Elevated Priv Mode - Kanidm Administration< / title >
<!-- Custom HTML head -->
< meta name = "description" content = "" >
< meta name = "viewport" content = "width=device-width, initial-scale=1" >
< meta name = "theme-color" content = "#ffffff" / >
< link rel = "shortcut icon" href = "../../favicon.png" >
< link rel = "stylesheet" href = "../../css/variables.css" >
< link rel = "stylesheet" href = "../../css/general.css" >
< link rel = "stylesheet" href = "../../css/chrome.css" >
< link rel = "stylesheet" href = "../../css/print.css" media = "print" >
<!-- Fonts -->
< link rel = "stylesheet" href = "../../FontAwesome/css/font-awesome.css" >
< link rel = "stylesheet" href = "../../fonts/fonts.css" >
<!-- Highlight.js Stylesheets -->
< link rel = "stylesheet" href = "../../highlight.css" >
< link rel = "stylesheet" href = "../../tomorrow-night.css" >
< link rel = "stylesheet" href = "../../ayu-highlight.css" >
<!-- Custom theme stylesheets -->
< / head >
< body >
< div id = "body-container" >
<!-- Provide site root to javascript -->
< script >
var path_to_root = "../../";
var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "navy" : "light";
< / script >
<!-- Work around some values being stored in localStorage wrapped in quotes -->
< script >
try {
var theme = localStorage.getItem('mdbook-theme');
var sidebar = localStorage.getItem('mdbook-sidebar');
if (theme.startsWith('"') & & theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}
if (sidebar.startsWith('"') & & sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
< / script >
<!-- Set the theme before any content is loaded, prevents flash -->
< script >
var theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
var html = document.querySelector('html');
html.classList.remove('no-js')
html.classList.remove('light')
html.classList.add(theme);
html.classList.add('js');
< / script >
<!-- Hide / unhide sidebar before it is displayed -->
< script >
var html = document.querySelector('html');
var sidebar = 'hidden';
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
}
html.classList.remove('sidebar-visible');
html.classList.add("sidebar-" + sidebar);
< / script >
< nav id = "sidebar" class = "sidebar" aria-label = "Table of contents" >
< div class = "sidebar-scrollbox" >
2023-03-02 04:03:10 +01:00
< ol class = "chapter" > < li class = "chapter-item expanded " > < a href = "../../intro.html" > < strong aria-hidden = "true" > 1.< / strong > Introduction to Kanidm< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../installing_the_server.html" > < strong aria-hidden = "true" > 2.< / strong > Installing the Server< / a > < / li > < li > < ol class = "section" > < li class = "chapter-item expanded " > < a href = "../../choosing_a_domain_name.html" > < strong aria-hidden = "true" > 2.1.< / strong > Choosing a Domain Name< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../prepare_the_server.html" > < strong aria-hidden = "true" > 2.2.< / strong > Preparing for your Deployment< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../server_configuration.html" > < strong aria-hidden = "true" > 2.3.< / strong > Server Configuration and Install< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../security_hardening.html" > < strong aria-hidden = "true" > 2.4.< / strong > Platform Security Hardening< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../server_update.html" > < strong aria-hidden = "true" > 2.5.< / strong > Server Updates< / a > < / li > < / ol > < / li > < li class = "chapter-item expanded " > < a href = "../../client_tools.html" > < strong aria-hidden = "true" > 3.< / strong > Client Tools< / a > < / li > < li > < ol class = "section" > < li class = "chapter-item expanded " > < a href = "../../installing_client_tools.html" > < strong aria-hidden = "true" > 3.1.< / strong > Installing client tools< / a > < / li > < / ol > < / li > < li class = "chapter-item expanded " > < li class = "part-title" > Administration< / li > < li class = "chapter-item expanded " > < a href = "../../administrivia.html" > < strong aria-hidden = "true" > 4.< / strong > Administration< / a > < / li > < li > < ol class = "section" > < li class = "chapter-item expanded " > < a href = "../../accounts_and_groups.html" > < strong aria-hidden = "true" > 4.1.