Authzforce - 简单的 ABAC 策略创建失败
Authzforce - Simple ABAC policy creation fails
我正在使用 Authzforce 8.1.0,并且我已经根据 Users' and Programmers Guider 中给出的示例创建了几个 RBAC 策略方案,但我想创建一个简单的 ABAC场景
作为 XACML 语言的新手,我正在尝试遵循 here 中的一些示例。更具体地说,我正在尝试实施类似于 4.1.1 示例政策.
的政策
我要创建的策略
Assume that a corporation named Medi Corp (identified by its domain name: med.example.com) has an access control policy that states, in English:
Any user with an e-mail name in the "med.example.com" namespace is
allowed to perform any action on any resource.
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:schema:os
http://docs.oasis-open.org/xacml/FIXME.xsd"
PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
Version="1.0"
RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
<Description>
Medi Corp access control policy
</Description>
<Target/>
<Rule
RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
Effect="Permit">
<Description>
Any subject with an e-mail name in the med.example.com domain
can perform any action on any resource.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
当我在 {ip}:{port}/authzforce-ce/domains/{domainId}/pap/policies 上尝试 POST 此政策时
我收到以下错误
错误
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
<message>Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Policy'.</message>
</error>
到目前为止,我在 authzforce 中看到的所有示例都以 <PolicySet> 声明开始(我们可以在其中声明多个 <Policy> 块,所以我认为这可能是个问题并尝试了将策略包含在 policySet 中,如下所示:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicySetId="first_policyset_id"
Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny">
<Description>Policy for Github</Description>
<Target />
<Policy
PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
Version="1.0"
RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
<Description>
Medi Corp access control policy
</Description>
<Target/>
<Rule
RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
Effect="Permit">
<Description>
Any subject with an e-mail name in the med.example.com domain
can perform any action on any resource.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
MustBePresent="false"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
</PolicySet>
但现在我得到以下信息:
回应
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
<message>Failed to find a root PolicySet with id = 'first_policyset_id', Version=1.0,EarliestVersion=*,LatestVersion=*: Matched PolicySet 'first_policyset_id' (version 1.0) is invalid or its content is unavailable</message>
</error>
创建如此简单的 ABAC 策略方案的 XACML 请求的正确格式是什么? 关于此的策略访问请求的示例也将非常感谢,提前致谢!
不幸的是,第 4.1.1 节中的这个示例存在已知问题,我已经在 xacml-comment mailing list 上报告了其中一些问题。它应该在下一版本的 XACML 规范中得到修复。与此同时,您需要解决这些问题:
- 完全删除
xsi:schemaLocation。因为位置 http://docs.oasis-open.org/xacml/FIXME.xsd 是错误的并且 AuthzForce 已经将它自己的位置用于 XACML 模式。
- RuleCombiningAlgId
identifier:rule-combining-algorithm:deny-overrides 错误。替换为 urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides.
我还确认 AuthzForce 服务器的 REST API 仅接受 PolicySet 作为 /pap/policies 端点上的输入,因此您必须像您一样将 Policy 包装在 PolicySet 中。但是,如果您希望 PolicySet 的结果等同于 Policy,则应将 PolicyCombiningAlgId 更改为 urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable。
--编辑 2020-04-06--
所以固定的PolicySet是这样的:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicySetId="PolicySet_1"
Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable">
<Description>Sample PolicySet</Description>
<Target />
<Policy
PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Description>Medi Corp access control policy</Description>
<Target/>
<Rule
RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
Effect="Permit">
<Description>Any subject with an e-mail name in the med.example.com domain can perform any action on any resource.</Description>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
</PolicySet>
我正在使用 Authzforce 8.1.0,并且我已经根据 Users' and Programmers Guider 中给出的示例创建了几个 RBAC 策略方案,但我想创建一个简单的 ABAC场景
作为 XACML 语言的新手,我正在尝试遵循 here 中的一些示例。更具体地说,我正在尝试实施类似于 4.1.1 示例政策.
的政策我要创建的策略
Assume that a corporation named Medi Corp (identified by its domain name: med.example.com) has an access control policy that states, in English:
Any user with an e-mail name in the "med.example.com" namespace is allowed to perform any action on any resource.
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:schema:os
http://docs.oasis-open.org/xacml/FIXME.xsd"
PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
Version="1.0"
RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
<Description>
Medi Corp access control policy
</Description>
<Target/>
<Rule
RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
Effect="Permit">
<Description>
Any subject with an e-mail name in the med.example.com domain
can perform any action on any resource.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
当我在 {ip}:{port}/authzforce-ce/domains/{domainId}/pap/policies 上尝试 POST 此政策时
我收到以下错误
错误
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
<message>Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Policy'.</message>
</error>
到目前为止,我在 authzforce 中看到的所有示例都以 <PolicySet> 声明开始(我们可以在其中声明多个 <Policy> 块,所以我认为这可能是个问题并尝试了将策略包含在 policySet 中,如下所示:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicySetId="first_policyset_id"
Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny">
<Description>Policy for Github</Description>
<Target />
<Policy
PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
Version="1.0"
RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
<Description>
Medi Corp access control policy
</Description>
<Target/>
<Rule
RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
Effect="Permit">
<Description>
Any subject with an e-mail name in the med.example.com domain
can perform any action on any resource.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
MustBePresent="false"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
</PolicySet>
但现在我得到以下信息:
回应
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
<message>Failed to find a root PolicySet with id = 'first_policyset_id', Version=1.0,EarliestVersion=*,LatestVersion=*: Matched PolicySet 'first_policyset_id' (version 1.0) is invalid or its content is unavailable</message>
</error>
创建如此简单的 ABAC 策略方案的 XACML 请求的正确格式是什么? 关于此的策略访问请求的示例也将非常感谢,提前致谢!
不幸的是,第 4.1.1 节中的这个示例存在已知问题,我已经在 xacml-comment mailing list 上报告了其中一些问题。它应该在下一版本的 XACML 规范中得到修复。与此同时,您需要解决这些问题:
- 完全删除
xsi:schemaLocation。因为位置http://docs.oasis-open.org/xacml/FIXME.xsd是错误的并且 AuthzForce 已经将它自己的位置用于 XACML 模式。 - RuleCombiningAlgId
identifier:rule-combining-algorithm:deny-overrides错误。替换为urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides.
我还确认 AuthzForce 服务器的 REST API 仅接受 PolicySet 作为 /pap/policies 端点上的输入,因此您必须像您一样将 Policy 包装在 PolicySet 中。但是,如果您希望 PolicySet 的结果等同于 Policy,则应将 PolicyCombiningAlgId 更改为 urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable。
--编辑 2020-04-06--
所以固定的PolicySet是这样的:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicySetId="PolicySet_1"
Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable">
<Description>Sample PolicySet</Description>
<Target />
<Policy
PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Description>Medi Corp access control policy</Description>
<Target/>
<Rule
RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
Effect="Permit">
<Description>Any subject with an e-mail name in the med.example.com domain can perform any action on any resource.</Description>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
</PolicySet>