[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: 9. Policies referring to hierarchical resources
I believe this proposal summarizes the status of this item based
on discussions at the XACML F2F on 21 Oct 2003. We split off
requests referring to multiple elements in a hierarchy as a new
Work Item #42, so I changed the work item name to make this more
clear. I have removed hierarchical subjects and hierarchical
actions from the description, since no one has introduced a
requirement for them and the proposed solution does not work with
them. If a requirement for hierarchical subjects, actions,
environment, issuers :-) is introduced, it should be a new Work
Item.
9. Policies referring to hierarchical resources
How to express policies that apply to a hierarchy of
resources. E.g. "Frank can read any file under directory
/X/Y".
TYPE: New functionality
STATUS: Open issues. Related: #25,42.
CHAMPION: Simon Godik
MOTIVATING USE-CASE AND REQUIREMENT
Many resources, such as files in a file system, are
hierarchical. A policy needs to be able to control access to
o all descendents of a particular node in a hierarchy:
"Anne can read any file under directory /home/aha"
o all immediate children of a particular node in a hierarchy:
"Frank can read any file that is an immediate child of
directory /home/aha"
o a particular node in a hierarchy:
"Frank can see that directory /home/aha exists"
XACML does not currently have syntax or semantics for
expressing such policies except where the hierarchy is an XML
document.
SUMMARY OF OPEN ISSUES
1) XACML's set of XPath functions is very limited. They will
work if the mapping makes the element names match the nodes
in the file system, but not if the mapping makes the
element values match.
2) If element names must match, then a different mapping
schema is required for every file system instance. This
seems VERY unworkable. It would be much better if a
standard mapping schema could be developed for any UFS file
system.
3) The XPath "*" syntax handles entire subtrees, but does
XPath have a syntax for indicating "immediate children"?
PROPOSED SOLUTION <# if more than one>
In order to compose policies and submit authorization decision
requests concerning elements of hierarchical resources, there
must be a mapping between the elements of the hierachical
resource and an XML document that describes those elements.
For example, the following file system directory tree
/
/aha/
/aha/home/
/aha/home/docs/
/aha/home/docs/status.txt
/aha/home/docs/plans.txt
/frank/
might be mapped to the following XML document representation
(many mappings are possible):
<root>
<aha>
<home>
<docs>
<status.txt/>
<plans.txt/>
</docs>
</home>
</aha>
<frank/>
</root>
POLICIES
The policy writer must be aware of this mapping, and must
write policies using XPath expressions on this XML document
representation. For example, to express "Anne can perform any
action on directories and files in the subtree below
/home/aha", the following Rule could be used with the
representation above:
<Rule Effect="Permit">
<Condition FunctionId="and">
<Apply FunctionId="string-equal">
<SubjectAttributeDesignator DataType="string" AttributeId="subject-id"/>
<AttributeValue DataType="string">Anne</AttributeValue>
</Apply>
<Apply FunctionId="xpath-node-match">
<AttributeSelector DataType="string" AttributeId="xpath"/>
<AttributeValue
DataType="string">/Resource/ResourceContent/root/home/aha/*</AttributeValue>
</Apply>
</Rule>
REQUESTS
Requests to access an element of a hierarchical resource must
include the XML representation of the hierarchical resource
itself in the <ResourceContent> element, just as is currently
done for accesses to elements of an XML document. For
example, to express: "Can Frank read
/home/aha/docs/Status.txt", the following Request would be
submitted:
<Request>
<Subject>
<Attribute DataType="string" AttributeId="subject-id">
<AttributeValue DataType="string">Frank</AttributeValue>
</Attribute>
</Subject>
<Resource>
<Attribute DataType="string" AttributeId="xpath">
<AttributeValue
DataType="xpath">ResourceContent/root/home/aha/docs/Status.txt</AttributeValue>
</Attribute>
<ResourceContent>
<root>
<aha>
<home>
<docs>
<status.txt/>
<plans.txt/>
</docs>
</home>
</aha>
<frank/>
</root>
</ResourceContent>
</Resource>
<Action>
<Attribute DataType="string" AttributeId="action-id">
<AttributeValue DataType="string">read</AttributeValue>
</Attribute>
</Action>
</Request>
GENERAL
1) The mapping might be done by the PEP or by the Context
Handler (Context Handler would have to have access to the
underlying file system to do this). The actual creation of
the mapped resource need never be done: the Context Handler
can simply access the underlying file system according to
its interpretation of the XPath expressions used in the
policy and in the request.
2) If the policy writer and the mapper want to ensure that
they are referring to the same mapping schema in describing
the resource, the Request could include an additional
Resource Attribute "resource-schema" with the value
representing the schema used in constructing the request.
The policy writer could include a condition like
resource-schema = "ufs1", where "ufs1" is the identity of
the schema assumed by the resource writer.
DETAILED SOLUTION
[Actual text and schema changes or additions, referencing line
numbers in the XACML 1.1 PDF Specification, required to
express this solution in the 2.0 specification.
This may be in the form of edits to the source XACML 1.1
Specification, attached to the e-mail containing the
Proposal.
Don't bother with this until the SUMMARY indicates there are
no issues that remain to be resolved, and there is consensus
on one PROPOSED SOLUTION above.]
--
Anne H. Anderson Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311 Tel: 781/442-0928
Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]