Using ABAC, how do I express a rule that subject A is allowed to share resource X with subject B?
Using ABAC, it is easy to express rules such as:
A Subject (with position = 'Manager') is allowed to perform Action (with name = 'Write') on a Resource (with class = 'Document' and type = 'Report').
However, when controlling a sharing event, you need to specify two kinds of subject: the person doing the sharing and the intended recipient.
For example: a manager may wish to share a report with junior staff in her department.
This could be written as a series of rules involving two kinds of Subject, but how do you express the "directedness" of the sharing, e.g. that a Manager can share with a Junior but not vice versa? I have tried several approaches, but because of the subject -> resource -> subject structure they all look very verbose, and I am not sure they really capture all the semantics of access-controlled content sharing, such as what can happen in an online social network.
Perhaps there is an underlying ABAC 'design pattern' for this....
You can model this in ABAC in several ways. In my examples I will use ALFA as the language. ALFA translates directly into XACML.
Using an additional resource attribute
Managers can share reports with junior staff in their department.
In pseudo-code, this becomes
A user with role == "manager" can do action == "share" on object of type == "report" if user.department == recipient.department AND recipient.level == "junior"
In this example the attributes are defined as follows:
- role, of category access-subject, type string
- action, of category action, type string
- type, of category resource, type string
- user.department, of category access-subject, type string
- recipient.department, of category resource, type string
- recipient.level, of category resource, type string
Using the recipient subject category
Now, of course, you could argue that the recipient is not a resource but rather... a recipient. That is why XACML invented another subject category, the recipient subject (urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject).
In fact, in addition to the standard ones, XACML also lets you define your own custom categories. As a reminder, XACML provides
- urn:oasis:names:tc:xacml:3.0:attribute-category:resource
- urn:oasis:names:tc:xacml:3.0:attribute-category:action
- urn:oasis:names:tc:xacml:3.0:attribute-category:environment
- urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
- urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject
- urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject
- urn:oasis:names:tc:xacml:1.0:subject-category:codebase
- urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine
With that in mind, the attributes become:
- role, of category access-subject, type string
- action, of category action, type string
- type, of category resource, type string
- user.department, of category access-subject, type string
- recipient.department, of category recipient-subject, type string
- recipient.level, of category recipient-subject, type string
and the ALFA policy becomes
/**
 * Control access to reports
 */
policyset report {
    target clause objectType == "report"
    apply firstApplicable
    /**
     * Share reports
     */
    policy shareReport {
        target clause actionId == "share"
        apply firstApplicable
        /**
         * Managers can share reports if...
         */
        rule managers {
            target clause user.role == "manager" and recipient.level == "junior"
            condition user.department == recipient.department
            permit
        }
    }
}
In XACML, the policy becomes
<?xml version="1.0" encoding="UTF-8"?><!--This file was generated by the
ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). --><!--Any modification to this file will
be lost upon recompilation of the source ALFA file -->
<xacml3:PolicySet
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
PolicySetId="http://axiomatics.com/alfa/identifier/com.axio.report"
Version="1.0"
xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml3:Description>Control access to reports</xacml3:Description>
<xacml3:PolicySetDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
</xacml3:XPathVersion>
</xacml3:PolicySetDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">report</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.objectType"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Policy
PolicyId="http://axiomatics.com/alfa/identifier/com.axio.report.shareReport"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description>Share reports</xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">share</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.actionId"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Rule Effect="Permit"
RuleId="com.axio.report.shareReport.managers">
<xacml3:Description>Managers can share reports if...
</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.user.role"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">junior</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.recipient.level"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Condition>
<xacml3:Apply
FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">
<xacml3:Function
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.user.department"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.recipient.department"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
</xacml3:Policy>
</xacml3:PolicySet>
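The following is an added example, not code from the question, the answer, or Axiomatics' ALFA tooling: a minimal evaluator in the style of a XACML PDP that mirrors the policy set above (same category URNs, attribute ids and first-applicable combining) so that the "directedness" the question asks about can be seen in the decisions. It shows that Manager -> Junior in the same department is permitted while the reverse direction, a different department, another action, or a missing recipient attribute all yield NotApplicable. The helper names (`attr`, `Rule`, `Policy`, `PolicySet`, `decide_share`, `same_department`) and the sample subjects are this example's own.

```python
# Added example: tiny first-applicable evaluator for the two-subject-category
# rule above.  Category URNs and attribute ids follow the ALFA/XACML policy;
# the Python helpers and the sample subjects are this example's assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# XACML 3.0 category identifiers used by the policy.
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RECIPIENT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"

# Request context: category -> attribute id -> value (single strings here).
Request = Dict[str, Dict[str, str]]
Predicate = Callable[[Request], bool]


def attr(req: Request, category: str, attribute_id: str) -> Optional[str]:
    """AttributeDesignator with MustBePresent="false": missing -> None."""
    return req.get(category, {}).get(attribute_id)


@dataclass
class Rule:
    rule_id: str
    effect: str  # "Permit" or "Deny"
    target: Predicate
    condition: Predicate = lambda req: True


@dataclass
class Policy:
    policy_id: str
    target: Predicate
    rules: List[Rule]


@dataclass
class PolicySet:
    policy_set_id: str
    target: Predicate
    policies: List[Policy]


def evaluate_policy(policy: Policy, req: Request) -> str:
    """first-applicable rule combining: first matching rule decides."""
    if not policy.target(req):
        return "NotApplicable"
    for rule in policy.rules:
        if rule.target(req) and rule.condition(req):
            return rule.effect
    return "NotApplicable"


def evaluate_policy_set(pset: PolicySet, req: Request) -> str:
    """first-applicable policy combining over the contained policies."""
    if not pset.target(req):
        return "NotApplicable"
    for policy in pset.policies:
        decision = evaluate_policy(policy, req)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


def same_department(req: Request) -> bool:
    """condition user.department == recipient.department: compares an
    access-subject attribute with a recipient-subject attribute.  Like
    any-of-any over an empty bag, a missing value evaluates to false."""
    user_dept = attr(req, ACCESS_SUBJECT, "user.department")
    recipient_dept = attr(req, RECIPIENT_SUBJECT, "recipient.department")
    return user_dept is not None and user_dept == recipient_dept


REPORT_POLICY_SET = PolicySet(
    policy_set_id="com.axio.report",
    target=lambda r: attr(r, RESOURCE, "objectType") == "report",
    policies=[Policy(
        policy_id="com.axio.report.shareReport",
        target=lambda r: attr(r, ACTION, "actionId") == "share",
        rules=[Rule(
            rule_id="com.axio.report.shareReport.managers",
            effect="Permit",
            # target clause user.role == "manager" and recipient.level == "junior"
            target=lambda r: attr(r, ACCESS_SUBJECT, "user.role") == "manager"
            and attr(r, RECIPIENT_SUBJECT, "recipient.level") == "junior",
            condition=same_department,
        )],
    )],
)


def decide_share(user: Dict[str, str], recipient: Dict[str, str],
                 action_id: str = "share", object_type: str = "report") -> str:
    """Build the request: sharer as access-subject, intended recipient as
    recipient-subject, plus action and resource; then evaluate."""
    req: Request = {
        ACCESS_SUBJECT: {"user." + k: v for k, v in user.items()},
        RECIPIENT_SUBJECT: {"recipient." + k: v for k, v in recipient.items()},
        ACTION: {"actionId": action_id},
        RESOURCE: {"objectType": object_type},
    }
    return evaluate_policy_set(REPORT_POLICY_SET, req)


if __name__ == "__main__":
    # Constructed sample subjects: direction matters, the rule is one-way.
    alice = {"role": "manager", "level": "senior", "department": "finance"}
    bob = {"role": "staff", "level": "junior", "department": "finance"}
    carol = {"role": "staff", "level": "junior", "department": "sales"}
    print("alice -> bob  :", decide_share(alice, bob))    # Permit
    print("bob -> alice  :", decide_share(bob, alice))    # NotApplicable
    print("alice -> carol:", decide_share(alice, carol))  # NotApplicable
```

Because the only rule is a Permit, every request it does not match comes back NotApplicable rather than Deny; a PEP in front of this policy should therefore be deny-biased (treat anything other than Permit as a refusal), which is the standard XACML way to make the absence of a matching rule mean "no sharing".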