堆栈内存溢出
  简体   繁体   English

XACML策略 - 如何将策略设置为根策略?

[英]XACML policy - HOW to set a policy as the root policy?

 原文  2018-02-07 12:56:12       authorization/ access-control/ xacml/ abac/ authzforce

问题描述

I am trying to evaluate some requests against the following policy using Authzforce PDP engine (Web API). 我正在尝试使用Authzforce PDP引擎(Web API)评估针对以下策略的一些请求。 

<PolicySet xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd" PolicySetId="root" Version="2.0" PolicyCombiningAlgId="identifier:policy-combining-algorithm:deny-overrides">
 <Target/>
  <Policy xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd" PolicyId="urn:oasis:names:tc:xacml:3.0:example:MyPolicy" Version="1.0" RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
   <Target/>
   <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:MyRule" Effect="Permit">
     <Target>
      <AnyOf>
       <AllOf>
         <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Medical record</AttributeValue> 
            <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
         </Match>
         <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Doctor</AttributeValue>
            <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier" DataType="http://www.w3.org/2001/XMLSchema#string"/>
         </Match>
        </AllOf>
       </AnyOf>
     </Target>
     <Condition>
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
         <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
      </Apply>
     </Condition>
    </Rule>
   </Policy>
</PolicySet>

However, when I want to set this policy as the root policy (to activate this policy), I get the following error. 但是,当我想将此策略设置为根策略(激活此策略)时,我收到以下错误。 

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Date: Wed, 07 Feb 2018 12:40:19 GMT
Content-Type: application/xml
Content-Length: 361
Connection: close

* Closing connection 0
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
    <message>Failed to find a root PolicySet with id = 'root', Version=Optional.empty,EarliestVersion=Optional.empty,LatestVersion=Optional.empty: Matched PolicySet 'root' (version 2.0) is invalid or its content is unavailable</message>
</error>

I think maybe something is wrong with my policy. 我想我的政策可能有问题。 Would you please let me know what is the problem? 你能告诉我这是什么问题吗?

1 个解决方案

解决方案1
 3  2018-02-08 11:13:31

Your PolicySet is not valid XML, as David mentioned, because xsi namespace is undefined. 正如David所提到的,您的PolicySet不是有效的XML,因为未定义xsi名称空间。 To fix it, remove the xsi:schemaLocation attribute altogether (unnecessary for AuthzForce). 要修复它,请完全删除xsi:schemaLocation属性(AuthzForce不需要)。

In general, whenever you work with a XACML document (PolicySet, Request, Response, etc.), make sure it is valid XML and especially that it is valid against XACML schema . 通常,每当您使用XACML文档(PolicySet,Request,Response等)时,请确保它是有效的XML,尤其是它对XACML架构有效。 For quick validation, you can use a XML validator online (they are many, the link is just an example), or a command-line XML tool like xmllint . 为了快速验证,您可以在线使用XML验证器 (它们很多,链接只是一个示例),或者像xmllint这样的命令行XML工具。 For more thorough validation including XACML-specific semantics (eg also make sure you are using correct XACML identifiers, and XACML functions with correct arguments, etc) and XACML request validation/testing, you can use AuthzForce CLI . 要进行更彻底的验证,包括XACML特定的语义(例如,还要确保使用正确的XACML标识符,以及具有正确参数的XACML函数等)和XACML请求验证/测试,您可以使用AuthzForce CLI

Ultimately, if AuthzForce Server is still rejecting the policy, you can check AuthzForce server logs for more details in /var/log/tomcat8/authzforce-ce/error.log . 最终,如果AuthzForce Server仍然拒绝该策略,您可以在/var/log/tomcat8/authzforce-ce/error.log查看AuthzForce服务器日志以获取更多详细信息。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何评估XACML政策 - How to evaluate an XACML Policy 解决XACML策略冲突 - Resolving XACML policy conflicts 不适用的响应是XACML策略 - NotApplicable Response is XACML policy XACML策略中的分层属性 - Hierarchical attributes in XACML Policy XACML 在策略中结合 PIP - XACML combining PIPs in policy 如何将XACML 3.0请求与策略存储中存储的策略进行匹配 - how to match XACML 3.0 request against policy stored in policy store 我如何获得 XACML 政策的许可? - How do I get permit with XACML policy? XACML 策略 - 获得“不确定”响应 - XACML policy - getting "indeterminate" response 是否可以比较XACML策略中的属性? - Is it possible to compare attributes in a XACML policy? 比较XACML策略内的属性 - Compare attributes inside a XACML policy
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM