How to create an XACML policy and request for a single user who has multiple roles on the same or different resources

Time: 2019-01-22 16:35:11

Tags: authorization wso2is xacml abac alfa

Create a single XACML policy with multiple roles for a single user and the same resource, and how to create a request that accesses the rule for only one role and one resource.

Data model

  • Resource: company
  • Roles: admin (create and delete), visitor (read), tenant (update);
  • User: abc;

Scenarios

  1. If the user logs in to the application with the resource "company" and selects the "admin" role, then create a request, validate it against the XACML policy rules, and permit (create/delete).

  2. If the user logs in to the application with the resource "company" and selects the "visitor" role, then create a request, validate it against the XACML policy rules, and permit (read).

  3. If the user logs in to the application with the resource "company" and selects the "tenant" role, then create a request, validate it against the XACML policy rules, and permit (update).

Question

I only want samples of the policy and the request. Which type of XACML policy do we create, and what request do we send, in XML format?

1 answer:

Answer 0: (score: 0)

Here is the policy you want, written in ALFA.

namespace com.axiomatics.so.pankaj{    
/**
 * Company policy
 */
policyset company{
    target clause resource == "company"
    apply firstApplicable
    /**
     * Administrators can...
     */
    policy administrator{
        target clause role == "admin"
        apply firstApplicable
        /**
         * Create
         */
        rule create{
            target clause action == "create"
            permit
        }
        /**
         * Delete
         */
        rule delete{
            target clause action == "delete"
            permit
        }
    }
    /**
     * Visitors can...
     */
    policy visitor{
        target clause role == "visitor"
        apply firstApplicable
        /**
         * read
         */
        rule read{
            target clause action == "read"
            permit
        }
    }
    /**
     * Tenants can...
     */
    policy tenant{
        target clause role == "tenant"
        apply firstApplicable
        /**
         * Update
         */
        rule update{
            target clause action == "update"
            permit
        }
    }
}

}

You also need to define the attributes the policy will use:

attribute role{
    category = subjectCat
    id = "com.axiomatics.so.role"
    type = string
}
attribute resource{
    category = resourceCat
    id = "com.axiomatics.so.company"
    type = string
}
attribute action{
    category = actionCat
    id = "com.axiomatics.so.action"
    type = string
}

This results in the following XACML policy in XML:

<?xml version="1.0" encoding="UTF-8"?><!--This file was generated by the 
    ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). --><!--Any modification to this file will 
    be lost upon recompilation of the source ALFA file -->
<xacml3:PolicySet
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
    PolicySetId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company"
    Version="1.0"
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <xacml3:Description>Company policy</xacml3:Description>
    <xacml3:PolicySetDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
        </xacml3:XPathVersion>
    </xacml3:PolicySetDefaults>
    <xacml3:Target>
        <xacml3:AnyOf>
            <xacml3:AllOf>
                <xacml3:Match
                    MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml3:AttributeValue
                        DataType="http://www.w3.org/2001/XMLSchema#string">company</xacml3:AttributeValue>
                    <xacml3:AttributeDesignator
                        AttributeId="com.axiomatics.so.company"
                        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                        DataType="http://www.w3.org/2001/XMLSchema#string"
                        MustBePresent="false" />
                </xacml3:Match>
            </xacml3:AllOf>
        </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Policy
        PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.administrator"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
        <xacml3:Description>Administrators can...</xacml3:Description>
        <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
            </xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">admin</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator
                            AttributeId="com.axiomatics.so.role"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            MustBePresent="false" />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Rule Effect="Permit"
            RuleId="com.axiomatics.so.pankaj.company.administrator.create">
            <xacml3:Description>Create</xacml3:Description>
            <xacml3:Target>
                <xacml3:AnyOf>
                    <xacml3:AllOf>
                        <xacml3:Match
                            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">create</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator
                                AttributeId="com.axiomatics.so.action"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                MustBePresent="false" />
                        </xacml3:Match>
                    </xacml3:AllOf>
                </xacml3:AnyOf>
            </xacml3:Target>
        </xacml3:Rule>
        <xacml3:Rule Effect="Permit"
            RuleId="com.axiomatics.so.pankaj.company.administrator.delete">
            <xacml3:Description>Delete</xacml3:Description>
            <xacml3:Target>
                <xacml3:AnyOf>
                    <xacml3:AllOf>
                        <xacml3:Match
                            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">delete</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator
                                AttributeId="com.axiomatics.so.action"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                MustBePresent="false" />
                        </xacml3:Match>
                    </xacml3:AllOf>
                </xacml3:AnyOf>
            </xacml3:Target>
        </xacml3:Rule>
    </xacml3:Policy>
    <xacml3:Policy
        PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.visitor"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
        <xacml3:Description>Visitors can...</xacml3:Description>
        <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
            </xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">visitor</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator
                            AttributeId="com.axiomatics.so.role"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            MustBePresent="false" />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Rule Effect="Permit"
            RuleId="com.axiomatics.so.pankaj.company.visitor.read">
            <xacml3:Description>read</xacml3:Description>
            <xacml3:Target>
                <xacml3:AnyOf>
                    <xacml3:AllOf>
                        <xacml3:Match
                            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator
                                AttributeId="com.axiomatics.so.action"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                MustBePresent="false" />
                        </xacml3:Match>
                    </xacml3:AllOf>
                </xacml3:AnyOf>
            </xacml3:Target>
        </xacml3:Rule>
    </xacml3:Policy>
    <xacml3:Policy
        PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.tenant"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
        <xacml3:Description>Tenants can...</xacml3:Description>
        <xacml3:PolicyDefaults>
            <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
            </xacml3:XPathVersion>
        </xacml3:PolicyDefaults>
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match
                        MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">tenant</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator
                            AttributeId="com.axiomatics.so.role"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            MustBePresent="false" />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Rule Effect="Permit"
            RuleId="com.axiomatics.so.pankaj.company.tenant.update">
            <xacml3:Description>Update</xacml3:Description>
            <xacml3:Target>
                <xacml3:AnyOf>
                    <xacml3:AllOf>
                        <xacml3:Match
                            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">update</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator
                                AttributeId="com.axiomatics.so.action"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                MustBePresent="false" />
                        </xacml3:Match>
                    </xacml3:AllOf>
                </xacml3:AnyOf>
            </xacml3:Target>
        </xacml3:Rule>
    </xacml3:Policy>
</xacml3:PolicySet>

Sample request and response

{
"Request": {
    "ReturnPolicyIdList": true,
    "AccessSubject": {
        "Attribute": [
            {
                "AttributeId": "com.axiomatics.so.role",
                "Value": "admin"
            }
        ]
    },
    "Resource": {
        "Attribute": [
            {
                "AttributeId": "com.axiomatics.so.company",
                "Value": "company"
            }
        ]
    },
    "Action": {
        "Attribute": [
            {
                "AttributeId": "com.axiomatics.so.action",
                "Value": "create"
            }
        ]
    },
    "Environment": {
        "Attribute": []
    }
}
}

And the response:

{
  "Response" : {
    "Decision" : "Permit",
    "Status" : {
      "StatusCode" : {
        "Value" : "urn:oasis:names:tc:xacml:1.0:status:ok",
        "StatusCode" : {
          "Value" : "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      }
    },
    "PolicyIdentifierList" : {
      "PolicyIdReference" : {
        "Id" : "http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.administrator",
        "Version" : "1.0"
      },
      "PolicySetIdReference" : {
        "Id" : "http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company",
        "Version" : "1.0"
      }
    }
  }
}
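To show how the PDP arrives at the Permit above, here is a small evaluator (an added example, not the answer's or Axiomatics' code) that walks the same PolicySet/Policy/Rule structure with first-applicable combining at every level and accepts requests in the JSON Profile shape shown in the answer; the compact policy table, `evaluate` and `make_request` are constructed for this example.

```python
import json

# Compact form of the ALFA policy set from the answer (constructed for this example, not
# ALFA output). Every level combines with first-applicable: the first child whose target
# matches decides, and a child that yields NotApplicable lets evaluation continue.
ROLE_ID, RESOURCE_ID = "com.axiomatics.so.role", "com.axiomatics.so.company"
ACTION_ID = "com.axiomatics.so.action"
PREFIX = "http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company"
POLICY_SET = {
    "target": (RESOURCE_ID, "company"),
    "policies": [
        {"id": PREFIX + ".administrator", "target": (ROLE_ID, "admin"),
         "rules": [("create", "Permit"), ("delete", "Permit")]},
        {"id": PREFIX + ".visitor", "target": (ROLE_ID, "visitor"),
         "rules": [("read", "Permit")]},
        {"id": PREFIX + ".tenant", "target": (ROLE_ID, "tenant"),
         "rules": [("update", "Permit")]},
    ],
}

def attribute_bag(request, category):
    """Flatten one category of a XACML JSON Profile request into {AttributeId: Value}."""
    return {a["AttributeId"]: a["Value"]
            for a in request["Request"].get(category, {}).get("Attribute", [])}

def evaluate(request_json):
    """Return the decision plus the applicable Policy id, as the PDP response above does."""
    req = json.loads(request_json)
    subject, resource = attribute_bag(req, "AccessSubject"), attribute_bag(req, "Resource")
    action = attribute_bag(req, "Action").get(ACTION_ID)
    attr_id, value = POLICY_SET["target"]
    if resource.get(attr_id) != value:            # PolicySet target misses: NotApplicable
        return {"Decision": "NotApplicable", "PolicyIdReference": None}
    for policy in POLICY_SET["policies"]:
        attr_id, value = policy["target"]
        if subject.get(attr_id) != value:          # Policy target misses: try the next one
            continue
        for rule_action, effect in policy["rules"]:
            if action == rule_action:              # first matching Rule decides
                return {"Decision": effect, "PolicyIdReference": policy["id"]}
        # Target matched but no Rule applied: this Policy is NotApplicable, keep going
    return {"Decision": "NotApplicable", "PolicyIdReference": None}

def make_request(role, resource, action):
    """Build a request in the JSON Profile shape used in the answer (constructed input)."""
    return json.dumps({"Request": {
        "ReturnPolicyIdList": True,
        "AccessSubject": {"Attribute": [{"AttributeId": ROLE_ID, "Value": role}]},
        "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]}}})
```

A role/action pair that no rule covers (visitor asking for create) comes back NotApplicable rather than Deny, so the PEP must be deny-biased and treat anything other than Permit as a refusal.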