How to create XACML policy and request single user having multiple roles in same resources or different resources
How to create an XACML policy with multiple roles for a single user and the same resource, and how to create a request that hits only one rule for that role and resource.
Data model
- Resource: company
- Roles: admin (create and delete), visitor (read), tenant (update);
- User: abc;
Scenario
If the user logs in to the application with the resource "company" and selects the "admin" role, then create the request, validate the XACML policy rule and allow (create and delete).
If the user logs in to the application with the resource "company" and selects the "visitor" role, then create the request, validate the XACML policy rule and allow (read).
If the user logs in to the application with the resource "company" and selects the "tenant" role, then create the request, validate the XACML policy rule and allow (update).
Question
I just want a sample policy and request.
What type of XACML policy do we create, and what request will we send in XML format?
Here is the policy you are looking for, in ALFA.
namespace com.axiomatics.so.pankaj {
    /**
     * Company policy
     */
    policyset company {
        target clause resource == "company"
        apply firstApplicable
        /**
         * Administrators can...
         */
        policy administrator {
            target clause role == "admin"
            apply firstApplicable
            /**
             * Create
             */
            rule create {
                target clause action == "create"
                permit
            }
            /**
             * Delete
             */
            rule delete {
                target clause action == "delete"
                permit
            }
        }
        /**
         * Visitors can...
         */
        policy visitor {
            target clause role == "visitor"
            apply firstApplicable
            /**
             * read
             */
            rule read {
                target clause action == "read"
                permit
            }
        }
        /**
         * Tenants can...
         */
        policy tenant {
            target clause role == "tenant"
            apply firstApplicable
            /**
             * Update
             */
            rule update {
                target clause action == "update"
                permit
            }
        }
    }
}
You also need to define the attributes you will use in the policy.
attribute role {
    category = subjectCat
    id = "com.axiomatics.so.role"
    type = string
}
attribute resource {
    category = resourceCat
    id = "com.axiomatics.so.company"
    type = string
}
attribute action {
    category = actionCat
    id = "com.axiomatics.so.action"
    type = string
}
This results in the following XACML policy in XML:
<?xml version="1.0" encoding="UTF-8"?>
<!-- This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). -->
<!-- Any modification to this file will be lost upon recompilation of the source ALFA file -->
<xacml3:PolicySet
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
PolicySetId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company"
Version="1.0"
xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml3:Description>Company policy</xacml3:Description>
<xacml3:PolicySetDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
</xacml3:XPathVersion>
</xacml3:PolicySetDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">company</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.so.company"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Policy
PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.administrator"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description>Administrators can...</xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">admin</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.so.role"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Rule Effect="Permit"
RuleId="com.axiomatics.so.pankaj.company.administrator.create">
<xacml3:Description>Create</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">create</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.so.action"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
</xacml3:Rule>
<xacml3:Rule Effect="Permit"
RuleId="com.axiomatics.so.pankaj.company.administrator.delete">
<xacml3:Description>Delete</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">delete</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.so.action"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
</xacml3:Rule>
</xacml3:Policy>
<xacml3:Policy
PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.visitor"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description>Visitors can...</xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">visitor</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.so.role"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Rule Effect="Permit"
RuleId="com.axiomatics.so.pankaj.company.visitor.read">
<xacml3:Description>read</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.so.action"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
</xacml3:Rule>
</xacml3:Policy>
<xacml3:Policy
PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.tenant"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description>Tenants can...</xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">tenant</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.so.role"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Rule Effect="Permit"
RuleId="com.axiomatics.so.pankaj.company.tenant.update">
<xacml3:Description>Update</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">update</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="com.axiomatics.so.action"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false" />
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
</xacml3:Rule>
</xacml3:Policy>
</xacml3:PolicySet>
Sample request and response
{
    "Request": {
        "ReturnPolicyIdList": true,
        "AccessSubject": {
            "Attribute": [
                {
                    "AttributeId": "com.axiomatics.so.role",
                    "Value": "admin"
                }
            ]
        },
        "Resource": {
            "Attribute": [
                {
                    "AttributeId": "com.axiomatics.so.company",
                    "Value": "company"
                }
            ]
        },
        "Action": {
            "Attribute": [
                {
                    "AttributeId": "com.axiomatics.so.action",
                    "Value": "create"
                }
            ]
        },
        "Environment": {
            "Attribute": []
        }
    }
}
And the response
{
    "Response" : {
        "Decision" : "Permit",
        "Status" : {
            "StatusCode" : {
                "Value" : "urn:oasis:names:tc:xacml:1.0:status:ok",
                "StatusCode" : {
                    "Value" : "urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            }
        },
        "PolicyIdentifierList" : {
            "PolicyIdReference" : {
                "Id" : "http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.administrator",
                "Version" : "1.0"
            },
            "PolicySetIdReference" : {
                "Id" : "http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company",
                "Version" : "1.0"
            }
        }
    }
}
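As an added example (not part of the original question or answer), the following Python models the policy set above and evaluates requests against it with first-applicable combining at both levels. It shows what a subject carrying several role values gets (the question's multi-role user), and that a request matching no rule ends in NotApplicable, which the PEP must treat as a denial. The dict model, request values and function names are my own constructions, not an Axiomatics API.

```python
from typing import Dict, List, Tuple

# Attribute ids exactly as declared in the ALFA attribute definitions above.
ROLE = "com.axiomatics.so.role"
RESOURCE = "com.axiomatics.so.company"
ACTION = "com.axiomatics.so.action"
# Model of policyset "company": its target, then its three policies in order,
# each with its own target and permit-only rules (first-applicable throughout).
POLICY_SET = {
    "target": (RESOURCE, "company"),
    "policies": [
        {"id": "administrator", "target": (ROLE, "admin"),
         "rules": [(ACTION, "create"), (ACTION, "delete")]},
        {"id": "visitor", "target": (ROLE, "visitor"),
         "rules": [(ACTION, "read")]},
        {"id": "tenant", "target": (ROLE, "tenant"),
         "rules": [(ACTION, "update")]},
    ],
}

Request = Dict[str, List[str]]  # attribute id -> bag of string values

def match(req: Request, target: Tuple[str, str]) -> bool:
    """One XACML Match with string-equal: true if ANY value in the
    attribute bag equals the literal. MustBePresent="false" means a
    missing attribute just fails the match rather than raising an error."""
    attr_id, literal = target
    return literal in req.get(attr_id, [])

def evaluate(req: Request) -> Tuple[str, str]:
    """Return (decision, policy id) under first-applicable combining."""
    if not match(req, POLICY_SET["target"]):
        return ("NotApplicable", "")
    for policy in POLICY_SET["policies"]:
        if not match(req, policy["target"]):
            continue  # role not in the request's role bag: skip this policy
        for rule_target in policy["rules"]:
            if match(req, rule_target):
                return ("Permit", policy["id"])  # first applicable rule wins
        # Role matched but no rule matched the action: this policy is
        # NotApplicable, so the combiner moves on to the next one.
    return ("NotApplicable", "")  # the PEP must treat this as a denial

# Constructed requests; the first mirrors the JSON request in the answer.
ADMIN_CREATE = {ROLE: ["admin"], RESOURCE: ["company"], ACTION: ["create"]}
ADMIN_READ = {ROLE: ["admin"], RESOURCE: ["company"], ACTION: ["read"]}
# One subject carrying two roles at once (the question's multi-role user).
ADMIN_AND_VISITOR_READ = {ROLE: ["admin", "visitor"], RESOURCE: ["company"], ACTION: ["read"]}

if __name__ == "__main__":
    for name, req in [("admin/create", ADMIN_CREATE), ("admin/read", ADMIN_READ),
                      ("admin+visitor/read", ADMIN_AND_VISITOR_READ)]:
        print(name, "->", evaluate(req))
```

Note that the administrator policy is applicable by target for the admin+visitor read request but none of its rules match, so first-applicable falls through to the visitor policy; a real PDP behaves the same way with the generated XML.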