Multiple attributes in the same category in XACML 3.0
I am learning XACML 3.0 and would like to ask: if I have two attributes with different IDs but in the same category, i.e. (Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"), is this interpreted as two different attributes of the same category, or as two separate requests each carrying a single attribute?
Thanks.
It appears my answer is wrong. However, I am leaving it here because it discusses the related issue of multiple decision requests.
The XACML 3.0 Multiple Decision Profile is clear on this:
Such a request context SHALL be interpreted as a request for access to all situations specified in the individual <Attributes> elements. Each <Attributes> element SHALL represent one Individual Resource, subject, or another category unless that element utilizes the other mechanisms described in this Profile. For each combination of repeated <Attributes> elements, one Individual Decision Request SHALL be created. This Individual Request SHALL be identical to the original request context with one exception: only one <Attributes> element of each repeated category SHALL be present. If such an <Attributes> element contains a "scope" attribute having any value other than "Immediate", then the Individual Request SHALL be further processed according to the processing model specified in Section 5. This processing may involve decomposing the one Individual Decision Request into other Individual Decision Requests before evaluation by the PDP.
So our request is interpreted as two different requests, each carrying one attribute from the category you mentioned. Of course, this assumes that your PDP actually implements the Multiple Decision Profile.
If you create a XACML request with 4 different categories (e.g. subject, action, resource and environment) and add one or more attributes to each category, you will always have a single request and will therefore always get a single response.
Example:
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="action-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="resource-type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical record</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="resource-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doc#123</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId="user.role" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="user.identifier" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
The XACML request above means
Can Alice the manager view medical record doc#123?
If you create a XACML request and repeat a category more than once, you are building a multiple decision request. For instance, we can ask
Can Alice the manager view and edit medical record doc#123?
In XACML this becomes:
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="action-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="resource-type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical record</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="resource-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doc#123</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId="user.role" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="user.identifier" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="action-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">edit</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
</xacml-ctx:Attributes>
</xacml-ctx:Request>
Note that the order of the categories does not matter. You can also give your categories XML identifiers and build XACML multiple decision requests by reference, but that is not commonly used.
You will find an interesting article on the topic and the Axiomatics SDK here.
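The following is an added example, not code from the question, either answer, or the Axiomatics SDK. It implements the "repeated categories" rule quoted from the Multiple Decision Profile in the first answer and demonstrates the point of the second: several <Attribute> children inside one <Attributes> element stay together in a single request, whereas two <Attributes> elements with the same Category are split into one Individual Decision Request per combination. The sample request is constructed from the second answer's "view and edit" example; the function and constant names are the example's own, and it assumes that only <Attributes> children of <Request> need to be carried over (RequestDefaults, MultiRequests and the "scope" attribute are out of scope).

```python
"""Split an XACML 3.0 request context into Individual Decision Requests.

Added example (not the original post's code). Groups every <Attributes>
element by its Category and builds one Individual Decision Request per
combination, as the Multiple Decision Profile prescribes for repeated
categories. Several <Attribute> children of one <Attributes> element are
never split apart, which is the situation the question asks about.
Assumption: only <Attributes> children of <Request> are carried over;
RequestDefaults, MultiRequests and "scope" handling are out of scope.
"""
import copy
import itertools
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ATTRIBUTES = f"{{{NS}}}Attributes"
ATTRIBUTE = f"{{{NS}}}Attribute"
VALUE = f"{{{NS}}}AttributeValue"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ET.register_namespace("", NS)  # keep the default namespace when serialising

# Constructed sample modelled on the answer's second request:
# "Can Alice the manager view and edit medical record doc#123?"
# The action category appears twice; the resource category appears once
# but carries two attributes (resource-type and resource-id).
SAMPLE_REQUEST = f"""<Request xmlns="{NS}" ReturnPolicyIdList="true" CombinedDecision="false">
  <Attributes Category="{ACTION}">
    <Attribute AttributeId="action-id" IncludeInResult="true">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="{RESOURCE}">
    <Attribute AttributeId="resource-type" IncludeInResult="true">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical record</AttributeValue>
    </Attribute>
    <Attribute AttributeId="resource-id" IncludeInResult="true">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doc#123</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="{SUBJECT}">
    <Attribute AttributeId="user.role" IncludeInResult="true">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
    </Attribute>
    <Attribute AttributeId="user.identifier" IncludeInResult="true">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="{ACTION}">
    <Attribute AttributeId="action-id" IncludeInResult="true">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">edit</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""


def split_individual_requests(request_xml: str) -> list[ET.Element]:
    """Return one <Request> per combination of repeated <Attributes> categories.

    A request whose categories are all distinct yields exactly one request.
    Caution: xml.etree is not hardened against entity-expansion attacks;
    parse request contexts coming from untrusted PEPs with defusedxml.
    """
    root = ET.fromstring(request_xml)
    groups: dict[str, list[ET.Element]] = {}
    for attrs in root.findall(ATTRIBUTES):
        groups.setdefault(attrs.get("Category"), []).append(attrs)
    individual = []
    for combo in itertools.product(*groups.values()):
        req = ET.Element(root.tag, root.attrib)  # keeps ReturnPolicyIdList etc.
        req.extend(copy.deepcopy(attrs) for attrs in combo)
        individual.append(req)
    return individual


def attribute_values(req: ET.Element, category: str, attribute_id: str) -> list[str]:
    """Collect the values of one AttributeId inside one Category of a request."""
    return [
        value.text
        for attrs in req.findall(ATTRIBUTES)
        if attrs.get("Category") == category
        for attr in attrs.findall(ATTRIBUTE)
        if attr.get("AttributeId") == attribute_id
        for value in attr.findall(VALUE)
    ]


def to_xml(req: ET.Element) -> str:
    """Serialise an Individual Decision Request back to a string."""
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    for n, req in enumerate(split_individual_requests(SAMPLE_REQUEST), 1):
        print(f"Individual request {n}:",
              attribute_values(req, SUBJECT, "user.identifier"),
              attribute_values(req, ACTION, "action-id"),
              attribute_values(req, RESOURCE, "resource-type"),
              attribute_values(req, RESOURCE, "resource-id"))
```

Running it prints two individual requests, one for "view" and one for "edit", and both still carry resource-type "medical record" and resource-id "doc#123" together, because those two attributes live in a single <Attributes> element. Re-splitting one of the individual requests yields one request, matching the second answer's point that a request with no repeated category is a single request with a single response. The cartesian product grows quickly when several categories are repeated, so a PDP or PEP that accepts request contexts from less trusted callers should cap the number of individual requests it is willing to generate.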