Complex XACML, combination and dependencies of bags
I have an XACML request like this (pseudo-XACML):
<Request>
<Attributes Category="resource">
<Attribute AttributeId="product">
<AttributeValue>A</AttributeValue>
</Attribute>
<Attribute AttributeId="market">
<AttributeValue>M2</AttributeValue>
<AttributeValue>M3</AttributeValue>
</Attribute>
<Attribute AttributeId="slice">
<AttributeValue>fus</AttributeValue>
<AttributeValue>do</AttributeValue>
<AttributeValue>rah</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="subject">
<Attribute AttributeId="product-market-slice-access">
<AttributeValue>A:::M2:::fus</AttributeValue>
<AttributeValue>A:::M2:::do</AttributeValue>
<AttributeValue>A:::M2:::rah</AttributeValue>
<AttributeValue>A:::M3:::fus</AttributeValue>
<AttributeValue>A:::M3:::do</AttributeValue>
<!--<AttributeValue>A:::M3:::rah</AttributeValue>--> <!-- Missing attribute, permission denied! -->
</Attribute>
</Attributes>
</Request>
I want to create a policy that denies access for the request above, and permits access once the subject is given the missing attribute value (the commented-out one).
Is there a way to express this in an XACML/ALFA policy?
It would help if XACML had a function that could "join" bags (think SQL join). Then I could combine it with the functions "AnyOfAll" and "String-Equal".
Pseudo-XML of the wanted function:
<WantedFunction>
<Input>
<Separator>:::</Separator>
<Bag>
<AttributeValue>A</AttributeValue>
<AttributeValue>B</AttributeValue>
</Bag>
<Bag>
<AttributeValue>M2</AttributeValue>
<AttributeValue>M3</AttributeValue>
</Bag>
<Bag>
<AttributeValue>fus</AttributeValue>
<AttributeValue>do</AttributeValue>
<AttributeValue>rah</AttributeValue>
</Bag>
</Input>
<Output>
<Bag>
<AttributeValue>A:::M2:::fus</AttributeValue>
<AttributeValue>A:::M2:::do</AttributeValue>
<AttributeValue>A:::M2:::rah</AttributeValue>
<AttributeValue>A:::M3:::fus</AttributeValue>
<AttributeValue>A:::M3:::do</AttributeValue>
<AttributeValue>A:::M3:::rah</AttributeValue>
<AttributeValue>B:::M2:::fus</AttributeValue>
<AttributeValue>B:::M2:::do</AttributeValue>
<AttributeValue>B:::M2:::rah</AttributeValue>
<AttributeValue>B:::M3:::fus</AttributeValue>
<AttributeValue>B:::M3:::do</AttributeValue>
<AttributeValue>B:::M3:::rah</AttributeValue>
</Bag>
</Output>
</WantedFunction>
This is a great question, and I am happy to see you are using ALFA too. Let me explain.
Requests
First of all, in an XACML request, sending an attribute as two separate attributes is the same as sending it as a single attribute. For instance, the following two requests are equivalent:
Can Alice the customer who is also an employee view insurance policy 123?
Sample request 1
<?xml version="1.0" encoding="UTF-8"?><xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId="com.axiomatics.user.type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="com.axiomatics.user.type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="com.axiomatics.resource.type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">insurance policy</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="com.axiomatics.policy.polId" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
Sample request 2
<?xml version="1.0" encoding="UTF-8"?><xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId="com.axiomatics.user.type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer</xacml-ctx:AttributeValue>
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="com.axiomatics.resource.type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">insurance policy</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="com.axiomatics.policy.polId" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
Attributes are bags
In XACML, an attribute is always a bag. It is always multi-valued, even if it contains zero or one value. This means that if you want to operate on an attribute, you have to remember that it is a bag. For instance, if you want to concatenate market with slice, you either have to convert it to a single value (which only works if it really is a single value) or use a higher-order function. A higher-order function is a function that takes another function as a parameter, e.g. allOf.
Concatenating multi-valued attributes
One option is to use stringConcatenate, but that function only works on atomic values. You could use map to apply it to a bag, but unfortunately in your case you would need a map that can handle multiple bags.
Solution: use the Multiple Decision Profile
Rather than sending all the values at once, you can use the Multiple Decision Profile (MDP) to send several requests in one go:
Can Alice view, edit, delete record 1,2,3?
The answer will contain as many decisions as the combinatorial product (here 1x3x3).
In your case, you would combine all the decisions into a single one. If all are Permit, then Permit, otherwise Deny. There is a parameter in the MDP that does this. It is called CombinedDecision.
With that in mind, the policy would look like this (in ALFA notation):
namespace com.axiomatics{
    attribute product{
        category = resourceCat
        id = "product"
        type = string
    }
    attribute market{
        category = resourceCat
        id = "market"
        type = string
    }
    attribute slice{
        category = resourceCat
        id = "slice"
        type = string
    }
    attribute productMarketSliceAccess{
        category = subjectCat
        id = "product-market-slice-access"
        type = string
    }
    policy userAccessProductMarketSlice{
        apply firstApplicable
        // Each MDP sub-request carries exactly one product, market and slice,
        // so stringOneAndOnly is safe here. On a bag with zero or several
        // values it raises an error and the decision becomes Indeterminate.
        // The ":::" separator matches the subject's tuple format and prevents
        // ambiguous concatenations such as "A"+"BC"+"D" vs "AB"+"C"+"D".
        rule allowAccess{
            permit
            condition stringIsIn(stringOneAndOnly(product) + ":::" +
                                 stringOneAndOnly(market) + ":::" +
                                 stringOneAndOnly(slice), productMarketSliceAccess)
        }
        // Explicit fallback so that a missing tuple yields Deny rather than
        // NotApplicable, which a PEP might not treat as a refusal.
        rule denyOthers{
            deny
        }
    }
}
Sample request - MDP
{
  "Request": {
    "CombinedDecision": true,
    "AccessSubject": {
      "Attribute": [
        {
          "AttributeId": "product-market-slice-access",
          "Value": "B:::A:::C"
        },
        {
          "AttributeId": "product-market-slice-access",
          "Value": "D:::E:::F"
        }
      ]
    },
    "Resource": [
      {
        "Attribute": [
          { "AttributeId": "market", "Value": "A" },
          { "AttributeId": "product", "Value": "B" },
          { "AttributeId": "slice", "Value": "C" }
        ]
      },
      {
        "Attribute": [
          { "AttributeId": "market", "Value": "E" },
          { "AttributeId": "product", "Value": "D" },
          { "AttributeId": "slice", "Value": "F" }
        ]
      }
    ],
    "Action": {
      "Attribute": []
    },
    "Environment": {
      "Attribute": []
    }
  }
}
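The following is an added example, not code from the question or the answer above. It models the MDP approach end to end in Python: the questioner's multi-valued resource bags are expanded into single-valued sub-requests (the Cartesian product that the "wanted function" describes), a JSON-profile request with CombinedDecision set is built from them, each sub-request is evaluated against the ALFA rule, and the individual decisions are combined fail-closed as the answer describes (Permit only if every sub-decision is Permit). The mini PDP, the resource bags and the subject's access list are all constructed here as stand-ins; they are not a real XACML engine or API. It also shows two failure modes a practitioner should check for: evaluating the original multi-valued request directly makes stringOneAndOnly fail (Indeterminate), and concatenating without a separator lets distinct tuples collide.

```python
"""Model of the Multiple Decision Profile approach for bag-joined attributes."""
import json
from itertools import product as cartesian

SEPARATOR = ":::"                     # the questioner's tuple separator
KEYS = ("product", "market", "slice")  # order used when joining a tuple

# Constructed sample input mirroring the question's pseudo-XACML request.
RESOURCE_BAGS = {
    "product": ["A"],
    "market": ["M2", "M3"],
    "slice": ["fus", "do", "rah"],
}
SUBJECT_ACCESS = [
    "A:::M2:::fus", "A:::M2:::do", "A:::M2:::rah",
    "A:::M3:::fus", "A:::M3:::do",
    # "A:::M3:::rah" is deliberately missing: the combined decision must be Deny
]


def join_bags(bags, sep=SEPARATOR):
    """The 'wanted function': Cartesian product of the bags, each tuple joined with sep."""
    return [sep.join(t) for t in cartesian(*(bags[k] for k in KEYS))]


def expand_to_subrequests(bags):
    """One single-valued resource per combination, which is what MDP lets the PDP evaluate."""
    return [{k: [v] for k, v in zip(KEYS, t)} for t in cartesian(*(bags[k] for k in KEYS))]


def build_mdp_request(bags, subject_values):
    """Builds the JSON-profile request body with CombinedDecision=true (PEP side)."""
    return {
        "Request": {
            "CombinedDecision": True,
            "AccessSubject": {
                "Attribute": [
                    {"AttributeId": "product-market-slice-access", "Value": v}
                    for v in subject_values
                ]
            },
            "Resource": [
                {"Attribute": [{"AttributeId": k, "Value": r[k][0]} for k in KEYS]}
                for r in expand_to_subrequests(bags)
            ],
            "Action": {"Attribute": []},
            "Environment": {"Attribute": []},
        }
    }


def one_and_only(bag):
    """Models XACML stringOneAndOnly: exactly one value, otherwise an evaluation error."""
    if len(bag) != 1:
        raise ValueError("bag must contain exactly one value, got %d" % len(bag))
    return bag[0]


def evaluate_rule(resource_bags, subject_values, sep=SEPARATOR):
    """Models the ALFA policy: permit if the joined tuple is in the subject's bag,
    deny otherwise, Indeterminate if stringOneAndOnly fails."""
    try:
        tup = sep.join(one_and_only(resource_bags[k]) for k in KEYS)
    except ValueError:
        return "Indeterminate"
    return "Permit" if tup in subject_values else "Deny"


def combined_decision(decisions):
    """Fail-closed combination: Permit only when every sub-decision is Permit."""
    if decisions and all(d == "Permit" for d in decisions):
        return "Permit"
    return "Deny"


def decide(bags, subject_values, sep=SEPARATOR):
    """Full round trip: expand, evaluate each sub-request, combine."""
    subs = expand_to_subrequests(bags)
    return combined_decision([evaluate_rule(r, subject_values, sep) for r in subs])


if __name__ == "__main__":
    print(json.dumps(build_mdp_request(RESOURCE_BAGS, SUBJECT_ACCESS), indent=2))
    print("combined:", decide(RESOURCE_BAGS, SUBJECT_ACCESS))
    print("after granting A:::M3:::rah:",
          decide(RESOURCE_BAGS, SUBJECT_ACCESS + ["A:::M3:::rah"]))
```

Running it prints the expanded MDP request with six resources and a combined decision of Deny; adding the missing tuple to the subject's list flips it to Permit. The separator check matters beyond cosmetics: with an empty separator a subject granted product "A", market "BC", slice "D" would also be permitted on product "AB", market "C", slice "D", because both concatenate to "ABCD".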