
Storing XACML file in JSON using MongoDB for Authzforce

I would like to implement a PDP engine using the authzforce-ce-core-pdp-engine jar file like you mentioned in the README, but with the exception that the policy files in XML should be dynamic. The main idea is similar to a file sharing system, as one user could share multiple files with another user, where each file may have a different policy. I was thinking to store the policy files in some sort of DB like MySQL or MongoDB and the PDP will refer to it and make a decision to grant or deny the access based on the request.

I found that the pdp core engine supports MongoDB as mentioned here.

Here is my pdp configuration file:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" xmlns:ext="http://authzforce.github.io/core/xmlns/test/3" version="6.0.0">
   <refPolicyProvider id="refPolicyProvider" xsi:type="ext:MongoDBBasedPolicyProvider" serverHost="localhost" serverPort="27017" dbName="testXACML" collectionName="policies" />
   <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRefBasedRootPolicyProvider">
      <policyRef>root-rbac-policyset</policyRef>
   </rootPolicyProvider>
</pdp>

So now the question is: how can I store the policy XML files, as they need to be stored as JSON in MongoDB? I tried to convert XML to JSON using the JSON maven dependency, but I have a problem converting back to XML. For example, with a policy XML file like this it will create a JSON file something like this:

{"Policy": {
    "xmlns": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17",
    "Target": "",
    "Description": "Policy for Conformance Test IIA001.",
    "Version": 1,
    "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "RuleCombiningAlgId": "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides",
    "Rule": {
        "Target": {"AnyOf": [
            {"AllOf": {"Match": {
                "AttributeValue": {
                    "DataType": "http://www.w3.org/2001/XMLSchema#string",
                    "content": "Julius Hibbert"
                },
                "AttributeDesignator": {
                    "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
                    "MustBePresent": false,
                    "DataType": "http://www.w3.org/2001/XMLSchema#string"
                },
                "MatchId": "urn:oasis:names:tc:xacml:1.0:function:string-equal"
            }}},
            {"AllOf": {"Match": {
                "AttributeValue": {
                    "DataType": "http://www.w3.org/2001/XMLSchema#anyURI",
                    "content": "http://medico.com/record/patient/BartSimpson"
                },
                "AttributeDesignator": {
                    "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                    "MustBePresent": false,
                    "DataType": "http://www.w3.org/2001/XMLSchema#anyURI"
                },
                "MatchId": "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"
            }}},
            {"AllOf": [
                {"Match": {
                    "AttributeValue": {
                        "DataType": "http://www.w3.org/2001/XMLSchema#string",
                        "content": "read"
                    },
                    "AttributeDesignator": {
                        "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "MustBePresent": false,
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    },
                    "MatchId": "urn:oasis:names:tc:xacml:1.0:function:string-equal"
                }},
                {"Match": {
                    "AttributeValue": {
                        "DataType": "http://www.w3.org/2001/XMLSchema#string",
                        "content": "write"
                    },
                    "AttributeDesignator": {
                        "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                        "MustBePresent": false,
                        "DataType": "http://www.w3.org/2001/XMLSchema#string"
                    },
                    "MatchId": "urn:oasis:names:tc:xacml:1.0:function:string-equal"
                }}
            ]}
        ]},
        "Description": "Julius Hibbert can read or write Bart Simpson's medical record.",
        "RuleId": "urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule",
        "Effect": "Permit"
    },
    "PolicyId": "urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy"
}}

but when I try to convert it back to XML it becomes an entirely different XML file. So now how can I store the XML file in MongoDB? Also, how to ensure that the pdp engine core could find the correct policy to be compared? I saw there is a mention of the JSON adapter in the README like this, but I am not sure how one would normally implement it.

I answered this question on AuthzForce's github. In a nutshell, David is mostly right about the format (xml content stored as JSON string). More precisely, for the AuthzForce MongoDB policy Provider, you have to store policies as shown by the part of the unit test class's setupBeforeClass method that populates the database with test policies. You'll see that we use the Jongo library (using Jackson object mapping behind the curtains) to map PolicyPOJO Java objects to JSON in the Mongodb collection. So from the PolicyPOJO class, you can pretty much guess the storage format of policies in JSON: it is a JSON object with the following fields (key-value pairs):

  • "id" (string): the Policy(Set) ID
  • "version" (string): the Policy(Set) version
  • "type" (string): the Policy(Set) type, i.e. '{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}Policy' (resp. '{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}PolicySet') for XACML 3.0 Policy (resp. PolicySet)
  • "content" (string): the actual Policy(Set)'s XML document as string (plain text)

The xml content is automatically escaped properly by the Java library (Jongo/Jackson) to fit in a JSON string. But if you use another library/language, make sure it is the case as well.

There currently isn't a JSON format for XACML policies. That's currently under consideration by the OASIS XACML Technical Committee. Bernard Butler at Waterford Institute of Technology did do some initial translation which might be of value to you.

The only other option I could think of for the time being is to create a JSON wrapper around the policies, e.g.

{
    "policy":"the xml policy contents escaped as valid json value or in base64"
}
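Both answers above come down to the same storage rule: keep the XACML XML untouched as one JSON string field instead of translating the XML tree into JSON objects, which is exactly the lossy conversion the question ran into. The following is an added example (not code from the question, from AuthzForce, or from either answer) that builds the id/version/type/content document described in the first answer from a policy's own root element, pushes it through JSON serialisation the way a driver would, and reads it back by id and version so the PDP's policy lookup has something to match on. The `InMemoryCollection` class is a constructed stand-in for a pymongo collection (it only mimics `insert_one` and `find_one`) so the script runs offline; the trimmed policy is a constructed sample based on the conformance-test policy quoted in the question.

```python
import json
import xml.etree.ElementTree as ET

XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"

# Constructed sample: a trimmed form of the conformance-test policy quoted in the question.
SAMPLE_POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Description>Policy for Conformance Test IIA001.</Description>
  <Target/>
  <Rule RuleId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule" Effect="Permit">
    <Description>Julius Hibbert can read or write Bart Simpson's medical record.</Description>
  </Rule>
</Policy>
"""


def to_policy_document(xml_text):
    """Wrap a XACML 3.0 Policy/PolicySet XML string in the id/version/type/content
    document the answer describes. The XML is not converted to JSON: it is kept
    verbatim in the 'content' string, so it round-trips unchanged."""
    root = ET.fromstring(xml_text)
    if not root.tag.startswith("{"):
        raise ValueError("root element has no namespace; expected a XACML 3.0 policy")
    ns, local = root.tag[1:].split("}", 1)
    if ns != XACML3_NS or local not in ("Policy", "PolicySet"):
        raise ValueError("unsupported root element: " + root.tag)
    id_attr = "PolicyId" if local == "Policy" else "PolicySetId"
    return {
        "id": root.attrib[id_attr],
        "version": root.attrib["Version"],
        "type": "{%s}%s" % (ns, local),  # '{...wd-17}Policy' or '{...wd-17}PolicySet'
        "content": xml_text,
    }


class InMemoryCollection:
    """Constructed stand-in for a pymongo Collection so the example runs offline.
    Every stored document goes through json.dumps/json.loads, which is where the
    XML quotes and newlines get escaped into a valid JSON string value."""

    def __init__(self):
        self._docs = []

    def insert_one(self, doc):
        self._docs.append(json.loads(json.dumps(doc)))

    def find_one(self, query):
        for doc in self._docs:
            if all(doc.get(k) == v for k, v in query.items()):
                return doc
        return None


def store_policy(collection, xml_text):
    """Insert one policy document; returns (id, version) for later lookup."""
    doc = to_policy_document(xml_text)
    collection.insert_one(doc)
    return doc["id"], doc["version"]


def load_policy_xml(collection, policy_id, version=None):
    """Fetch the raw XML back by policy id (and version, if given): these are the
    fields a reference such as <policyRef>root-rbac-policyset</policyRef> resolves on."""
    query = {"id": policy_id}
    if version is not None:
        query["version"] = version
    doc = collection.find_one(query)
    return None if doc is None else doc["content"]


if __name__ == "__main__":
    coll = InMemoryCollection()
    pid, ver = store_policy(coll, SAMPLE_POLICY_XML)
    print(json.dumps(coll.find_one({"id": pid, "version": ver}), indent=2))
    assert load_policy_xml(coll, pid, ver) == SAMPLE_POLICY_XML
```

Running the script prints the stored document with the XML visible as one escaped string, and the final assertion checks that what comes back out of the collection is the original XML byte for byte. If you load the policies from a language other than Java, the same check (store, read back, compare with the file on disk) is the quick way to confirm that your JSON library escaped the content correctly, as the first answer advises.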