< / strong > Accounts and Groups< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../posix_accounts.html" > < strong aria-hidden = "true" > 4.2.< / strong > POSIX Accounts and Groups< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../backup_restore.html" > < strong aria-hidden = "true" > 4.3.< / strong > Backup and Restore< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../database_maint.html" > < strong aria-hidden = "true" > 4.4.< / strong > Database Maintenance< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../domain_rename.html" > < strong aria-hidden = "true" > 4.5.< / strong > Domain Rename< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../monitoring.html" > < strong aria-hidden = "true" > 4.6.< / strong > Monitoring the platform< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../password_quality.html" > < strong aria-hidden = "true" > 4.7.< / strong > Password Quality and Badlisting< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../recycle_bin.html" > < strong aria-hidden = "true" > 4.8.< / strong > The Recycle Bin< / a > < / li > < / ol > < / li > < li class = "chapter-item expanded " > < li class = "part-title" > Services< / li > < li class = "chapter-item expanded " > < a href = "../../integrations/pam_and_nsswitch.html" > < strong aria-hidden = "true" > 5.< / strong > PAM and nsswitch< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../ssh_key_dist.html" > < strong aria-hidden = "true" > 6.< / strong > SSH Key Distribution< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../integrations/oauth2.html" > < strong aria-hidden = "true" > 7.< / strong > Oauth2< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../integrations/ldap.html" > < strong aria-hidden = "true" > 8.< / strong > LDAP< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../integrations/radius.html" > < strong aria-hidden = "true" > 9.< / strong > RADIUS< / a > < / li > < li class = "chapter-item expanded affix " > < li class = "part-title" > Synchronisation< / li > < li class = "chapter-item expanded " > < a href = "../../sync/concepts.html" > < strong aria-hidden = "true" > 10.< / strong > Concepts< / a > < / li > < li class = "chapter-item expanded " > < a href = "../../sync/freeipa.html" > < strong aria-hidden = "true" > 11.< / strong > FreeIPA< / a > < / li > < li class = "chapter-item expanded affix " > < li class = "part-title" > Integration Examples< / li > < li class = "chapter-item expanded " > < a href = "../../examples/k8s_ingress_example.html" > < strong aria-hidden = "true" > 12.< / strong > Kubernetes I
2023-03-01 01:28:00 +01:00
< / div >
< div id = "sidebar-resize-handle" class = "sidebar-resize-handle" > < / div >
< / nav >
< div id = "page-wrapper" class = "page-wrapper" >
< div class = "page" >
< div id = "menu-bar-hover-placeholder" > < / div >
< div id = "menu-bar" class = "menu-bar sticky bordered" >
< div class = "left-buttons" >
< button id = "sidebar-toggle" class = "icon-button" type = "button" title = "Toggle Table of Contents" aria-label = "Toggle Table of Contents" aria-controls = "sidebar" >
< i class = "fa fa-bars" > < / i >
< / button >
< button id = "theme-toggle" class = "icon-button" type = "button" title = "Change theme" aria-label = "Change theme" aria-haspopup = "true" aria-expanded = "false" aria-controls = "theme-list" >
< i class = "fa fa-paint-brush" > < / i >
< / button >
< ul id = "theme-list" class = "theme-popup" aria-label = "Themes" role = "menu" >
< li role = "none" > < button role = "menuitem" class = "theme" id = "light" > Light< / button > < / li >
< li role = "none" > < button role = "menuitem" class = "theme" id = "rust" > Rust< / button > < / li >
< li role = "none" > < button role = "menuitem" class = "theme" id = "coal" > Coal< / button > < / li >
< li role = "none" > < button role = "menuitem" class = "theme" id = "navy" > Navy< / button > < / li >
< li role = "none" > < button role = "menuitem" class = "theme" id = "ayu" > Ayu< / button > < / li >
< / ul >
< button id = "search-toggle" class = "icon-button" type = "button" title = "Search. (Shortkey: s)" aria-label = "Toggle Searchbar" aria-expanded = "false" aria-keyshortcuts = "S" aria-controls = "searchbar" >
