Network Working Group E. Stokes
Request for Comments: 2820 D. Byrne
Category: Informational IBM
B. Blakley
Dascom
P. Behera
Netscape
May 2000
Network Working Group E. Stokes
Request for Comments: 2820 D. Byrne
Category: Informational IBM
B. Blakley
Dascom
P. Behera
Netscape
May 2000
Access Control Requirements for LDAP
LDAP的访问控制要求
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
Abstract
摘要
This document describes the fundamental requirements of an access control list (ACL) model for the Lightweight Directory Application Protocol (LDAP) directory service. It is intended to be a gathering place for access control requirements needed to provide authorized access to and interoperability between directories.
本文档描述了轻量级目录应用程序协议(LDAP)目录服务的访问控制列表(ACL)模型的基本要求。它旨在成为访问控制需求的聚集地,以提供对目录的授权访问和目录之间的互操作性。
The keywords "MUST", "SHOULD", and "MAY" used in this document are to be interpreted as described in [bradner97].
本文件中使用的关键词“必须”、“应该”和“可能”应按照[bradner97]中所述进行解释。
The ability to securely access (replicate and distribute) directory information throughout the network is necessary for successful deployment. LDAP's acceptance as an access protocol for directory information is driving the need to provide an access control model definition for LDAP directory content among servers within an enterprise and the Internet. Currently LDAP does not define an access control model, but is needed to ensure consistent secure access across heterogeneous LDAP implementations. The requirements for access control are critical to the successful deployment and acceptance of LDAP in the market place.
在整个网络中安全访问(复制和分发)目录信息的能力是成功部署所必需的。LDAP被接受为目录信息的访问协议,这促使人们需要为企业和Internet中的服务器之间的LDAP目录内容提供访问控制模型定义。目前LDAP没有定义访问控制模型,但需要它来确保跨异构LDAP实现的一致安全访问。访问控制要求对于LDAP在市场上的成功部署和接受至关重要。
The RFC 2119 terminology is used in this document.
本文件中使用了RFC 2119术语。
The major objective is to provide a simple, but secure, highly efficient access control model for LDAP while also providing the appropriate flexibility to meet the needs of both the Internet and enterprise environments and policies.
主要目标是为LDAP提供一个简单、安全、高效的访问控制模型,同时提供适当的灵活性以满足Internet和企业环境和策略的需要。
This generally leads to several general requirements that are discussed below.
这通常导致以下讨论的几个一般要求。
This section is divided into several areas of requirements: general, semantics/policy, usability, and nested groups (an unresolved issue). The requirements are not in any priority order. Examples and explanatory text is provided where deemed necessary. Usability is perhaps the one set of requirements that is generally overlooked, but must be addressed to provide a secure system. Usability is a security issue, not just a nice design goal and requirement. If it is impossible to set and manage a policy for a secure situation that a human can understand, then what was set up will probably be non-secure. We all need to think of usability as a functional security requirement.
本节分为几个需求领域:一般、语义/策略、可用性和嵌套组(未解决的问题)。这些要求没有任何优先顺序。必要时提供示例和解释性文本。可用性可能是一组通常被忽略的需求,但必须加以解决以提供一个安全的系统。可用性是一个安全问题,而不仅仅是一个好的设计目标和要求。如果不可能为人类能够理解的安全情况设置和管理策略,那么所设置的可能是不安全的。我们都需要将可用性视为一种功能安全需求。
G1. Model SHOULD be general enough to support extensibility to add desirable features in the future.
G1。模型应该足够通用,以支持可扩展性,以便在将来添加所需的特性。
G2. When in doubt, safer is better, especially when establishing defaults.
G2。当有疑问时,越安全越好,尤其是在确定违约时。
G3. ACL administration SHOULD be part of the LDAP protocol. Access control information MUST be an LDAP attribute.
G3。ACL管理应该是LDAP协议的一部分。访问控制信息必须是LDAP属性。
G4. Object reuse protection SHOULD be provided and MUST NOT inhibit implementation of object reuse. The directory SHOULD support policy controlling the re-creation of deleted DNs, particularly in cases where they are re-created for the purpose of assigning them to a subject other than the owner of the deleted DN.
