简体繁体 English

FIWARE Idm 中的高级 XACML 规则示例

[英]Example of advanced XACML rule in FIWARE Idm

原文 2018-08-20 13:46:08 9 1 fiware

I have issues when creating dynamic resources in IDM, question about that was answered here .我在 IDM 中创建动态资源时遇到问题，有关的问题已在此处回答。

But i was not able to find clear example of creating advanced policy using costume XCAML.但是我找不到使用服装 XCAML 创建高级策略的明确示例。 Documentation on this topic is very unclear and hard to understand, without some examples.关于此主题的文档非常不清楚且难以理解，没有一些示例。

So my question is if some was able to create some dynamic resources using methods i described above.所以我的问题是，是否有人能够使用我上面描述的方法创建一些动态资源。

1 个解决方案

For an Advanced XACML Rule, you can start from the XACML Rule template in the IDM source code as example, which is used to generate a basic Rule (for a static resource path);对于Advanced XACML Rule，可以从IDM源码中的XACML Rule模板开始作为例子，用于生成基本Rule（对于静态资源路径）； then you can customize it (besides removing/replacing the template code <%...%> ) but beware that in the Rule, you can only use XACML attributes that can be retrieved by the PEP.然后您可以自定义它（除了删除/替换模板代码<%...%> ），但请注意，在规则中，您只能使用可由 PEP 检索的 XACML 属性。 If you use FIWARE PEP proxy Wilma as PEP, you can check the list of usable XACML attributes by looking at thePep's Authzforce client code (search for AttributeId ).如果您使用 FIWARE PEP 代理 Wilma 作为 PEP，您可以通过查看Pep 的 Authzforce 客户端代码（搜索AttributeId ）来检查可用 XACML 属性的列表。 Currently, they are the following (names shortened for conciseness): resource-id, sub-resource-id, action-id, subject-role (check the code for the full attribute names).目前，它们是以下（为简洁起见而缩短的名称）：resource-id、sub-resource-id、action-id、subject-role（查看代码以获取完整的属性名称）。 Therefore, if you want to use XACML subject-id attribute based on user-id in your Rule for example, you have to modify the Pep code I just mentioned, ie extract the user ID from the userInfo variable and add the corresponding XACML Attribute (subject-id) in the Request.因此，如果你想在你的规则中使用基于用户 ID 的 XACML 主题 ID 属性，你必须修改我刚才提到的 Pep 代码，即从userInfo变量中提取用户 ID 并添加相应的 XACML 属性（请求中的主题 ID）。