Getting Access Control List Details with Pandas

October 22, 2020 · by Sharol Pereira

“Zero Trust is a network security model, based on a strict identity verification process. The framework dictates that only authenticated and authorized users and devices can access applications and data. At the same time, it protects those applications and users from advanced threats on the internet.” (Akamai Zero Trust Security)

Akamai’s Enterprise Application Access (EAA) is a unique offering which incorporates Zero Trust by allowing only authorized users and devices access to internal applications. One of the key elements of Zero Trust is authorization, ensuring appropriate access to applications and their data to prevent a security breach. 

The EAA Access Control List (ACL) allows you to extract permission details for internal applications. In this blog, we will show you how to get the ACL information for all of the applications configured in your EAA portal with the help of Pandas, an open source data analysis tool built on Python. Using the base logic in this blog will give you a wealth of information about your applications. 

What is an ACL?

An ACL is a set of rules or policies that dictate the conditions under which access to an application is denied. Let’s take a simple rule as an example: deny John if he accesses the application from anywhere other than the US. In EAA, this rule looks like the following:

Rule Name: Deny John
Criteria: User is john@example.com AND Region is NOT United States
Action: deny

Why Use Pandas?

Pandas is a Python package that provides fast, flexible, and expressive data structures designed to make working with structured (tabular, multidimensional, potentially heterogeneous) and time-series data both easy and intuitive.

Using Pandas, we will be able to iterate through the data in a more optimized manner. In our specific scenario, the API results produce structured data. With Pandas, data manipulation becomes more efficient. 

Getting Started with APIs 

To get started, set up the EAA API credentials by following the instructions in the link below: 

https://developer.akamai.com/api/enterprise_security/enterprise_application_access_configuration/v1.html#getstarted 

Next:

1. Import all the necessary libraries. 

from urllib.parse import urljoin
from akamai.edgegrid import EdgeGridAuth
from akamai.edgegrid import EdgeRc
import requests
import json
import pandas as pd

2. Run the commands to validate your credentials. 

# The .edgerc file holds your API client secret; keep it out of version control.
papiconfigFilePath = "/path-to-file/.edgerc"
edgerc = EdgeRc(papiconfigFilePath)
section = 'sectionname'
baseurl = 'https://%s' % edgerc.get(section, 'host')
s = requests.Session()
s.auth = EdgeGridAuth.from_edgerc(edgerc, section)

Now that you have the credentials set up, the next step is getting all the application details. 

Fetch Application Details Using APIs 

1. To start off, let’s get the number of applications. 

contractId = "XXXX"
offset = 0
limit = 1
expand = "true"
expand_sdk = "true"

# A single-item page is enough: meta.total_count tells us how many applications exist.
pcreate_path = "/crux/v1/mgmt-pop/apps?contractId={0}&offset={1}&limit={2}&expand={3}&expand_sdk={4}".format(contractId, offset, limit, expand, expand_sdk)
pcreate_res = s.get(urljoin(baseurl, pcreate_path))
limitapp = json.loads(pcreate_res.text)
actuallimit = limitapp['meta']['total_count']

print("Total number of applications: " + str(actuallimit))

2. Now let’s iterate through the list to get all the application details. 

# Request all applications in one page by using the total count as the limit.
pcreate_path = "/crux/v1/mgmt-pop/apps?contractId={0}&offset={1}&limit={2}&expand={3}&expand_sdk={4}".format(contractId, offset, actuallimit, expand, expand_sdk)
pcreate_res = s.get(urljoin(baseurl, pcreate_path))

3. Once we have all the applications, let’s use the Pandas DataFrame to hold this information.

app = json.loads(pcreate_res.text)
df = pd.json_normalize(app)
# The 'objects' column holds the list of applications; flatten it into one row per application.
fullappdf = pd.json_normalize(df['objects'][0])

4. The “fullappdf” DataFrame contains a lot of information. Let’s preserve the main DataFrame and create a secondary one with only the fields of interest. This step is optional, since the copy consumes extra memory. In this blog, we will use a second DataFrame (appsdf) with two columns, name and ACL: the name of the application, and the ACL, which is derived from the data in the “Services” column.

appsdf = fullappdf.loc[:,['name','Services']]

5. Now that we have the two columns of interest, let’s create a function that processes the raw data in the “Services” column. It iterates over the services of each application and extracts only the access control rules. In the output, the individual rules are separated by “||” to indicate an “OR” operation, while the criteria within one rule (which are combined with AND) are separated by a comma. For each rule, we extract its name and its settings. An example is given in the results.

Note: with the logic below there will be a trailing “||” after the last rule; it is easy to remove.

def getACLInfo(val):
    # val is the raw "Services" list of one application; each entry carries a
    # service descriptor and, for "Access Control", its list of access rules.
    aclvalue = ""
    for service in val:
        if service['service']['name'] == "Access Control":
            for rule in service['access_rules']:
                # rule name followed by its criteria; " || " separates rules (OR)
                aclvalue += str(rule['name']) + " " + str(rule['settings']) + " || "
    return aclvalue

6. Finally, we apply this function to create a new column called “ACL” and drop the “Services” column. 

appsdf['ACL'] = appsdf['Services'].apply(getACLInfo)
appsdf = appsdf.drop(['Services'], axis=1)

That's it! The end result is a DataFrame with the two columns of interest. For all applications that have ACL rules, the result is displayed as shown in the following example.

Example result:

Name     | ACL
AppName1 | Deny non-US [{'operator': '!=', 'type': 'country', 'value': 'US'}] || Deny Jane [{'operator': '==', 'type': 'user', 'value': 'jane@test.com'}] ||
AppName2 | Test [] || DenyRuleCombo [{'operator': '==', 'type': 'url', 'value': 'GRF.aspx'}, {'operator': '!=', 'type': 'group', 'value': 'testgroup'}] ||
AppName3 |

In the example, there are three applications in this tenant, two of which have ACLs; the ACL column of the third is therefore empty.

The first application name is “AppName1”. There are two ACL rules, “Deny non-US” and “Deny Jane”. The first rule denies access from any country other than the US, and the second denies access if the user is jane@test.com. There is an “OR” between the two rules.

The second application name is AppName2. There are two ACL rules, “Test” and “DenyRuleCombo”. The first ACL is empty and the second says to deny if the URL is “GRF.aspx” AND group is not “testgroup”. There is an “OR” between the two rules. 

The third application name is AppName3. There are no ACL rules for this application.
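To make the extraction reproducible without an EAA tenant, here is an added example (it is not code from this blog or from Akamai) that applies the same logic to a constructed /apps response shaped like the example result above. The sample response, the helper names (access_rules, acl_string, rule_text, summarize, apps_without_acl, to_dataframe) and the rendering of each criterion as “type operator value” are assumptions of this example; the field names (objects, name, Services, service.name, access_rules, settings) follow the blog's own code. It goes a little beyond the steps above in two ways: rules are joined with “ || ” so there is no trailing separator, and applications with no access control rule at all are listed separately, since those are the rows a reviewer of the ACL output wants to see first. The criteria rendering follows the AND-within-a-rule, OR-between-rules reading given in the “What is an ACL?” section.

```python
"""Added example: summarize EAA access control rules from an /apps response."""


# Constructed stand-in for json.loads(pcreate_res.text); NOT real API output.
# Shaped to reproduce the blog's example result for AppName1..AppName3.
SAMPLE_RESPONSE = {
    "meta": {"total_count": 3},
    "objects": [
        {"name": "AppName1", "Services": [
            {"service": {"name": "Access Control"}, "access_rules": [
                {"name": "Deny non-US", "settings": [
                    {"operator": "!=", "type": "country", "value": "US"}]},
                {"name": "Deny Jane", "settings": [
                    {"operator": "==", "type": "user", "value": "jane@test.com"}]},
            ]},
        ]},
        {"name": "AppName2", "Services": [
            # a non-ACL service entry, to show it is skipped
            {"service": {"name": "Some Other Service"}, "access_rules": []},
            {"service": {"name": "Access Control"}, "access_rules": [
                {"name": "Test", "settings": []},
                {"name": "DenyRuleCombo", "settings": [
                    {"operator": "==", "type": "url", "value": "GRF.aspx"},
                    {"operator": "!=", "type": "group", "value": "testgroup"}]},
            ]},
        ]},
        {"name": "AppName3", "Services": []},
    ],
}


def access_rules(services):
    """Collect the access rules of every 'Access Control' service entry."""
    rules = []
    for svc in services:
        if svc.get("service", {}).get("name") == "Access Control":
            rules.extend(svc.get("access_rules", []))
    return rules


def acl_string(services):
    """Same text as the blog's getACLInfo, joined so no trailing ' || ' is left."""
    return " || ".join(f"{r['name']} {r['settings']}" for r in access_rules(services))


def criterion_text(c):
    """One criterion as 'type operator value' (hypothetical rendering)."""
    return f"{c['type']} {c['operator']} {c['value']!r}"


def rule_text(rule):
    """Readable rule: the criteria within one rule are ANDed, as in 'Deny John'."""
    if not rule["settings"]:
        return f"{rule['name']}: (no criteria)"
    return f"{rule['name']}: deny if " + " AND ".join(
        criterion_text(c) for c in rule["settings"])


def summarize(response):
    """One row per application: name, the blog-style ACL string, readable rules."""
    rows = []
    for app in response["objects"]:
        rules = access_rules(app["Services"])
        rows.append({
            "name": app["name"],
            "ACL": acl_string(app["Services"]),
            "rules": [rule_text(r) for r in rules],
        })
    return rows


def apps_without_acl(response):
    """Review aid: applications that carry no access control rule at all."""
    return [row["name"] for row in summarize(response) if not row["rules"]]


def to_dataframe(response):
    """Optional: the blog's two-column appsdf, for environments with pandas."""
    import pandas as pd  # imported here so the rest of the example has no dependency
    return pd.DataFrame([{"name": r["name"], "ACL": r["ACL"]}
                         for r in summarize(response)])


if __name__ == "__main__":
    for row in summarize(SAMPLE_RESPONSE):
        print(row["name"], "|", row["ACL"])
        for line in row["rules"]:
            print("   ", line)
    print("Applications without any ACL rule:", apps_without_acl(SAMPLE_RESPONSE))
```

Running it prints the same three rows as the example result (minus the trailing separator) and then reports AppName3 as the application with no ACL rule. Replace SAMPLE_RESPONSE with the parsed body of the real /apps call and the rest of the code is unchanged.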

Delivering on Zero Trust 

Akamai’s ACL capability helps you deliver on a Zero Trust security approach by allowing only authorized users and devices to access the applications configured in your EAA portal. Using Pandas is a fast and easy way to retrieve ACL details and review the rules that keep your applications safe. Learn more about Akamai’s EAA solution.