G4。应提供对象重用保护,且不得阻止对象重用的实现。目录应支持控制已删除DNs的重新创建的策略,特别是在重新创建这些DNs以将其分配给已删除DN所有者以外的主题的情况下。
S1. Omitted as redundant; see U8.
S1。因多余而省略;见U8。
S2. More specific policies must override less specific ones (e.g. individual user entry in ACL SHOULD take precedence over group entry) for the evaluation of an ACL.
S2。对于ACL的评估,更具体的策略必须覆盖不太具体的策略(例如,ACL中的单个用户条目应优先于组条目)。
S3. Multiple policies of equal specificity SHOULD be combined in some easily-understood way (e.g. union or intersection). This is best understood by example. Suppose user A belongs to 3 groups and those 3 groups are listed on the ACL. Also suppose that the permissions for each of those groups are not identical. Each group is of equal specificity (e.g. each group is listed on the ACL) and the policy for granting user A access (given the example) SHOULD be combined in some easily understood way, such as by intersection or union. For example, an intersection policy here may yield a more limited access for user A than a union policy.
S3。应以易于理解的方式(如并集或交叉)组合具有相同特性的多个策略。最好通过例子来理解这一点。假设用户A属于3个组,并且这3个组列在ACL上。还假设这些组中的每个组的权限都不相同。每个组都具有相同的特异性(例如,每个组都列在ACL上),并且授予用户访问权限的策略(给定示例)应该以某种易于理解的方式组合,例如通过交叉或联合。例如,此处的交叉点策略可能会为用户a提供比联合策略更有限的访问权限。
S4. Newly created directory entries SHOULD be subject to a secure default policy.
S4。新创建的目录项应遵守安全默认策略。
S5. Access policy SHOULD NOT be expressed in terms of attributes which the directory administrator or his organization cannot administer (e.g. groups whose membership is administered by another organization).
S5。访问策略不应表示为目录管理员或其组织无法管理的属性(例如,其成员资格由另一组织管理的组)。
S6. Access policy SHOULD NOT be expressed in terms of attributes which are easily forged (e.g. IP addresses). There may be valid reasons for enabling access based on attributes that are easily forged and the behavior/implications of doing that should be documented.
中六。访问策略不应表示为容易伪造的属性(例如IP地址)。基于容易伪造的属性启用访问可能有合理的理由,并且应该记录这样做的行为/含义。
S7. Humans (including administrators) SHOULD NOT be required to manage access policy on the basis of attributes which are not "human-readable" (e.g. IP addresses).
S7。不应要求人员(包括管理员)根据非“人类可读”的属性(例如IP地址)管理访问策略。
S8. It MUST be possible to deny a subject the right to invoke a directory operation. The system SHOULD NOT require a specific implementation of denial (e.g. explicit denial, implicit denial).
S8。必须可以拒绝主题调用目录操作的权利。系统不应要求特定的拒绝实施(例如,显式拒绝、隐式拒绝)。
S9. The system MUST be able (semantically) to support either default-grant or default-deny semantics (not simultaneously).
S9。系统必须能够(在语义上)支持默认授予或默认拒绝语义(而不是同时)。
S10. The system MUST be able to support either union semantics or intersection semantics for aggregate subjects (not simultaneously).
S10。系统必须能够支持聚合主题的联合语义或交叉语义(而不是同时)。
S11. Absence of policy SHOULD be interpretable as grant or deny. Deny takes precedence over grant among entries of equal specificity.
S11。缺乏政策应解释为同意或拒绝。在具有相同特异性的条目中,拒绝优先于授予。
S12. ACL policy resolution MUST NOT depend on the order of entries in the ACL.
S12。ACL策略解析不能依赖于ACL中条目的顺序。
S13. Rights management MUST have no side effects. Granting a subject one right to an object MUST NOT implicitly grant the same or any other subject a different right to the same object. Granting a
S13。权限管理必须没有副作用。授予主体对某一客体的一项权利不得含蓄地授予同一主体或任何其他主体对同一客体的不同权利。批准
privilege attribute to one subject MUST NOT implicitly grant the same privilege attribute to any other subject. Granting a privilege attribute to one subject MUST NOT implicitly grant a different privilege attribute to the same or any other subject. Definition: An ACL's "scope" is defined as the set of directory objects governed by the policy it defines; this set of objects is a sub-tree of the directory. Changing the policy asserted by an ACL (by changing one or more of its entries) MUST NOT implicitly change the policy governed by an ACL in a different scope.
