
ABAC Attributes Resolution

We have a subject, object (resource) and operation (action) in the ABAC. Subject and object have attributes that will be used to execute rules.

  1. We can have multiple subjects of different types, as well as resources. Some attributes are relevant for some types of resources, and some don't have any meaning in the context of another. In this case, how should a correct attributes model be implemented? For example, we have resources of type A and B. For type A the attribute isPublic is relevant, and for B it is not. In case the PIP receives a request to get the isPublic attribute for B, what should it do? Return nothing, or something that will lead to a negative rule resolution? The same question applies to the subject. How should a correct attributes model be defined and resolved as well?

  2. On a request to the PDP, shall we pass all possible attributes that we have? As far as I understood, this will increase performance as it will allow a lot of policies to be filtered out by the policy's target.

Regarding your first question, sending additional attributes that are not necessary to a rule's decision will NOT affect the decision. Take a look at this XACML decision by a PDP:

<EvaluationEvent xmlns="http://www.axiomatics.com/v1/EvaluationEvent" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <GroupId>ddc4a53f-1c98-403c-81ce-938c97645d7d</GroupId>
    <GroupVersion>6</GroupVersion>
    <Timestamp>2018-07-24T02:39:21.907Z</Timestamp>
    <EvaluationTimeMillis>0</EvaluationTimeMillis>
    <ClientIdentity>User+username%3D%22pdp-user%22%2C+roles%3D%22pdp-user%22</ClientIdentity>
    <ClientSource>127.0.0.1:49502</ClientSource>
    <InterfaceType>SOAP</InterfaceType>
    <PdpIdentity>f6a721ba-058e-44df-9434-ec1505e99ddc</PdpIdentity>
    <xacml-ctx:Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <xacml-ctx:RequestDefaults>
            <xacml-ctx:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml-ctx:XPathVersion>
        </xacml-ctx:RequestDefaults>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
            <xacml-ctx:Attribute AttributeId="com.axiomatics.seniority" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
            <xacml-ctx:Attribute AttributeId="role" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ADMIN</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
            <xacml-ctx:Attribute AttributeId="com.axiomatics.emailAddress" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">userone@user.com</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
            <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
                <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">secretmessage</xacml-ctx:AttributeValue>
            </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
    </xacml-ctx:Request>
    <ResultEntries>
        <ResultEntry>
            <xacml-ctx:Result>
                <xacml-ctx:Decision>Deny</xacml-ctx:Decision>
                <xacml-ctx:Status>
                    <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
                </xacml-ctx:Status>
            </xacml-ctx:Result>
            <EvaluationComplexity>21</EvaluationComplexity>
        </ResultEntry>
    </ResultEntries>
</EvaluationEvent>

In a sample project on my localhost, the only attribute I'm looking for in the subject in a specific rule is whether or not the attribute com.axiomatics.seniority is equal to 1 or 2. This means the ADMIN is an extra attribute that is provided. However, it does not affect the decision making.

In regards to your second question, I'm not sure if I understand completely, but I do gather that you are concerned about the PDP's performance. In general, the performance of the PDP's decision making, putting memory and software implementation of XACML aside, is based on your policies. You'll want to get a "DENY" as soon as possible in your policies if one will occur.

In regards to setting attributes in a PEP, I've found it helpful to use a function that sets the default attributes based on the type of decision that will occur, like so:

// Uses Spring Security's Authentication / SecurityContextHolder to identify the caller.
// attrCatAry, attrTypeAry, attrIdAry and attrValAry are the PEP's parallel lists of
// attribute category, data type, id and value that get turned into the XACML request.
@Override
public void uiDecisionSetDefaultAttributes() {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    // Subject attribute com.axiomatics.seniority, an integer, keyed by the user's e-mail.
    attrCatAry.add("SUBJECT");
    attrTypeAry.add("INTEGER");
    attrIdAry.add("com.axiomatics.seniority");
    Integer userId = null;
    try {
        userId = userRepository.findByEmail(auth.getName()).getSeniority();
    } catch (Exception e) {
        // Lookup failed: the value stays null and is sent as an absent attribute.
        log.info(e.toString());
    }
    attrValAry.add(userId);
}

Full disclosure: I work for Axiomatics, and my answers are based on software that is fully compliant with the XACML standard, such as Axiomatics software.

On a request to the PDP, shall we pass all possible attributes that we have? As far as I understood, this will increase performance as it will allow a lot of policies to be filtered out by the policy's target.

In ABAC, you can choose to pass all attributes from the PEP to the PDP up-front. For instance, you could say:

  • Can Alice the manager in sales approve record #123 in draft in sales?

In the above question, we pass in Alice's role and department as well as the record's status and department. We assume this is all the policies will need to reach a decision. This introduces a tight coupling between the PEP (or the application) and the PDP, but it makes the PDP extremely fast given it will not need to go out to external sources (PIP).

The extreme opposite is to send in the "key" attributes only, e.g.

  • Can Alice approve record #123?

In that case the PDP will need to call a PIP for the user's attributes and the resource's attributes, leading to a total of 4 possible calls. You may think it sounds bad. But it's not. First of all:

  • querying data sources is very efficient nowadays
  • you can cache values in the PDP so you don't have to go fetch Alice's role all the time
  • you only fetch an attribute if you really need it. If, for instance, you've determined that Alice is not a manager, we won't even go fetch her department or the resource attributes.

Like Mike, I work for Axiomatics. We've put algorithms in place to optimize policy evaluation and attribute retrieval. This makes our PDP extremely fast.
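As an added illustration (not code from either answer or from Axiomatics' product), the following toy Python PDP shows both points discussed on this page: the lazy, cached PIP lookups of the second answer (Alice's "4 possible calls" drop to 1 when she is not a manager, and to 0 when the PEP supplies every attribute up-front), and the first question's missing-attribute case, modelled as XACML's empty bag when MustBePresent is false, so a rule that reads isPublic on a type B record simply does not apply instead of erroring. All users, records and attribute names are constructed.

```python
# Toy ABAC PDP with an on-demand PIP (added example, not Axiomatics code).
# Constructed backing stores that the PIP reads from; type B records have no isPublic.
USERS = {"alice": {"role": "manager", "department": "sales"},
         "bob": {"role": "clerk", "department": "sales"}}
RECORDS = {"123": {"type": "A", "status": "draft", "department": "sales", "isPublic": False},
           "456": {"type": "B", "status": "draft", "department": "sales"},
           "789": {"type": "A", "status": "final", "department": "hr", "isPublic": True}}


class PIP:
    """Fetches one attribute at a time; counts backing-store reads and caches them."""

    def __init__(self):
        self.cache, self.calls = {}, 0

    def get(self, category, key, name):
        ck = (category, key, name)
        if ck not in self.cache:
            self.calls += 1
            store = USERS if category == "subject" else RECORDS
            # None stands for an absent attribute (XACML empty bag), not an error.
            self.cache[ck] = store.get(key, {}).get(name)
        return self.cache[ck]


def evaluate(pip, request):
    """request = {'subject': {...}, 'resource': {...}, 'action': 'approve' | 'read'}.
    Attributes already in the request are used as-is; others are resolved lazily via the PIP."""

    def attr(category, name):
        bag = request[category]
        return bag[name] if name in bag else pip.get(category, bag["id"], name)

    action = request["action"]
    if action == "approve":
        if attr("subject", "role") != "manager":
            return "Deny"  # decided early: department and resource attributes never fetched
        if attr("resource", "status") == "draft" and \
                attr("subject", "department") == attr("resource", "department"):
            return "Permit"
        return "Deny"
    if action == "read":
        # Absent isPublic -> comparison is false -> this rule does not apply.
        return "Permit" if attr("resource", "isPublic") is True else "NotApplicable"
    return "NotApplicable"
```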
