Housecarl
Documentation News Console

PRE-RELEASE INFORMATION: SUBJECT TO CHANGE

AuthZ Algorithm

Housecarl AuthZ

Algorithm

The Housecarl AuthZ algorithm is a robust and flexible authorization system designed to handle complex access control scenarios. This section explains the key components and concepts of the algorithm in a somewhat formal way; it assumes some background with authenication, authorization and some mathematical fluency for the set theoretic treatment. See the Dev cookbook for a less vertical flightpath for developers, and the Policy cookbook for policy work.

Core Components

1. Resource

A Resource represents a hierarchical resource identifier with three main components:

  • Scheme: A system-wide or tenant-wide identifier (e.g., "hc") reminescent of schemes in a URL.
  • Noun: Typically represents a domain or resource type
  • Segments: A vector of path segments

Example: hc://domain/segment1/segment2

2. Request

A Request encapsulates the context of an access attempt, including:

  • Subject: Who is attempting the access
  • Action: What operation is being attempted
  • Object: The resource being accessed (as a Resource)
  • Additional context: Key-value pairs for extra information

3. Policy

A Policy defines rules for access control. It consists of:

  • Name and description
  • Evaluation engine type
  • Statements: A vector of key-value pair rules
  • Deny and invert flags

4. Domain

A Domain represents a logical grouping of resources and policies. It contains:

  • Name and ID
  • Superior domains (for inheritance)
  • Associated policies
  • Tenant ID

Algorithm Flow

  1. Request Initialization:

    • Parse the incoming request into a Request object
    • Validate the request structure, syntactically.

  2. Domain Resolution:

    • Identify the relevant domain(s) based on the resource in the request
    • Load the domain and its superior domains

  3. Policy Collection:

    • Gather all policies associated with the domain and its superior domains entirely.

  4. Policy Evaluation:

    • For each policy:
      • Match the request against policy statements
      • Apply the evaluation engine (Fixed, Prefix, RegEx, etc.)
      • Consider deny and invert flags

  5. Authorization Decision:

    • Combine the results of all policy evaluations
    • Determine the final authorization decision

Key Features

Multi-factor Evaluation

The algorithm supports various evaluation engines:

  • Fixed: Exact string matching
  • Prefix: String prefix matching
  • RegEx: Regular expression matching

Policy Inheritance

Domains can inherit policies from superior domains, allowing for hierarchical policy structures.

Flexible Context

The system can consider various contextual factors beyond just subject, action, and object, such as time, location, device type, etc.

Deny and Invert Flags

Policies can be set to explicitly deny access or invert their evaluation result, providing fine-grained control.

Usage Examples

  1. Role-Based Access Control (RBAC): <

    let rbac_policy = Policy {
    name: "RBAC Policy",
    engine: EvaluationEngine::RegEx,
    statements: vec![
        [("role", "admin"), ("action", ".*"), ("object", "hc://.*")].into_iter().collect(),
        [("role", "user"), ("action", "read"), ("object", "hc://public/.*")].into_iter().collect(),
    ],
    deny: false,
    invert: false,
};

  2. Time-Based Access:

    let time_policy = Policy {
    name: "Working Hours Policy",
    engine: EvaluationEngine::RegEx,
    statements: vec![
        [("action", ".*"), ("time", "^(0[9-9]|1[0-7]):[0-5][0-9]$")].into_iter().collect(), <!-- TZ? -->
    ],
    deny: false,
    invert: false,
};

  3. Geolocation Restrictions:

    let geo_policy = Policy {
    name: "Geo Policy",
    engine: EvaluationEngine::RegEx,
    statements: vec![
        [("action", ".*"), ("country_code", "^(US|CA)$")].into_iter().collect(),
    ],
    deny: false,
    invert: false,
};

Conclusion

The Housecarl AuthZ algorithm provides a powerful and flexible framework for implementing complex authorization scenarios. By combining structured resources, context-rich requests, and multi-faceted policies, it can address a wide range of access control requirements in modern applications.

Appendix: Mathematical and Set Theoretic Framing

This appendix provides a formal mathematical and set theoretic representation of the Housecarl AuthZ algorithm.