一个主体的特权属性不得隐式地将相同的特权属性授予任何其他主体。向一个主体授予特权属性不得隐式地向同一主体或任何其他主体授予不同的特权属性。定义:ACL的“范围”定义为受其定义的策略管辖的目录对象集;这组对象是目录的一个子树。更改ACL声明的策略(通过更改其一个或多个条目)不得隐式更改不同范围内由ACL管辖的策略。
S14. It SHOULD be possible to apply a single policy to multiple directory entries, even if those entries are in different subtrees. Applying a single policy to multiple directory entries SHOULD NOT require creation and storage of multiple copies of the policy data. The system SHOULD NOT require a specific implementation (e.g. nested groups, named ACLs) of support for policy sharing.
S14。应该可以对多个目录条目应用单个策略,即使这些条目位于不同的子树中。将单个策略应用于多个目录项不应要求创建和存储策略数据的多个副本。系统不应要求支持策略共享的特定实现(例如嵌套组、命名ACL)。
U1. When in doubt, simpler is better, both at the interface and in the implementation.
U1。如果有疑问,在接口和实现方面越简单越好。
U2. Subjects MUST be drawn from the "natural" LDAP namespace; they should be DNs.
U2。主题必须从“自然”LDAP名称空间中提取;它们应该是DNs。
U3. It SHOULD NOT be possible via ACL administration to lock all users, including all administrators, out of the directory.
U3。不能通过ACL管理将所有用户(包括所有管理员)锁定在目录之外。
U4. Administrators SHOULD NOT be required to evaluate arbitrary Boolean predicates in order to create or understand policy.
U4。为了创建或理解策略,不应要求管理员评估任意布尔谓词。
U5. Administrators SHOULD be able to administer access to directories and their attributes based on their sensitivity, without having to understand the semantics of individual schema elements and their attributes (see U9).
U5。管理员应该能够根据其敏感性管理对目录及其属性的访问,而不必理解单个模式元素及其属性的语义(请参见U9)。
U6. Management of access to resources in an entire subtree SHOULD require only one ACL (at the subtree root). Note that this makes access control based explicitly on attribute types very hard, unless you constrain the types of entries in subtrees. For example, another attribute is added to an entry. That attribute may fall outside the grouping covered by the ACL and hence require additional administration where the desired affect is indeed a different ACL. Access control information specified in one administrative area MUST NOT have jurisdiction in another area. You SHOULD NOT be able to control access to the aliased entry in the alias. You SHOULD be able to control access to the alias name.
U6。管理对整个子树中资源的访问应该只需要一个ACL(位于子树根)。请注意,这使得显式基于属性类型的访问控制非常困难,除非约束子树中的条目类型。例如,将另一个属性添加到条目中。该属性可能不在ACL覆盖的分组范围内,因此需要额外的管理,其中所需的影响实际上是不同的ACL。在一个行政区域指定的访问控制信息不得在另一个区域具有管辖权。您应该无法控制对别名中别名项的访问。您应该能够控制对别名的访问。
U7. Override of subtree policy MUST be supported on a per-directory-entry basis.
U7。必须基于每个目录条目支持子树策略的重写。
U8. Control of access to individual directory entry attributes (not just the whole directory entry) MUST be supported.
U8。必须支持对单个目录条目属性(而不仅仅是整个目录条目)的访问控制。
U9. Administrator MUST be able to coarsen access policy granularity by grouping attributes with similar access sensitivities.
U9。管理员必须能够通过对具有类似访问敏感性的属性进行分组来粗化访问策略粒度。
U10. Control of access on a per-user granularity MUST be supported.
U10。必须支持按用户粒度控制访问。
U11. Administrator MUST be able to aggregate users (for example, by assigning them to groups or roles) to simplify administration.
