我有这样的XACML请求(pseudo-xacml):
<Request>
<Attributes Category="resource">
<Attribute AttributeId="product">
<AttributeValue>A</AttributeValue>
</Attribute>
<Attribute AttributeId="market">
<AttributeValue>M2</AttributeValue>
<AttributeValue>M3</AttributeValue>
</Attribute>
<Attribute AttributeId="slice">
<AttributeValue>fus</AttributeValue>
<AttributeValue>do</AttributeValue>
<AttributeValue>rah</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="subject">
<Attribute AttributeId="product-market-slice-access">
<AttributeValue>A:::M2:::fus</AttributeValue>
<AttributeValue>A:::M2:::do</AttributeValue>
<AttributeValue>A:::M2:::rah</AttributeValue>
<AttributeValue>A:::M3:::fus</AttributeValue>
<AttributeValue>A:::M3:::do</AttributeValue>
<!--<AttributeValue>A:::M3:::rah</AttributeValue>--> <!-- Missing attribute, permission denied! -->
</Attribute>
</Attributes>
</Request>
我希望创建一个策略来拒绝上述请求的访问,并在主题被赋予缺少属性(注释掉)的情况下允许访问。
有没有一种方法可以在XACML / ALFA政策中表达出来?
如果XACML中有一个可以“连接”包的函数(请考虑sql-join),将很有帮助。这样,我可以结合使用功能“ AnyOfAll”和“ String-Equal”。
所需函数的伪xml:
<WantedFunction>
<Input>
<Separator>:::</Separator>
<Bag>
<AttributeValue>A</AttributeValue>
<AttributeValue>B</AttributeValue>
</Bag>
<Bag>
<AttributeValue>M2</AttributeValue>
<AttributeValue>M3</AttributeValue>
</Bag>
<Bag>
<AttributeValue>fus</AttributeValue>
<AttributeValue>do</AttributeValue>
<AttributeValue>rah</AttributeValue>
</Bag>
</Input>
<Output>
<Bag>
<AttributeValue>A:::M2:::fus</AttributeValue>
<AttributeValue>A:::M2:::do</AttributeValue>
<AttributeValue>A:::M2:::rah</AttributeValue>
<AttributeValue>A:::M3:::fus</AttributeValue>
<AttributeValue>A:::M3:::do</AttributeValue>
<AttributeValue>A:::M3:::rah</AttributeValue>
<AttributeValue>B:::M2:::fus</AttributeValue>
<AttributeValue>B:::M2:::do</AttributeValue>
<AttributeValue>B:::M2:::rah</AttributeValue>
<AttributeValue>B:::M3:::fus</AttributeValue>
<AttributeValue>B:::M3:::do</AttributeValue>
<AttributeValue>B:::M3:::rah</AttributeValue>
</Bag>
</Output>
</WantedFunction>
答案 0 :(得分:0)
这是一个很好的问题,很高兴看到您也在使用ALFA。让我阐明一下。
首先,在XACML请求中,将属性作为两个单独的属性发送与将其作为单个属性发送相同。例如,以下两个请求是相同的。
爱丽丝同时还是雇员的客户可以查看保险单123吗?
<?xml version="1.0" encoding="UTF-8"?><xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId="com.axiomatics.user.type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="com.axiomatics.user.type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="com.axiomatics.resource.type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">insurance policy</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="com.axiomatics.policy.polId" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
<?xml version="1.0" encoding="UTF-8"?><xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId="com.axiomatics.user.type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer</xacml-ctx:AttributeValue>
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">employee</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="com.axiomatics.resource.type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">insurance policy</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId="com.axiomatics.policy.polId" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">123</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
在XACML中,属性始终是袋子。即使它包含零个或一个值,它始终是多值的。这意味着,如果要对属性进行操作,则需要记住它是一个袋子。例如,如果您想将市场与切片连接起来,则必须将其转换为单个值(并且仅在确实是单个值时才有效)或使用高阶函数。高阶函数是将另一个函数作为参数的函数,例如全部。
一个选项是使用stringConcatenate,但是该函数仅对原子值起作用。您可以使用地图将其应用到袋子上,但是不幸的是,您需要一个能够处理多个袋子的地图。
您可以使用Multiple Decision Profile(MDP)而不是一次性发送所有值,例如,可以一次性发送多个请求:
爱丽丝可以查看,编辑,删除记录1,2,3吗?
答案包含的决定与组合的乘积一样多(在这种情况下为1x3x3)。
在您的情况下,您会将所有决策合并为一个决策。如果全部允许,则允许,否则拒绝。 MDP中有一个参数可以做到这一点。称为CombinedDecision。
请牢记这一点,这就是政策的样子(使用ALFA表示法):
namespace com.axiomatics{
attribute product{
category = resourceCat
id = "product"
type = string
}
attribute market{
category = resourceCat
id = "market"
type = string
}
attribute slice{
category = resourceCat
id = "slice"
type = string
}
attribute productMarketSliceAccess{
category = subjectCat
id = "product-market-slice-access"
type = string
}
policy userAccessProductMarketSlice{
apply firstApplicable
rule allowAccess{
permit
condition stringIsIn(stringOneAndOnly(product)+
stringOneAndOnly(market)+
stringOneAndOnly(slice),productMarketSliceAccess)
}
}
}
{
"Request": {
"CombinedDecision": true,
"AccessSubject": {
"Attribute": [
{
"AttributeId": "product-market-slice-access",
"Value": "BAC"
},
{
"AttributeId": "product-market-slice-access",
"Value": "DEF"
}
]
},
"Resource": [{
"Attribute": [
{
"AttributeId": "market",
"Value": "A"
},
{
"AttributeId": "product",
"Value": "B"
},
{
"AttributeId": "slice",
"Value": "C"
}
]
},{
"Attribute": [
{
"AttributeId": "market",
"Value": "E"
},
{
"AttributeId": "product",
"Value": "D"
},
{
"AttributeId": "slice",
"Value": "F"
}
]
}],
"Action": {
"Attribute": []
},
"Environment": {
"Attribute": []
}
}
}