Subject: RE: [xacml-users] RE: XACML ipAddress-regexp-match and how to author a policy with dynamic
Ok, I think I've got the general idea and syntax. AttributeDesignator can return multiple values for an attribute and is generally handled as a typed bag, even if only one value is set/returned. So by simply making an attribute MustBePresent, the -is-in function can be used to determine if one attribute is contained in an external bag.

<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
  <AttributeValue AttributeId="urn:oasis:names:tc:xacml:1.0:security:threats:badIpAddresses"
                  MustBePresent="true"
                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:ipAddress"
                              MustBePresent="true"
                              DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Condition>

Am I close? ;-)

Thanks.

-Chris

-----Original Message-----
From: Chris McKenzie
Sent: Wednesday, May 06, 2009 11:54 AM
To: 'Rich.Levinson'
Cc: xacml-users@lists.oasis-open.org
Subject: RE: [xacml-users] RE: XACML ipAddress-regexp-match and how to author a policy with dynamic

Thanks for the quick reply Rich!

I was aware of the Context Handler, but the policy XML syntax sort of eluded me. The Data Flow diagram was also pretty clear, but how the PIP tied into the policy XML syntax was also unclear. Thanks for filling in my blank that it's the Context Handler's job to populate any unknown Attributes by AttributeId, and that the Context Handler or PIP implementation is required to interpret the requested AttributeId to something we expect the policy to use (like a set or string, etc.). So the policy syntax for external PIP Attributes for a mock policy (without any real implementation) could be anything representative, e.g. urn:oasis:names:tc:xacml:2.0:resource:target-namespace

The only unanswered question is how the syntax to request a set/bag of Attributes would work. There isn't a Data Type for set/bag, more that the string-bag/string-set functions can enumerate a list of strings in the policy.
So how would I externally reference an Attribute list? For example, here's a Condition where the bag is created from a policy-included list:

<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-set-equals">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">116.14.1.95</AttributeValue>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">65.4.89.192</AttributeValue>
  </Apply>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:ipAddress"
                              DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Condition>

How would I externally reference an Attribute value that needs to be a list? Something like this:

<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-set-equals">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
                  AttributeId="urn:oasis:names:tc:xacml:2.0:resource:badIpAddresses"/>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:ipAddress"
                              DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Condition>

Or am I completely off and I should be interpreting the PIP response as XML based, and look at the XPATH functions? This is just one of those cases where an example is either missing, or I'm just again not familiar with the terminology and it's right in front of me.

Thanks again!
-Chris

From: Rich.Levinson [mailto:rich.levinson@oracle.com]
Sent: Tuesday, May 05, 2009 6:48 PM
To: Chris McKenzie
Cc: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] RE: XACML ipAddress-regexp-match and how to author a policy with dynamic

Hi Chris,

I think you have analyzed the situation pretty well; however, it appears to me that there is one key concept that you need to incorporate, which is the role of the context handler (XACML 2.0 lines 246-248):

  Context handler - The system entity that converts decision requests in the native request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format.

The key concept here is that the ch is responsible for converting between canonical XACML form and native forms.

The 2nd key concept you need is that of "missing attributes", which is defined in several places in the spec, primarily section 7.15.3 and related sections such as 5.37 lines 2614-2617 where MustBePresent is defined, and provides further refs to relevant info in the spec.

Basically, what it all boils down to is the following:

1. If an attribute defined in a Policy has MustBePresent set to true, then if that attribute is not present in the Request, the ch is invoked as described in section 7.2.5 lines 3313-3315:

   o "The PDP SHALL reference the attributes as if they were in a physical request context document, but the context handler is responsible for obtaining and supplying the requested values by whatever means it deems appropriate."

2. The "appropriate means" is described, for example, in section 3.1 lines 584-592, steps 5-10, which is basically, as in steps 6 and 7, that the ch tells the PIP what it wants and gets it. We can assume that the ch translated the XACML AttributeId of the missing attribute to whatever native format the PIP uses to access the attribute and return it to the ch.
The 3rd and final key concept that is required is that one must assume that all attributes come from outside the XACML domain in some sense, and there must be a mapping of the XACML AttributeId to the native attribute access mechanism. This is really true for attributes submitted to the PEP as well, since those attributes will be in some native format, and something must associate that native format with a XACML AttributeId and DataFormat in the process of submitting the request.

I think the general answer is that there needs to be a mapping between AttributeIds defined in XACML policies and native attributes that come from systems external to XACML that are used in evaluating XACML Policies, and that these mappings are defined by the organizations that define the Policies and attributes that are used by those Policies.

Let me know if this helps or if you need any further details.

Thanks,
Rich

Chris McKenzie wrote:

I've made some progress, so please let me refine my question. I can't determine how a policy might reference a source of PIP information in different formats. For example, in the below policy, the Condition's set/bag would ultimately be referencing an external PIP source of information. There's a gap in the XACML spec between where the PIP is a source of Attributes and how to reference those Attributes and how the resulting policy might reflect this. For example, my policy CAN'T list every set/bag attribute individually. It would be impractical. So what's the syntax for referencing said set/bag? I'll keep digging, and it's probably spelled out in the spec, but for right now it feels like the spec doc is missing this piece. Thanks!
<Policy PolicyId="urn:oasis:names:tc:policy:WebAccess">
  <Description>This policy is intended to allow access to corporate web servers, except where threat hosts have been identified.</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Actions>
      <AnyAction/>
    </Actions>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
          <!-- 10.10.0.0/16 on port 80 or 443; an ipAddress value carries all four octets and the port -->
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^10\.10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9])\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]):(80|443)$</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                       DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:0" Effect="Deny">
    <Description>Hosts will be conditionally granted access as long as they are not identified as a threat.</Description>
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Actions>
        <AnyAction/>
      </Actions>
      <Resources>
        <AnyResource/>
      </Resources>
    </Target>
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-set-equals">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">116.14.1.95</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">65.4.89.192</AttributeValue>
      </Apply>
      <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:test-attr"
                                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Condition>
  </Rule>
</Policy>

-----Original Message-----
From: Chris McKenzie
Sent: Tuesday, May 05, 2009 10:12 AM
To: 'xacml-users@lists.oasis-open.org'
Subject: XACML ipAddress-regexp-match and how to author a policy with dynamic

Hi. The mailing list isn't easy to search, so I thought I would pose my question while commanding the list to e-mail me the last 150 posts.
I was trying to put together an XACML 2.0 policy set that captured 2 policies, which when combined allowed for both a sort of global allow and selective deny. Essentially a Firewall access policy where hosts which have been identified as a threat would be denied access to the target resource (say a web server). The PIP information supplying the list of threat IP Addresses could be stored in a database.

My main query that I can't gather from the literature I've read so far is how all attributes of a Subject, Action or Resource are identified. (I'm sure it's an easy answer, I'll be happy with anything really.) For example, an external system identifies a point of information which the policy would use to help determine if a deny rule should be applied. In this case, how is the policy authored to reference attributes of said piece of information? For example, a SIM event (we'll just go with this for now) which contains the threatening host IP and requested resource (say a protected portion of the corporate web site). How do I identify the PIP information in a urn?

I was assuming that when the PDP gathers information from the PIP (and from the PEP's access request message?) that the Subject, Action and Resource will have things like subject-id's ipAddress attribute already populated, because the Subject in question has an IP. Maybe I'm just not there yet. So I'll leave my query here. If anyone has a bit of practical advice to enlighten me, it would be very beneficial. Thanks!

Sample policy with a hole (note the ...???)
where the external PIP information on threat host IPs would be referenced:

<Policy PolicyId="urn:oasis:names:tc:policy:AttackerThreat">
  <Description>This policy is intended to deny attacking hosts for corporate web servers.</Description>
  <Target/>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:1" Effect="Deny">
    <Description>All identified host threats shall not be permitted access.</Description>
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">...???</AttributeValue>
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                        DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Actions>
        <AnyAction/>
      </Actions>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
            <!-- 10.10.0.0/16 on port 80 or 443; an ipAddress value carries all four octets and the port -->
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^10\.10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9])\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]):(80|443)$</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                         DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
          </ResourceMatch>
        </Resource>
      </Resources>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator AttributeId="protocol" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">tcp</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>

Chris McKenzie
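Editor's added example, not part of the thread above and not code from Chris, Rich or any XACML implementation: a small Python evaluator that makes the mechanism Rich describes concrete. The policy it embeds is a constructed, XACML 2.0-form version of what Chris was reaching for: the PIP-supplied threat list is referenced with an ordinary AttributeDesignator (which always yields a bag), the subject's IP is collapsed with string-one-and-only, and string-is-in takes (string, bag) in that order. A ContextHandler class serves the PDP's attribute references from the request context first and otherwise consults an organisation-defined mapping from AttributeId to a native lookup, which is the "mapping" Rich says has to exist. The AttributeIds under urn:example:, the THREAT_FEED list and the PIP_MAPPING dictionary are all hypothetical and constructed for this example; only the four functions the thread uses are implemented, and Targets are assumed to match.

```python
"""Mini XACML-style PDP: a context handler resolves MustBePresent attributes
through a PIP mapping (constructed example, not a real XACML engine)."""
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"
DESIGNATORS = {"SubjectAttributeDesignator": "subject", "ResourceAttributeDesignator": "resource",
               "ActionAttributeDesignator": "action", "EnvironmentAttributeDesignator": "environment"}

# Constructed policy (XACML 2.0 Condition form). Both urn:example AttributeIds are hypothetical.
POLICY = """\
<Policy PolicyId="urn:example:policy:AttackerThreat"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="urn:example:rule:ThreatRule" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator AttributeId="urn:example:subject:ipAddress"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <EnvironmentAttributeDesignator AttributeId="urn:example:environment:badIpAddresses"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
"""
THREAT_FEED = ["116.14.1.95", "65.4.89.192"]  # constructed; stands in for the SIM/database
# The organisation-defined mapping Rich describes: XACML AttributeId -> native lookup.
PIP_MAPPING = {("environment", "urn:example:environment:badIpAddresses"): lambda: list(THREAT_FEED)}


class MissingAttribute(Exception):
    """MustBePresent="true" and neither the request nor the PIP could supply the attribute."""


class ContextHandler:
    """Serves the PDP's attribute references: request context first, then the PIP mapping."""

    def __init__(self, request, pip_mapping):
        self.request = request          # {(category, AttributeId): [values]}
        self.pip_mapping = pip_mapping  # {(category, AttributeId): callable -> [values]}

    def bag(self, category, attr_id, must_be_present):
        values = self.request.get((category, attr_id))
        if values is None and (category, attr_id) in self.pip_mapping:
            values = self.pip_mapping[(category, attr_id)]()  # ask the PIP
        if values is None:
            if must_be_present:
                raise MissingAttribute(f"{category}:{attr_id}")
            return []  # an absent attribute evaluates to an empty bag
        return list(values)


def apply_function(fn, args):
    name = fn[len(FN):] if fn.startswith(FN) else fn
    if name == "string-bag":
        return list(args)
    if name == "string-one-and-only":
        (bag,) = args
        if len(bag) != 1:
            raise ValueError(f"string-one-and-only: bag has {len(bag)} values")
        return bag[0]
    if name == "string-is-in":
        value, bag = args  # (primitive, bag) in that order
        return value in bag
    if name == "string-set-equals":
        left, right = args
        return set(left) == set(right)
    raise ValueError(f"unsupported function {fn}")


def eval_expr(elem, ch):
    if elem.tag == "AttributeValue":
        return (elem.text or "").strip()
    if elem.tag in DESIGNATORS:  # a designator always yields a bag
        mbp = elem.get("MustBePresent", "false").lower() == "true"
        return ch.bag(DESIGNATORS[elem.tag], elem.get("AttributeId"), mbp)
    if elem.tag in ("Apply", "Condition") and elem.get("FunctionId"):  # 1.x Condition is an Apply
        return apply_function(elem.get("FunctionId"), [eval_expr(c, ch) for c in elem])
    if elem.tag == "Condition":  # 2.0 form: a single Expression child
        return eval_expr(elem[0], ch)
    raise ValueError(f"unsupported element {elem.tag}")


def evaluate(policy_xml, request, pip_mapping):
    """Decision for a single-rule policy whose Targets are assumed to match."""
    rule = ET.fromstring(policy_xml).find("Rule")
    condition = rule.find("Condition")
    ch = ContextHandler(request, pip_mapping)
    try:
        if condition is None or eval_expr(condition, ch) is True:
            return rule.get("Effect")
        return "NotApplicable"
    except (MissingAttribute, ValueError):
        return "Indeterminate"


def decide(client_ip):
    """PEP side: the request carries only the subject's IP; the threat bag arrives via the PIP."""
    return evaluate(POLICY, {("subject", "urn:example:subject:ipAddress"): [client_ip]}, PIP_MAPPING)


if __name__ == "__main__":
    for ip in ("116.14.1.95", "192.0.2.10"):
        print(ip, "->", decide(ip))
```

Two behaviours worth noticing when you run it: a listed IP yields Deny and an unlisted one NotApplicable (the Condition is false, so the rule does not fire), and if either MustBePresent attribute is neither in the request nor reachable through the mapping the result is Indeterminate rather than a silent Permit, which is the failure mode you want from a deny-list rule.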