Subject: Re: [xacml-users] retrieving a list or query filter of resources the caller is authorized for
Hi Ralf, Yoichi, et al,

I have been following this discussion with interest, as part of the OpenAz open source effort is to provide a query capability. The intent of OpenAz is to enable XACML to be brought into enterprise environments in a seamless manner, allowing migration on an as-needed basis to enable XACML capabilities to be introduced to the enterprise.

That aside, the technique we have been looking at is focused on hierarchical resources and the use of regular expressions to address scopes of those resources. This is also consistent with the notions in the XACML Multiple and Hierarchical Profiles.

Basically, hierarchical permissions can be simply thought of as a regular expression containing a fixed prefix and a wildcard suffix, where any resource name that matches the prefix is within scope of the expression. Generally this expression can be applied to the resource store to get a list of the concrete resources covered by the expression. Therefore, if a Policy can be defined that will return the list of applicable regular expressions contained within the policy for the specific request, then this list of expressions can be applied to the resource store in order to get the full list of concrete resources covered by the query.

Therefore the trick is how to get this list of regular expressions out of the policies. The attached zip file contains a policy that provides this capability, along with sample requests and responses that were obtained by running the requests against the SunXacml PDP being used in the OpenAz project.

The trick that is used is to use a PolicySet to contain a pair of Policies. One of the pair contains the actual regular expression used for access control. The other of the pair returns an Obligation containing an AttributeAssignment that contains a copy of the regular expression.

The way to get the 2nd policy of the pair invoked is to query for the specific string "/-", which is simply a string used in all the "2nd policies", and so all policies that contain this resource will match the query.

Note: none of this effort is focused on performance, and is intended at this time just to demonstrate capabilities. It is expected that optimizations will be needed to enable scalability.

Note: since SunXacml is based on XACML 1.1 there are a few 1.1 artifacts floating around, but these are rather trivial, and do not impact the overall structure of things, at least in the current phase of the OpenAz project.

Comments and suggestions are welcome.

Thanks,
Rich

Yoichi Takayama wrote:
SampleXacmlPolicyQueryWithReqRsp.zip
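The policy-pair trick described in Rich's message, worked through as an added example. This is not code from the attached zip, from OpenAz or from SunXacml; it is a deliberately minimal stand-in PDP in Python whose policies, obligation id, subject roles, resource store and the "permit-overrides" combining behaviour are all assumptions chosen for illustration. Each pair consists of an enforcing policy whose target is the real resource regex and a second policy targeted at the literal resource-id "/-" that returns the same regex in an obligation attribute assignment; a "/-" request then collects every applicable regex, which is applied to the resource store to list the caller's concrete resources.

```python
"""Toy PDP showing the policy-pair query trick (added example, not OpenAz code)."""
import re
from dataclasses import dataclass, field

# Obligation id and attribute name are assumptions for this example.
SCOPE_OBLIGATION = "urn:example:obligation:resource-scope"
SCOPE_ATTR = "resource-regex"
QUERY_RESOURCE = "/-"  # the literal string every "2nd policy" targets


@dataclass
class Policy:
    policy_id: str
    subjects: frozenset          # roles the target matches
    resource_pattern: str        # regex the resource-id must fully match
    action: str
    effect: str = "Permit"
    obligations: dict = field(default_factory=dict)  # obligation-id -> assignments


def policy_pair(pair_id, subjects, resource_regex, action):
    """Build one PolicySet pair: the enforcing policy carries the regex in its
    target, the query policy carries a copy of it in an obligation."""
    enforcing = Policy(f"{pair_id}-access", subjects, resource_regex, action)
    describing = Policy(
        f"{pair_id}-query", subjects, re.escape(QUERY_RESOURCE), action,
        obligations={SCOPE_OBLIGATION: {SCOPE_ATTR: resource_regex}},
    )
    return [enforcing, describing]


def evaluate(policies, subject, resource, action):
    """Permit-overrides: Permit if any applicable policy permits; obligations of
    every applicable Permit policy are returned with a Permit decision."""
    decision = "NotApplicable"
    obligations = []
    for p in policies:
        if subject not in p.subjects or p.action != action:
            continue
        # fullmatch anchors the regex so "/docs/eng/.*" cannot match "/docs/engX"
        if not re.fullmatch(p.resource_pattern, resource):
            continue
        if p.effect == "Permit":
            decision = "Permit"
            obligations.extend((oid, dict(a)) for oid, a in p.obligations.items())
        elif decision != "Permit":
            decision = "Deny"
    return decision, (obligations if decision == "Permit" else [])


def authorized_resources(policies, resource_store, subject, action):
    """Query with "/-" to harvest the regexes, then apply them to the store."""
    decision, obligations = evaluate(policies, subject, QUERY_RESOURCE, action)
    if decision != "Permit":
        return []
    patterns = [a[SCOPE_ATTR] for oid, a in obligations if oid == SCOPE_OBLIGATION]
    return sorted(r for r in resource_store
                  if any(re.fullmatch(pat, r) for pat in patterns))


# Constructed sample policies and resource store (not from the original post).
POLICIES = (
    policy_pair("eng-docs", frozenset({"engineer", "manager"}), r"/docs/eng/.*", "read")
    + policy_pair("hr-docs", frozenset({"manager"}), r"/docs/hr/.*", "read")
    + policy_pair("alice-home", frozenset({"engineer"}), r"/home/alice/.*", "read")
)
RESOURCE_STORE = [
    "/docs/eng/design.md", "/docs/eng/api/v1.yaml", "/docs/hr/salaries.csv",
    "/home/alice/notes.txt", "/home/bob/notes.txt",
]

if __name__ == "__main__":
    for role in ("engineer", "manager", "guest"):
        print(role, authorized_resources(POLICIES, RESOURCE_STORE, role, "read"))
    # An ordinary access check still goes through the enforcing policy only.
    print(evaluate(POLICIES, "engineer", "/docs/hr/salaries.csv", "read"))
```

Two points a practitioner will want to check when building the real policies: the query policy must carry exactly the same subject and action target as its enforcing twin, otherwise the list returned by "/-" drifts from what the enforcing policy actually permits; and the regexes must be anchored and the resource-ids normalised before matching, or a prefix pattern such as "/docs/eng/.*" will also claim sibling names and traversal-style ids that the store never intended to expose.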