U11。管理员必须能够聚合用户(例如,通过将用户分配到组或角色),以简化管理。
U12. It MUST be possible to review "effective access" of any user, group, or role to any entry's attributes. This aids the administrator in setting the correct policy.
U12。必须能够查看任何用户、组或角色对任何条目属性的“有效访问”。这有助于管理员设置正确的策略。
U13. A single administrator SHOULD be able to define policy for the entire directory tree. An administrator MUST be able to delegate policy administration for specific subtrees to other users. This allows for the partitioning of the entire directory tree for policy administration, but still allows a single policy to be defined for the entire tree independent of partitioning. (Partition in this context means scope of administration). An administrator MUST be able to create new partitions at any point in the directory tree, and MUST be able to merge a superior and subordinate partition. An administrator MUST be able to configure whether delegated access control information from superior partitions is to be accepted or not.
U13。单个管理员应该能够为整个目录树定义策略。管理员必须能够将特定子树的策略管理委托给其他用户。这允许对整个目录树进行分区以进行策略管理,但仍然允许为整个目录树定义独立于分区的单个策略。(本文中的分区指管理范围)。管理员必须能够在目录树中的任何位置创建新分区,并且必须能够合并上级分区和下级分区。管理员必须能够配置是否接受来自上级分区的委派访问控制信息。
U14. It MUST be possible to authorize users to traverse directory structure even if they are not authorized to examine or modify some traversed entries; it MUST also be possible to prohibit this. The tree structure MUST be able to be protected from view if so desired by the administrator.
U14。必须能够授权用户遍历目录结构,即使他们无权检查或修改某些遍历的条目;也必须有可能禁止这种行为。如果管理员需要,必须能够保护树结构不被查看。
U15. It MUST be possible to create publicly readable entries, which may be read even by unauthenticated clients.
U15。必须能够创建公开可读的条目,即使未经验证的客户端也可以读取这些条目。
U16. The model for combining multiple access control list entries referring to a single individual MUST be easy to understand.
U16。组合多个访问控制列表项(指单个用户)的模型必须易于理解。
U17. Administrator MUST be able to determine where inherited policy information comes from, that is, where ACLs are located and which ACLs were applied. Where inheritance of ACLs is applied, it must be able to be shown how/where that new ACL is derived from.
U17。管理员必须能够确定继承的策略信息来自何处,即ACL位于何处以及应用了哪些ACL。在应用ACL继承的地方,必须能够显示新ACL的派生方式/来源。
U18. It SHOULD be possible for the administrator to configure the access control system to permit users to grant additional access control rights for entries which they create.
U18。管理员应该可以配置访问控制系统,以允许用户为其创建的条目授予额外的访问控制权限。
Access control is a security consideration. This documents addresses the requirements.
访问控制是一项安全考虑。本文件阐述了这些要求。
This glossary is intended to aid the novice not versed in depth about access control. It contains a list of terms and their definitions that are commonly used in discussing access control [emca].
本词汇表旨在帮助不精通访问控制的新手。它包含讨论访问控制[emca]时常用的术语及其定义的列表。
Access control - The prevention of use of a resource by unidentified and/or unauthorized entities in any other that an authorized manner.
访问控制-防止身份不明和/或未经授权的实体以任何其他授权方式使用资源。
Access control list - A set of control attributes. It is a list, associated with a security object or a group of security objects. The list contains the names of security subjects and the type of access that may be granted.
访问控制列表-一组控制属性。它是一个列表,与一个安全对象或一组安全对象关联。该列表包含安全主题的名称和可能授予的访问类型。
Access control policy - A set of rules, part of a security policy, by which human users, or their representatives, are authenticated and by which access by these users to applications and other services and security objects is granted or denied.
访问控制策略-一组规则,是安全策略的一部分,通过这些规则对用户或其代表进行身份验证,并通过这些规则授予或拒绝这些用户对应用程序、其他服务和安全对象的访问。
Access context - The context, in terms of such variables as location, time of day, level of security of the underlying associations, etc., in which an access to a security object is made.
访问上下文—根据位置、时间、基础关联的安全级别等变量,对安全对象进行访问的上下文。
Authorization - The granting of access to a security object.
