Subject: RE: [xacml-users] inconsistency in XACMl policies - avoiding ruleconflicts
On Tue, 2004-10-12 at 17:51, Kuketayev, Argyn wrote:
> I don't think there could be a "formal" solution to this problem. I mean
> that it's impossible to write a program which would say that your
> policies are inconsistent, if they are. The reason is that if you grant
> access in some place, then deny it in the other, how would such a
> validator know that it was not intended?

I think you're jumping to an "ideal" tool too quickly. Speaking for myself, I'm not trying to solve all policy problems right off. But, there are some easy things that tools can catch. For instance, consider this policy:

  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="AlwaysPermit" Effect="Permit"/>
  <Rule RuleId="AlwaysDeny" Effect="Deny"/>

Using the ordered permit overrides combining algorithm, the second Rule will never be evaluated. This is still a valid XACML policy, but it has some problems that can be detected.

For fun, I've attached a more complex policy. It first requires that you be a member of either role1 or role2, but not both. Then it has separate policies for role1 and role2 membership (without specifics about access for those two roles). What's the catch? The top-level combining algorithm should have used permit overrides instead of deny-overrides. This is a valid XACML policy, but it will _always_ return Deny. True, maybe I intended this behavior, but in general I probably don't intentionally write verbose policies that can't result in any Decision except Deny. So, a verification tool would be helpful here.

You raise the issue of inconsistency, which is another interesting problem. You're right that this is generally harder to deal with. But I wouldn't mind a tool that alerted me to a possible mistake (and yes, I make lots of mistakes <g>).

The other approach here is one that is common in the languages world. You can use another formal language to describe valid behavior of a policy. For instance, you can say "the policy must always deny access to users of a particular server." Then there are formal methods for analyzing the policy and ensuring that these conditions are, provably, always met. Of course, you need to make sure that you got the description right to begin with, but that's often easier.

> [...] So, until other
> smart people are thinking about this issue, I wrote a bunch of tests to
> check that my policies are correct. I execute them every time I change
> policies.

That's absolutely the right approach. There are no good solutions now, and it's unclear when/if they will exist. So, for now, your tests are a very good idea, in my opinion.

seth
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           PolicySetId="Policy1"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:ordered-deny-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>

  <Policy PolicyId="OnlyAllowRole1OrRole2"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-deny-overrides">
    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>

    <Rule RuleId="MayNotHaveBothRoles" Effect="Deny">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role1</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:example:roles"/>
            </SubjectMatch>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role2</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:example:roles"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
      </Target>
    </Rule>

    <Rule RuleId="MustHaveOneRole" Effect="Permit">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role1</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:example:roles"/>
            </SubjectMatch>
          </Subject>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role2</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:example:roles"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
      </Target>
    </Rule>

    <Rule RuleId="DenyIfNeitherRoleIsPresent" Effect="Deny"/>
  </Policy>

  <Policy PolicyId="PolicyForRole1"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides">
    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>

    <Rule RuleId="PermitRole1" Effect="Permit">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role1</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:example:roles"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
      </Target>
      <!-- Fill in Condition here for role1 membership -->
    </Rule>

    <Rule RuleId="DenyOthers" Effect="Deny"/>
  </Policy>

  <Policy PolicyId="PolicyForRole2"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides">
    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>

    <Rule RuleId="PermitRole2" Effect="Permit">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role2</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:example:roles"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
      </Target>
      <!-- Fill in Condition here for role2 membership -->
    </Rule>

    <Rule RuleId="DenyOthers" Effect="Deny"/>
  </Policy>
</PolicySet>
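A small checker of the kind Seth describes, added here as an example; it is not part of the original mail, and it is not the API of any real XACML implementation. It handles only the subset of XACML 1.0 that the policies on this page use (AnySubject targets, string-equal SubjectMatch against the urn:example:roles bag, no Condition elements, and the ordered-deny-overrides / ordered-permit-overrides algorithms, which are assumed to stop at the first overriding effect). It evaluates a policy for every subset of a given set of role values and reports two things: rules whose target never matched, and the set of decisions that are actually reachable. The sample policies are constructed inline with small builder helpers: Seth's two-rule example, and a condensed version of the attached PolicySet (Condition placeholders dropped, the two DenyOthers rules renamed DenyOthers1/DenyOthers2 so they can be told apart).

```python
import itertools
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"
ALG = "urn:oasis:names:tc:xacml:1.0:"            # prefix of the standard identifiers
XS = "http://www.w3.org/2001/XMLSchema#string"
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def q(tag):
    return "{%s}%s" % (NS, tag)

def target_matches(target, roles):
    # <Subjects> is a disjunction of <Subject>; each <Subject> is a conjunction of
    # <SubjectMatch>. Only string-equal against the urn:example:roles bag is
    # modelled (assumption), and Resources/Actions are taken to be Any*.
    subjects = target.find(q("Subjects"))
    if subjects.find(q("AnySubject")) is not None:
        return True
    return any(all(m.find(q("AttributeValue")).text in roles
                   for m in s.findall(q("SubjectMatch")))
               for s in subjects.findall(q("Subject")))

def evaluate(node, roles, evaluated):
    """Decision for a Rule/Policy/PolicySet; records every Rule whose target matched."""
    target = node.find(q("Target"))
    if target is not None and not target_matches(target, roles):
        return NA
    if node.tag == q("Rule"):             # no <Condition> elements are modelled
        evaluated.add(node.get("RuleId"))
        return node.get("Effect")
    if node.tag == q("Policy"):
        alg, children = node.get("RuleCombiningAlgId"), node.findall(q("Rule"))
    else:
        alg = node.get("PolicyCombiningAlgId")
        children = [c for c in node if c.tag in (q("Policy"), q("PolicySet"))]
    # ordered-*-overrides: walk children in document order and stop as soon as
    # the overriding effect appears, so later children are never evaluated.
    override = DENY if alg.endswith("deny-overrides") else PERMIT
    seen = set()
    for child in children:
        seen.add(evaluate(child, roles, evaluated))
        if override in seen:
            return override
    other = PERMIT if override == DENY else DENY
    return other if other in seen else NA

def analyze(policy_xml, attribute_values):
    """Evaluate over every subset of attribute_values; report dead rules and reachable decisions."""
    root = ET.fromstring(policy_xml)
    evaluated, decisions = set(), {}
    for n in range(len(attribute_values) + 1):
        for combo in itertools.combinations(attribute_values, n):
            decisions[frozenset(combo)] = evaluate(root, set(combo), evaluated)
    all_rules = {r.get("RuleId") for r in root.iter(q("Rule"))}
    return {"unreachable": sorted(all_rules - evaluated),
            "possible": sorted(set(decisions.values())),
            "decisions": decisions}

# --- constructed sample policies (builder helpers; not from the original mail) ---
def subject(*roles):                       # one <Subject>: conjunction of role matches
    return "<Subject>" + "".join(
        '<SubjectMatch MatchId="%sfunction:string-equal"><AttributeValue DataType="%s">%s'
        '</AttributeValue><SubjectAttributeDesignator DataType="%s" AttributeId="urn:example:roles"/>'
        '</SubjectMatch>' % (ALG, XS, r, XS) for r in roles) + "</Subject>"

def target(*subjects):                     # disjunction of subjects, or AnySubject if none
    return ("<Target><Subjects>%s</Subjects><Resources><AnyResource/></Resources>"
            "<Actions><AnyAction/></Actions></Target>" % ("".join(subjects) or "<AnySubject/>"))

def rule(rid, effect, tgt=""):
    return '<Rule RuleId="%s" Effect="%s">%s</Rule>' % (rid, effect, tgt)

def policy(pid, alg, *rules):
    return ('<Policy xmlns="%s" PolicyId="%s" RuleCombiningAlgId="%srule-combining-algorithm:%s">%s%s</Policy>'
            % (NS, pid, ALG, alg, target(), "".join(rules)))

# Seth's first example: under ordered-permit-overrides the Deny rule is shadowed.
SHADOWED = policy("Shadowed", "ordered-permit-overrides",
                  rule("AlwaysPermit", PERMIT), rule("AlwaysDeny", DENY))

def role_policy_set(top_alg):
    """Condensed form of the attached PolicySet, parameterised by the top-level algorithm."""
    return ('<PolicySet xmlns="%s" PolicySetId="Policy1" PolicyCombiningAlgId="%spolicy-combining-algorithm:%s">'
            '%s%s%s%s</PolicySet>' % (NS, ALG, top_alg, target(),
            policy("OnlyAllowRole1OrRole2", "ordered-deny-overrides",
                   rule("MayNotHaveBothRoles", DENY, target(subject("role1", "role2"))),
                   rule("MustHaveOneRole", PERMIT, target(subject("role1"), subject("role2"))),
                   rule("DenyIfNeitherRoleIsPresent", DENY)),
            policy("PolicyForRole1", "ordered-permit-overrides",
                   rule("PermitRole1", PERMIT, target(subject("role1"))), rule("DenyOthers1", DENY)),
            policy("PolicyForRole2", "ordered-permit-overrides",
                   rule("PermitRole2", PERMIT, target(subject("role2"))), rule("DenyOthers2", DENY))))

if __name__ == "__main__":
    print(analyze(SHADOWED, ["role1"]))
    for alg in ("ordered-deny-overrides", "ordered-permit-overrides"):
        r = analyze(role_policy_set(alg), ["role1", "role2"])
        print(alg, "-> possible:", r["possible"], "unreachable:", r["unreachable"])
```

Run as a script, it reports AlwaysDeny as unreachable in the two-rule policy, and for the attached PolicySet with its top-level ordered-deny-overrides it reports Deny as the only reachable decision, with all four rules of PolicyForRole1 and PolicyForRole2 unreachable, because OnlyAllowRole1OrRole2 already yields Deny for every subject set and the set-level algorithm stops there. Re-running with ordered-permit-overrides at the top makes Permit reachable for any subject holding role1 or role2, including one holding both, which is exactly the kind of behaviour change an exhaustive run like this shows before a policy is deployed. Enumerating subsets is only practical for a small attribute vocabulary; anything larger needs the symbolic reasoning that makes the inconsistency problem Seth mentions the hard one.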