Hendrik Hofstadt | 0d7c91e | 2019-10-23 21:44:47 +0200

## Smalltown IAM

There are 4 kinds of elements in Smalltown's Authorization system:

* Identities
  * User
  * Key
  * Module
* Objects
  * Key
  * Secret
  * Module
* Policies
* Permissions

### Identity

Identities represent an actor that can execute **actions** like editing or interacting with an object.

Identities possess **permissions** and **properties** which can be accessed by policies.

### Objects

Objects are things that can be interacted with, like keys, secrets or modules.

Each object has a **policy** that handles authorization of **actions** performed on it.

When an object is created, a default policy is attached which forwards all decisions to the global policy.
For the first iteration of the system this policy will not be modifiable.

**WARNING**: by modifying a policy, an object could become inaccessible!

### Permissions

Permissions can be assigned to an identity.

| Property | Description | Example |
|----------|-------------|---------|
| Allowed Action | Regex specifying the allowed actions | key:meta:edit |
| Object | Regex specifying the objects this affects | keys:* |
| Multisig | Number of approvals required | 2 |

Optionally a permission can have a multisig flag that requires N approvals from identities with the same permission.

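An added example (not Smalltown's own code) of how the three permission properties above can be evaluated, including the multisig count that the global ruleset recommends for the `g:user:permission_add` and `g:user:permission_remove` actions. It assumes the action and object patterns are anchored Go regexes (so the table's glob-style `keys:*` would be written `keys:.*`), that the requester counts as one of the N approvals, and that each identity is counted at most once; the type and function names are hypothetical.

```go
package main

import "regexp"

// Permission mirrors the Permissions table: a regex over actions, a regex over
// object names, and the number of approvals required (0 or 1: no multisig).
type Permission struct {
	Action, Object *regexp.Regexp
	Multisig       int
}

// NewPermission anchors both regexes, so "key:sign:.*" cannot match "g:key:sign:x".
func NewPermission(action, object string, multisig int) Permission {
	anchor := func(re string) *regexp.Regexp { return regexp.MustCompile("^(?:" + re + ")$") }
	return Permission{Action: anchor(action), Object: anchor(object), Multisig: multisig}
}

// Identity is any actor (user, key or module) holding permissions.
type Identity struct {
	Name        string
	Permissions []Permission
}

// minMultisig reports whether id holds a permission covering action on object
// and, if so, the smallest approval count among the matching permissions.
func minMultisig(id Identity, action, object string) (need int, ok bool) {
	for _, p := range id.Permissions {
		if p.Action.MatchString(action) && p.Object.MatchString(object) && (!ok || p.Multisig < need) {
			need, ok = p.Multisig, true
		}
	}
	return need, ok
}

// Authorize (assumed reading of the ruleset): the requester must hold a matching
// permission, and a Multisig count N is met only when N distinct identities holding
// a matching permission (requester included) approved; other approvers are ignored.
func Authorize(requester Identity, approvers []Identity, action, object string) bool {
	need, ok := minMultisig(requester, action, object)
	if !ok {
		return false
	}
	approved := map[string]bool{requester.Name: true} // each identity counts once
	for _, a := range approvers {
		if _, ok := minMultisig(a, action, object); ok {
			approved[a.Name] = true
		}
	}
	return len(approved) >= need
}
```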
### Policies

Policies guard actions that are performed on an object.

By default a global policy governs all objects and global actions using an AWS IAM-like model.

Potentially a dynamic model using attachable policies could be implemented in the future to allow
for highly custom models.

A potential graphical representation of a future policy:



### Global Default Ruleset

This default global policy defines an AWS IAM-like permission system.

The following actions are implemented on objects:

| Category | Action | Description | Note |
|----------|--------|-------------|------|
| Object | object:view | Allow to view the object | Cannot be scripted using the policy builder |
| Object | object:delete | Allow to delete the object | |
| Object | object:attach:normal | Allow to attach the object to a module slot | |
| Object | object:attach:exclusive | Allow to attach the object to an exclusive module slot | |
| Object | object:policy:view | Allow to view the object's attached policy | |
| Object | object:policy:edit | Allow to edit the object's attached policy | |
| Object | object:audit:view | Allow to view the object's audit log | |
| Object:Key | key:sign:eddsa | Allow to sign using the key | |
| Object:Key | key:sign:ecdsa | Allow to sign using the key | |
| Object:Key | key:sign:rsa | Allow to sign using the key | |
| Object:Key | key:encrypt:rsa | Allow to encrypt using the key | |
| Object:Key | key:encrypt:des | Allow to encrypt using the key | |
| Object:Key | key:encrypt:3des | Allow to encrypt using the key | |
| Object:Key | key:encrypt:aes | Allow to encrypt using the key | |
| Object:Key | key:decrypt:rsa | Allow to decrypt using the key | |
| Object:Key | key:decrypt:des | Allow to decrypt using the key | |
| Object:Key | key:decrypt:3des | Allow to decrypt using the key | |
| Object:Key | key:decrypt:aes | Allow to decrypt using the key | |
| Object:Key | key:auth:hmac | Allow to auth messages using the key | |
| Object:Secret | secret:reveal | Allow to reveal a secret to the identity | |
| Object:Module | module:update | Allow to update a module's bytecode | Updates verify the module signature |
| Object:Module | module:config | Allow to configure a module | Assigning objects to slots requires additional permissions on that object |
| Object:Module | module:call:* | Allow to call a function of the module | Function names are defined in the module and vary between modules |

The following actions are implemented globally:

| Category | Action | Description | Note |
|----------|--------|-------------|------|
| Object | g:key:generate | Allow to generate a key | |
| Object | g:key:import | Allow to import a key | |
| Object | g:secret:import | Allow to import a secret | |
| Object | g:module:install | Allow to install a module | |
| Object | g:user:create | Allow to create a user | |
| Object | g:user:permission_remove | Allow to remove a permission from a user | **Privilege Escalation Risk**: Recommend Multisig |
| Object | g:user:permission_add | Allow to add a permission to a user | **Privilege Escalation Risk**: Recommend Multisig |
| Object | g:cluster:view | Allow to view cluster nodes | |
| Object | g:cluster:add | Allow to add a node to the cluster | **Dangerous**: Recommend Multisig |
| Object | g:cluster:remove | Allow to remove a node from the cluster | **Dangerous**: Recommend Multisig |
| Object | g:config:edit | Allow to edit the global config | |
