
How to implement these rules in XACML policies?

Here is a requirement I am trying to implement via XACML/ABAC for learning purposes:

Information Model

  • Resources: Building, Unit

    • there are many buildings (ex. B1, B2, B3, ... Bn)
    • each building has many units (i.e. a unit is the child of a building) (ex. B1U1, B1U2, B1U3, ...)
  • Subject: Housekeeping staff

Rules

  • A housekeeper can "open" a "unit" if
    • they have "open" permission on that "unit" OR
    • they have "open" permission on the "building" in which that "unit" is.

Any pointers?

Update

Essentially, here is my concern: if the requirement was something like: A housekeeper can "open" "unitX" if s/he has "open" permission on "unitX". Here I would've just written a simple rule.

However, with my actual requirement, the concerns are:

  1. Since there is not one particular resource but many resources of the same type, should I be writing a separate policy for each resource? Ex. a separate policy for building "B1", another for "B2" and so on?

  2. How will the policy "know" about the hierarchical relationship between building and unit?

Now that I think further about this, I think the following approach should work(?)

  1. The request will include the following:

     resource: /{buildingId}/{unitId}   // this is how the policy will know the parent-child relationship

     action: open

     subject: subjectId and probably all permissions that this subject has (still thinking on how to represent the permissions, any suggestions?)

  2. Define one policy with the rule:

     // pseudocode
     if (subject.permissions include open on {buildingId} OR open on {unitId}) then permit else deny

Any suggestions?

Thanks,

Jatin

You need to define attributes like the following in the ABAC model:

Resource Attributes

  • Attribute: Building, Attribute Values: B1, B2, B3
  • Attribute: Unit, Attribute Values: B1U1, B1U2, B1U3, B2U1, B2U2, B2U3, B3U1, B3U2, B3U3

Action Attribute

  • Attribute: Building Action, Attribute Value: Open

Subject Attribute

  • Attribute: Building Resident, Attribute Values: Resident1, Resident2

The hierarchical relation between a building and its building units needs to be defined as a resource inheritance relation.

Resource Inheritance

  • Beneficiary: Building: B1, Inherited Values: Unit: B1U1, Unit: B1U2, Unit: B1U3
  • Beneficiary: Building: B2, Inherited Values: Unit: B2U1, Unit: B2U2, Unit: B2U3
  • Beneficiary: Building: B3, Inherited Values: Unit: B3U1, Unit: B3U2, Unit: B3U3

Now you need to define rules in an ABAC policy. You can use policy automation tools so that you do not need to think of inheritance relations during rule creation: you define those relations once, and later, when you create rules, the automation tool remembers those relations and creates the rules for you. You can download such a tool, named "Security Policy Tool". It is a commercial tool, but you can download a free demo which also includes a full XACML editor. Please check below a screenshot of your model in SPT:

[Screenshot: the model defined in Security Policy Tool]

Then from this tool you can automatically convert your ABAC policies into XACML and further edit them in the built-in XACML editor to fine-tune.

[Screenshot: XACML policy automatically converted by Security Policy Tool]
