
I have a project that I need ABAC implemented in. I've been searching the internet for information on how ABAC works specifically from a Nodejs standpoint. I have an understanding of the basic concepts of ABAC but not really how to implement it successfully. I've read white papers on the subject and have tried to examine some projects that claim to have implemented ABAC but it didn't seem complete or clear.

First I want to describe my project in the high level and then how I plan to implement ABAC in my project. I'm hoping that someone can give me guidance on this topic and whether or not the way I want to implement ABAC is good, bad, or I'm missing something and it needs some work.

My tech stack:

Below are the most important pieces of tech in my stack:

  1. reactjs
  2. nodejs
  3. express
  4. MySQL
  5. JSON web tokens

My project:

It is an e-commerce platform that will allow users to create certain resources that can be sold and/or shared with other users in the system. When these resources are shared or are being sold, that is when ABAC will "kick in". The project will have an interface that will allow its end-users to create ABAC policies for their resources. The policies will affect other users and the organizations users are a part of. There could be 1000s of users and 100s of 1000s of resources.

My possible ABAC implementation:

So the first thing I want to do is restructure my database so that every object and subject (in this case that would be users and their resources) will have a table just for their attributes and a lookup table that tracks which object/subject has which attribute key/value pair. So for instance: if there is a users table then there will be a table with user attribute keys and a lookup table that tracks which user has which attribute key assigned to them and that key's value. For example:

| userId | attr_key   | attr_val |
|--------|------------|----------|
| 1      | department | sales    |

My project will have a UI for the end-users to create policies for their resources. The UI will allow the user to create the policy based on the 4 main ABAC principles: subject, object, action, and environment (in this case "environment" will be time). In the UI, each of these principles will have a button that the user can add an attribute and a logical operator to it. Once a user is done creating a policy the UI will save it into the MySQL DB a particular way so it can be queried when enforcement is needed.

Given what I wrote above, I see ABAC working this way in my project:

  1. a policy is created that allows or denies a user access to a resource (I will create a policy syntax that can be stored in the DB which can be retrieved later for interpretation and calculation)
  2. when a user tries to do an action on a resource at a specific RESTFUL route (let's say they want to view/get) the PEP I'll create will intercept the RESTFUL request and extract all data sent in the request and then the PEP will send a request to the PDP using the data it extracted from the request to ask for the policy that is connected to the user and the requested resource.
  3. the PDP will pull the policy for that resource and all the attributes associated with the policy (this will be a request to the PIP for the subject, object, and environment) and then it will assemble the policy.
  4. the assembled policy will be computed against the request data, current attributes, and values used in calculations against the attributes and a boolean decision will be generated.
  5. the boolean decision will be used to either return the resource requested or return the reason why it was denied back to the route that initiated the request.

So first, is the above way feasible? Second, is it practical? And lastly, is there anything missing from the ABAC paradigm with my planned implementation or any suggestions on how to improve it?
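As an added example (not code from the question), the steps above written out as a deny-by-default PEP → PDP → PIP chain in Node. The attribute rows, the per-resource policy store and the `req.user` set by an assumed upstream JWT check are all constructed stand-ins for the MySQL tables and middleware described in the question; the policy is stored as JSON rather than a free-text syntax so the PDP never has to parse user-supplied text, and a missing attribute never satisfies a condition.

```javascript
// Added example, not code from the question: a deny-by-default PEP -> PDP -> PIP
// chain for Express-style handlers. Attribute rows are constructed, shaped like
// the key/value lookup tables in the question; policies are stored as JSON.

// Constructed PIP data (stand-ins for the MySQL attribute/lookup tables).
const userAttributes = [
  { userId: 1, attr_key: 'department', attr_val: 'sales' },
  { userId: 1, attr_key: 'tenure', attr_val: '9' },
  { userId: 2, attr_key: 'department', attr_val: 'support' },
];
const resourceAttributes = [
  { resourceId: 10, attr_key: 'owner_id', attr_val: '2' },
  { resourceId: 10, attr_key: 'classification', attr_val: 'internal' },
];

// PIP: collapse the key/value rows of one subject or object into an attribute map.
function attributesFor(rows, idField, id) {
  const out = {};
  for (const row of rows) if (row[idField] === id) out[row.attr_key] = row.attr_val;
  return out;
}

// Constructed policy store, one rule list per resource. A rule applies when the
// action matches and every condition holds; the first applicable rule decides;
// if none applies the request is denied. A condition's value may reference
// another attribute ({ attr: 'subject.id' }) instead of a literal.
const policies = {
  10: [
    { effect: 'allow', actions: ['read', 'write'], conditions: [
        { attr: 'object.owner_id', op: 'eq', value: { attr: 'subject.id' } } ] },
    { effect: 'allow', actions: ['read'], conditions: [
        { attr: 'subject.department', op: 'eq', value: 'sales' },
        { attr: 'subject.tenure', op: 'gt', value: 8 },
        { attr: 'environment.hour', op: 'between', value: [8, 18] } ] },
  ],
};

// Operators a policy UI could offer in a dropdown. Values arrive as strings
// from the attribute table, so each operator normalises before comparing.
const operators = {
  eq: (a, b) => String(a) === String(b),
  gt: (a, b) => Number(a) > Number(b),
  between: (a, [lo, hi]) => Number(a) >= lo && Number(a) <= hi,
};

// Resolve a dotted path such as 'subject.department' against the context.
function lookup(ctx, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), ctx);
}

// PDP: assemble subject, object and environment attributes via the PIP, then
// evaluate the resource's stored rules. Returns the decision and a reason.
function decide({ subjectId, resourceId, action, now }) {
  const ctx = {
    subject: { id: subjectId, ...attributesFor(userAttributes, 'userId', subjectId) },
    object: { id: resourceId, ...attributesFor(resourceAttributes, 'resourceId', resourceId) },
    environment: { hour: now.getUTCHours() },
  };
  for (const rule of policies[resourceId] || []) {
    if (!rule.actions.includes(action)) continue;
    const applies = rule.conditions.every((c) => {
      const left = lookup(ctx, c.attr);
      const isRef = c.value !== null && typeof c.value === 'object' && 'attr' in c.value;
      const right = isRef ? lookup(ctx, c.value.attr) : c.value;
      // A missing attribute never satisfies a condition (no implicit allow).
      return left !== undefined && right !== undefined && operators[c.op](left, right);
    });
    if (applies) return { allow: rule.effect === 'allow', reason: `rule matched: ${rule.effect}` };
  }
  return { allow: false, reason: 'no rule matched (default deny)' };
}

// PEP: Express-style middleware. It extracts request data, asks the PDP, and
// either passes control to the route or returns 403 with the reason.
// req.user is assumed to have been set by JWT verification earlier in the chain.
function pep(action) {
  return (req, res, next) => {
    const decision = decide({
      subjectId: req.user.id,
      resourceId: Number(req.params.id),
      action,
      now: req.now || new Date(),
    });
    if (!decision.allow) return res.status(403).json({ error: decision.reason });
    return next();
  };
}

// Drive the middleware with minimal req/res stand-ins (no Express needed).
function simulate(action, userId, resourceId, now) {
  const result = { status: 200, body: null, reachedRoute: false };
  const req = { user: { id: userId }, params: { id: String(resourceId) }, now };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  pep(action)(req, res, () => { result.reachedRoute = true; });
  return result;
}
```

In a real route the middleware is mounted as `app.get('/resources/:id', pep('read'), handler)`; `simulate('read', 1, 10, new Date())` exercises the same path without Express. Note that the "reason" returned on denial tells the caller which rule (if any) matched, which is what the question's step 5 asks for, but a production PDP would log the full decision context server-side and return only a coarse reason to the client.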

zero

  • Looks fine. Have you given any thought to the framework you will use? Axiomatics? AuthZForce? OPA? – David Brossard Jul 09 '19 at 03:24
  • So my post is really about doing ABAC from scratch with node/express to fit my app. So far the only framework I've seen is Axiomatics, but they seem more geared to enterprise-level apps/companies, and from what I've seen it looks pretty heavy to get into. The other two frameworks you listed I haven't seen before and may take a closer look at, but they are Java based and I'm trying to keep things JavaScript based unless the tool is cloud based – zero Jul 09 '19 at 09:01
  • Key-value (EAV) design pattern sucks when you try to scale it beyond toy implementations. How many GB of data do you anticipate? Do you anticipate that all processing can be done in a single server, without hitting the disk (other than to initially load cache and to persist changes)? How many queries per second do you anticipate? – Rick James Jul 10 '19 at 23:39
  • @DavidBrossard after some rethinking, I'm interested in AuthZForce and OPA. Can either of these frameworks support a UI that allows end users to create policies? My main concern is that users need to be able to create policies for their resources on the fly – zero Jul 13 '19 at 11:44
  • @DavidBrossard I'm trying to create a UI that abstracts away any semblance of coding. Essentially the UI would allow users to create policies with dropdowns and fields – zero Jul 13 '19 at 11:46
  • You can do that with either Axiomatics or AuthZForce – David Brossard Jul 13 '19 at 13:10
  • @DavidBrossard when you mention AuthZForce, is it because AuthZForce has a server version that is responsible for policy CRUD (which I could abstract into a UI)? – zero Jul 15 '19 at 12:02
  • @DavidBrossard If that is the case, does that mean OPA doesn't? – zero Jul 15 '19 at 12:05
  • @DavidBrossard or is it because OPA is cache based? – zero Jul 15 '19 at 12:29
  • Did you see this package? https://www.npmjs.com/package/node-abac – yeya Jul 15 '19 at 13:43
  • @yeya although that library seems like a nice starting point, its version is low (still at 0.0.7) and it hasn't been updated in 2+ years. It doesn't support dynamic policies and handles policy enforcement one resource at a time (performance may suffer greatly when needing to get a list of resources) – zero Jul 15 '19 at 14:49

1 Answer


First of all, the problem you are trying to solve is complex and one that will need constant updating and could get you in trouble in the future. Interpreting the policy without using any policy engine on the DB will waste your time and may force you to maintain it. To answer according to the tech stack, the OPA REST API https://www.openpolicyagent.org/docs/latest/rest-api/ will help you manage and enforce your policies.

OPA RBAC Policy Example

```rego
package app.abac

# Deny unless one of the allow rules below evaluates to true.
default allow = false

# Owners may always access their own resource.
allow {
   user_is_owner
}

# Senior members of the sales department may also access it.
allow {
   user_is_in_sales_department
   user_is_senior
}

user_is_owner {
   input.user.id == input.resource.owner_id
}

user_is_in_sales_department {
   input.user.attributes.department == "sales"
}

user_is_senior {
   input.user.attributes.tenure > 8
}
```

As in the example above, you can compare user attributes and resource attributes with OPA.

This will return you a result about whether the user should do this event or not.

There are various options about how you can implement it, you can access it from this link https://www.openpolicyagent.org/docs/latest/integration/

I usually use Go in my projects. I thought it was unreasonable to include policy management in my core business logic and I created a different service to manage policies myself with OPA's Go library.
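Since the question's stack is Node/Express, here is an added example (not from the answer or the OPA project) of the Node side of this integration: a PEP that builds the `input` document the Rego rules above read (`input.user`, `input.resource`) and asks OPA's Data API for `app.abac.allow`, failing closed on any error. The OPA address, the in-memory attribute maps standing in for the PIP, and the `fakeOpaFetch` stand-in that mirrors the answer's Rego rules so the code runs without a server are all assumptions; against a real OPA you pass the platform `fetch` instead.

```javascript
// Added example, not from the answer or OPA: an Express-style PEP that
// delegates the decision to OPA's Data API (POST /v1/data/<rule path>) and
// treats anything other than an explicit `true` result as a deny.

const OPA_URL = 'http://localhost:8181'; // assumed: OPA's default listen address

// Constructed stand-ins for the PIP (the question's attribute tables).
const userAttributesById = {
  1: { department: 'sales', tenure: 9 },
  2: { department: 'support', tenure: 1 },
};
const resourcesById = { 10: { owner_id: 2, classification: 'internal' } };

// Build the input document in the shape the Rego policy expects.
function buildInput(userId, resourceId, action) {
  return {
    user: { id: userId, attributes: userAttributesById[userId] || {} },
    resource: { id: resourceId, ...(resourcesById[resourceId] || {}) },
    action,
  };
}

// Map an OPA Data API response to a decision. OPA omits "result" entirely
// when the queried rule is undefined for the input, so only a literal true
// counts as allow; a non-200 status is also a deny (fail closed).
function decisionFromOpaResponse(status, body) {
  if (status !== 200) return { allow: false, reason: `opa returned http ${status}` };
  return body && body.result === true
    ? { allow: true, reason: 'allowed by app.abac.allow' }
    : { allow: false, reason: 'denied by app.abac.allow' };
}

// Query data.app.abac.allow; network failures are denies, not exceptions.
async function askOpa(input, fetchFn) {
  try {
    const resp = await fetchFn(`${OPA_URL}/v1/data/app/abac/allow`, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ input }),
    });
    return decisionFromOpaResponse(resp.status, await resp.json());
  } catch (err) {
    return { allow: false, reason: `opa unreachable: ${err.message}` };
  }
}

// Express-style middleware; req.user is assumed to be set by JWT verification.
function pep(action, fetchFn = globalThis.fetch) {
  return async (req, res, next) => {
    const input = buildInput(req.user.id, Number(req.params.id), action);
    const decision = await askOpa(input, fetchFn);
    if (!decision.allow) return res.status(403).json({ error: decision.reason });
    return next();
  };
}

// Constructed stand-in for OPA: evaluates the answer's Rego rules in JS and
// returns the same {"result": ...} body a real server would, so the
// middleware can be exercised offline.
function fakeOpaFetch(url, opts) {
  const { input } = JSON.parse(opts.body);
  const owner = input.user.id === input.resource.owner_id;
  const attrs = input.user.attributes;
  const seniorSales = attrs.department === 'sales' && attrs.tenure > 8;
  return Promise.resolve({ status: 200, json: async () => ({ result: owner || seniorSales }) });
}

// Drive the middleware with minimal req/res stand-ins and report what happened.
async function simulate(action, userId, resourceId, fetchFn = fakeOpaFetch) {
  const result = { status: 200, body: null, reachedRoute: false };
  const req = { user: { id: userId }, params: { id: String(resourceId) } };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  await pep(action, fetchFn)(req, res, () => { result.reachedRoute = true; });
  return result;
}
```

Mounting is the same as any Express middleware: `app.get('/resources/:id', pep('read'), handler)`. Keeping the user and resource attributes in the `input` document (rather than loading them from inside the policy) means OPA needs no database access, and the policy authors only ever see the attribute names the PEP chooses to expose.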

Tolga Ozen

  • As it's currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Feb 20 '22 at 13:18