我正在使用Authzforce 8.1.0,并且已经基于Users' and Programmers Guider中给出的示例创建了两个RBAC策略方案,但是我想创建一个简单的ABAC场景。
作为XACML语言的新手,我尝试遵循here中的一些示例。更具体地说,我正在尝试实施类似于 4.1.1示例政策的政策。
我要创建的政策
假设名为Medi Corp(由其域名:med.example.com标识)的公司具有使用英语声明的访问控制策略:
在“ med.example.com”命名空间中具有电子邮件名称的任何用户都是 允许对任何资源执行任何操作。
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:schema:os
http://docs.oasis-open.org/xacml/FIXME.xsd"
PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
Version="1.0"
RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
<Description>
Medi Corp access control policy
</Description>
<Target/>
<Rule
RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
Effect="Permit">
<Description>
Any subject with an e-mail name in the med.example.com domain
can perform any action on any resource.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
当我尝试在POST上{ip}:{port}/authzforce-ce/domains/{domainId}/pap/policies使用此政策时
我收到以下错误
错误
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
<message>Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Policy'.</message>
</error>
到目前为止,我在authzforce中看到的所有示例均以<PolicySet>声明开始(在该声明中,我们可以声明多个<Policy>块,因此我认为这可能是个问题,因此尝试包括policySet中的政策,如下所示:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicySetId="first_policyset_id"
Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny">
<Description>Policy for Github</Description>
<Target />
<Policy
PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
Version="1.0"
RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
<Description>
Medi Corp access control policy
</Description>
<Target/>
<Rule
RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
Effect="Permit">
<Description>
Any subject with an e-mail name in the med.example.com domain
can perform any action on any resource.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
MustBePresent="false"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
</PolicySet>
但是现在我得到以下信息:
回复
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
<message>Failed to find a root PolicySet with id = 'first_policyset_id', Version=1.0,EarliestVersion=*,LatestVersion=*: Matched PolicySet 'first_policyset_id' (version 1.0) is invalid or its content is unavailable</message>
</error>
采用哪种XACML请求的正确格式来制作这种简单的ABAC策略方案? 与此有关的
答案 0 :(得分:2)
不幸的是,来自4.1.1节的示例已经知道了一些问题,我在xacml-comment mailing list上报告了其中的一些问题。应该在XACML规范的下一版本中对其进行修复。同时,您需要解决以下问题:
xsi:schemaLocation。因为位置http://docs.oasis-open.org/xacml/FIXME.xsd错误,并且AuthzForce已经将其自己的位置用于XACML模式。identifier:rule-combining-algorithm:deny-overrides错误。替换为urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides。我还确认AuthzForce Server的REST API仅接受PolicySet作为/pap/policies端点上的输入,因此您必须像执行操作一样将Policy包装在PolicySet中。但是,如果您希望PolicySet的结果等于Policy,则应将PolicyCombiningAlgId更改为urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable。
-编辑2020-04-06-
因此固定的PolicySet是这样的:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicySetId="PolicySet_1"
Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable">
<Description>Sample PolicySet</Description>
<Target />
<Policy
PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
<Description>Medi Corp access control policy</Description>
<Target/>
<Rule
RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
Effect="Permit">
<Description>Any subject with an e-mail name in the med.example.com domain can perform any action on any resource.</Description>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
</PolicySet>