OASIS Mailing List Archives

xacml-users message

Subject: Re: [xacml-users] Implementing UNIX file system acl using xacml


Hi Marco,

Sorry for the name typo in the last email.

  Thanks,
  Rich


On 11/14/2011 12:46 PM, rich levinson wrote:
Hi Mario,

Please explain what you mean by:
  1. "Each file/directory has a specific permission/owner/group not known a priori"
  2. " the list of users/group is not known a priori"
"a priori" means "formed or conceived beforehand", at least that
is 2b in:
http://www.merriam-webster.com/dictionary/a+priori

So, my first question is that this info is not known before what?
And, in particular, not known to whom? To the user? To the policy?
To the file system?

I would like to anticipate your answer being not known to the user
or the policy, but only to the file system.

If this is the case, then I think it is necessary to conceptualize what
you mean by policy. Current file systems have policy built into their
structure.

I agree, if this is the last word on the policy, then you need to have
some kind of kludge for either the pep or the pdp to go out and
get the info it needs to return an answer.

I think a much better soln is to have all file system permission grants
intercepted before updating the legacy file system and encode those
grants in the XACML Policy and only use the file system update as
legacy backend synch operation on the main policy transaction.

    Thanks,
    Rich


On 11/14/2011 11:51 AM, Marco Biagi wrote:
Hi Rich,
I'm not sure the solution you propose can fulfill the requirements I had specified in the first message of this thread.
Each file/directory has a specific permission/owner/group not known a priori and the list of users/group is not known a priori too.
I had already read the document you suggested I read and it appears to solve a different problem.

If I'm wrong, could you please explain to me how to implement the logic I described before?
Thank you in advance.

Best regards.


On 11/14/2011 04:39 PM, rich levinson wrote:
Hi Marco,

I suggest using regular expressions with the hierarchical profile of XACML 2.0.

This should be a straightforward solution that we have experimented
a bit with on OpenAz and is described at tutorial level in an old XACML
example document:
http://lists.oasis-open.org/archives/xacml/200406/msg00033.html
The doc is attached to that email:
http://lists.oasis-open.org/archives/xacml/200406/pdf00003.pdf

Basic policy looks like:

<Policy PolicyId="PortalPolicy" RuleCombiningAlgId="&permit-overrides;">
  <!-- The policy as a whole only applies to the "read" action. -->
  <Target>
    <Actions>
      <Action>
        <ActionMatch MatchId="&string-is-in;">
          <AttributeValue DataType="&string;">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="&action-id;" DataType="&string;"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <!-- Alice may read F and everything beneath it, except the resource named I. -->
  <Rule RuleId="Descendants:of:F" Effect="Permit">
    <Condition FunctionId="&and;">
      <Apply FunctionId="&string-is-in;">
        <AttributeValue DataType="&string;">Alice</AttributeValue>
        <SubjectAttributeDesignator AttributeId="&subject-id;" DataType="&string;"/>
      </Apply>
      <Apply FunctionId="&anyURI-match;">
        <AttributeValue DataType="&string;">http://www.example.com/F*</AttributeValue>
        <Apply FunctionId="&string-one-and-only;">
          <ResourceAttributeDesignator AttributeId="&resource-id;" DataType="&string;"/>
        </Apply>
      </Apply>
      <Apply FunctionId="&not;">
        <Apply FunctionId="&string-is-in;">
          <AttributeValue DataType="&string;">I</AttributeValue>
          <ResourceAttributeDesignator AttributeId="&resource-id;" DataType="&string;"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Bob may read the children of G (G itself is a child of F). -->
  <Rule RuleId="Children:of:G" Effect="Permit">
    <Condition FunctionId="&and;">
      <Apply FunctionId="&string-is-in;">
        <AttributeValue DataType="&string;">Bob</AttributeValue>
        <SubjectAttributeDesignator AttributeId="&subject-id;" DataType="&string;"/>
      </Apply>
      <Apply FunctionId="&anyURI-match;">
        <AttributeValue DataType="&string;">http://www.example.com/F/G/*</AttributeValue>
        <Apply FunctionId="&string-one-and-only;">
          <ResourceAttributeDesignator AttributeId="&resource-id;" DataType="&string;"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>

This note follows the policy:

"Please note that this method may grant privileges to new directories and files that may be created in the
future under the existing directories. For example, if a new directory is created under directory F, then
this policy will give Alice the right to read anything in that new directory. This may or may not be the
intent of the policy writer, so caution is urged."
Thanks,
Rich


On 11/14/2011 10:02 AM, Marco Biagi wrote:
I think the best solution to the problem is to improve the XACML expression language.
It isn't possible to add a function to this standard every time we are not able to express something like this case study.
It would be useful if a tag to define functions directly in XACML were added.
In this way I could apply a defined function in XACML directly in a "higher-order bag function" like all-of:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:all-of">
  <Function FunctionId="urn:oasis:names:tc:xacml:2.0:function:fooFunction"/>
  .....
For example:

<functionDefine functionId="urn:oasis:names:tc:xacml:2.0:function:fooFunction">
  <inputType dataType="...." />
  <Apply ....

  </Apply>
</functionDefine>

In this way it would be possible to refer to the function by functionId, and the authorization logic would be expressed entirely in XACML.

Thank you and best regards.

Marco

On 11/14/2011 03:03 PM, Tyson, Paul H wrote:
This is an important use case, and represents a general pattern that should be handled by XACML. The 3.0 improvements to the hierarchical profile, and perhaps the 'access-permitted' function of XACML 3.0, might help.

I have not used XACML 2.0 in quite a while, so I would prefer to analyze this with respect to 3.0, but if you are stuck with 2.0 I will see what can be done.
  


-- 
Dott. Marco Biagi

Netfarm s.r.l.
Phone: +39 050 0981576
Fax:   +39 050 777659
Web:   http://www.netfarm.it/
Email: marco.biagi@netfarm.it 
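The two approaches Rich contrasts in this thread, as an added Python example that is not from the thread, the tutorial document or OpenAz: a toy permit-overrides evaluator over rules modelled on the tutorial policy (string-is-in on subject-id, a regex on resource-id, an optional not(string-is-in) exclusion), one rule built in the "Descendants:of:F" style, and a translation of an intercepted UNIX chmod/chown grant into exact-match rules. It assumes resource-ids under http://www.example.com as in the tutorial policy, anchored full-match regex semantics, and that NotApplicable is left for the PEP to treat as deny; the group membership and file paths are constructed.

```python
import re
from dataclasses import dataclass

BASE = "http://www.example.com"  # resource-id namespace used by the tutorial policy

@dataclass(frozen=True)
class Rule:
    rule_id: str
    subjects: frozenset               # stands in for string-is-in on subject-id
    resource_regex: str               # stands in for anyURI-match on resource-id
    actions: frozenset
    exclude: frozenset = frozenset()  # stands in for not(string-is-in) on resource-id
    effect: str = "Permit"

def applies(rule, subject, resource, action):
    # Assumption: the pattern must match the whole resource-id (anchored, full match).
    return (subject in rule.subjects and action in rule.actions and resource not in rule.exclude
            and re.fullmatch(rule.resource_regex, resource) is not None)

def evaluate(policy, subject, resource, action):
    """permit-overrides: any applicable Permit wins, else Deny if any, else NotApplicable."""
    effects = {r.effect for r in policy if applies(r, subject, resource, action)}
    return "Permit" if "Permit" in effects else "Deny" if "Deny" in effects else "NotApplicable"

def descendants_rule(rule_id, subject, directory, exclude=()):
    """The 'Descendants:of:F' pattern: one regex covers every current AND future path under F."""
    return Rule(rule_id, frozenset({subject}), re.escape(f"{BASE}/{directory}/") + ".*",
                frozenset({"read"}), frozenset(f"{BASE}/{p}" for p in exclude))

def unix_grant_rules(path, owner, group, mode, members, everyone):
    """Rich's alternative: one intercepted chmod/chown (octal mode, e.g. 0o640) -> exact-match rules."""
    rules = []
    for who, subjects, triple in (("owner", frozenset({owner}), (mode >> 6) & 7),
                                  ("group", frozenset(members.get(group, ())), (mode >> 3) & 7),
                                  ("other", frozenset(everyone), mode & 7)):
        actions = frozenset(a for a, bit in (("read", 4), ("write", 2), ("execute", 1)) if triple & bit)
        if actions and subjects:  # a 0 triple or an empty group yields no rule at all
            rules.append(Rule(f"{who}:{path}", subjects, re.escape(f"{BASE}/{path}"), actions))
    return rules

def demo():
    hier = [descendants_rule("Descendants:of:F", "Alice", "F", exclude=["F/I"])]
    grants = unix_grant_rules("F/notes.txt", "Bob", "staff", 0o640,
                              members={"staff": {"Alice", "Bob"}}, everyone={"Alice", "Bob", "Carol"})
    return {  # F/new/report.txt did not exist when the hierarchical rule was written
        "hier: Alice reads F/new/report.txt": evaluate(hier, "Alice", f"{BASE}/F/new/report.txt", "read"),
        "hier: Alice reads excluded F/I": evaluate(hier, "Alice", f"{BASE}/F/I", "read"),
        "grant: Alice reads F/notes.txt": evaluate(grants, "Alice", f"{BASE}/F/notes.txt", "read"),
        "grant: Alice writes F/notes.txt": evaluate(grants, "Alice", f"{BASE}/F/notes.txt", "write"),
    }
```

The first entry is the caveat quoted from the tutorial in action: the descendants rule permits a file that did not exist when the policy was written, whereas the grant-derived rules only ever cover paths that were explicitly chmod'ed.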

