xacml-users message
Subject: Re: [xacml-users] RE: XACML ipAddress-regexp-match and how to author a policy with dynamic


Hi Chris,

I think you have analyzed the situation pretty well; however, it appears to me that there is one key concept that you need to incorporate, which is the role of the context handler (XACML 2.0 lines 246-248):
Context handler - The system entity that converts decision requests in the native request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format.
The key concept here is that the ch is responsible for converting between canonical XACML form and native forms.

The 2nd key concept you need is that of "missing attributes", which is defined in several places in the spec, primarily section 7.15.3 and related sections such as 5.37 lines 2614-2617, where MustBePresent is defined and further refs to relevant info in the spec are provided.

Basically, what it all boils down to is the following:
  1. If an attribute defined in a Policy has MustBePresent set to true and that attribute is not present in the Request, then the ch is invoked as described in section 7.2.5 lines 3313-3315:
    • "The PDP SHALL reference the attributes as if they were in a physical request context document, but the context handler is responsible for obtaining and supplying the requested values by whatever means it deems appropriate."
  2. The "appropriate means" is described, for example, in section 3.1 lines 584-592, steps 5-10, which is basically, as in steps 6 and 7, that the ch tells the PIP what it wants and gets it. We can assume that the ch translated the XACML AttributeId of the missing attribute to whatever native format the PIP uses to access the attribute and return it to the ch.
The 3rd and final key concept that is required is that one must assume that all attributes come from outside the XACML domain in some sense and there must be a mapping of the XACML AttributeId to the native attribute access mechanism. This is really true for attributes submitted to the PEP as well, since those attributes will be in some native format, and something must associate that native format with a XACML AttributeId and DataFormat in the process of submitting the request.

I think the general answer is that there needs to be a mapping between AttributeIds defined in XACML policies and native attributes that come from systems external to XACML that are used in evaluating XACML Policies, and that these mappings are defined by the organizations that define the Policies and attributes that are used by those Policies.

Let me know if this helps or if you need any further details.

    Thanks,
    Rich

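As an added illustration of the mapping Rich describes (this is example code, not part of the original thread and not any XACML implementation's code), the following Python sketch models a context handler that resolves a policy AttributeId absent from the request by consulting a PIP through an organisation-defined mapping, and yields Indeterminate when a MustBePresent attribute cannot be supplied. The AttributeId urn:example:subject:known-threat, the threat list and the four-octet resource pattern are constructed for the example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
THREAT_ATTR = "urn:example:subject:known-threat"  # hypothetical AttributeId, not from the spec

# Constructed stand-in for the database / SIM that the PIP fronts.
THREAT_DB = {"116.14.1.95", "65.4.89.192"}

def pip_known_threat(native_key: str) -> List[str]:
    """Native PIP access: look the host up in the threat list; return a bag of strings."""
    return ["true" if native_key in THREAT_DB else "false"]

# Organisation-defined mapping (Rich's point): AttributeId -> (request attribute
# supplying the native lookup key, native PIP accessor).
PIP_MAP: Dict[str, Tuple[str, Callable[[str], List[str]]]] = {
    THREAT_ATTR: (SUBJECT_ID, pip_known_threat),
}

class ContextHandler:
    def __init__(self, request: Dict[str, List[str]]):
        self.ctx = dict(request)  # canonical request context: AttributeId -> bag

    def designator(self, attr_id: str, must_be_present: bool) -> Optional[List[str]]:
        """Resolve an AttributeDesignator; consult the PIP when the bag is absent (7.2.5)."""
        if attr_id not in self.ctx and attr_id in PIP_MAP:
            key_attr, accessor = PIP_MAP[attr_id]
            key = self.ctx.get(key_attr, [])
            if len(key) == 1:  # cannot resolve without exactly one native key
                self.ctx[attr_id] = accessor(key[0])
        bag = self.ctx.get(attr_id, [])
        if not bag and must_be_present:
            return None  # missing attribute -> Indeterminate (7.15.3)
        return bag

# Constructed four-octet variant of the posted resource pattern (10.10.x.y, port 80 or 443).
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
WEB_RE = rf"^10\.10\.{OCTET}\.{OCTET}:(80|443)$"

def evaluate_threat_rule(request: Dict[str, List[str]]) -> str:
    """Deny-effect rule: resource is a corporate web server AND subject is a known threat."""
    ch = ContextHandler(request)
    resources = ch.designator(RESOURCE_ID, must_be_present=True)
    threat = ch.designator(THREAT_ATTR, must_be_present=True)
    if resources is None or threat is None:
        return "Indeterminate"
    if not any(re.match(WEB_RE, r) for r in resources):
        return "NotApplicable"  # target does not match
    return "Deny" if threat == ["true"] else "NotApplicable"  # condition false -> NotApplicable
```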

Chris McKenzie wrote:
I've made some progress, so please let me refine my question.

I can't determine how a policy might reference a source of PIP
information in different formats. For example, in the below policy, the
Condition's set/bag would ultimately be referencing an external PIP
source of information. There's a gap in the XACML spec between where the
PIP is a source of Attributes and how to reference those Attributes and
how the resulting policy might reflect this.

For example, my policy CAN'T list every set/bag attribute individually.
It would be impractical. So what's the syntax for referencing said
set/bag? I'll keep digging, and it's probably spelled out in the spec,
but for right now it feels like the spec doc is missing this piece.

Thanks!

<Policy PolicyId="urn:oasis:names:tc:policy:WebAccess">
  <Description>This policy is intended to allow access to corporate web
servers, except where threat hosts have been identified.</Description>
  <Target>
   <Subjects>
    <AnySubject/>
   </Subjects>
   <Actions>
    <AnyAction/>
   </Actions>
   <Resources>
    <Resource>
     <ResourceMatch
       MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
      <!-- pattern kept on one line: surrounding whitespace would become part of the string -->
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(10)\.(10)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9])\:(80|443)$</AttributeValue>
      <ResourceAttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
     </ResourceMatch>
    </Resource>
   </Resources>
  </Target>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:0" Effect="Deny">
   <Description>Hosts will be conditionally granted access as long as
they are not identified as a threat.</Description>
   <Target>
    <Subjects>
     <AnySubject/>
    </Subjects>
    <Actions>
     <AnyAction/>
    </Actions>
    <Resources>
     <AnyResource/>
    </Resources>
   </Target>
   <Condition
     FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-set-equals">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">116.14.1.95</AttributeValue>
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">65.4.89.192</AttributeValue>
    </Apply>
    <SubjectAttributeDesignator
      AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:test-attr"
      DataType="http://www.w3.org/2001/XMLSchema#string"/>
   </Condition>
  </Rule>
</Policy>



-----Original Message-----
From: Chris McKenzie
Sent: Tuesday, May 05, 2009 10:12 AM
To: 'xacml-users@lists.oasis-open.org'
Subject: XACML ipAddress-regexp-match and how to author a policy with dynamic

Hi.

The mailing list isn't easy to search, so I thought I would pose my
question while commanding the list to e-mail me the last 150 posts.

I was trying to put together an XACML 2.0 policy set that captured 2
policies, which when combined, allowed for both a sort of global allow
and selective deny. Essentially a Firewall access policy where hosts
which have been identified as a threat would be denied access to the
target resource (say a web server). The PIP information supplying the
list of threat IP Addresses could be stored in a database.

My main query that I can't gather from the literature I've read so far
is how all attributes of a Subject, Action or Resource are identified.
(I'm sure it's an easy answer, I'll be happy with anything really) For
example, an external system identifies a point of information which the
policy would use to help determine if a deny rule should be applied. In
this case, how is the policy authored to reference attributes of said
piece of information?

For example, a SIM event (we'll just go with this for now) which
contains the threatening host IP and requested resource. (say a
protected portion of the corporate web site) How do I identify the PIP
information in a urn? I was assuming that when the PDP gathers
information from the PIP (and from the PEP's access request message?)
that the Subject, Action and Resource will have things like subject-id's
ipAddress attribute already populated, because the Subject in question
has an IP.

Maybe I'm just not there yet. So I'll leave my query here. If anyone has
a bit of practical advice to enlighten me, it would be very beneficial.

Thanks!

Sample policy with a hole (note the ...???) where the external PIP
information on threat host IPs would be referenced:

<Policy PolicyId="urn:oasis:names:tc:policy:AttackerThreat">
  <Description>This policy is intended to deny attacking hosts for
corporate web servers.</Description>
  <Target/>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:1" Effect="Deny">
   <Description>All identified host threats shall not be permitted
access.</Description>
   <Target>
    <Subjects>
     <Subject>
      <SubjectMatch
        MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">...???</AttributeValue>
       <SubjectAttributeDesignator
         AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
         DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
      </SubjectMatch>
     </Subject>
    </Subjects>
    <Actions>
     <AnyAction/>
    </Actions>
    <Resources>
     <Resource>
      <ResourceMatch
        MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
       <!-- pattern kept on one line: surrounding whitespace would become part of the string -->
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(10)\.(10)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9])\:(80|443)$</AttributeValue>
       <ResourceAttributeDesignator
         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
         DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
      </ResourceMatch>
     </Resource>
    </Resources>
   </Target>
   <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
     <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator AttributeId="protocol"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
     </Apply>
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">tcp</AttributeValue>
    </Apply>
   </Condition>
  </Rule>
</Policy>




Chris McKenzie

