Resolving XACML policy conflicts

How does XACML handle policy conflicts? If the PAP (policy administration point) has two different <policy> elements in two policy.xml files included where two policies have the same Target, which one will be evaluated? Both policies are self-contained in <policy> in different files.

If both <policy> elements are inside a <PolicySet> it would use PolicyCombiningAlgId. But as they exist in isolation, how does a XACML engine handle this?

(note: I cleaned your question up because you had quite a few XACML inaccuracies).

There are 2 ways to resolve conflicts in XACML. These are:

  • policy combining algorithms. These are set inside PolicySet elements and are used to combine the results of PolicySet children (a mix of Policy and PolicySet elements).
  • rule combining algorithms. These are set inside Policy elements and are used to combine the results of Rule children.

Your question relates most specifically to the case where you have configured a Policy Decision Point (PDP) (and not a PAP as you wrote) with several policies. Which one wins? Since none of them are wrapped, there aren't any combining algorithms to choose from. This behavior is not defined in the XACML standard and will depend on the XACML engine you use.

The Axiomatics XACML engine, for instance, forces you to always choose a root policy (set), i.e. a policy (set) which the engine will consider as its entry point. Any other policies passed to the PDP will only be used if the root policy references them.

If you want to learn more about combining algorithms, check out this blog post I recently wrote.
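
The following is an added example, not part of the original answer or of any XACML engine: a simplified Python model of four standard policy-combining algorithms, showing how the same two conflicting policies yield different decisions depending on the algorithm of the wrapping PolicySet. It assumes child policies return only Permit, Deny or NotApplicable, and approximates "applicable" as "did not return NotApplicable"; the function names are hypothetical.

```python
# Added illustration: simplified XACML policy-combining algorithms.
# Assumption: child decisions are limited to Permit / Deny / NotApplicable;
# children that themselves return Indeterminate are out of scope here.
PERMIT, DENY, NA, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

def deny_overrides(decisions):
    # Any Deny wins; otherwise any Permit; otherwise nothing applied.
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NA

def permit_overrides(decisions):
    # Mirror image of deny-overrides.
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NA

def first_applicable(decisions):
    # Document order matters: the first child that applies decides.
    for decision in decisions:
        if decision != NA:
            return decision
    return NA

def only_one_applicable(decisions):
    # More than one applicable child is treated as an error, not a conflict
    # to resolve. Applicability is approximated by "not NotApplicable".
    applicable = [d for d in decisions if d != NA]
    if len(applicable) > 1:
        return INDETERMINATE
    return applicable[0] if applicable else NA

ALGORITHMS = {
    "deny-overrides": deny_overrides,
    "permit-overrides": permit_overrides,
    "first-applicable": first_applicable,
    "only-one-applicable": only_one_applicable,
}

def combine_all(decisions):
    """Return the combined decision under each algorithm, keyed by name."""
    return {name: alg(decisions) for name, alg in ALGORITHMS.items()}

if __name__ == "__main__":
    # Constructed case from the question: two policies with the same Target,
    # listed in this order, one permitting and one denying the request.
    for name, result in combine_all([PERMIT, DENY]).items():
        print(f"{name:20s} -> {result}")
```
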