1. Definitions

Let:

  • S be the set of all subjects
  • A be the set of all actions
  • R be the set of all resources
  • C be the set of all possible context key-value pairs
  • D be the set of all domains
  • P be the set of all policies

2. Resource

A Resource r ∈ R is defined as a tuple:

r = (prefix, noun, segments)

where:

  • prefix ∈ Σ* (Σ being the alphabet of valid characters)
  • noun ∈ Σ*
  • segments ∈ (Σ*)*

3. Request

A Request q is defined as:

q = (s, a, r, c)

where:

  • s ∈ S (subject)
  • a ∈ A (action)
  • r ∈ R (resource)
  • c ⊆ C (context)

4. Policy

A Policy p ∈ P is defined as:

p = (name, E, Σ, δ, ι)

where:

  • name ∈ Σ*
  • E is the evaluation engine function
  • Σ is a set of statements, where each statement σ ∈ Σ is a set of key-value pairs
  • δ ∈ {true, false} is the deny flag
  • ι ∈ {true, false} is the invert flag

5. Domain

A Domain d ∈ D is defined as:

d = (id, name, S, P, t)

where:

  • id is a unique identifier
  • name ∈ Σ*
  • S ⊆ D is the set of superior domains
  • P ⊆ P is the set of policies associated with the domain
  • t is the tenant ID

6. Evaluation Function

Let eval be the evaluation function:

eval: P × Q → {true, false}

where Q is the set of all possible Requests.

For a policy p and request q:

eval(p, q) = E(Σ, q) ⊕ ι

where ⊕ is the XOR operation, and E is the policy's evaluation engine function.

7. Domain Evaluation

For a domain d and request q, the domain evaluation function D is:

D(d, q) = ⋀_{p ∈ P_d} eval(p, q)

where P_d is the set of all policies associated with d and its superior domains.

8. Authorization Decision

The final authorization decision for a request q in domain d is given by:

Auth(d, q) = D(d, q) ∧ ¬(⋁_{p ∈ P_d | p.δ = true} eval(p, q))

This formula states that authorization is granted if all non-deny policies evaluate to true AND no deny policy evaluates to true.

9. Policy Inheritance

For a domain d, its effective policy set P_eff(d) is defined recursively as:

P_eff(d) = P_d ∪ (⋃_{s ∈ S_d} P_eff(s))

where P_d is the set of policies directly associated with d, and S_d is the set of superior domains of d.

10. Resource Matching

For a Resource r and a pattern ρ, the matching function M is defined as:

M(r, ρ) = E_ρ(r.prefix ++ r.noun ++ r.segments, ρ)

where E_ρ is the pattern matching function (e.g., regex, prefix, or exact matching), and ++ denotes string concatenation.

This mathematical and set theoretic framing provides a formal basis for understanding and analyzing the Housecarl AuthZ algorithm. It defines the core components as mathematical objects and expresses the key operations as functions and set operations.

11. Superior Domain Removal

When a superior domain is removed from a domain's hierarchy, it affects the policy inheritance and potentially the authorization decisions. Let's formalize this process:

Let d ∈ D be a domain, and s ∈ S_d be a superior domain that is to be removed.

11.1 Updated Superior Domain Set

The new set of superior domains S'_d for domain d after removal of s is defined as:

S'_d = S_d \ {s}

where \ denotes set difference.

11.2 Updated Effective Policy Set

The updated effective policy set P'_eff(d) for domain d after removal of s is defined recursively as:

P'eff(d) = P_d ∪ (⋃{s' ∈ S'_d} P'_eff(s'))

This means that the policies from the removed superior domain s and its superiors (unless they are also superiors of other remaining superior domains) are no longer included in the effective policy set of d.

11.3 Impact on Authorization Decisions

The impact on authorization decisions can be expressed as the difference between the old and new authorization functions:

ΔAuth(d, q) = Auth(d, q) - Auth'(d, q)

where Auth(d, q) is the original authorization decision function and Auth'(d, q) is the authorization decision function after the removal of the superior domain.

If ΔAuth(d, q) ≠ 0 for any q, then the removal of the superior domain has changed the authorization behavior for domain d.

11.4 Consistency Preservation

To preserve consistency in the authorization system after removing a superior domain, the following condition should hold for all requests q:

∀q ∈ Q, Auth'(d, q) ⊆ Auth(d, q)

This condition ensures that removing a superior domain does not grant any new permissions that weren't previously allowed.

11.5 Policy Reevaluation

After the removal of a superior domain, all cached or pre-computed policy decisions for the affected domain d and its subordinate domains should be invalidated and reevaluated using the updated effective policy set P'_eff(d).

In practice, this means:

  1. Updating the domain hierarchy by removing the link to the superior domain.
  2. Recomputing the effective policy set for the affected domain and all its subordinate domains.
  3. Clearing any cached authorization decisions for these domains.
  4. Reevaluating any standing authorizations that were based on policies from the removed superior domain.

This formal treatment of superior domain removal ensures that the impact of such an operation is well-defined and its effects on the authorization system are clearly understood. It provides a basis for implementing this operation in a way that maintains the integrity and consistency of the authorization system.