[英]Is it possible to compare attributes in a XACML policy?
The following rule says subjects with role "acme_manager" can perform any action on the resource "/acme/widgets": 以下规则表示,角色为“ acme_manager”的主体可以对资源“ / acme / widgets”执行任何操作:
<Rule Effect="Permit" RuleId="PermitRule">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/acme/widgets</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme_manager</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Apply>
</Condition>
</Rule>
Would it be possible to create a more dynamic rule that says something like: "subjects with the role X_manager can perform any action on the resource /Y/widgets, if X equals Y" 是否有可能创建一条更动态的规则,例如:“如果X等于Y,具有X_manager角色的对象可以对资源/ Y / widgets执行任何操作”
So I could use the same policy to enforce: 所以我可以使用相同的策略来执行:
without creating multiple, similar policies. 而无需创建多个类似的政策。
Yes of course, this is in fact one of the key benefits of XACML over other authorization frameworks and definitely over RBAC. 是的,当然,这实际上是XACML相对于其他授权框架(当然也优于RBAC)的主要优势之一。
In XACML, there are 2 elements you can use to define the applicability of the authorization. 在XACML中,可以使用2个元素来定义授权的适用性。 These are: 这些是:
I recommend you use ALFA to write your policies. 我建议您使用ALFA编写策略。 It's much easier than plain old XACML. 它比普通的旧XACML容易得多。 ALFA is a free tool developed by Axiomatics (disclaimer: I work for Axiomatics). ALFA是由Axiomatics开发的免费工具(免责声明:我为Axiomatics工作)。 It is also in the process of being standardized at the OASIS XACML Technical Committee. OASIS XACML技术委员会也在对其进行标准化。
I think there're 2 ways to do this: 我认为有两种方法可以做到这一点:
Define two "VariableDefinition"s in your policy: one to get the part before the underscore character, the other to get the the part between the last two slash character. 在您的策略中定义两个“ VariableDefinition”:一个用于获取下划线字符之前的部分,另一个用于获取最后两个斜杠字符之间的部分。 [i wonder if XACML's core spec has defined such function] then you can use the two "VariableDefinition"s under the "Rule". [我想知道XACML的核心规范是否定义了这样的功能],那么您可以在“规则”下使用两个“ VariableDefinition”。 then use a standart string-equal function to compare them. 然后使用标准的字符串等于函数对其进行比较。
just define a new function of your own, and add that to your FunctionFactory that your PDP uses. 只需定义一个自己的新函数,然后将其添加到PDP使用的FunctionFactory中即可。 These two approach is the same, your need to apply a specified funtion on some attribute instead of using the raw attributevalue directly. 这两种方法是相同的,您需要在某些属性上应用指定的功能,而不是直接使用raw属性值。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.