26. Securing AMPS¶

One of the most important considerations when using AMPS in production is keeping your data safe. This means both ensuring that subscribers only have access to the data that they are allowed to have and that only authorized publishers are allowed to publish messages into the system. This chapter describes the mechanisms within AMPS to protect access to AMPS resources through client, administrative, and replication connections.

In this chapter, we describe the AMPS security infrastructure and present general information about securing an AMPS installation. AMPS uses a plugin model for providing authentication and entitlement, and allows a great deal of freedom in how the a given module implements security checks. This chapter discusses the concepts, principles, and guarantees that AMPS provides. The specific steps and configuration you use to secure an installation of AMPS depend on the plugin you use to secure AMPS.

There are three aspects to securing connections to AMPS:

Authentication assigns an identity to a connection and verifies that identity
Entitlement enforces permission to access AMPS and read or write AMPS resources based on the identity assigned to a connection
The AMPS process may also need to provide credentials to another AMPS instance (for example, to secure outgoing replication)

AMPS installations typically create custom plugins for securing AMPS. These plugins integrate with the enterprise authentication and entitlement system, and are designed to enforce the policies for the specific site. For more information on developing modules for use with AMPS, contact 60East support for the AMPS Server SDK.

The AMPS distribution includes an auxiliary module that contacts a web service for authentication and entitlement. This module is described in the section Authentication and Entitlement using a Web Service.

The AMPS distribution also contains an entitlement module that can be used to restrict access to specific topics for all users. This module is described in the section Entitlement with the Simple Access Module.

Authentication¶

The first part of securing AMPS is developing a strategy to verify the identity of connected clients. AMPS maintains an identity for each client connection, and uses that identity for entitlement requests. Once an identity is assigned to a connection, that identity stays the same for the lifetime of the connection. If an application needs to use different identities to work with AMPS, that application needs to make a separate connection for each identity.

There are two ways that AMPS assigns an identity to a client:

When an application explicitly sends a logon command, AMPS uses the credentials in the message for the authentication process. If authentication is successful, AMPS associates the user name provided in the initial logon with the connection. If authentication fails, AMPS closes the connection.
When an application issues any other command after connecting but before sending a logon command, AMPS treats this as an implicit logon and begins the authentication process with an empty user name and password. If authentication is successful, AMPS associates an empty user name with the connection. If authentication fails, AMPS closes the connection. AMPS does not allow implicit logon by default in 5.0 and later versions. However, you can enable implicit logon as described below.

In both cases, authentication occurs through the AMPS security infrastructure.

When authenticating a client, AMPS locates the authentication module in use for client’s transport (or, for the admin interface, the special amps-admin transport). If there is an authentication module specified for that Transport, AMPS uses that module. Otherwise, the transport uses an instance of the authentication module specified for the instance. When the configuration for the instance doesn’t include an instance level authentication module, the default module for the transport is amps-default-authentication-module, which requires a logon, but accepts any user name and password provided and sets the authenticated user name to an empty string.

Once AMPS has located the module instance, AMPS provides the user name and the password to that instance of the module. The module can accept the credentials, reject the credentials, or return a challenge that the application must respond to. When the module returns a challenge, the connection remains unauthenticated until the application requesting authentication responds to the challenge and the module accepts the response.

For most production systems, AMPS security is integrated with the overall security fabric of the organization. 60East provides the AMPS Server SDK to help developers create authentication modules that implement the unique policies and procedures required by a particular organization.

Simple Authentication Modules¶

AMPS includes three simple authentication modules in the AMPS distribution. These modules provide very simple policies for authentication, and are most useful in testing and development environments.

Module	Description
`amps-default-authentication-module`	Allows any user name and password. Does not allow implicit logon by default. Does not provide the user name to AMPS by default.
`amps-implicit-authentication-module`	Allows any user name and password. Allows implicit logon by default. Does not provide the user name to AMPS by default.
`amps-default-no-authentication-module`	Does not allow authentication regardless of the username and password provided. This can be useful for testing application behavior when logon is denied, or for setting a policy for the instance that individual transports must override.

Table 26.1: Simple Authentication Modules

Enabling Implicit Logon¶

60East recommends using explicit logon commands in your applications wherever possible, and the default authentication module disallows implicit logons. For backward compatibility with older versions of AMPS, AMPS includes the amps-implicit-authentication-module which allows implicit logon to restore the behavior of the previous AMPS versions. To use the amps-implicit-authentication-module for all of the transports in the instance, set the instance-level Authentication to use this module, as shown below:

<AMPSConfig>
  ...
  <Authentication>
     <Module>amps-implicit-authentication-module</Module>
  </Authentication>
  ...
</AMPSConfig>

Entitlement¶

The AMPS entitlement system controls access to individual resources in AMPS. Each entitlement request consists of a user, a specific action, and, where applicable, the type of resource and the resource name. For example, an entitlement request might arrive for the user Janice to write (that is, publish) to the topic named /orders/northamerica. Another entitlement request might be for the user Phil to logon to the instance. A third request might be for the user Jill to read (that is, subscribe or run a SOW query) from the topic named /orders/pacific/palau.

When checking entitlements, AMPS locates the entitlement module in use for the Transport that the client is connecting on (or, for the Admin interface, the special amps-admin transport). If there is an entitlement module specified for the Transport, AMPS uses that module. Otherwise, AMPS uses an instance of the entitlement module specified for the instance. When the configuration file for the instance doesn’t specify an instance-level entitlement module, the default module for the transport is amps-default-entitlement-module, which allows all permissions for any user.

