
match evaluation of multiple multi-valued attributes

The XACML 3.0 specs state that for <Match> evaluation "the MatchId function SHALL be applied between the <AttributeValue> and each element of the bag returned from the <AttributeDesignator> or <AttributeSelector> element." (7.6 Match evaluation)

In the case that, for example, the attribute access-subject / subject-id returns a bag with more than one value, one should iterate over these members until the matching function returns true. This is clear and obvious. Now consider the case where the <AllOf> element has two <Match>es, as in conformance test IIA007Policy.xml (see below). It has a Match on access-subject / subject-id being equal to "Julius Hibbert" and access-subject / some-attribute being equal to "riddle me this".

Now assume that in a request, there are two attributes having multiple members; how should the match be evaluated now? Attribute1 has bag [1, 2, 3] and attribute2 has bag [a, b]. One can start processing the members from the first attribute until a true is returned and then continue with processing the next attribute etc., but that would not cover all possible outcomes. Or, should the matching functions be simultaneously applied to all combinations of the members from the two bags [{1,a},{1,b},{2,a},{2,b},{3,a},{3,b}]? With large bags and/or many attributes, this will lead to a large set of combinations to process!

The specs, as far as I know, give no clue how the situation is handled in case two or more attributes return bags with multiple members within the same <AllOf> element. My questions are:

  • did I miss something in the specs,
  • is my interpretation correct?
  • how is this handled in real implementations?

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA007:policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:policy:schema:os         access_control-xacml-2.0-policy-schema-os.xsd">
    <Description>
        Policy for Conformance Test IIA007.
    </Description>
    <Target/>
    <Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA007:rule">
        <Description>
            Julius Hibbert can read or write Bart Simpson's medical record.
        </Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">riddle me this</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
    </Rule>
</Policy>

No, the Match does not apply to all combinations from the two attribute bags, because they have different AttributeIds. A Match applies only to the one AttributeId (and Category and DataType and optional Issuer) specified in the AttributeDesignator. If the AttributeDesignator in the Match has AttributeId='attribute1', it only applies to attribute 'attribute1'; it does not care about the others. Then, a Match always evaluates to True (if and only if any of the attribute values matched), or False, or Indeterminate.

Then, what the AllOf combines is just the Trues/Falses/Indeterminates returned by the Matches. The combination algorithm is defined in section 7.7 (Target evaluation) of the XACML spec. In the tables, it says "Match" for True, and "No Match" for False (don't ask me why they didn't just say True or False, I am not one of the authors). So for example, if all Matches return True, then AllOf returns True. But if at least one Match returns False, then AllOf returns False. (And you have the special case for Indeterminate.) So you may understand that the combination is actually more basic than what you had in mind, I guess.

If you have a policy that states (using ALFA notation):

 policy example{
     target clause role == "manager" and department == "sales"
     apply firstApplicable
     rule allow{
         permit
     }
 }

If the request you send contains 2 values for role ("manager" and "employee") and 3 values for department ("sales", "engineering", "finance"), then the response will be Permit. In plain old English, your question would be "Can the user who happens to be a manager and an employee and who belongs to the sales, engineering, and finance departments do X?"

The way the policy will be evaluated is that each match will be handled one after the other, independently:

  1. Is there at least one value equal to manager? Yes there is. The first match is true.
  2. Is there at least one value equal to sales? Yes there is. The second match is true.

It does not matter that there is an AllOf (or an AnyOf). Each match is first handled independently. The spec is quite clear on that.
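An added example (not from the question or either answer) that encodes the evaluation both answers describe, in Python: each Match consults one designator's bag only, and AllOf, AnyOf and Target then combine the Match / No Match / Indeterminate results per the section 7.7 tables, including the MustBePresent case that yields Indeterminate. The attribute ids "role" and "department" under the access-subject category, used for the ALFA policy above, are assumptions.

```python
from typing import Callable

MATCH, NO_MATCH, INDETERMINATE = "Match", "No Match", "Indeterminate"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

# Request context: (category, attribute-id) -> bag of values (a list).
Request = dict[tuple[str, str], list[str]]


def evaluate_match(value: str, designator: tuple[str, str], request: Request,
                   must_be_present: bool = True,
                   fn: Callable[[str, str], bool] = lambda a, b: a == b) -> str:
    """Section 7.6: apply the MatchId function between the <AttributeValue>
    and each element of the bag for this one designator; Match if any
    element matches. A missing attribute with MustBePresent="true" is
    Indeterminate; without MustBePresent the bag is empty, so No Match."""
    bag = request.get(designator)
    if bag is None:
        return INDETERMINATE if must_be_present else NO_MATCH
    return MATCH if any(fn(value, member) for member in bag) else NO_MATCH


def evaluate_all_of(results: list[str]) -> str:
    """Section 7.7 AllOf table: any No Match -> No Match; otherwise any
    Indeterminate -> Indeterminate; otherwise (all Match) -> Match."""
    if NO_MATCH in results:
        return NO_MATCH
    return INDETERMINATE if INDETERMINATE in results else MATCH


def evaluate_any_of(results: list[str]) -> str:
    """Section 7.7 AnyOf table: any Match -> Match; otherwise any
    Indeterminate -> Indeterminate; otherwise (all No Match) -> No Match."""
    if MATCH in results:
        return MATCH
    return INDETERMINATE if INDETERMINATE in results else NO_MATCH


def evaluate_target(any_of_results: list[str]) -> str:
    """Section 7.7 Target table: same combination rule as AllOf, applied
    to the AnyOf results."""
    return evaluate_all_of(any_of_results)


def alfa_example(request: Request) -> str:
    """The ALFA target above: role == "manager" and department == "sales".
    Attribute ids "role"/"department" under access-subject are assumed."""
    m1 = evaluate_match("manager", (ACCESS_SUBJECT, "role"), request)
    m2 = evaluate_match("sales", (ACCESS_SUBJECT, "department"), request)
    # Two Matches in one AllOf, one AllOf in one AnyOf, one AnyOf in the Target.
    return evaluate_target([evaluate_any_of([evaluate_all_of([m1, m2])])])
```

With role ["manager", "employee"] and department ["sales", "engineering", "finance"] the target evaluates to Match, and no cross product of the two bags is ever formed.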