< i class = "fa fa-search" > < / i >
< / button >
< / div >
< h1 class = "menu-title" > Kanidm Administration< / h1 >
< div class = "right-buttons" >
< a href = "../../print.html" title = "Print this book" aria-label = "Print this book" >
< i id = "print-button" class = "fa fa-print" > < / i >
< / a >
< a href = "https://github.com/kanidm/kanidm" title = "Git repository" aria-label = "Git repository" >
< i id = "git-repository-button" class = "fa fa-github" > < / i >
< / a >
2023-03-02 04:03:10 +01:00
< a href = "https://github.com/kanidm/kanidm/edit/master/book/src/developers/designs/elevated_priv_mode.md" title = "Suggest an edit" aria-label = "Suggest an edit" >
2023-03-01 01:28:00 +01:00
< i id = "git-edit-button" class = "fa fa-edit" > < / i >
< / a >
< / div >
< / div >
< div id = "search-wrapper" class = "hidden" >
< form id = "searchbar-outer" class = "searchbar-outer" >
< input type = "search" id = "searchbar" name = "searchbar" placeholder = "Search this book ..." aria-controls = "searchresults-outer" aria-describedby = "searchresults-header" >
< / form >
< div id = "searchresults-outer" class = "searchresults-outer hidden" >
< div id = "searchresults-header" class = "searchresults-header" > < / div >
< ul id = "searchresults" >
< / ul >
< / div >
< / div >
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
< script >
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
});
< / script >
< div id = "content" class = "content" >
< main >
< h1 id = "elevation-of-privilege-inside-user-sessions" > < a class = "header" href = "#elevation-of-privilege-inside-user-sessions" > Elevation of Privilege Inside User Sessions< / a > < / h1 >
< p > To improve user experience, we need to allow long lived sessions in browsers. This is especially
important as a single sign on system, users tend to be associated 1 to 1 with devices, and by having
longer lived sessions, they have a smoother experience.< / p >
< p > However, we also don't want user sessions to have unbound write permissions for the entire (possibly
unlimited) duration of their session.< / p >
< p > Prior art for this is github, which has unbounded sessions on machines and requests a
re-authentication when a modifying or sensitive action is to occur.< / p >
< p > For us to implement this will require some changes to how we manage sessions.< / p >
< h2 id = "session-issuance" > < a class = "header" href = "#session-issuance" > Session Issuance< / a > < / h2 >
< ul >
< li >
< p > ISSUE: Sessions are issued identically for service-accounts and persons< / p >
< / li >
< li >
< p > CHANGE: service-accounts require a hard/short session expiry limit and always have elevated
permissions< / p >
< / li >
< li >
< p > CHANGE: persons require no session expiry and must request elevation for privs.< / p >
< / li >
< li >
< p > ISSUE: Sessions currently indicate all read-write types as the same access scope type.< / p >
< / li >
< li >
< p > CHANGE: Split sessions to show rwalways, rwcapable, rwactive< / p >
< / li >
< li >
< p > ISSUE: Sessions currently are recorded identically between service-accounts, persons, and api
tokens< / p >
< / li >
< li >
< p > CHANGE: Change the session storage types to have unique session types for these ✅< / p >
< / li >
< li >
< p > ISSUE: Access Scope types are confused by api session using the same types.< / p >
< / li >
< li >
< p > CHANGE: Use access scope only as the end result of current effective permission calculation and
not as a method to convert to anything else. ✅< / p >
< p > AccessScope { ReadOnly, ReadWrite, Synchronise }< / p >
< p > // Bound by token expiry ApiTokenScope { ReadOnly, ReadWrite, Synchronise }< / p >
< p > UatTokenScope { ReadOnly, // Want to avoid " read write" here to prevent dev confusion.
PrivilegeCapable, PrivilegeActive { expiry }, ReadWrite, }< / p >
< p > SessionScope { Ro, RwAlways, PrivCapable, }< / p >
< p > ApiTokenScope { RO RW Sync }< / p >
< p > AuthSession if service account rw always, bound expiry< / p >
< pre > < code > if person
priv cap, unbound exp
- Should we have a " trust the machine flag" to limit exp though?
- can we do other types of cryptographic session binding?