AMPS caches the results of the entitlement check. You can clear the entitlement cache for all users using the AMPS Administrative Actions. You can clear the entitlement cache for a single user using the AMPS external API. When the entitlement cache is cleared, AMPS disconnects the user. This ensures that, when the user reconnects, the user only has access to resources that match the current set of entitlements.

AMPS checks entitlements for a command when processing the command, and does not recheck permissions after the command is processed. For example, when Jill subscribes to /orders/pacific/palau, AMPS checks entitlements when creating the subscription. If the entitlement check returns an entitlement content filter, AMPS includes that entitlement filter on the subscription. Once the subscription has been created, AMPS applies the filter as a part of the standard filtering process, but AMPS does not check entitlements for the subscription as further messages arrive.

The following table lists the resource types that AMPS provides:

Resource Type	Description
`logon`	Permission to log on to the AMPS instance
`replication_logon`	Permission to log on to the AMPS instance as a replication source
`topic`	Permission to receive from or publish to a specific topic
`admin`	Permission to read admin statistics or peform admin functions from the web interface

Table 26.2: AMPS Entitlement Resource Types

For the topic and admin resource types, AMPS also provides the name of the resource and whether the request is to read the resource or write to the resource.

The table below shows how AMPS commands translate to entitlement types:

AMPS Command Entitlement Type

delta_subscribe,

sow, sow_and_subscribe,

subscribe, sow_and_delta_subscribe

read

delta_publish, publish,

sow_delete

write

commands received over replication replication allowed

Table 26.3: Entitlement Types for Commands

Entitlement Caching¶

AMPS does not present a request to the entitlement module each time that an entitlement check is needed. Instead, AMPS presents the request the first time the entitlement is needed, and then caches the results from the module for subsequent entitlement checks. This improves performance, although it also means that when a module that reads entitlements from an external source (such as a central directory of permissions) that may change without requiring a restart of the AMPS instance, that module will need to establish a policy for resetting the entitlement cache.

Regular Expression Subscriptions¶

Each request from AMPS is for a specific resource name. When a client requests a regular expression subscription, AMPS makes a request for each topic that matches the subscription at the point that AMPS has a message to deliver for that topic. For example, if the user Nina enters a subscription for /parts/(mechanical|electrical), AMPS will make a request to the entitlement module for /parts/mechanical when there is a message to deliver for that topic, and will make a separate request for /parts/electrical when there is a message to deliver for that topic.

Content Filtered Entitlements¶

The entitlement system offers the ability to enforce content restrictions on subscriptions. When AMPS requests read access to a topic, the module that performs entitlement can also return a filter to AMPS. This filter is evaluated independently of any filter on the subscription, and messages must match both the subscription filter and the filter provided by the entitlement to be returned to the application. If a message does not match the entitlement filter, the message is not delivered, regardless of whether the message matches the filters provided by the application.

AMPS also offers the ability to enforce content restrictions on publish commands. When AMPS requests write access to a topic, the module that performs entitlement can return a filter to AMPS. This filter is then evaluated against messages published to that topic by that user. If the message being published matches the filter, AMPS allows the message. Otherwise, AMPS rejects the message.

Message Queues¶

Message queues, since they are implemented as views over topics in the transaction log, present a special situation for the AMPS entitlement system in two ways. First, receiving a message from a queue implies that the subscriber has the ability to modify the contents of the queue. Second, a queue can specify a DefaultPublishTopic to receive publishes.

The AMPS entitlement system treats queues differently than other topics as follows:

read entitlement on a queue also grants a user the ability to delete messages from the queue that are leased to that user. No other write permissions are implied.
write entitlement on a queue grants the ability to publish to the queue, even in cases where AMPS translates that publish to the DefaultPublishTopic configured for the queue. No other permissions are implied. In particular, granting the write entitlement on a queue does not grant any entitlements on the DefaultPublishTopic directly: even though the message is delivered to the DefaultPublishTopic, the publish command must publish to the queue topic.

In all other respects, entitlements for message queues behave in the same way as entitlements for any other topic.

Providing an Identity for Outbound Connections (Authenticator)¶

For outgoing replication connections, AMPS may need to provide an identity and credentials to the replication destination. AMPS uses a module type called an authenticator to provide those credentials and handle any challenge/response protocol required by the authentication module in the remote system.

AMPS provides a default authenticator module, amps-default-authenticator-module, that is automatically configured as the Authenticator for the instance if no other instance Authenticator is provided. This module provides a user name with no password. To determine the user provided to AMPS, the module uses the value of the User option to the module if one is provided. Otherwise, the module uses the current user of the AMPS process: if the current user cannot be determined by the system, the module falls back to the value of the USER environment variable..

The Authenticator used for a replication Destination must provide credentials that are accepted by the Transport of the remote instance that the Destination is connecting to. See the AMPS Configuration Reference for information on configuring the Authenticator for a Destination.

Protecting Data in Transit Using SSL¶

AMPS provides the ability to use Secure Sockets Layer (SSL) connections for communication with AMPS clients. See the AMPS Configuration Reference and the documentation for the AMPS clients for details.

AMPS uses SSL to encrypt network traffic between clients and servers. No information about the transport is passed to the AMPS authentication and entitlement system. Encryption at the network level is completely independent of the AMPS authentication and entitlement system, and these features can be used independently.

Table Of Contents

Related Topics