
FIWARE AuthZForce doesn't check the second rule inside the same PolicySet

I have created two roles on KeyRock, and to each of them I have linked a different permission:

User1 -> Role1 -> Perm1 (access to Res1)

User2 -> Role2 -> Perm2 (access to Res2)

After saving, I see on AuthZForce's file system a new domain that has 3 policies.

The first policy is cm9vdA/. It has a <PolicySet>, a <Policy> and a <Rule Effect="Permit" RuleId="permit-all" />. The last policy has a <PolicySet>, two <Policy> and two rules (one for each permission). The domain's pdp.xml contains a <policyRef> that points to the last created policy (<policyRef>331409a9-6014-4cfd-9180-f04bb22481f4</policyRef>).

Following is the policy's XML file.

<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="331409a9-6014-4cfd-9180-f04bb22481f4" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
<Description>Policy Set for application 3829292cdc25477dace68f376ef79d8b</Description>
<Target/>
<Policy PolicyId="" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
    <Description>Role 9d2ebfde53044d2a8c22df3fe753b630 from application 3829292cdc25477dace68f376ef79d8b</Description>
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">3829292cdc25477dace68f376ef79d8b</AttributeValue>
                    <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Rule RuleId="fe8f4ebb98054feeb26bfc01eb93cce1" Effect="Permit">
        <Description>res1</Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">res1</AttributeValue>
                        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
                        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
                <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">9d2ebfde53044d2a8c22df3fe753b630</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </Apply>
        </Condition>
    </Rule>
</Policy>
<Policy PolicyId="" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
    <Description>Role 729019b1a9d44380b8b74dc788053dde from application 3829292cdc25477dace68f376ef79d8b</Description>
    <Target>
        <AnyOf>
            <AllOf>
                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">3829292cdc25477dace68f376ef79d8b</AttributeValue>
                    <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                </Match>
            </AllOf>
        </AnyOf>
    </Target>
    <Rule RuleId="1d9bce94aaf04127b7ec8cfc63d17622" Effect="Permit">
        <Description>res2</Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">res2</AttributeValue>
                        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
                        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
                <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">729019b1a9d44380b8b74dc788053dde</AttributeValue>
                <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </Apply>
        </Condition>
    </Rule>
</Policy>
</PolicySet>

When User1 tries to access res1 (through the Wilma PEP Proxy), the matching is true, the condition is satisfied and the Decision is "Permit".

If User1 tries to access res2... the Decision is "Deny".

But....

When User2 tries to access res2 (through the Wilma PEP Proxy)... the Decision is "Deny".

Looking at AuthZForce's log file, I see that the PolicySetId="331409a9-6014-4cfd-9180-f04bb22481f4" is correctly identified, but the check stops at the first rule. In fact, it compares the requested resource "res2" with "res1" and denies because they don't match. The check doesn't continue to evaluate the next rule, where there is "res2" and the comparison should be true.

What is the problem?

Thanks for your cooperation.
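As an added example (not part of the question, nor FIWARE/AuthZForce code), here is a small reference evaluator for the PolicySet shape shown above, with a constructed two-policy set that mirrors it (app, role and resource identifiers are placeholders). It shows what the deny-unless-permit combining algorithm is expected to do: a first Policy or Rule whose Target does not match is skipped, and evaluation continues to the second Policy, so User2 -> res2 ends in Permit.

```python
import xml.etree.ElementTree as ET
NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
Q = lambda tag: f"{{{NS}}}{tag}"  # namespace-qualified tag for ElementTree lookups
# Constructed template mirroring the KeyRock-generated <Policy> above (DataType omitted for brevity).
POLICY = """<Policy PolicyId="{pid}" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue>app</AttributeValue>
<AttributeDesignator Category="{cat}resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/></Match></AllOf></AnyOf></Target>
<Rule RuleId="{rid}" Effect="Permit"><Target>
<AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue>{res}</AttributeValue>
<AttributeDesignator Category="{cat}resource" AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id"/></Match></AllOf></AnyOf>
<AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue>GET</AttributeValue>
<AttributeDesignator Category="{cat}action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/></Match></AllOf></AnyOf></Target>
<Condition><Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of"><Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue>{role}</AttributeValue><AttributeDesignator Category="{subj}" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"/>
</Apply></Condition></Rule></Policy>"""
POLICYSET = ET.fromstring(
    f'<PolicySet xmlns="{NS}" PolicySetId="ps" Version="1.0" '
    'PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit"><Target/>'
    + POLICY.format(pid="p1", rid="r1", res="res1", role="role1", cat=CAT, subj=SUBJ)
    + POLICY.format(pid="p2", rid="r2", res="res2", role="role2", cat=CAT, subj=SUBJ) + "</PolicySet>")

def request(sub_res, roles, app="app", action="GET"):
    # Request context as the PEP would send it: {(category, attribute-id): bag of values}
    return {(CAT + "resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id"): [app],
            (CAT + "resource", "urn:thales:xacml:2.0:resource:sub-resource-id"): [sub_res],
            (CAT + "action", "urn:oasis:names:tc:xacml:1.0:action:action-id"): [action],
            (SUBJ, "urn:oasis:names:tc:xacml:2.0:subject:role"): roles}

def _bag(req, designator):
    return req.get((designator.get("Category"), designator.get("AttributeId")), [])

def target_matches(target, req):
    # An empty <Target/> matches anything; otherwise every <AnyOf> needs one <AllOf> whose <Match>es all hold.
    return target is None or all(any(all(m.find(Q("AttributeValue")).text in _bag(req, m.find(Q("AttributeDesignator")))
        for m in allof) for allof in anyof) for anyof in target)

def condition_holds(cond, req):
    # any-of(string-equal, value, bag): true when the required role is in the subject's role bag
    if cond is None:
        return True
    apply = cond.find(Q("Apply"))
    return apply.find(Q("AttributeValue")).text in _bag(req, apply.find(Q("AttributeDesignator")))

def evaluate(policyset, req):
    # deny-unless-permit at both levels: a non-matching first Policy/Rule is skipped, never a final Deny.
    for policy in policyset.findall(Q("Policy")):
        if not target_matches(policy.find(Q("Target")), req):
            continue
        for rule in policy.findall(Q("Rule")):
            if (rule.get("Effect") == "Permit" and target_matches(rule.find(Q("Target")), req)
                    and condition_holds(rule.find(Q("Condition")), req)):
                return "Permit"
    return "Deny"
```

Running evaluate(POLICYSET, request("res2", ["role2"])) returns "Permit", which is the decision the question expects for User2; a PDP that stops after the first non-matching rule would return "Deny" here.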

According to FIWARE issue SEC-1043, this problem was resolved by upgrading to KeyRock v5.4.1 and AuthzForce Server v5.4.1.
