
How to write XACML Policy using Custom Attributes

I'm trying to write an XACML policy that will utilize a custom attribute. I'm thinking of something like:

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="deny-demo100"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description> </Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>

  <Rule Effect="Deny" RuleId="rule-deny-demo100">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <Resource>
           <AnyResource/>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customAttribute</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
  </Rule>

  <Rule RuleId="deny-demo100-catch-all" Effect="Permit" />

</Policy>

(We're using Fedora's XACML implementation.)

I'm sure I'm missing something really simple and fundamental here, but cannot figure out what. Could someone point me in the right direction please?

What do you mean by custom attribute? What is it you want to express in 'plain old English'?

In XACML you can use any attribute you like, such as role, citizenship, clearance, resource classification, time of day... Of course the availability of the attribute depends on the type of app you are protecting. How are you using the Fedora implementation? Is it for access control within the Fedora Linux OS?

If you want to compare an attribute to a value, e.g. citizenship == Canadian, then use a <Target>. If you want to compare 2 attributes together, e.g. clearance > classification, then use a <Condition>.

I am not sure what you are actually looking for, but I guess you need to do some attribute-based access control.

In XACML there is a component called PIP (Policy Information Point), where you can retrieve attributes from external sources and check authorization.

This may help you: Understanding PIP (Policy Information Point).

If you need to create XACML policies in an easier way, you can follow this: XACML Policy Editor in WSO2 Identity Server.

I have to admit I'm kinda new to XACML and Fedora's implementation of it, but my understanding is you should be able to query any value that appears when checking the user object. The URL on a default Fedora Commons install should be "localhost:8080/fedora/user" and yields the following object on my server after logging in a previously created LDAP user called "Joe User":

<user id="Joe User">
  <attribute name="uid">
    <value>userj</value>
  </attribute>
  <attribute name="mail">
    <value>UserJ@ldap.test.user.uconn.edu</value>
  </attribute>
  <attribute name="sn">
    <value>User</value>
  </attribute>
  <attribute name="ou">
    <value>DPT</value>
  </attribute>
  <attribute name="cn">
    <value>Joe User</value>
  </attribute>
  <attribute name="description">
    <value>sample user</value>
  </attribute>
  <attribute name="role"/>
  <attribute name="fedoraRole"/>
  <attribute name="objectClass">
    <value>organizationalPerson</value>
    <value>person</value>
    <value>inetOrgPerson</value>
    <value>top</value>
  </attribute>
  <attribute name="displayName">
    <value>Joe User (LDAP)</value>
  </attribute>
</user>

Once a value has been injected into the user object via some JAAS authentication module (as in the above case using the LDAP module) or even an environment variable, you should be able to query it. In the example policy below I've set Fedora to grant fedoraAdmin-like access to API-M calls if a user has an OU set to "DPT":

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="permit-apim-to-ldap-ou"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>
  <!-- test policy to approve API-M operations if a specific LDAP OU exists -->
  <!-- make sure access to API-M is permitted from the current client IP address first (check "deny-apim-if-not-in-list.xml" or "deny-apim-if-not-localhost.xml") -->
  <Description>note that other policies may provide exceptions to this broad policy. This policy assumes api-m users have to be authenticated</Description>
  <Target>
    <Subjects>
      <Subject>
        <!-- specific OU - need to get this working with a range of values -->
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DPT</AttributeValue>
          <SubjectAttributeDesignator AttributeId="ou" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <Rule RuleId="1" Effect="Permit"/>
</Policy>

Custom attributes can even be added to the Fedora XML user file (not the Tomcat user file) rather than using LDAP. Likely there is a better way to do this, but as I stated before I'm rather new to XACML and don't fully understand it. This rule works on my localhost test server based on the other rules also in place. Your mileage may vary.

Also, as stated in the sample policy file, make sure that the client you are testing from can both be permitted and then later denied API-M access before you put a rule like this in place, as debugging XACML policies in Fedora seems to be extremely difficult, with little data being written to the log file even in Debug mode (you will see an operation passed or failed but never the name of the rule that caused the pass/fail result to happen).
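The two points made above, "attribute == constant goes in a Target, attribute-vs-attribute goes in a Condition" from the first answer and the ou == DPT policy evaluated against the /fedora/user document in the last answer, can be checked offline with a small evaluator. The following is an added example, not Fedora's own PDP and not code from any answer: a minimal XACML 1.0 policy evaluator in Python that parses policies of exactly the shape shown above. Assumptions: the XACML 1.0 policy namespace, first-applicable rule combining (the RuleCombiningAlgId is not inspected), only the three functions in FUNCTIONS, and a request context built from the user document plus constructed extras. USER_XML is trimmed from the answer's output, OU_POLICY is the answer's policy with its comments dropped, and CLEARANCE_POLICY together with the attribute ids `clearance` and `classification` is constructed to illustrate the Condition case.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:xacml:1.0:policy"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
USER_XML = """<user id="Joe User"><attribute name="uid"><value>userj</value></attribute>
  <attribute name="ou"><value>DPT</value></attribute><attribute name="role"/></user>"""  # constructed, trimmed from the answer

OU_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="permit-apim-to-ldap-ou"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DPT</AttributeValue>
      <SubjectAttributeDesignator AttributeId="ou" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </SubjectMatch></Subject></Subjects>
    <Resources><AnyResource/></Resources><Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="1" Effect="Permit"/>
</Policy>"""  # the answer's Target-based policy (attribute == constant), comments dropped

CLEARANCE_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="clearance-gt-classification"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
  <Rule RuleId="1" Effect="Permit">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
        <SubjectAttributeDesignator AttributeId="clearance" MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
        <ResourceAttributeDesignator AttributeId="classification" MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="2" Effect="Deny"/>
</Policy>"""  # constructed Condition-based policy (attribute vs attribute); rule 2 is the catch-all deny


def one_and_only(bag):
    if len(bag) != 1:                   # empty or multi-valued bag -> Indeterminate
        raise LookupError("bag must hold exactly one value")
    return bag[0]

FUNCTIONS = {                           # bags are Python lists, scalars are str or int
    FN + "string-equal": lambda a, b: a == b,
    FN + "integer-greater-than": lambda a, b: a > b,
    FN + "integer-one-and-only": one_and_only,
}

def make_request(user_xml, resource=None, **extra_subject):
    """Request context: subject bags from /fedora/user (an empty <attribute/> is an empty bag) plus extras."""
    subject = {a.get("name"): [v.text for v in a.findall("value")] for a in ET.fromstring(user_xml).findall("attribute")}
    subject.update({k: [str(v)] for k, v in extra_subject.items()})
    return {"subject": subject, "resource": resource or {}, "action": {}}

def evaluate_expr(el, req):
    """AttributeValue -> scalar, *AttributeDesignator -> bag, Apply/Condition -> function result."""
    tag = el.tag.rsplit("}", 1)[-1]
    to_py = int if el.get("DataType") == "http://www.w3.org/2001/XMLSchema#integer" else str
    if tag == "AttributeValue":
        return to_py(el.text)
    if tag.endswith("AttributeDesignator"):
        category = tag[:-len("AttributeDesignator")].lower()   # subject / resource / action
        bag = req.get(category, {}).get(el.get("AttributeId"), [])
        if not bag and el.get("MustBePresent", "false") == "true":
            raise LookupError("required attribute missing: " + el.get("AttributeId"))
        return [to_py(v) for v in bag]
    return FUNCTIONS[el.get("FunctionId")](*[evaluate_expr(c, req) for c in el])

def evaluate_match(match, req):
    """A *Match holds when MatchId(literal, v) is true for ANY v in the bag; a missing attribute
    with MustBePresent="false" yields an empty bag and therefore simply does not match."""
    fn, lit = FUNCTIONS[match.get("MatchId")], evaluate_expr(match[0], req)
    return any(fn(lit, v) for v in evaluate_expr(match[1], req))

def evaluate_target(target, req):
    """Subjects AND Resources AND Actions; each is Any* or an OR of elements that AND their *Match children."""
    if target is None:                  # a Rule without a Target inherits the Policy's
        return True
    for plural in ("Subjects", "Resources", "Actions"):
        sec, singular = target.find("p:" + plural, NS), plural[:-1]
        if sec.find("p:Any" + singular, NS) is not None:
            continue
        if not any(all(evaluate_match(m, req) for m in alt if m.tag.endswith("Match"))
                   for alt in sec.findall("p:" + singular, NS)):
            return False
    return True

def decide(policy_xml, req):
    """first-applicable: the first Rule whose Target and Condition both hold decides."""
    policy = ET.fromstring(policy_xml)
    try:
        if not evaluate_target(policy.find("p:Target", NS), req):
            return "NotApplicable"
        for rule in policy.findall("p:Rule", NS):
            cond = rule.find("p:Condition", NS)
            if evaluate_target(rule.find("p:Target", NS), req) and (cond is None or evaluate_expr(cond, req)):
                return rule.get("Effect")
        return "NotApplicable"
    except LookupError:                 # missing required attribute, or unknown function (KeyError)
        return "Indeterminate"

if __name__ == "__main__":
    print(decide(OU_POLICY, make_request(USER_XML)))  # Permit
```

The interesting cases are the ones that produce no log line in Fedora: an empty `<attribute name="role"/>` becomes an empty bag, so a Target match on it with MustBePresent="false" quietly fails and the policy is NotApplicable, whereas MustBePresent="true" on a missing `clearance` turns the whole policy Indeterminate rather than falling through to the catch-all rule. Running `decide` against constructed requests before deploying a policy is a cheap way to tell those two outcomes apart.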
