How does missing-attribute work in XACML?

I am building an access control application with XACML, specifically with the Balana implementation of the PDP.

In this application, particular types of user account may only access certain resources. This is a simplified version of the policy:

    <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="NormalMode" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
        <Description>Medical Records access control policy in Normal operational Mode</Description>
        <Target />
        <Rule Effect="Deny" RuleId="doctors">
            <Target>
                <AnyOf>
                    <AllOf>
                        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PersonalData</AttributeValue>
                            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                        </Match>
                        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DOCTOR</AttributeValue>
                            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                        </Match>
                        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                        </Match>
                    </AllOf>
                </AnyOf>
            </Target>
            <AdviceExpressions>
                <AdviceExpression AdviceId="doctors_advice" AppliesTo="Deny">
                    <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Doctors are not allowed to see Personal Data</AttributeValue>
                    </AttributeAssignmentExpression>
                </AdviceExpression>
            </AdviceExpressions>
        </Rule>
        <Rule RuleId="permit-rule" Effect="Permit" />
    </Policy>

There are actually many more rules covering all the account types and all the resource types, but they all have the same structure: the target is a subject-id (the account type) trying to access one [or more] resource[s] through an action. All the rules have a "Deny" effect because the combining algorithm is "deny-overrides". After all the rules there is a generic rule that allows everyone to access anything and perform any action (I know this is not the best approach; in the future I will switch to a "least privilege" approach). If a request matches any deny rule (and the last "permit" rule), the final decision will be "Deny"; otherwise only the last rule matches and the decision will be "Permit".

Here is the request that the PEP generates for the Balana PDP:

    <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
        <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DOCTOR</AttributeValue>
            </Attribute>
        </Attributes>
        <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NameSurname</AttributeValue>
            </Attribute>
        </Attributes>
        <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            </Attribute>
        </Attributes>
    </Request>

The PDP's decision for this particular request should be "Permit", because it does not match the first rule (due to the requested resource-id) and it will only match the last permit rule.

The problem is that, whatever request I send, the PDP's decision is the following:

    <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <Result>
            <Decision>Indeterminate</Decision>
            <Status>
                <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute" />
                <StatusMessage>Couldn't find AttributeDesignator attribute</StatusMessage>
                <StatusDetail>
                    <MissingAttributeDetail AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:access-subject"></MissingAttributeDetail>
                </StatusDetail>
            </Status>
        </Result>
    </Response>

I don't know why.

https://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cd-1-en.html

The XACML documentation says this is caused by "the request context missing a matching attribute for any attribute designator or selector found in the policy", but I don't understand why, since the last rule should always match. (The "format" of this policy is taken from the official Balana GitHub repository: https://github.com/wso2/balana/blob/master/modules/balana-samples/kmarket-trading-sample/resources/kmarket-blue-policy.xml)

First of all, the policy provided is incomplete. It is missing the closing tag and the Permit rule. In my tests I added these and it "works for me", but since we don't know exactly what you have, you may have other errors.

Your issue seems to be that you copy/pasted the attributes in the policy and used the wrong subject-id category. It should be:

    urn:oasis:names:tc:xacml:1.0:subject-category:access-subject

instead of:

    urn:oasis:names:tc:xacml:3.0:subject-category:access-subject

So yes, the request is missing the required subject-id attribute, because the request uses a subject-id category that differs from the one defined in the policy.

When I use the following corrected policy and send the request, I do get Permit. Note that I did not use Balana, but you should see the same result.

Policy:

    <xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="NormalMode" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
      <xacml3:Description>Medical Records access control policy in Normal operational Mode</xacml3:Description>
      <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
      </xacml3:PolicyDefaults>
      <xacml3:Target/>
      <xacml3:Rule RuleId="doctors" Effect="Deny">
        <xacml3:Target>
          <xacml3:AnyOf>
            <xacml3:AllOf>
              <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PersonalData</xacml3:AttributeValue>
                <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </xacml3:Match>
              <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DOCTOR</xacml3:AttributeValue>
                <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
              </xacml3:Match>
              <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
              </xacml3:Match>
            </xacml3:AllOf>
          </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:AdviceExpressions>
          <xacml3:AdviceExpression AdviceId="doctors_advice" AppliesTo="Deny">
            <xacml3:AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:text" Category="http://axiomatics.com/ObligationAndAdvice/DefaultCategory">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Doctors are not allowed to see Personal Data</xacml3:AttributeValue>
            </xacml3:AttributeAssignmentExpression>
          </xacml3:AdviceExpression>
        </xacml3:AdviceExpressions>
      </xacml3:Rule>
      <xacml3:Rule RuleId="d3a90374-79e6-47e6-9cfd-f3e23f737c99" Effect="Permit">
        <xacml3:Description>Rule description</xacml3:Description>
        <xacml3:Target/>
      </xacml3:Rule>
    </xacml3:Policy>

Request:

    <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
      <xacml-ctx:RequestDefaults>
        <xacml-ctx:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml-ctx:XPathVersion>
      </xacml-ctx:RequestDefaults>
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NameSurname</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DOCTOR</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
    </xacml-ctx:Request>
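To catch this kind of category mismatch before the PDP returns Indeterminate, here is an added example (not code from the question, the answer, or Balana) that indexes a request context by (Category, AttributeId, DataType) and reports every MustBePresent="true" designator whose triple is absent. The embedded policy and request are constructed, trimmed copies of the question's, with the policy's subject category left as a placeholder so the 3.0 category from the question and the 1.0 category from the answer can both be checked.

```python
# Added example (not from the question or from Balana): a pre-flight check for the
# missing-attribute status. Policy and request are constructed, trimmed copies of
# the question's, with the policy's subject category left as a placeholder.
import xml.etree.ElementTree as ET
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_1_0 = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  # in the request
SUBJECT_3_0 = "urn:oasis:names:tc:xacml:3.0:attribute-category:access-subject"  # in the policy

POLICY = """<Policy xmlns="%s" PolicyId="NormalMode" Version="1.0"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
 <Target/><Rule Effect="Deny" RuleId="doctors"><Target><AnyOf><AllOf>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="%s">PersonalData</AttributeValue>
   <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="%s" MustBePresent="true"/></Match>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="%s">DOCTOR</AttributeValue><AttributeDesignator Category="@SUBJECT@"
    AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="%s" MustBePresent="true"/></Match>
 </AllOf></AnyOf></Target></Rule><Rule RuleId="permit-rule" Effect="Permit"/></Policy>""" % ((XACML,) + (STRING,) * 4)

REQUEST = """<Request xmlns="%s" CombinedDecision="false" ReturnPolicyIdList="false">
 <Attributes Category="%s"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
  <AttributeValue DataType="%s">DOCTOR</AttributeValue></Attribute></Attributes>
 <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
   <AttributeValue DataType="%s">NameSurname</AttributeValue></Attribute></Attributes></Request>""" % (XACML, SUBJECT_1_0, STRING, STRING)

def request_bags(request_xml):
    """Index the request context as {(Category, AttributeId, DataType): [values]}."""
    bags = {}
    for attrs in ET.fromstring(request_xml).iter("{%s}Attributes" % XACML):
        for attr in attrs.iter("{%s}Attribute" % XACML):
            for val in attr.iter("{%s}AttributeValue" % XACML):
                key = (attrs.get("Category"), attr.get("AttributeId"), val.get("DataType"))
                bags.setdefault(key, []).append(val.text)
    return bags

def missing_attributes(policy_xml, request_xml):
    """Designators the PDP would report as missing-attribute: MustBePresent="true" and no
    request attribute with the same triple (a "false" designator just yields an empty bag)."""
    bags = request_bags(request_xml)
    missing = []
    for d in ET.fromstring(policy_xml).iter("{%s}AttributeDesignator" % XACML):
        key = (d.get("Category"), d.get("AttributeId"), d.get("DataType"))
        if d.get("MustBePresent") == "true" and key not in bags:
            missing.append(key)
    return missing

def check(subject_category):  # run the check with this category in the policy's subject designator
    return missing_attributes(POLICY.replace("@SUBJECT@", subject_category), REQUEST)
```

`check(SUBJECT_3_0)` reproduces the MissingAttributeDetail from the response in the question, while `check(SUBJECT_1_0)` returns nothing missing.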