
Kraken DOM

DOM stands for Domain Object Model: the common data entities used for security management. Kraken DOM exposes these entities through API service interfaces and message bus plugins.

Authors

Entity Event Model

Kraken DOM is the core model; other domain entities may reference DOM entities. Because each domain's database is logically separated, other domain models cannot declare foreign key constraints on DOM tables. For example, MyOwnEntity may refer to an organization id, but it cannot enforce that reference with a foreign key constraint, because MyOwnEntity resides in another database. Instead, you can use entity event callbacks to implement a virtual constraint: inside the callback you can commit or reject a domain object change.

  • Entity Event Provider
    • All API services provide domain entity life cycle events.
      public interface EntityEventProvider<T> {
      	void addEntityEventListener(EntityEventListener<T> listener);
      
      	void removeEntityEventListener(EntityEventListener<T> listener);
      }
      
  • Entity Event Listener
    • You can receive entity events by registering an EntityEventListener callback.
      public interface EntityEventListener<T> {
      	void entityAdded(T obj);
      
      	void entityUpdated(T obj);
      
      	// called just before deletion; you can reject the deletion by throwing an exception.
      	void entityRemoving(T obj);
      
      	void entityRemoved(T obj);
      }
      
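
The virtual constraint described above, written out as an added example (this is not Kraken DOM's own code). It assumes the import paths shown, an Organization.getId() getter matching the id member, and a hypothetical MyOwnEntityDao backed by the other database:

```java
import org.krakenapps.dom.api.EntityEventListener;
import org.krakenapps.dom.model.Organization;

// Added example, not part of Kraken DOM. MyOwnEntityDao is hypothetical: it stores
// rows in a separate database keyed by organization id, so a real foreign key
// constraint is impossible and the check has to live in the event callback instead.
public class OrganizationGuard implements EntityEventListener<Organization> {
	private final MyOwnEntityDao dao;

	public OrganizationGuard(MyOwnEntityDao dao) {
		this.dao = dao;
	}

	@Override
	public void entityAdded(Organization org) {
		// nothing to do: a new organization has no dependent rows yet
	}

	@Override
	public void entityUpdated(Organization org) {
		// the organization id is stable, so stored references remain valid
	}

	@Override
	public void entityRemoving(Organization org) {
		// Virtual constraint: refuse the deletion while dependents exist, the same
		// effect a foreign key with ON DELETE RESTRICT would have. Throwing here
		// rejects the removal before the organization row is deleted.
		int dependents = dao.countByOrganizationId(org.getId());
		if (dependents > 0)
			throw new IllegalStateException("organization " + org.getId()
					+ " is still referenced by " + dependents + " MyOwnEntity rows");
	}

	@Override
	public void entityRemoved(Organization org) {
		// deletion is committed; clean up defensively in case rows were inserted meanwhile
		dao.deleteByOrganizationId(org.getId());
	}

	// Hypothetical DAO interface for the other database (assumption, not a DOM API)
	public interface MyOwnEntityDao {
		int countByOrganizationId(int orgId);
		void deleteByOrganizationId(int orgId);
	}
}
```

Register it with organizationApi.addEntityEventListener(new OrganizationGuard(dao)); this assumes OrganizationApi is an EntityEventProvider<Organization>, as the statement that all API services provide life cycle events implies.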

Programming API

Organization API

Organization is a domain boundary. Almost all domain entities belong to an organization. At least one organization should exist by default.

public interface OrganizationApi {
	Collection<Organization> getOrganizations();

	Organization getOrganization(int id);

	Organization getOrganizationForUser(int userId);

	void createOrganization(Organization organization);

	void updateOrganization(Organization organization);

	void removeOrganization(int id);
}

Organization Parameter API

OrganizationParameter manages organization-specific configuration parameters.

public interface OrganizationParameterApi {
	Collection<OrganizationParameter> getOrganizationParameters(int orgId);

	OrganizationParameter getOrganizationParameter(int orgId, String name);

	OrganizationParameter getOrganizationParameter(int orgId, int organizationParameterId);

	void createOrganizationParameter(int orgId, OrganizationParameter orgParameter);

	void updateOrganizationParameter(int orgId, OrganizationParameter orgParameter);

	void removeOrganizationParameter(int orgId, int orgParameterId);
}

Organization Unit API

OrganizationUnit contains user (and admin) entities and other organization units. Any user can be a member of an organization unit.

public interface OrganizationUnitApi {
	Collection<OrganizationUnit> getOrganizationUnits();

	Collection<OrganizationUnit> getOrganizationUnits(Organization org);

	OrganizationUnit getOrganizationUnit(int id);

	void createOrganizationUnit(OrganizationUnit orgUnit);

	void updateOrganizationUnit(OrganizationUnit orgUnit);

	void removeOrganizationUnit(int id);
}

Organization Unit members:

property           type                 description
id                 int                  identifier
organization       Organization
organizationUnits  List<Organization>   children units
name               String
domainController   String               Domain Controller (e.g. office.nchovy.net)
fromLdap           boolean              Synchronized by LDAP
createDateTime     Date

Localization API

Localization API provides localization templates and format functions:

public interface LocalizationApi {
	String get(ResourceKey key);

	String format(ResourceKey key, Object... args);

	void register(ResourceKey key, String template);

	void unregister(ResourceKey key);
}

A ResourceKey consists of a group, a key, and a locale. You can think of the group as a namespace.

Localization Resource Files

The Localization API reads embedded resource files from a bundle and registers the localization resources automatically. If you embed /OSGI-INF/kraken-dom/localization.en.properties and /OSGI-INF/kraken-dom/localization.ko.properties files, the localization templates are loaded when the bundle starts and unloaded when the bundle stops. Each file has the following layout:

group=[group name]
[key]=[template message]

For example:

  • localization.en.properties
    group=siem
    rpc-error=RPC operation failed
    

Role API

Kraken DOM uses role-based access control. An admin has a role, and a role is mapped to many permissions. There are 4 roles by default: master, admin, member, and guest. Master can manage all organizations and administrators. Admin can manage domain entities in its own organization. Member can monitor various data, but in general cannot edit configurations. Guest has very limited privileges (i.e. public data only).

public interface RoleApi {
	Role getRole(int id);
	
	Role getRole(String name);

	List<Role> getGrantableRoles(int organizationId, int userId);

	boolean checkPermission(int organizationId, int userId, String name);
}

User API

The User API provides user management functions. Admin is a kind of user. Users and admins can be synchronized with LDAP servers. See KrakenLdap for details.

public interface UserApi {
	Collection<User> getUsers();
	
	Collection<User> getUsers(Organization org);
	
	Collection<User> getUsers(String ldapAuthProfile);

	User getUser(int id);

	void createUser(User user);

	void updateUser(User user);

	void removeUser(int id);
	
	String hashPassword(String text);
}

User members:

property          type
id                int
organization      Organization
organizationUnit  OrganizationUnit
loginName         String
name              String
description       String
password          String
title             String
email             String
phone             String
ldapAuthProfile   String
createDateTime    Date
updateDateTime    Date
admin             Admin

Admin API

The Admin API manages administrators.

public interface AdminApi extends EntityEventProvider<Admin> {
	Admin login(String nick, String hash, String nonce) throws AdminNotFoundException, InvalidPasswordException;

	List<Admin> getAdmins(int organizationId);

	Admin getAdmin(int organizationId, int adminId);

	void createAdmin(int organizationId, Integer requestAdminId, Admin admin);

	void updateAdmin(int organizationId, Integer requestAdminId, Admin admin);

	void removeAdmin(int organizationId, Integer requestAdminId, int adminId);

	boolean matchPassword(int organizationId, int adminId, String password);

	String hash(String text);

	String hashPassword(String text);
}

Admin members:

AdminSetting API

Area API

Host API

LDAP Organizational Unit API

Application API

Network Address API

Timetable API

Push API

You can use the server push technique through the push API like this:

@Requires 
private PushApi pushApi;

pushApi.push([organization id], [YOUR_CALLBACK_METHOD_NAME], [data map]);

When someone subscribes to YOUR_CALLBACK_METHOD_NAME in the same organization, they receive the trap message immediately. This is very useful when you want to update several webconsole views in real time.

  • Subscribe

Suppose that you want to receive siem-event traps in real time. Then you should call the subscribe method:

org.krakenapps.dom.msgbus.PushPlugin.subscribe { "callback" : "siem-event" }

  • Unsubscribe

When you want to stop receiving specific trap messages, do this:

org.krakenapps.dom.msgbus.PushPlugin.unsubscribe { "callback" : "siem-event" }

  • Session clean-up

In the worst case, a user can terminate the session without calling unsubscribe. Don't panic! To prevent resource leaks, PushPlugin receives the session closed event and clears all related data automatically.
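The push call above combined with the entity event model, as an added example (not Kraken DOM's own code): a component that pushes a "user-changed" trap to webconsoles of the affected organization whenever a user is created, updated or removed. It assumes iPOJO lifecycle annotations, the import paths shown, that UserApi is an EntityEventProvider<User>, getters matching the User member table, and push(int, String, Map):

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.felix.ipojo.annotations.Component;
import org.apache.felix.ipojo.annotations.Invalidate;
import org.apache.felix.ipojo.annotations.Requires;
import org.apache.felix.ipojo.annotations.Validate;
import org.krakenapps.dom.api.EntityEventListener;
import org.krakenapps.dom.api.PushApi;
import org.krakenapps.dom.api.UserApi;
import org.krakenapps.dom.model.User;

// Added example, not part of Kraken DOM. Package paths, the iPOJO annotations and
// the getters on User are assumptions derived from this page, not verified API.
@Component(name = "user-change-notifier")
public class UserChangeNotifier implements EntityEventListener<User> {
	@Requires
	private UserApi userApi;

	@Requires
	private PushApi pushApi;

	@Validate
	public void start() {
		// receive every user life cycle event from the User API service
		userApi.addEntityEventListener(this);
	}

	@Invalidate
	public void stop() {
		// unregister on bundle stop, otherwise the dead component keeps receiving callbacks
		userApi.removeEntityEventListener(this);
	}

	@Override public void entityAdded(User user) { notify("added", user); }
	@Override public void entityUpdated(User user) { notify("updated", user); }
	@Override public void entityRemoving(User user) { /* not committed yet, nothing to push */ }
	@Override public void entityRemoved(User user) { notify("removed", user); }

	private void notify(String action, User user) {
		// The trap is scoped to the user's organization: only sessions that subscribed
		// "user-changed" inside that organization receive it. Push only identifying
		// fields; never put the password member into a trap payload.
		Map<String, Object> data = new HashMap<String, Object>();
		data.put("action", action);
		data.put("user_id", user.getId());
		data.put("login_name", user.getLoginName());
		pushApi.push(user.getOrganization().getId(), "user-changed", data);
	}
}
```

A webconsole then subscribes with org.krakenapps.dom.msgbus.PushPlugin.subscribe { "callback" : "user-changed" } exactly as shown for siem-event above.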

Message Bus Plugin

Maven POM Configuration

  • Maven Repository: http://download.krakenapps.org
    <project>
      <dependencies>
        <dependency>
          <groupId>org.krakenapps</groupId>
          <artifactId>kraken-dom</artifactId>
          <version>1.0.0</version>
        </dependency>
      </dependencies>
    </project>