
XACML Authzforce PDP configuration in multiple policy files

I'm running XACML using the Authzforce PDP engine and a configuration file pdp.xml that looks like:

<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0"
     version="6.0.0">
  <rootPolicyProvider id="rootPolicyProvider"
        xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/policy.xml" />
</pdp>

Now, the file ${PARENT_DIR}/policy.xml, which is read by the PDP engine through the rootPolicyProvider, contains the actual XACML policies and is becoming fairly large. So, I would like to divide the XACML policies into multiple files policy1.xml, policy2.xml, policy3.xml, etc. These files then need to be read by the PDP engine.

Does anyone know whether the PDP engine configuration xml-file is able to specify this using multiple policyProviders or otherwise? It shouldn't be too difficult, but I have not found any solution yet after a few hours of search on the web.

Looking forward to your replies.

Thx, Jack.

For this use case, I recommend upgrading to AuthzForce Core 14.0.0 or later. Then you have two options (beware that the XML schema and namespace have changed a bit):

  1. Multiple 'policyLocation' elements, for example:
<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0" version="7.0.0">
    <policyProvider id="refPolicyprovider" xsi:type="StaticPolicyProvider">
        <policyLocation>${PARENT_DIR}/policy1.xml</policyLocation>
        <policyLocation>${PARENT_DIR}/policy2.xml</policyLocation>
    </policyProvider>
    <rootPolicyRef>policy1</rootPolicyRef>
</pdp>
  2. Use a wildcard pattern as 'policyLocation', for example (including all policy files with the '.xml' extension):
<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0" version="7.0.0">
    <policyProvider id="refPolicyprovider" xsi:type="StaticPolicyProvider">
        <policyLocation>${PARENT_DIR}/*.xml</policyLocation>
    </policyProvider>
    <rootPolicyRef>policy1</rootPolicyRef>
</pdp>

In both cases, the 'rootPolicyRef' identifies the root policy (where the PDP evaluation starts). In this case, the root policy is supposed to combine the other policies, i.e. be a XACML PolicySet with a defined PolicyCombiningAlgId and one or more PolicyIdReferences or PolicySetIdReferences to the other policies.

You can find a full example using the wildcard option on authzforce github.

Also, you can find more info about the PDP configuration format (latest version) in the XML schema.
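As an added example (not part of the original answer or of the AuthzForce project), here is what the root policy file ${PARENT_DIR}/policy1.xml could contain under the pdp.xml shown above: a XACML 3.0 PolicySet whose PolicySetId matches the rootPolicyRef and which references the policies kept in the other files. The ids policy2 and policy3 and the choice of combining algorithm are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: ${PARENT_DIR}/policy1.xml, the file holding the root
     policy named by <rootPolicyRef>policy1</rootPolicyRef> in pdp.xml.
     The PolicySetId must equal the rootPolicyRef value, and each referenced id
     (policy2, policy3; assumed here) must match the PolicyId / PolicySetId
     declared in one of the files loaded by the policyProvider. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
           PolicySetId="policy1"
           Version="1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Description>
    Root policy set combining the policies that were split across files.
    deny-unless-permit returns Permit only when at least one child returns
    Permit; NotApplicable or Indeterminate children all collapse to Deny,
    so a gap in one of the split files fails closed instead of open.
  </Description>
  <!-- Empty Target: this set applies to every request; the children decide. -->
  <Target/>
  <!-- policy2.xml is expected to contain <Policy PolicyId="policy2" ...> -->
  <PolicyIdReference>policy2</PolicyIdReference>
  <!-- policy3.xml is expected to contain <PolicySet PolicySetId="policy3" ...>;
       a nested set is referenced with PolicySetIdReference, not PolicyIdReference. -->
  <PolicySetIdReference>policy3</PolicySetIdReference>
</PolicySet>
```

With the explicit-list variant of pdp.xml, policy3.xml must also be added as a policyLocation; with the wildcard variant it is picked up as long as it sits in ${PARENT_DIR} and ends in .xml.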
