Using ABAC, how do you express a rule that allows subject A to share resource X with subject B?

Time: 2018-08-14 18:36:31

Tags: design-patterns xacml abac

With ABAC it is easy to express a rule such as:

A Subject (with position = 'Manager') is allowed to perform Action (with name = 'Write') on a Resource (with class = 'Document' and type = 'Report').

But when controlling a share event, you need to specify two kinds of subject: the one doing the sharing and the intended recipient.

For example: a manager may want to share a report with juniors in their department.

This could be written as a series of rules involving both kinds of subject, but how do you express the "directionality" of sharing, e.g. a manager can share with a junior but not the other way round? I have tried several approaches, but because of the Subject -> Resource -> Subject structure they all seem very verbose, and I am not sure they really capture all the semantics of access-controlled content sharing, such as what can happen in online social networks.

Perhaps there is an underlying ABAC "design pattern" for this.

1 answer:

Answer 0 (score: 2)

There are several ways you can model this in ABAC. In my examples I will use ALFA as the language. ALFA converts directly into XACML.

Using additional resource attributes

A manager may share a report with juniors in their department.

In pseudo-code, this becomes

A user with role == "manager" can perform action == "share" on an object of type == "report" if and only if user.department == receiver.department AND receiver.level == "junior"

In this example, the attributes are defined as follows:

  • role, of category access-subject, type string
  • action, of category action, type string
  • type, of category resource, type string
  • user.department, of category access-subject, type string
  • recipient.department, of category resource, type string
  • recipient.level, of category resource, type string

Using the recipient-subject category

Now, of course, you could argue that the receiver is not a resource but rather... a recipient. This is why XACML introduced another subject category, the recipient subject (urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject).

In fact, XACML also lets you define your own custom categories in addition to the standard ones. As a reminder, XACML provides

  • urn:oasis:names:tc:xacml:3.0:attribute-category:resource
  • urn:oasis:names:tc:xacml:3.0:attribute-category:action
  • urn:oasis:names:tc:xacml:3.0:attribute-category:environment
  • urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
  • urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject
  • urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject
  • urn:oasis:names:tc:xacml:1.0:subject-category:codebase
  • urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine

With that in mind, the attributes become:

  • role, of category access-subject, type string
  • action, of category action, type string
  • type, of category resource, type string
  • user.department, of category access-subject, type string
  • recipient.department, of category recipient-subject, type string
  • recipient.level, of category recipient-subject, type string

And the ALFA policy becomes

/**
 * Control access to reports
 */
policyset report{
    target clause objectType == "report"
    apply firstApplicable
    /**
     * Share reports
     */
    policy shareReport{
        target clause actionId == "share"
        apply firstApplicable
        /**
         * Managers can share reports if...
         */
        rule managers{
            target clause user.role == "manager" and recipient.level == "junior"
            condition user.department == recipient.department
            permit
        }
    }
}

In XACML, the policy becomes

<?xml version="1.0" encoding="UTF-8"?>
<!-- This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). -->
<!-- Any modification to this file will be lost upon recompilation of the source ALFA file -->
<xacml3:PolicySet
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
    PolicySetId="http://axiomatics.com/alfa/identifier/com.axio.report"
    Version="1.0"
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <xacml3:Description>Control access to reports</xacml3:Description>
    <xacml3:PolicySetDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
        </xacml3:XPathVersion>
    </xacml3:PolicySetDefaults>
    <xacml3:Target>
        <xacml3:AnyOf>
            <xacml3:AllOf>
                <xacml3:Match
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">report</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator
                        AttributeId="com.axiomatics.objectType"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="false" />
                </xacml3:Match>
            </xacml3:AllOf>
        </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Policy
        PolicyId="http://axiomatics.com/alfa/identifier/com.axio.report.shareReport"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
        <xacml3:Description>Share reports</xacml3:Description>
        <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
            </xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">share</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator
                            AttributeId="com.axiomatics.actionId"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            MustBePresent="false" />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Rule Effect="Permit"
            RuleId="com.axio.report.shareReport.managers">
            <xacml3:Description>Managers can share reports if...
            </xacml3:Description>
            <xacml3:Target>
                <xacml3:AnyOf>
                    <xacml3:AllOf>
                        <xacml3:Match
                            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator
                                AttributeId="com.axiomatics.user.role"
                                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                MustBePresent="false" />
                        </xacml3:Match>
                        <xacml3:Match
                            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">junior</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator
                                AttributeId="com.axiomatics.recipient.level"
                                Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                MustBePresent="false" />
                        </xacml3:Match>
                    </xacml3:AllOf>
                </xacml3:AnyOf>
            </xacml3:Target>
            <xacml3:Condition>
                <xacml3:Apply
                    FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">
                    <xacml3:Function
                        FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
                    <xacml3:AttributeDesignator
                        AttributeId="com.axiomatics.user.department"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="false" />
                    <xacml3:AttributeDesignator
                        AttributeId="com.axiomatics.recipient.department"
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="false" />
                </xacml3:Apply>
            </xacml3:Condition>
        </xacml3:Rule>
    </xacml3:Policy>
</xacml3:PolicySet>
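To show why the two-category model captures directionality, here is an added toy evaluator (not part of the answer above, and not a real XACML PDP) that applies the shareReport policy's target and any-of-any condition to a request in which the sharer sits in access-subject and the receiver in recipient-subject. The category URNs and attribute ids are the ones in the generated XACML; the sample requests and the share_request helper are constructed for this example.

```python
# Minimal evaluator for the 'report' PolicySet above. It mirrors the XACML
# semantics needed here: a Match is true if any value in the attribute bag
# equals the literal, and the any-of-any condition is true if any pair of
# bag values is string-equal. A rule whose condition is false yields
# NotApplicable, and a deny-biased PEP must treat that as "no".
ACCESS = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RECIPIENT = "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"


def attr(request, category, attribute_id):
    """Return the bag (list) of values of one attribute; XACML attributes are bags."""
    return request.get(category, {}).get(attribute_id, [])


def rule_managers(request):
    """Rule 'managers': target on sharer role and receiver level, condition on departments."""
    if "manager" not in attr(request, ACCESS, "com.axiomatics.user.role"):
        return "NotApplicable"
    if "junior" not in attr(request, RECIPIENT, "com.axiomatics.recipient.level"):
        return "NotApplicable"
    sharer_depts = attr(request, ACCESS, "com.axiomatics.user.department")
    receiver_depts = attr(request, RECIPIENT, "com.axiomatics.recipient.department")
    # any-of-any(string-equal, user.department, recipient.department)
    if any(a == b for a in sharer_depts for b in receiver_depts):
        return "Permit"
    return "NotApplicable"


def evaluate(request):
    """PolicySet 'report' -> Policy 'shareReport' -> rule 'managers' (first-applicable)."""
    if "report" not in attr(request, RESOURCE, "com.axiomatics.objectType"):
        return "NotApplicable"
    if "share" not in attr(request, ACTION, "com.axiomatics.actionId"):
        return "NotApplicable"
    return rule_managers(request)


def share_request(sharer_role, sharer_dept, receiver_level, receiver_dept):
    """Constructed request: sharer in access-subject, receiver in recipient-subject."""
    return {
        ACCESS: {"com.axiomatics.user.role": [sharer_role],
                 "com.axiomatics.user.department": [sharer_dept]},
        RECIPIENT: {"com.axiomatics.recipient.level": [receiver_level],
                    "com.axiomatics.recipient.department": [receiver_dept]},
        RESOURCE: {"com.axiomatics.objectType": ["report"]},
        ACTION: {"com.axiomatics.actionId": ["share"]},
    }


if __name__ == "__main__":
    print(evaluate(share_request("manager", "sales", "junior", "sales")))  # Permit
    print(evaluate(share_request("junior", "sales", "manager", "sales")))  # NotApplicable
```

Swapping the two people between categories flips the decision, which is exactly the directionality the question asks for; a junior sharing with a manager never matches the rule's target.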