xacml-users message

Subject: Implementing UNIX file system acl using xacml


Hi,
I'm trying to implement UNIX file system access control using XACML, but I have some problems.
Access control on a UNIX file system is defined as follows.
There are:
- a list of users
- a list of groups, each composed of a list of users
- three types of action on files: READ/WRITE/EXECUTE
- a hierarchy of directories and files

Files and directories are owned by a user. The owner determines the file's owner class. Distinct permissions apply to the owner.

Files and directories are assigned a group, which defines the file's group class. Distinct permissions apply to members of the file's group. The owner doesn't need to be a member of the file's group.

Users who are neither the owner nor a member of the group comprise a file's others class. Distinct permissions apply to others.

The effective permissions are determined based on the user's class. For example, the user who is the owner of the file will have the permissions given to the owner class regardless of the permissions assigned to the group class or others class.

Permissions on a Unix-like system are not inherited. Files created within a directory will not necessarily have the same permissions as that directory.

As usual, if I want to access a file I need access to the parent directories too. For example:

- I want to read the file foo.txt
- The file path is /a/b/foo.txt

To read foo.txt, I need read access to the directories 'a' and 'b' and to 'foo.txt'; otherwise access is denied.

I would like to define a policy representing this with the XACML hierarchy profile.

The request can be represented as follows (version without XML resource content):

<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>user1</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <!-- the requested node -->
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>file:/folder1/folder2/file1</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-parent" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>file:/folder1/folder2</AttributeValue>
    </Attribute>
    <!-- resource-ancestor: one value per ancestor directory -->
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-ancestor" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>file:/folder1/folder2</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-ancestor" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>file:/folder1</AttributeValue>
    </Attribute>
    <!-- resource-ancestor-or-self: the ancestors plus the node itself -->
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-ancestor-or-self" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>file:/folder1/folder2/file1</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-ancestor-or-self" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>file:/folder1/folder2</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-ancestor-or-self" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>file:/folder1</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>READ</AttributeValue>
    </Attribute>
  </Action>
  <Environment/>
</Request>

If I were to define the policy without taking the hierarchical access into account, considering only the access permission on a single file/directory, I could use this policy:

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
        PolicyId="urn:oasis:names:tc:example:SimplePolicy1"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Description>
    Policy by Marco Biagi
  </Description>
  <Target/>
  <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:FileSystemSingleAccess" Effect="Permit">
    <Description>
      File system policy
    </Description>
    <Condition>
      <!-- or( owner class, group class, others class ) -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <!-- subject is the owner AND the action is in the owner permissions -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
              <ResourceAttributeDesignator AttributeId="urn:emc:edn:samples:xacml:resource:resource-owner" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
              <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
            <ResourceAttributeDesignator AttributeId="urn:emc:edn:samples:xacml:resource:resource-owner-permission" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
        <!-- subject's group is the file's group AND the action is in the group permissions -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:group-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
              <ResourceAttributeDesignator AttributeId="urn:emc:edn:samples:xacml:resource:resource-group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
              <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
            <ResourceAttributeDesignator AttributeId="urn:emc:edn:samples:xacml:resource:resource-group-permission" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
        <!-- the action is in the others permissions -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
          <ResourceAttributeDesignator AttributeId="urn:emc:edn:samples:xacml:resource:resource-other-permission" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>

Where:

- resource-owner
- resource-owner-permission
- resource-group
- resource-group-permission
- resource-other-permission

come out of the context based on the resource-id.

And:

- group-id

is retrieved from the context based on the subject-id.

In any case, I still have problems defining the policy that models the hierarchy.
How can I check a complex condition on all ancestors?

Due to the XACML structure I can only check a simple condition on a bag. For example, if I need to check whether the subject is the owner of each path element, I could write this:

<!-- all-of applies string-equal(subject-id, x) to every x in the hierarchyNode-owner bag -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Apply>
  <ResourceAttributeDesignator AttributeId="urn:emc:edn:samples:xacml:resource:hierarchyNode-owner" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>

Where hierarchyNode-owner is retrieved from the context based on the resource-ancestor-or-self bag attribute.

But if I want to check the complex condition expressed by the above rule RuleId="urn:oasis:names:tc:xacml:2.0:example:FileSystemSingleAccess" on every ancestor, how could I do that?

Thank you in advance. Best regards,

--
Dott. Marco Biagi

Netfarm s.r.l.
Phone: +39 050 0981576
Fax:   +39 050 777659
Web:   http://www.netfarm.it/
Email: marco.biagi@netfarm.it
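As an added example (not code from the original post, the XACML TC or any PDP), the following Python evaluator applies the FileSystemSingleAccess condition to every node of the resource-ancestor-or-self bag, which is the correlated per-node check the post asks for and a single all-of over one attribute bag cannot express. It evaluates both the posted rule, which permits if any class permits, and the strict class selection the post's prose describes, and it assumes a constructed context (Node, GROUPS, CONTEXT) plus an ancestor_action parameter, since POSIX checks the search (EXECUTE) bit on directories rather than the requested action.

```python
# Added example, not code from the original post: a reference evaluator for the
# FileSystemSingleAccess condition applied to every node of resource-ancestor-or-self.
from dataclasses import dataclass

@dataclass
class Node:  # per-node attributes the context handler returns for one resource-id
    owner: str       # resource-owner
    group: str       # resource-group
    owner_perm: set  # resource-owner-permission, e.g. {"READ", "WRITE"}
    group_perm: set  # resource-group-permission
    other_perm: set  # resource-other-permission

# Constructed sample context for the request's path file:/folder1/folder2/file1
CONTEXT = {
    "file:/folder1": Node("root", "wheel", {"READ", "EXECUTE"}, {"READ", "EXECUTE"}, {"READ", "EXECUTE"}),
    "file:/folder1/folder2": Node("user1", "staff", {"READ", "WRITE", "EXECUTE"}, {"READ", "EXECUTE"}, set()),
    "file:/folder1/folder2/file1": Node("user1", "staff", {"WRITE"}, {"READ"}, {"READ"}),
}
GROUPS = {"user1": {"staff"}, "user2": {"staff"}, "guest": set()}  # subject-id -> group-id bag

def permits_union(node, subject, action):
    """The posted rule: or(owner and owner-perm, group and group-perm, other-perm)."""
    return ((subject == node.owner and action in node.owner_perm)
            or (node.group in GROUPS.get(subject, set()) and action in node.group_perm)
            or action in node.other_perm)

def permits_posix(node, subject, action):
    """Class selection as the post's prose describes it: exactly one class applies."""
    if subject == node.owner:
        return action in node.owner_perm
    if node.group in GROUPS.get(subject, set()):
        return action in node.group_perm
    return action in node.other_perm

def ancestors_or_self(resource_id):
    """Rebuild the resource-ancestor-or-self bag from a file: URI, root first."""
    parts = resource_id[len("file:"):].strip("/").split("/")
    return ["file:/" + "/".join(parts[:i + 1]) for i in range(len(parts))]

def decide(subject, resource_id, action, permits=permits_posix, ancestor_action=None):
    """Permit only if every node on the path permits; a node with no attributes is
    Indeterminate (missing attribute), never a silent Permit. ancestor_action models
    POSIX, which checks EXECUTE (search) on each directory rather than the action."""
    chain = ancestors_or_self(resource_id)
    for node_id in chain:
        node = CONTEXT.get(node_id)
        if node is None:
            return "Indeterminate"
        needed = action if node_id == chain[-1] else (ancestor_action or action)
        if not permits(node, subject, needed):
            return "Deny"
    return "Permit"
```

With the constructed context, user1 owns file1 but the owner class lacks READ: the posted rule's union still permits READ via the group class, while strict class selection denies it, which is the over-permission to watch for when translating UNIX classes into an or() of conditions.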


