
xacml-users message



Subject: RE: [xacml-users] inconsistency in XACML policies - avoiding rule conflicts



On Tue, 2004-10-12 at 17:51, Kuketayev, Argyn wrote:
> I don't think there could be a "formal" solution to this problem. I mean
> that it's impossible to write a program which would say that your
> policies are inconsistent, if they are. The reason is that if you grant
> access in some place, then deny it in the other, how would such a
> validator know that it was not intended?

I think you're jumping to an "ideal" tool too quickly. Speaking for
myself, I'm not trying to solve all policy problems right off. But,
there are some easy things that tools can catch. For instance, consider
this policy:

  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>

  <Rule RuleId="AlwaysPermit" Effect="Permit"/>

  <Rule RuleId="AlwaysDeny" Effect="Deny"/>

Using the ordered permit overrides combining algorithm, the second Rule
will never be evaluated. This is still a valid XACML policy, but it has
some problems that can be detected.

For fun, I've attached a more complex policy. It first requires that you
be a member of either role1 or role2, but not both. Then it has separate
policies for role1 and role2 membership (without specifics about access
for those two roles). What's the catch? The top-level combining
algorithm should have used permit overrides instead of deny-overrides.
This is a valid XACML policy, but it will _always_ return Deny. True,
maybe I intended this behavior, but in general I probably don't
intentionally write verbose policies that can't result in any Decision
except Deny. So, a verification tool would be helpful here.

You raise the issue of inconsistency, which is another interesting
problem. You're right that this is generally harder to deal with. But I
wouldn't mind a tool that alerted me to a possible mistake (and yes, I
make lots of mistakes <g>).

The other approach here is one that is common in the languages world.
You can use another formal language to describe valid behavior of a
policy. For instance, you can say "the policy must always deny access to
users of a particular server." Then there are formal methods for
analyzing the policy and ensuring that these conditions are, provably,
always met. Of course, you need to make sure that you got the
description right to begin with, but that's often easier.

> [...] So, until other
> smart people are thinking about this issue, I wrote a bunch of tests to
> check that my policies are correct. I execute them every time I change
> policies.

That's absolutely the right approach. There are no good solutions now,
and it's unclear when/if they will exist. So, for now, your tests are a
very good idea, in my opinion.


seth
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           PolicySetId="Policy1"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:ordered-deny-overrides">

  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>

  <Policy PolicyId="OnlyAllowRole1OrRole2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-deny-overrides">
  
    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>

    <Rule RuleId="MayNotHaveBothRoles" Effect="Deny">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role1</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:example:roles"/>
            </SubjectMatch>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role2</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:example:roles"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
      </Target>
    </Rule>

    <Rule RuleId="MustHaveOneRole" Effect="Permit">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role1</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:example:roles"/>
            </SubjectMatch>
          </Subject>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role2</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:example:roles"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
      </Target>
    </Rule>

    <Rule RuleId="DenyIfNeitherRoleIsPresent" Effect="Deny"/>

  </Policy>

  <Policy PolicyId="PolicyForRole1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides">

    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>

    <Rule RuleId="PermitRole1" Effect="Permit">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role1</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:example:roles"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
      </Target>

      <!-- Fill in Condition here for rule1 membership -->

    </Rule>

    <Rule RuleId="DenyOthers" Effect="Deny"/>

  </Policy>

  <Policy PolicyId="PolicyForRole2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides">

    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>

    <Rule RuleId="PermitRole2" Effect="Permit">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">role2</AttributeValue>
              <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                          AttributeId="urn:example:roles"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources><AnyResource/></Resources>
        <Actions><AnyAction/></Actions>
      </Target>

      <!-- Fill in Condition here for rule2 membership -->

    </Rule>

    <Rule RuleId="DenyOthers" Effect="Deny"/>

  </Policy>

</PolicySet>
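The message above makes three points that a small tool can actually check: a rule that can never influence the decision (AlwaysDeny after AlwaysPermit under permit-overrides), a verbose PolicySet that can only ever return Deny because of its combining algorithms, and a property written in a separate language ("the policy must always deny ...") that is verified against the policy. The Python below is an added illustration of those checks; it is not code from this thread, from the XACML TC, or from any XACML implementation. It models only the subset of XACML 1.0 the message uses: subject targets made of string-equal matches on one multi-valued attribute (the attached policy's constructed urn:example:roles bag, modelled here as a set of strings), rules with an Effect, and the deny-overrides / permit-overrides combining algorithms. The names Rule, Policy, combine, ineffective_rules and always are this example's own; Conditions, Indeterminate results and obligations are deliberately out of scope.

```python
"""Toy XACML 1.0 decision model used to analyse small policies exhaustively.
Added example; not a full XACML engine. Targets are reduced to subject
matches on the constructed urn:example:roles attribute (a bag of strings)."""
from dataclasses import dataclass, field
from itertools import combinations

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    ident: str
    effect: str
    # Disjunction of <Subject> alternatives; each alternative is the conjunction
    # of its <SubjectMatch> values. An empty list means "no Target": match all.
    subjects: list = field(default_factory=list)

    def evaluate(self, roles: frozenset) -> str:
        if not self.subjects or any(alt <= roles for alt in self.subjects):
            return self.effect
        return NA


@dataclass
class Policy:
    ident: str
    algorithm: str   # "deny-overrides" or "permit-overrides"
    children: list   # Rules for a Policy, Policies for a PolicySet

    def evaluate(self, roles: frozenset) -> str:
        return combine(self.algorithm, [c.evaluate(roles) for c in self.children])


def combine(algorithm: str, decisions: list) -> str:
    """XACML 1.0 deny-/permit-overrides without Indeterminate handling.
    The 'ordered-' variants evaluate children in document order; with only
    Permit/Deny/NotApplicable results the final decision is identical."""
    winner, runner_up = (DENY, PERMIT) if algorithm == "deny-overrides" else (PERMIT, DENY)
    if winner in decisions:
        return winner
    if runner_up in decisions:
        return runner_up
    return NA


def all_subjects(values=("role1", "role2")) -> list:
    """Every combination of role memberships: the whole input space for this model."""
    return [frozenset(c) for n in range(len(values) + 1) for c in combinations(values, n)]


def decision_table(node, subjects=None) -> dict:
    return {s: node.evaluate(s) for s in (subjects or all_subjects())}


def ineffective_rules(policy: Policy, subjects=None) -> list:
    """Rules whose removal changes no decision anywhere in the input space.
    Flags AlwaysDeny-after-AlwaysPermit and rules masked by a catch-all sibling."""
    subjects = subjects or all_subjects()
    baseline = decision_table(policy, subjects)
    found = []
    for rule in policy.children:
        without = Policy(policy.ident, policy.algorithm,
                         [c for c in policy.children if c is not rule])
        if decision_table(without, subjects) == baseline:
            found.append(rule.ident)
    return found


def always(node, expected: str, subjects=None) -> list:
    """Property check ('the policy must always deny ...'): returns the subjects
    that violate it, so an empty list means the property provably holds here."""
    return [s for s, d in decision_table(node, subjects).items() if d != expected]


ROLE1, ROLE2 = frozenset({"role1"}), frozenset({"role2"})
BOTH = ROLE1 | ROLE2


def attached_policy_set(top_algorithm="deny-overrides") -> Policy:
    """Model of the PolicySet attached to the message (same ids and algorithms)."""
    only_one = Policy("OnlyAllowRole1OrRole2", "deny-overrides", [
        Rule("MayNotHaveBothRoles", DENY, [BOTH]),
        Rule("MustHaveOneRole", PERMIT, [ROLE1, ROLE2]),
        Rule("DenyIfNeitherRoleIsPresent", DENY),
    ])
    for_role1 = Policy("PolicyForRole1", "permit-overrides",
                       [Rule("PermitRole1", PERMIT, [ROLE1]), Rule("DenyOthers", DENY)])
    for_role2 = Policy("PolicyForRole2", "permit-overrides",
                       [Rule("PermitRole2", PERMIT, [ROLE2]), Rule("DenyOthers", DENY)])
    return Policy("Policy1", top_algorithm, [only_one, for_role1, for_role2])


# The two-rule policy from the body of the message, under permit-overrides.
TRIVIAL = Policy("Trivial", "permit-overrides",
                 [Rule("AlwaysPermit", PERMIT), Rule("AlwaysDeny", DENY)])

if __name__ == "__main__":
    print("never influences the decision:", ineffective_rules(TRIVIAL))
    ps = attached_policy_set()
    print("subjects not denied by the attached PolicySet:", always(ps, DENY))
    print("masked rules in OnlyAllowRole1OrRole2:", ineffective_rules(ps.children[0]))
    for s, d in decision_table(attached_policy_set("permit-overrides")).items():
        print("top-level permit-overrides:", sorted(s), "->", d)
```

Run as a script, it reports that AlwaysDeny can never change the trivial policy's decision, that the attached PolicySet returns Deny for every combination of role1 and role2 (so the "must always deny" property holds, which here is exactly the bug), and that under deny-overrides the two targeted rules in OnlyAllowRole1OrRole2 are masked by the catch-all DenyIfNeitherRoleIsPresent. The final loop shows what changes if the top-level algorithm is switched to permit-overrides: subjects holding role1 or role2 are permitted, and so is a subject holding both, because PolicyForRole1's permit now outranks the exclusivity rule. That is the point of the enumeration: the tool does not know what was intended, it only makes visible what the policy actually decides, so the author can compare it with the intent.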

