Subject: Re: [xacml-users] RE: XACML ipAddress-regexp-match and how to author a policy with dynamic
Hi Chris,

I think you have analyzed the situation pretty well, however, it appears to me that there is one key concept that you need to incorporate, which is the role of the context handler (XACML 2.0 lines 246-248):

Context handler - The system entity that converts decision requests in the native request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format.

The key concept here is that the ch is responsible for converting between canonical XACML form and native forms.

The 2nd key concept you need is that of "missing attributes", which is defined in several places in the spec, primarily section 7.15.3 and related sections such as 5.37 lines 2614-2617 where MustBePresent is defined, and provides further refs to relevant info in the spec.

Basically, what it all boils down to is the following:
I think the general answer is that there needs to be a mapping between AttributeIds defined in XACML policies and native attributes that come from systems external to XACML that are used in evaluating XACML Policies, and that these mappings are defined by the organizations that define the Policies and attributes that are used by those Policies.

Let me know if this helps or if you need any further details.

Thanks,
Rich

Chris McKenzie wrote:

I've made some progress, so please let me refine my question. I can't determine how a policy might reference a source of PIP information in different formats. For example, in the below policy, the Condition's set/bag would ultimately be referencing an external PIP source of information. There's a gap in the XACML spec between where the PIP is a source of Attributes and how to reference those Attributes and how the resulting policy might reflect this. For example, my policy CAN'T list every set/bag attribute individually. It would be impractical. So what's the syntax for referencing said set/bag? I'll keep digging, and it's probably spelled out in the spec, but for right now it feels like the spec doc is missing this piece.

Thanks!
<Policy PolicyId="urn:oasis:names:tc:policy:WebAccess">
  <Description>This policy is intended to allow access to corporate web servers, except where threat hosts have been identified.</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Actions>
      <AnyAction/>
    </Actions>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(10)\.(10)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9])\:([80|443])$</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:0" Effect="Deny">
    <Description>Hosts will be conditionally granted access as long as they are not identified as a threat.</Description>
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Actions>
        <AnyAction/>
      </Actions>
      <Resources>
        <AnyResource/>
      </Resources>
    </Target>
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-set-equals">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">116.14.1.95</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">65.4.89.192</AttributeValue>
      </Apply>
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:test-attr" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Condition>
  </Rule>
</Policy>

-----Original Message-----
From: Chris McKenzie
Sent: Tuesday, May 05, 2009 10:12 AM
To: 'xacml-users@lists.oasis-open.org'
Subject: XACML ipAddress-regexp-match and how to author a policy with dynamic

Hi. The mailing list isn't easy to search, so I thought I would pose my question while commanding the list to e-mail me the last 150 posts.
I was trying to put together an XACML 2.0 policy set that captured 2 policies, which when combined, allowed for both a sort of global allow and selective deny. Essentially a Firewall access policy where hosts which have been identified as a threat would be denied access to the target resource (say a web server). The PIP information supplying the list of threat IP Addresses could be stored in a database.

My main query that I can't gather from the literature I've read so far is how all attributes of a Subject, Action or Resource are identified. (I'm sure it's an easy answer, I'll be happy with anything really.) For example, an external system identifies a point of information which the policy would use to help determine if a deny rule should be applied. In this case, how is the policy authored to reference attributes of said piece of information? For example, a SIM event (we'll just go with this for now) which contains the threatening host IP and requested resource (say a protected portion of the corporate web site). How do I identify the PIP information in a urn?

I was assuming that when the PDP gathers information from the PIP (and from the PEP's access request message?) that the Subject, Action and Resource will have things like subject-id's ipAddress attribute already populated, because the Subject in question has an IP. Maybe I'm just not there yet. So I'll leave my query here. If anyone has a bit of practical advice to enlighten me, it would be very beneficial.

Thanks!

Sample policy with a hole (note the ...???)
where the external PIP information on threat host IPs would be referenced:

<Policy PolicyId="urn:oasis:names:tc:policy:AttackerThreat">
  <Description>This policy is intended to deny attacking hosts for corporate web servers.</Description>
  <Target/>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:1" Effect="Deny">
    <Description>All identified host threats shall not be permitted access.</Description>
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">...???</AttributeValue>
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Actions>
        <AnyAction/>
      </Actions>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^(10)\.(10)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9])\:([80|443])$</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
          </ResourceMatch>
        </Resource>
      </Resources>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator AttributeId="protocol" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">tcp</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>

Chris McKenzie
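As an added worked example (not part of Rich's reply, Chris's policies, or the OASIS XACML specification), the following Python sketch shows the mapping Rich describes in code: a context handler converts a native firewall-style request into canonical XACML attribute bags, an AttributeDesignator lookup falls back to a PIP for attributes the request itself does not carry (here a constructed in-memory threat set standing in for the database Chris mentions), and a designator marked MustBePresent whose bag comes back empty yields Indeterminate rather than a silent Permit. The AttributeId urn:example:attr:threat-hosts, the native field names src_ip and dst, and the reading of the resource regexp as "10.10.0.0/16 on port 80 or 443" are assumptions made for this example; the subject-id and resource-id identifiers are the standard ones used in the thread.

```python
"""Toy XACML-style context handler, PIP lookup and PDP for the firewall policy
discussed in the thread. Added example; not a real PDP and not from the spec."""
import ipaddress

# Standard XACML AttributeIds used by the policies in the thread.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Hypothetical deployment-defined AttributeId for the PIP-supplied threat list
# (assumption: an organization defines this id and its mapping, as Rich describes).
THREAT_HOSTS = "urn:example:attr:threat-hosts"

# Constructed PIP data: stands in for the threat-host database in a real deployment.
THREAT_PIP = {"116.14.1.95", "65.4.89.192"}


class MissingAttribute(Exception):
    """Raised when a MustBePresent designator resolves to an empty bag."""


def pip_lookup(attribute_id):
    """PIP side: return a bag (list) for attributes the PIP knows, else None."""
    if attribute_id == THREAT_HOSTS:
        return sorted(THREAT_PIP)
    return None


def build_context(native_request):
    """Context handler: map native request fields onto canonical AttributeIds.
    The src_ip -> subject-id and dst -> resource-id mapping is the deployment's own."""
    ctx = {}
    if "src_ip" in native_request:
        ctx[SUBJECT_ID] = [native_request["src_ip"]]
    if "dst" in native_request:
        ctx[RESOURCE_ID] = [native_request["dst"]]
    return ctx


def designator(ctx, attribute_id, must_be_present=False):
    """AttributeDesignator: take the bag from the request context, otherwise ask the
    PIP through the context handler. Empty bag + MustBePresent = missing attribute."""
    bag = ctx.get(attribute_id)
    if bag is None:
        bag = pip_lookup(attribute_id)
        if bag is not None:
            ctx[attribute_id] = bag  # cache so later designators see the same bag
    if not bag:
        if must_be_present:
            raise MissingAttribute(attribute_id)
        return []
    return bag


# Assumed intent of the thread's resource regexp: 10.10.x.y on port 80 or 443.
WEB_SERVERS = ipaddress.ip_network("10.10.0.0/16")
WEB_PORTS = {80, 443}


def resource_target_matches(ctx):
    """Policy Target: resource-id must be a corporate web server host:port."""
    for value in designator(ctx, RESOURCE_ID):
        host, _, port = value.rpartition(":")
        try:
            if ipaddress.ip_address(host) in WEB_SERVERS and int(port) in WEB_PORTS:
                return True
        except ValueError:  # malformed host or port: no match for this value
            continue
    return False


def threat_rule(ctx):
    """Deny rule: subject-id (MustBePresent) intersects the PIP-supplied threat bag."""
    subject = set(designator(ctx, SUBJECT_ID, must_be_present=True))
    threats = set(designator(ctx, THREAT_HOSTS))
    return "Deny" if subject & threats else "NotApplicable"


def evaluate(native_request):
    """PDP: a global-allow policy for web servers combined deny-overrides with
    the threat-deny policy. Missing subject-id -> Indeterminate."""
    ctx = build_context(native_request)
    try:
        if not resource_target_matches(ctx):
            return "NotApplicable"
        if threat_rule(ctx) == "Deny":
            return "Deny"
    except MissingAttribute:
        return "Indeterminate"
    return "Permit"


if __name__ == "__main__":
    # Constructed sample requests in the native (pre-context-handler) format.
    for req in ({"src_ip": "116.14.1.95", "dst": "10.10.3.7:443"},
                {"src_ip": "192.0.2.10", "dst": "10.10.3.7:80"},
                {"dst": "10.10.3.7:80"}):
        print(req, "->", evaluate(req))
```

The point to take from the sketch is where the threat list lives: the policy names an AttributeId, the context handler resolves it against the PIP, and the policy never has to enumerate the bag's members. Marking subject-id MustBePresent is what keeps a request that the context handler could not map from falling through to the allow policy.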