How to do logical AND for Rule combining for XACML

My scenario is I have a Policy with several rules and all the rules need to be true for the policy to be true. For example:

Policy A
       - Rule 1
       - Rule 2
       - Rule 3

For Policy A to be applicable, I need all three Rules to return true, and if even one of them returns false, it should go check the other policies in my PolicySet.

What I have right now is:

    <!-- shortened for brevity; XACML Rules are identified by RuleId -->
    <Policy RuleCombiningAlgId="...:deny-overrides">
         <!-- every Rule has Effect="Permit"; a Rule whose Target/Condition does not
              match yields NotApplicable rather than Deny, so deny-overrides never sees a Deny -->
         <Rule RuleId="1" Effect="Permit">
                ...
         </Rule>
         <Rule RuleId="2" Effect="Permit">
                ...
         </Rule>
         <Rule RuleId="3" Effect="Permit">
                ...
         </Rule>
    </Policy>

I think my problem is that none of my rules return "Deny", but I initially thought that if it's not Permit, it should be Deny. I thought of putting a NOT on all of my rules, but that would make it inelegant.

If it's relevant, I am using the AuthzForce library.

all the rules need to be true for the policy to be true

In terms of XACML, I guess you mean: the Policy must return Permit if and only if all Rules inside return Permit. I can't think of any rule combining algorithm in the XACML standard that simply does that. So I suggest two options:

Option A: Wrap each Rule in a deny-unless-permit Policy, and use permit-unless-deny at the top level (Policy A becomes PolicySet A).

    <?xml version="1.0" encoding="utf-8"?>
    <!-- each Rule is wrapped in its own Policy so that a non-matching Rule becomes a Deny,
         which the outer permit-unless-deny then turns into an overall Deny -->
    <PolicySet PolicySetId="A" PolicyCombiningAlgId="...:permit-unless-deny">
         <Policy RuleCombiningAlgId="...:deny-unless-permit">
           <Rule RuleId="1" Effect="Permit">
                ...
           </Rule>
         </Policy>
         <Policy RuleCombiningAlgId="...:deny-unless-permit">
           <Rule RuleId="2" Effect="Permit">
                ...
           </Rule>
         </Policy>
         <Policy RuleCombiningAlgId="...:deny-unless-permit">
           <Rule RuleId="3" Effect="Permit">
                ...
           </Rule>
         </Policy>
    </PolicySet>

In this case, PolicySet A returns Permit if and only if (iff) no Policy returns Deny (by definition of the permit-unless-deny algorithm). Since each Policy returns Permit iff the Rule returns Permit, else Deny (by definition of the deny-unless-permit algorithm), this is equivalent to: Policy A returns Permit iff all Policies return Permit, i.e. iff all Rules return Permit.

Option B: Implement a new Combining Algorithm extension for AuthzForce.
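The reasoning in Option A can be checked mechanically. The following is an added example, not code from the question, the answer or the AuthzForce project: a small Python model of the three XACML 3.0 combining algorithms named in this thread (deny-overrides, deny-unless-permit, permit-unless-deny), evaluated against constructed sample rules and requests. The Indeterminate handling is simplified (no {D}/{P}/{DP} sub-variants), and the attribute names and values in the requests are made up for illustration.

```python
# Added example (not from the original question or answer): a minimal model of
# the XACML 3.0 combining algorithms discussed in the thread, used to compare
# the asker's single deny-overrides Policy with the answer's Option A.
# Simplification: Indeterminate is treated as a single value, without the
# XACML 3.0 {D}/{P}/{DP} extended-indeterminate variants.
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")

Request = Dict[str, str]
Evaluator = Callable[[Request], str]
Algorithm = Callable[[List[str]], str]


def deny_overrides(decisions: List[str]) -> str:
    """Deny wins; a child that is NotApplicable is simply ignored."""
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def deny_unless_permit(decisions: List[str]) -> str:
    """Permit if any child permits, otherwise Deny (never NotApplicable)."""
    return PERMIT if PERMIT in decisions else DENY


def permit_unless_deny(decisions: List[str]) -> str:
    """Deny if any child denies, otherwise Permit (never NotApplicable)."""
    return DENY if DENY in decisions else PERMIT


def rule(effect: str, matches: Callable[[Request], bool]) -> Evaluator:
    """A Rule yields its Effect when its Target/Condition matches, else NotApplicable."""
    return lambda request: effect if matches(request) else NOT_APPLICABLE


def policy(algorithm: Algorithm, children: List[Evaluator]) -> Evaluator:
    """A Policy or PolicySet combines its children's decisions with one algorithm."""
    return lambda request: algorithm([child(request) for child in children])


# Constructed sample rules standing in for the thread's Rule 1, Rule 2 and Rule 3.
RULE_1 = rule(PERMIT, lambda r: r.get("role") == "doctor")
RULE_2 = rule(PERMIT, lambda r: r.get("department") == "cardiology")
RULE_3 = rule(PERMIT, lambda r: r.get("action") == "read")
RULES = [RULE_1, RULE_2, RULE_3]

# What the question has today: one Policy, deny-overrides, three Permit Rules.
ORIGINAL_POLICY_A = policy(deny_overrides, RULES)

# Option A: PolicySet A = permit-unless-deny over one deny-unless-permit Policy per Rule.
OPTION_A_POLICYSET = policy(
    permit_unless_deny,
    [policy(deny_unless_permit, [r]) for r in RULES],
)


def evaluate_original(request: Request) -> str:
    """Decision of the asker's current Policy A for a request."""
    return ORIGINAL_POLICY_A(request)


def evaluate_option_a(request: Request) -> str:
    """Decision of the answer's PolicySet A (Option A) for the same request."""
    return OPTION_A_POLICYSET(request)


if __name__ == "__main__":
    # Constructed sample requests: all rules match, one rule fails, none match.
    samples = {
        "all rules match": {"role": "doctor", "department": "cardiology", "action": "read"},
        "rule 2 fails": {"role": "doctor", "department": "oncology", "action": "read"},
        "no rule matches": {"role": "nurse", "department": "oncology", "action": "write"},
    }
    for label, request in samples.items():
        print(f"{label:16} original={evaluate_original(request):14} "
              f"optionA={evaluate_option_a(request)}")
```

The second sample request is the case the question is about: with deny-overrides, a Rule whose Target or Condition does not match contributes NotApplicable, so the other two Permit Rules still win and the Policy permits even though only two of three conditions hold. Under Option A the non-matching Rule's wrapper Policy returns Deny, and permit-unless-deny turns that into an overall Deny. One point to keep in mind when placing PolicySet A inside a larger PolicySet: permit-unless-deny never returns NotApplicable, so a failed AND surfaces as Deny rather than NotApplicable, and whether the enclosing PolicySet then goes on to consider its other Policies depends on the enclosing combining algorithm (a deny-overrides parent would stop at that Deny).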