< / code > < / pre >
< / li >
< / ul >
< h2 id = "session-validation" > < a class = "header" href = "#session-validation" > Session Validation< / a > < / h2 >
< ul >
< li > CHANGE: Session with PrivCapable indicates that re-auth can be performed.< / li >
< li > CHANGE: Improve how Uat/Api Token scopes become Access Scopes< / li >
< li > CHANGE: Remove all AccessScope into other types. ✅< / li >
< / ul >
< h2 id = "session-re-authentication" > < a class = "header" href = "#session-re-authentication" > Session Re-Authentication< / a > < / h2 >
< ul >
< li >
< p > Must be performed by the same credential that issued the session originally< / p >
< ul >
< li > This is now stored in the session metadata itself.< / li >
< li > Does it need to be in the cred-id?< / li >
< / ul >
< / li >
< li >
< p > CHANGE: Store the cred id in UAT so that a replica can process the operation in a replication sync
failure?< / p >
< ul >
< li > This would rely on re-writing the session.< / li >
< / ul >
< / li >
< li >
< p > CHANGE: Should we record in the session when priv-escalations are performed?< / p >
< / li >
< / ul >
< h2 id = "misc" > < a class = "header" href = "#misc" > Misc< / a > < / h2 >
< ul >
< li > CHANGE: Compact/shrink UAT size if possible.< / li >
< / ul >
< h2 id = "diagram" > < a class = "header" href = "#diagram" > Diagram< / a > < / h2 >
< pre > < code > Set
┌───────────────────────PrivActive────────────────────┐
│ + Exp │
│ │
┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐ │ .───────────. ┌────────────────┐
│ ┌────────────────▶( If Priv Cap )───────▶│Re-Auth-Allowed │
│ │ │ │ `───────────' └────────────────┘
DB Content ┌ ─ ─ ─ ┼ ─ ┼ ─ ─ ─ ─ ─ ─ ─ ─
┌───────────────────┐ │ │ JWT │ │ │
│ │ │ ▼ │
│ AuthSession │ │ ┌──────────────┐ │ ┌──────────────┐ │
│ │ │SessionScope │ │ │UatScope │
│ Service Account │ │ │- RO │ │ │- RO │ │
│ -> RWAlways │──────────────────▶│- RW │─────────┼──▶│- RW │──────────────────────────┐
│ │ │ │- PrivCapable │ │ │- PrivCapable │ │ │
│ Person │ └──────────────┘ │ │- PrivActive │ │
│ -> PrivCap │ │ │ └──────────────┘ │ │
│ │ │ │
└───────────────────┘ │ │ │ ▼
│ ┌──────────────┐
│ │ │ │AccessScope │ ┌───────────────┐
│ │- RO │ │ │
│ │ │ │- RW │───────────▶ │Access Controls│
│ │- Sync │ │ │
┌───────────────────┐ │ ┌─────────────────┐ │ ┌──────────────┐ │ └──────────────┘ └───────────────┘
│ │ │ApiSessionScope │ │ │ApiTokenScope │ ▲
│ Create API Token │ │ │- RO │ │ │- RO │ │ │
│ │───────────────▶│- RW │────────┼───▶│- RW │─────────────────────────┘
│Access Based On Req│ │ │- Sync │ │ │- Sync │ │
│ │ └─────────────────┘ │ │ │
└───────────────────┘ │ │ └──────────────┘ │
│
│ │ │
─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ └ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
< / code > < / pre >
< h2 id = "todo" > < a class = "header" href = "#todo" > TODO:< / a > < / h2 >
< ol >
< li > Remove the ident-only access scope, it's useless! ✅< / li >
< li > Split tokens to have a dedicated session type separate to uat sessions. ✅< / li >
< li > Change uat session access scope recording to match service-account vs person intent.< / li >
< li > Change UAT session issuance to have the uat purpose reflect the readwrite or readwrite-capable
nature of the session, based on < em > auth-type< / em > that was used.< / li >
< li > Based on auth-type, limit or unlimit expiry to match the intent of the session.< / li >
< / ol >
< / main >
< nav class = "nav-wrapper" aria-label = "Page navigation" >
<!-- Mobile navigation buttons -->
< a rel = "prev" href = "../../developers/designs/rest_interface.html" class = "mobile-nav-chapters previous" title = "Previous chapter" aria-label = "Previous chapter" aria-keyshortcuts = "Left" >
< i class = "fa fa-angle-left" > < / i >
< / a >
< a rel = "next" href = "../../developers/python.html" class = "mobile-nav-chapters next" title = "Next chapter" aria-label = "Next chapter" aria-keyshortcuts = "Right" >
< i class = "fa fa-angle-right" > < / i >
< / a >
< div style = "clear: both" > < / div >
< / nav >
< / div >
< / div >
< nav class = "nav-wide-wrapper" aria-label = "Page navigation" >
< a rel = "prev" href = "../../developers/designs/rest_interface.html" class = "nav-chapters previous" title = "Previous chapter" aria-label = "Previous chapter" aria-keyshortcuts = "Left" >
< i class = "fa fa-angle-left" > < / i >
< / a >
< a rel = "next" href = "../../developers/python.html" class = "nav-chapters next" title = "Next chapter" aria-label = "Next chapter" aria-keyshortcuts = "Right" >
< i class = "fa fa-angle-right" > < / i >
< / a >
< / nav >
< / div >
< script >
window.playground_copyable = true;
< / script >
< script src = "../../elasticlunr.min.js" > < / script >
< script src = "../../mark.min.js" > < / script >
< script src = "../../searcher.js" > < / script >
< script src = "../../clipboard.min.js" > < / script >
< script src = "../../highlight.js" > < / script >
< script src = "../../book.js" > < / script >
<!-- Custom JS scripts -->
< / div >
< / body >
< / html >
