WWDC2004 Session 611
Transcript
Kind: captions
Language: en
Rusty Tucker

Thank you, and good afternoon. The UNIX permissions model has been around with us for a while now. This weekend I kind of tried to track down how long we've had it. I tracked it back to 1979 in UNIX V7, and then earlier today we tracked it back to 1971, so it's been around at least as far back as that. I think now, for Mac OS X, it's time for us to move beyond that and actually introduce file system access control. So today we're going to introduce you to what we're doing in Tiger with file system access controls, and really try to answer three deceptively simple questions: what are ACLs (or "ackles," as we sometimes call them), why are we adding them to Mac OS X, but perhaps more importantly, how do ACLs affect the way that you're developing software and managing your networks?

So today we're going to cover this in seven different topics. First, an overview of file system ACLs: what are the key features and benefits of them. Then we'll present a high-level view of the file system ACL model and its capabilities. Then we'll show you how we're changing Tiger to provide access control, and then a more detailed look at how it's being supported in the kernel, along with some specifics on how file access controls work and how the kernel calculates permissions. I will show you the developer APIs that are available to you for controlling access in the file system, and then wrap up with how we've changed group membership in Mac OS X to a more flexible group membership system. Let's get started.
The purpose of file access control is so we can be more expressive and more flexible than how permissions are used with files right now. The existing model is a bit too crude, and a lot of times it gets in the way of how we're trying to do our work on a daily basis. Some of the key things that we'd like to achieve with access control support: one, to be able to support XP clients with our servers. A lot of our customers are requiring it to be able to support their home directories and to provide workgroup services in their Microsoft networks, and we'd like to do this with Mac OS X Server. In addition, we'd like to enable a better client fit of the Mac OS X desktop into Active Directory networks, so that the Mac OS X client connects as a true peer to the other machines in those networks and has full understanding of the access controls that are in use today on the servers in those networks. And also to provide a foundation technology for collaborative applications, so that sharing between users and different groups is easier and more secure. And finally, we'd like to be able to enable workflow applications, so that the right permissions are set on documents as they go through a workflow in a somewhat automated fashion.
So, conceptually, an ACL is really very simple. It's simply a list of access control entries. Each one of those entries identifies a user and a set of permissions that are either granted or denied for that user, and then each ACL is bound to a file or directory in the file system. So for example, we can take a look at this hypothetical math assignments document and how we might be able to use an ACL to control access to it. First of all, we definitely have to have it so the teachers can read, write, and delete the document, so that they can edit the assignment. Then we have a hypothetical student teacher called Miss Buxton, who is not really ready to provide assignments or edit assignments, so she's going to be given read-only access, but she's actually a member of the teachers group, since she's a student teacher. The math students will then have just read-only access to the assignment, and everyone else will have no access. We'll revisit this example throughout the presentation, providing some more detail around it and how it would actually work within our system.

So if we go back to our original statement of flexibility for file system access controls, we've got some refinements now that we can apply to that. One, we definitely want to be able to associate multiple users and groups and assign those permissions to different file system objects, as well as to provide more granular permissions, for example the delete permission, which you cannot assign to an individual file today. And then also to support permissions inheritance, which will help enable our workflow situations, and finally, to support NT compatibility of our client and server.
So now that we have our requirements, let's take a look at what the file system ACL model actually is. We can compare this to existing models that are out there today that one might draw from. First of all, we can take a look at AppleShare privileges, which weren't really an ACL but were more capable in some ways than the POSIX permissions that we have today. For example, you could assign a group as an owner, and permissions inheritance was implicit in the fact that you could only assign permissions to folders. There's also the Andrew File System, which is very popular for its ACLs, and it provides the same set of abilities: to have multiple users and groups, to also assign permissions to folders, and it introduces some new permissions, the ability to admin and to delete, but it's not NT compatible. The Windows NT model, for example, introduces fine-grained permissions, multiple users and groups, the ability to allow and deny permissions, as well as defining a rich set of rules for inheritance. Finally, there was a POSIX draft, 1003.1e, that defined an ACL model for UNIX systems as a proposal. It provided the same set of permissions that we have today, read, write, and execute, but also allowed multiple users and groups, with allow-only entries and no deny entries. Its inheritance is somewhat limited and set to a system of default permissions for new items in a directory, and this proposal failed to gain standardization and has since been withdrawn.

So the model that we're actually going to provide in Tiger will support NT semantics, including the fine-grained permissions that are available on NT systems as well as on NFSv4. We'll provide static inheritance, so that you can use the NT rules of inheritance to define inheritance of permissions when items are newly created in a directory hierarchy, as well as supporting allow and deny, so that you can fine-tune permissions that are given to a user based on group memberships and so on. The interesting innovation that we're going to provide here is combining the POSIX and UNIX permissions that we have today with an ACL, which will minimize our migration impact and maximize compatibility with existing applications. Moreover, you will be able to assign ACLs on an existing volume and deploy them in specific parts of the file system, certain directories or individual file objects, for example, without having to reformat the entire volume to support that. And finally, we have an API based on the POSIX draft that we talked about earlier, which provides a level of abstraction and flexibility to allow for future extension.
There are a number of changes that we're going to make in Tiger for file system ACLs. First of all, we'll be supporting ACLs from the kernel. ACLs are part of a new extended security architecture. ACLs are fully a first-class security attribute for files, and this requires support deep in the kernel, and Mike Smith will come and explain this to us in detail later on. As part of this, we've had to revisit how we address groups in Mac OS X, so we're eliminating the existing 16-group membership limit, and then adding support for nested groups. In HFS+, ACLs will be supported based on the new support for extended attributes. Extended attributes are new functionality in HFS+ in Tiger that's built on some pre-existing definitions in the specification for HFS, so that it doesn't require completely reformatting the volumes to take advantage of this. The new structures and information required in the volume format can be built out transparently as you assign ACLs and extended attributes to items. And finally, this will be available in both the Tiger client and Tiger Server.

Of course, changing the SMB client is another important feature for us in our ACL strategy, providing us with a good client fit in Microsoft networks and the ability to view users and groups from Active Directory and edit the ACLs that are on the files on NT servers. Of course, we'll also be updating AFP and the AFP client to support ACLs natively. All together, the changes in the kernel and file system provide us a good foundation for extended permissions in Tiger.

Through the POSIX and Carbon layers, your applications will gain access to the ACL APIs so that you can change and manipulate ACLs from your software, and we're also providing command-line tools for management of systems, including ls and chmod, for example, to give you a way to edit ACLs, but also command-line tools like cp, because now we need to preserve this new information when we copy files. We're changing the Samba server to provide native support with full fidelity to SMB clients from Windows XP and other Microsoft platforms. If you're familiar with the way that Samba works, with its standard compile options you really have two different choices today: either you can go with its private support for Windows ACLs, in which it does not use the permissions from the file system but keeps a shadow database of its own permissions for items, much in the way that a web server would provide access through an .htaccess file; or the other option is to compile for the POSIX ACL format, as is possible on Linux. In doing that, you really end up with a lossy translation between the POSIX ACLs and what's available on Windows NT, between the client and server. With our solution, you actually end up with a full-fidelity solution, because the file system permissions already have the same fine-grained permissions that are found on the NT systems that it's being served to. And this is also reflected in the AFP server, where we'll be showing permissions as effective permissions to Panther or earlier clients, because they don't have the capability of understanding the more fine-grained ACL permissions, but full-fidelity permissions will be exposed to Tiger clients. Both Samba and AFP together will work from the same basic set of permissions in the local file system, providing very unified support to both clients and the same capabilities. The Finder in Tiger will be supporting editing ACLs from the desktop on AFP, SMB, and local volumes, and of course our server tools are providing very flexible management of ACLs in a much more fine-grained manner, including the ability for you to set presets and define your own permission masks, making management of ACLs very efficient and easy. All in all, I think we've got a very complete and comprehensive set of changes in Tiger for ACLs, and I would like to introduce to you Mike Smith from Core OS Engineering.
Mike Smith

Thanks, Rusty. So in the next few minutes I'll be talking about the kernel changes, the introduction of a new centralized authorization infrastructure, which we're calling kauth; a little bit about some details of the ACL format, mostly the internal details for reference purposes; we'll work through a brief example using the scenario that Rusty raised earlier; and then I'll talk a little bit about the developer API. I'm not actually going to bore you by working through the entire API detail by detail; documentation will all be available in good time, but we'll go through a code sample to give you a feel for actually using it.

So when we embarked on supporting ACLs, we already knew that we were going to need a centralized authorization infrastructure. The existing authorization mechanisms inside the Mac OS kernel, whilst more than adequate to the task, are relatively ad hoc: authorization decisions are made all over the place, there is some duplication of code, and this works okay because the model we've been working with is relatively simple. However, ACLs and the like introduce considerable complexity, and so it's fairly important for us to reduce the amount of work that authors and developers need to do, and also to just overall reduce the code bulk and replication of code.

Authorization itself inside the kernel really involves knowing three things: who you're actually performing the action for, what you're operating on, and what the actual operation is, along with specific details related to it. Kauth provides management for credentials, which are our user identification; it supports processing of ACLs; it provides helper functions for translation and the like; and it provides a flexible mechanism for defining actions, as well as a plug-in architecture that allows other modules to participate in the authorization process. In the first go-round, we expect this to be of particular interest to folks writing antivirus filters, but potentially also content filters, and the functionality is very much open-ended, so if you find yourself having a desire to control the way that access to particular resources is managed, you can basically write a module against our API and just get involved.

The consequence of all of this is that ACLs are fully integrated with the kernel's authorization subsystem. Again, in the vein of reducing the amount of work that individual file systems and modules need to perform, we've layered the ACL implementation over the top of the extended attribute support, so any file system that supports extended attributes gets ACLs for free. File systems that have their own ACL model can translate to and from our format. As we're using the Microsoft and NFSv4 semantics, for file systems that include native ACL models these translations have generally been explored already, so they're well understood. And again, as Rusty pointed out, we will continue to support the POSIX permissions. The default processing for ACLs, and I'll get into that in more detail a little bit later, leaves you in a situation when you reach the end of the ACL where you would deny the request. In our case, we ultimately fall through and consider the POSIX permissions, and this gives the expected behavior: if you have a file with existing POSIX permissions and you want to add extra control to it, you can apply an ACL, and the processing of the two will behave pretty much as you expect it to.
This is a simplified overview of the way that things look now, with the kauth subsystem interacting with the VFS to provide the new authorization functionality. The interesting item on this particular diagram is the group membership resolver. As Rusty mentioned, we're going to be removing the 16-group limit. Integrating with Active Directory, it's no longer practical for us to keep a complete list of all of the groups that every credential is a member of inside the kernel, so that is now handled by the group membership resolution service.
I'm going to talk briefly now about our format. This is obviously not a comprehensive description; we'd really rather you use our API abstraction for integrating ACLs, but understanding what's going on under the covers may help you. Let's cover some terminology. Rusty's already briefly talked about access control entries: they associate an identifier of some sort with a set of permissions. Access control lists: the word "list" is kind of important, because it's an ordered list; the processing of an ACL is dependent upon the order of the entries. And lastly, user ID and group ID: you should be familiar with these already. Alongside the current 32-bit user and group identifiers that we've been using for some time, we're introducing a new globally unique ID, which can be applied to both users and groups. This is to deal with a situation where you may have very large numbers of users, or you may have groups of users that are not maintained coherently, so you run into the problems of either exhausting the user ID space or simply having collisions: two users numbered 500, for example. The GUID is randomly generated, guaranteed to be unique, operates in a 128-bit space, and so you can uniquely identify objects by their ownership; even if you have things moving around, you have a permanent handle for them. And the discussion's not really complete without mentioning Microsoft's security identifier, the SID. It's a structured data item that is used with SMB operations. It performs very much the same functionality as the GUID; Microsoft chose to embed information in there rather than using an indirect reference to the information. The kauth subsystem provides functionality for translations between all of these items, so if you have a GUID you can get the UID, you can get the SID.

On a local file system that's using our extended attribute support, we'll be storing a GUID for the owner of the object, and the access control list, as an extended attribute. Obviously, again, we would like you to use our API functions for manipulating these; you may be getting a common theme here. One useful thing to note is that because we are tracking the owner with a GUID, it becomes possible for groups to own objects, rather than forcing you to create individual users just to own particular infrastructure items.

Access control entries, again, associate an identifier with some access rights, and a control bit which determines whether or not those rights are granted or denied, and also some bits controlling inheritance and miscellaneous stuff. These are the access permissions that we provide for controlling access to files. You can independently control reading, writing, executing, deletion of individual files, obviously appending of data, and then read/write control individually over the file's basic attributes (timestamps and the like), extended attributes (with the exclusion of the security information), the security information itself, and you can also grant individuals or groups the right to change the ownership of the file. The permissions associated with directories are very similar; obviously we substitute read and write with list and add file. Search in the directory: it's possible to search within a directory for a file if you know the file's name, without having list rights. It pretty much parallels the current UNIX permissions, and again, the controls on read/write of attributes and ownership.

The flags applied to an individual ACE are obviously allow and deny, but the inheritance business is something that's not quite so well understood. Directory objects allow you to specify ACEs which will be inherited either by child directories or by files, and also allow you to control whether those are inherited once or multiple times. This is what Rusty was referring to as static inheritance, and it effectively allows you to set up template ACLs for both files and directories created inside others. It allows you to establish permissions on objects so that an individual can create an object that they may not necessarily subsequently have full access to. It's real support for the workflow environment.
So I'm going to come back to Rusty's scenario here and work through a couple of brief examples. Just to recap: we have a school network; we have a group which contains all the teachers; we have a group which contains the math students; we have a student teacher, Miss Buxton, who is part of the teachers group because she needs access to teachers-only files, but right now we don't want to grant her the ability to write to that math assignment. So we rephrase this as an ACL with three entries. First up, we put a deny entry which prevents Miss Buxton from either writing or deleting that math assignment. We have a blanket allow for teachers that allows them to read, write, and delete the file, and an allow for the math students that allows them to read the file.

When we're processing an ACL, we process each entry in order. The entry's ID is compared against the ID of the requester. If they're not identical, or if the requester is not a member of the group called out in the entry, then we just ignore the entry. If they do match, or they are a member, then we look at whether the entry is an allow or a deny entry. If it's a deny entry, we take the permissions that are being requested by the operation, and if any of them are denied by the entry, we stop processing at that point. Alternatively, if we cumulatively accumulate all the requested permissions from allow entries, then we allow the operation.

In this particular example, let's consider a math student who wants to open the file read-only; say they're copying it off to a private disk so they can take it home and work on it. They'll be requesting read access. We look at the first entry: Miss Buxton. The math student's not Miss Buxton. Second entry: the math student's not a teacher, okay, ignore that one too. Third entry: math students, okay; they want read, it says they can have read, they get to read the file.

We look at another example: Miss Buxton is attempting to save over the math assignment. Maybe she just made a mistake, maybe she feels that she's going to be a hacker one of these days. We know she's going to want to; she will have opened the file using read permissions. We look at the first entry: deny Miss Buxton. Okay, this applies to Miss Buxton, but it's only denying her write and delete, so we're not going to block her there. Take the next entry: she is a teacher, which is allowed read; she can read the file. Comes time to save, she wants write access. First entry: Miss Buxton, write denied. So you can express things with even a simple ACL like this that would not be possible with the traditional POSIX permissions, and obviously I've kept this example short, because it could go on forever.
The developer API. We went around with this several times, but ultimately decided that, rather than trying to introduce a great deal of new API, we would try and stay as close to the POSIX APIs, the existing APIs that you folks are familiar with already, certainly in philosophy. Obviously we needed some extra functionality, and we had a bunch more detail. We tried to avoid namespace collisions, so that you don't suddenly discover that there are symbols in your application that are colliding with definitions that we've evolved, and we've avoided exposing any data structures directly; rather, we preferred to stick with accessor functions, in a fashion that will allow you to remain binary compatible even if we need to add extra security information.

Obviously, if your application doesn't care about access controls, I'm not so sure why you're here right now, but your application can continue to not care. We're not really changing the basic concept of having security information associated with a file; we're just being much more eloquent about what you can express with it. It becomes particularly important, with the extra complexity that goes with ACLs, that applications not try to simply look at a file's security information and determine from that security information whether or not something that they're going to do is going to be successful. The group membership resolution process can be time-consuming; there may also be other things going on behind the scenes; and finally, the file you're attempting to access may actually not be on the local machine at all. It may be on a remote file server which essentially has completely different rules for evaluating whether or not you're going to have access. So if you can at all get away with it, just go ahead and try the operation, be prepared for it to fail, have a good recovery or back-out scenario, but don't count on knowing ahead of time whether or not you're going to be allowed.

Obviously, some applications do need to know. If you want feedback for a GUI application, you want to be able to gray out the icon as your mouse goes over it, whatever. We do provide interfaces for that: at the POSIX level you have the access function, and there are other functions in Carbon. These will take ACLs into account; they use the same kauth infrastructure that's used for actual access checking. But there are scenarios in which even those aren't going to be able to give you answers, so you need to be prepared for the situation where we simply can't tell you ahead of time whether something's going to succeed; you're just going to have to try it to deal with the situation.

So, some applications do need to care. Obviously, anyone who cares about the security of the files they're working with: file servers and copy engines want to be accurate, want to preserve the information that's really there in the security structures. Anyone who is providing file management functionality, whether you're a Finder or something along those lines, or simply an enhanced open/close dialog in which you have some other way of representing files, you're going to need to be able to provide folks with the opportunity to edit security information on the file, and so you will need to use these APIs and need to come up with UI and so forth. And obviously we're building this functionality so that developers can produce things that we never thought of, and so if you find that ACLs are relevant to something you want to do, then...

Again, our philosophy with this particular API was to try and avoid unnecessary changes, to keep with the spirit of the POSIX API, and so we've encapsulated all of the file security information into an opaque object, which we call the filesec_t, and this is then passed around. So stat becomes statx with an _np suffix, so that you know this is not a portable call, and it returns your filesec_t; openx takes one instead of a mode; chmodx takes one; the same all the way around. The ACL is part of the file security object, alongside the owner, the group, and the POSIX mode, where applicable. We provide an API for the manipulation of the filesec, basically get, set, check whether it's valid, and clear-it functionality, and we provide an API for manipulating the ACL itself, which is based on the POSIX 1003.1e API. Obviously we needed to make some changes to cope with the differences, but since there is a good deal of established code and understanding and documentation already available for the manipulation API, we decided that was the best way to go.
I'm going to finish up here with a brief example: creating a file with an ACL associated. In this particular case, we don't have to be the individual that is passed in to us, because, since we're creating the file, we can basically apply whatever ACL we like. So we start off: we create an empty ACL, fairly straightforward. We create an entry in that ACL; at this point in time both the ACL and the entry are blank. And then we apply the qualifier, in this case the GUID, to the ACL... sorry, to the ACE, my apologies. And we'll turn this into an allow ACE, because we're going to grant read-write, or rather read-only, access to the GUID that's been passed in. So we fetch the flags for the ACE, we clear them just as a precaution, and then we set the allow bit. We get the permissions for the ACE; again, we'll clear them as a precaution, and we'll grant the ability to read data, attributes, extended attributes, and security information, and then we apply those to the ACE. And so right now we've created an ACL with one entry that grants this particular GUID read-only access to the file.

Next we'll create ourselves the file security object. Since we're starting from scratch, we don't have one of these from a statx call. We apply the ACL to the file security object, and then we can drop the ACL, because we've copied it into the file security object. We'll turn off the POSIX permissions so that only the ACL applies to this particular file, and then we'll create the file. As you can see, this looks just like an open call; it's just passing the file security object rather than a mode. Again, as with the traditional open, we can actually open for any sort of access regardless of the permissions associated with the file. This actually allows us to be able to create a file securely that we have write access to, because we're copying into it or whatever, but that no one else can open for writing. Clean up, and we're done.
I'll hand it back to Rusty now.

Rusty Tucker

Just a little bit about group membership now. We're going to talk a bit about group membership and its relation to ACLs. As we were going through the design of ACLs, it became very apparent that the existing model that we had for group membership really was not scalable enough, nor was it precise enough for the things that we wanted to do with access control. So in Tiger we're going to make it more scalable, more robust, eliminating the 16-group limit that we have today in Panther, and this, as you see, is with the group membership resolver and the kernel's ability to defer looking up groups until the time that it's actually necessary. So today, when you log in to a Panther system, it needs to go out onto the directory and discover all the groups of which you are a member, even if there are only four or five, or 16, taking the first 16 that it finds, and those become the groups that you derive permissions from. We'll also be supporting nested groups; the daemon will be able to expand group memberships and test membership against that, as well as provide compatibility with legacy software.

So in the directory, we'll require a new group schema to support this. This new group schema is based on an authoritative list of GUIDs, rather than using short names to define membership, and these GUIDs may reference either other users or other groups, which provides us the nesting capability and provides for future expansion, since GUIDs can really be referencing any type of object out there, including computers, or kinds of devices we haven't really thought of yet. The groups are also further identified by their legacy group ID and, optionally, the NT security ID. This provides us with the ability to provide static translations for clients such as XP clients, or a service such as the Samba service. When binding to Active Directory networks, you don't need to change the schema there; the new group resolution daemon understands the schema that's present in Active Directory networks and can work with them.
So as I said before, Panther is using a 16-group array. Tiger will be using a new group membership service to replace that, which provides the group expansion capabilities and, for performance, is caching the results of these queries, both positive and negative, with a time to live, because groups and group memberships can be checked quite often, especially when going through ACLs. And it also provides the ID translation services. These services are going to be available to your software as well, through a new API that will allow you to test membership against groups, so that you don't need to parse membership lists manually, and also to provide the UID and GUID translation services, as well as the SID services. Privileged processes today can edit the groups of which they're being considered a member and which are being evaluated, and a new API will be available to more precisely define that within this new scheme.

All of this really opens up the possibility for a new way to manage individuals on your network, using smaller groups and nested hierarchies of groups. So we can revisit the example that we have with the teachers and student teachers and redo that in a more dynamic fashion. Rather than having a single group of teachers to represent all teachers and student teachers, we'll create two separate groups: one of the staff teachers and another of just student teachers. Together these will be nested into one larger global teachers group, for use where that's appropriate. In the example that we showed, rather than having to have a deny entry specifically for Miss Buxton, for that matter, we can simply say student teachers have read access to this file, and then staff teachers have the read, write, and delete access. What's really nice about going this way is that as people's roles change within your organization, Miss Buxton gets promoted, gets hired as a staff teacher, you can simply reassign her membership within the directory system, and she'll automatically obtain new permissions in the file system wherever that new group membership is encountered.

So we'll kind of wrap up here with a little sneak peek at some proposed user interface to manage ACLs. First of all, within the Finder's Get Info window, you can see it's very similar to what you have today, but now we have the addition of an Others listing, which is not just a single group as it is now, but a listing of both groups and users that can be assigned different permissions to this object. The idea here is to keep something that's very simple and manageable that people can use on their own systems. The initial view in the Tiger Server admin tools is very similar to the easy-to-use idea that we have in the Finder, but also provides a more detailed view of the ACL and its associated access control entries, allowing you to edit specific information about them, as to whether it's an allow or deny record, and also to be able to access preset groups of permission entries from the pop-up menu that you see here. Those will provide customization abilities, so that you can define your own sets of presets to meet the way that you manage permissions on your network, and from there you can drill down and access more detailed permissions on the different objects, to get to the real fine-grained permission control over inheritance and so forth.

So to summarize where we are with ACLs in Tiger: we're providing a much more flexible way of expressing permissions on objects in the file system and reducing the arbitrary limits that we have today in the OS, supporting compatibility with Microsoft networks in both our client and the server, and providing a better platform for collaboration and workflow. With that, new information is now exposed in the file system, both in terms of ACLs and extended attributes, that needs to be supported by software, specifically copy engines, archivers, and so on. Some of those changes we'll be making ourselves, and some of those are going to be required of your third-party software. And finally, this may impact the way that you manage your network, and hopefully we've been able to give you enough information here today that you can begin planning for those changes coming up.
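The ordered ACL evaluation Mike Smith walks through for the Miss Buxton scenario, written out as an added example in C for readers of this transcript; it is editor-supplied illustration code, not code from the session or from kauth, and the GUID strings, the file owner, and the second file's 0600 mode are constructed. It also shows the fall-through to POSIX mode bits that the session describes: the same ACL decides differently when the file keeps its mode bits than when, as in the openx example, POSIX permissions are switched off.

```c
/* Ordered ACL evaluation modelled on the rules Mike Smith describes: entries are
 * walked in order, entries for a principal the requester does not match are
 * skipped, a deny entry that covers a still-requested right stops processing,
 * allow entries accumulate rights, and whatever is unresolved at the end of the
 * list falls through to the POSIX mode bits. All names, GUID strings and modes
 * are constructed for this example; nothing here is kauth's own code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Fine-grained file rights from the session's permissions slide. */
enum right {
    R_READ_DATA  = 1u << 0, R_WRITE_DATA  = 1u << 1, R_EXECUTE  = 1u << 2,
    R_DELETE     = 1u << 3, R_APPEND      = 1u << 4,
    R_READ_ATTR  = 1u << 5, R_WRITE_ATTR  = 1u << 6,
    R_READ_XATTR = 1u << 7, R_WRITE_XATTR = 1u << 8,
    R_READ_SEC   = 1u << 9, R_WRITE_SEC   = 1u << 10, R_CHOWN = 1u << 11,
};
struct ace {               /* access control entry */
    const char *guid;      /* user or group, identified by a GUID string */
    bool        deny;      /* deny entry if true, allow entry otherwise */
    unsigned    rights;    /* rights this entry denies or grants */
};
struct requester {
    const char  *guid;
    const char **groups;   /* NULL-terminated; what the membership resolver reports */
};
struct file_sec {          /* stands in for the file security object */
    const char       *owner_guid, *group_guid;
    unsigned          mode;  /* POSIX mode bits; 0 = POSIX permissions switched off */
    const struct ace *acl;
    size_t            nace;
};
static bool matches(const struct requester *who, const char *guid)
{
    if (strcmp(who->guid, guid) == 0) return true;
    for (const char **g = who->groups; *g; g++)
        if (strcmp(*g, guid) == 0) return true;
    return false;
}

/* Rights the POSIX mode bits give this requester's class (owner, group, other). */
static unsigned posix_rights(const struct file_sec *fs, const struct requester *who)
{
    unsigned shift = strcmp(fs->owner_guid, who->guid) == 0 ? 6
                   : matches(who, fs->group_guid)          ? 3 : 0;
    unsigned rwx = (fs->mode >> shift) & 7, rights = 0;
    if (rwx & 4) rights |= R_READ_DATA | R_READ_ATTR | R_READ_XATTR | R_READ_SEC;
    if (rwx & 2) rights |= R_WRITE_DATA | R_APPEND | R_WRITE_ATTR | R_WRITE_XATTR;
    if (rwx & 1) rights |= R_EXECUTE;
    return rights;
}

bool authorize(const struct file_sec *fs, const struct requester *who, unsigned requested)
{
    unsigned residual = requested;   /* rights not yet settled by an earlier entry */
    for (size_t i = 0; i < fs->nace && residual; i++) {
        const struct ace *e = &fs->acl[i];
        if (!matches(who, e->guid)) continue;
        if (e->deny) {
            if (e->rights & residual) return false;  /* first matching deny ends it */
        } else {
            residual &= ~e->rights;                  /* allow entries accumulate */
        }
    }
    /* End of the list: anything still unresolved is decided by the POSIX mode. */
    return (residual & ~posix_rights(fs, who)) == 0;
}

/* The math assignment scenario, with constructed GUIDs. */
#define U_BUXTON   "guid-miss-buxton"    /* student teacher, in the teachers group */
#define U_OWNER    "guid-staff-teacher"  /* owns the file, in the teachers group */
#define G_TEACHERS "guid-teachers"
#define G_MATH     "guid-math-students"
const struct ace math_assignment_acl[] = {
    { U_BUXTON,   true,  R_WRITE_DATA | R_APPEND | R_DELETE },   /* deny her write/delete */
    { G_TEACHERS, false, R_READ_DATA | R_WRITE_DATA | R_DELETE }, /* teachers: read/write/delete */
    { G_MATH,     false, R_READ_DATA },                           /* math students: read only */
};
static const char *teachers_only[] = { G_TEACHERS, NULL }, *math_only[] = { G_MATH, NULL },
                  *no_groups[] = { NULL };
const struct requester miss_buxton   = { U_BUXTON, teachers_only };
const struct requester staff_teacher = { U_OWNER, teachers_only };
const struct requester math_student  = { "guid-a-student", math_only };
const struct requester outsider      = { "guid-outsider", no_groups };
/* POSIX permissions switched off, as in the openx example: the ACL alone decides. */
const struct file_sec acl_only      = { U_OWNER, G_TEACHERS, 0,    math_assignment_acl, 3 };
/* Same ACL on a file that keeps mode 0600: the owner's unresolved rights fall through. */
const struct file_sec acl_plus_mode = { U_OWNER, G_TEACHERS, 0600, math_assignment_acl, 3 };

int main(void)
{
    printf("student reads: %d  Buxton reads: %d  Buxton writes: %d  outsider reads: %d\n",
           authorize(&acl_only, &math_student, R_READ_DATA), authorize(&acl_only, &miss_buxton, R_READ_DATA),
           authorize(&acl_only, &miss_buxton, R_WRITE_DATA), authorize(&acl_only, &outsider, R_READ_DATA));
    printf("owner sets xattr, mode 0600: %d  mode off: %d\n",
           authorize(&acl_plus_mode, &staff_teacher, R_WRITE_XATTR), authorize(&acl_only, &staff_teacher, R_WRITE_XATTR));
    return 0;
}
```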