授权-授予对安全对象的访问权限。
Authorization policy - A set of rules, part of an access control policy, by which access by security subjects to security objects is granted or denied. An authorization policy may be defined in terms of access control lists, capabilities, or attributes assigned to security subjects, security objects, or both.
授权策略—一组规则,是访问控制策略的一部分,通过这些规则,安全主体可以授予或拒绝对安全对象的访问。授权策略可以根据分配给安全主体、安全对象或两者的访问控制列表、功能或属性来定义。
Control attributes - Attributes, associated with a security object that, when matched against the privilege attributes of a security subject, are used to grant or deny access to the security object. An access control list or list of rights or time of day range are examples of control attributes.
控制属性—与安全对象关联的属性,当与安全主题的权限属性匹配时,这些属性用于授予或拒绝对安全对象的访问。访问控制列表或权限列表或时间范围是控制属性的示例。
Credentials - Data that serve to establish the claimed identity of a security subject relative to a given security domain.
凭据—用于建立安全主体相对于给定安全域的声明身份的数据。
Privilege attributes - Attributes, associated with a security subject that, when matched against control attributes of a security object, are used to grant or deny access to that subject. Group and role memberships are examples of privilege attributes.
特权属性—与安全主题关联的属性,当与安全对象的控制属性匹配时,这些属性用于授予或拒绝对该主题的访问。组和角色成员身份是特权属性的示例。
Security attributes - A general term covering both privilege attributes and control attributes. The use of security attributes is defined by a security policy.
安全属性-涵盖权限属性和控制属性的通用术语。安全属性的使用由安全策略定义。
Security object - An entity in a passive role to which a security policy applies.
安全对象-应用安全策略的被动角色实体。
Security policy - A general term covering both access control policies and authorization policies.
安全策略-涵盖访问控制策略和授权策略的通用术语。
Security subject - An entity in an active role to which a security policy applies.
安全主体-处于活动角色的实体,安全策略适用于该实体。
[ldap] Kille, S., Howes, T. and M. Wahl, "Lightweight Directory Access Protocol (v3)", RFC 2251, August 1997.
[ldap]Kille,S.,Howes,T.和M.Wahl,“轻量级目录访问协议(v3)”,RFC 2251,1997年8月。
[ecma] ECMA, "Security in Open Systems: A Security Framework" ECMA TR/46, July 1988.
[ecma]ecma,“开放系统中的安全:安全框架”,ecma TR/461988年7月。
[bradner97] Bradner, S., "Key Words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[bradner97]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
Bob Blakley Dascom 5515 Balcones Drive Austin, TX 78731 USA
Bob Blakley Dascom 5515 Balcones Drive Austin,TX 78731美国
Phone: +1 512 458 4037 ext 5012
Fax: +1 512 458 2377
EMail: blakley@dascom.com
Phone: +1 512 458 4037 ext 5012
Fax: +1 512 458 2377
EMail: blakley@dascom.com
Ellen Stokes IBM 11400 Burnet Rd Austin, TX 78758 USA
美国德克萨斯州奥斯汀伯内特路11400号爱伦斯托克斯IBM 78758
Phone: +1 512 838 3725
Fax: +1 512 838 0156
EMail: stokes@austin.ibm.com
Phone: +1 512 838 3725
Fax: +1 512 838 0156
EMail: stokes@austin.ibm.com
Debbie Byrne IBM 11400 Burnet Rd Austin, TX 78758 USA
美国德克萨斯州奥斯汀伯内特路11400号Debbie Byrne IBM 78758
Phone: +1 512 838 1930
Fax: +1 512 838 8597
EMail: djbyrne@us.ibm.com
Phone: +1 512 838 1930
Fax: +1 512 838 8597
EMail: djbyrne@us.ibm.com
Prasanta Behera Netscape 501 Ellis Street Mountain View, CA 94043 USA
Prasanta Behera Netscape 501美国加利福尼亚州埃利斯街山景城94043
Phone: +1 650 937 4948
Fax: +1 650 528-4164
EMail: prasanta@netscape.com
Phone: +1 650 937 4948
Fax: +1 650 528-4164
EMail: prasanta@netscape.com
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。