xacml-users message



Subject: RE: [xacml-users] RE: XACML ipAddress-regexp-match and how to author a policy with dynamic


Ok, I think I've got the general idea and syntax.

AttributeDesignator can return multiple values for an attribute and is generally handled as a typed bag, even if only one value is set/returned. So by simply making an attribute MustBePresent, the -is-in function can be used to determine if one attribute is contained in an external bag.

<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
 <AttributeValue
   AttributeId="urn:oasis:names:tc:xacml:1.0:security:threats:badIpAddresses"
   MustBePresent="true"
   DataType="http://www.w3.org/2001/XMLSchema#string"/>
 <SubjectAttributeDesignator
   AttributeId="urn:oasis:names:tc:xacml:1.0:subject:ipAddress"
   MustBePresent="true"
   DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Condition>

Am I close? ;-)

Thanks.

-Chris
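An added worked example (not code from this thread, and not from any XACML implementation) that models the pieces the thread touches: the context handler's AttributeId-to-native mapping Rich describes, a MustBePresent attribute that is absent from the request and is fetched from the PIP, a designator that always yields a bag, string-is-in with string-one-and-only, the ipAddress-regexp-match target from the WebAccess policy, and the XACML 2.0 deny-overrides rule-combining algorithm (Appendix C.1 of the 2.0 spec) so the "global allow, selective deny" combination can be exercised. Two spec points worth keeping in mind when reading the guessed Condition above: AttributeId and MustBePresent belong on a designator element, not on AttributeValue, and string-is-in takes (string, string-bag) in that order, so the single subject address goes first and the bag of bad addresses second. Assumptions: the AttributeIds are the ones used in the thread's fragments; THREAT_DB, the sample requests and all function and class names are constructed for this example; the resource pattern is a corrected version of the thread's regex (four octets, single-digit octets, port group without a character class).

```python
"""Model of the XACML 2.0 request flow from this thread (added example).
AttributeIds come from the thread's fragments; names, the threat store and the
sample requests are constructed for illustration, not taken from any product."""
import re
from typing import Callable, Dict, List

SUBJECT_IP = "urn:oasis:names:tc:xacml:1.0:subject:ipAddress"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
BAD_IPS = "urn:oasis:names:tc:xacml:1.0:security:threats:badIpAddresses"

# Corrected form of the thread's resource pattern: "10.10.x.y:80" or "10.10.x.y:443"
# in the string form of the ipAddress data type (four octets, single digits allowed).
OCTET = r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
WEB_SERVER_PATTERN = rf"^10\.10\.{OCTET}\.{OCTET}:(80|443)$"

# Constructed stand-in for the PIP's threat store; the IPs are the thread's sample values.
THREAT_DB = {"116.14.1.95", "65.4.89.192"}

Bag = List[str]

class MissingAttribute(Exception):
    """A MustBePresent attribute could not be obtained: the expression is Indeterminate."""

class ContextHandler:
    """Request context plus the AttributeId -> native lookup mapping for the PIP."""
    def __init__(self, request: Dict[str, Bag], resolvers: Dict[str, Callable[[], Bag]]):
        self.request = {k: list(v) for k, v in request.items()}
        self.resolvers = resolvers

    def designator(self, attr_id: str, must_be_present: bool) -> Bag:
        """What an AttributeDesignator yields: a bag, possibly empty, never a scalar."""
        bag = self.request.get(attr_id)
        if bag is None and attr_id in self.resolvers:
            bag = list(self.resolvers[attr_id]())  # fetch from the PIP on first use
            self.request[attr_id] = bag            # then treat it as part of the context
        if bag is None:
            if must_be_present:
                raise MissingAttribute(attr_id)
            return []
        return bag

def string_one_and_only(bag: Bag) -> str:
    if len(bag) != 1:
        raise ValueError(f"string-one-and-only on a bag of size {len(bag)}")
    return bag[0]

def string_is_in(value: str, bag: Bag) -> bool:
    return value in bag

def ip_address_regexp_match(pattern: str, ip: str) -> bool:
    # Unanchored search, like fn:matches; the policy's ^ and $ supply the anchoring.
    return re.search(pattern, ip) is not None

def target_matches_web_server(ch: ContextHandler) -> bool:
    bag = ch.designator(RESOURCE_ID, must_be_present=False)
    return any(ip_address_regexp_match(WEB_SERVER_PATTERN, r) for r in bag)

def threat_rule(ch: ContextHandler) -> str:
    """Effect=Deny: string-is-in(string-one-and-only(subject ipAddress), badIpAddresses)."""
    if not target_matches_web_server(ch):
        return "NotApplicable"
    try:
        subject_ip = string_one_and_only(ch.designator(SUBJECT_IP, must_be_present=True))
        bad_ips = ch.designator(BAD_IPS, must_be_present=True)
    except (MissingAttribute, ValueError):
        return "Indeterminate"
    return "Deny" if string_is_in(subject_ip, bad_ips) else "NotApplicable"

def web_access_rule(ch: ContextHandler) -> str:
    """Effect=Permit: any subject and action against the corporate web servers."""
    return "Permit" if target_matches_web_server(ch) else "NotApplicable"

RULES = [("Deny", threat_rule), ("Permit", web_access_rule)]

def deny_overrides(ch: ContextHandler) -> str:
    """XACML 2.0 deny-overrides rule combining (Appendix C.1 of the spec)."""
    potential_deny = at_least_one_permit = at_least_one_error = False
    for effect, rule in RULES:
        decision = rule(ch)
        if decision == "Deny":
            return "Deny"
        if decision == "Permit":
            at_least_one_permit = True
        elif decision == "Indeterminate":
            at_least_one_error = True
            if effect == "Deny":
                potential_deny = True  # an errored Deny rule still denies
    if potential_deny:
        return "Deny"
    if at_least_one_permit:
        return "Permit"
    return "Indeterminate" if at_least_one_error else "NotApplicable"

def decide(request: Dict[str, Bag], pip_available: bool = True) -> str:
    """Evaluate a request; pip_available=False simulates an unreachable threat store."""
    resolvers = {BAD_IPS: lambda: sorted(THREAT_DB)} if pip_available else {}
    return deny_overrides(ContextHandler(request, resolvers))

if __name__ == "__main__":
    print(decide({SUBJECT_IP: ["116.14.1.95"], RESOURCE_ID: ["10.10.4.20:443"]}))  # Deny
    print(decide({SUBJECT_IP: ["192.0.2.10"], RESOURCE_ID: ["10.10.4.20:80"]}))    # Permit
```

The point a practitioner should take from the combination step: because the threat rule has Effect=Deny and its bad-address bag is MustBePresent, an unreachable PIP (or a subject that turns up with zero or two addresses) makes that rule Indeterminate, and deny-overrides turns an Indeterminate Deny rule into Deny. The threat check therefore fails closed rather than silently falling through to the Permit rule, which is the behaviour you want from a block list; if the rule were written with MustBePresent="false", a missing bag would evaluate to an empty bag and the check would fail open.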

-----Original Message-----
From: Chris McKenzie 
Sent: Wednesday, May 06, 2009 11:54 AM
To: 'Rich.Levinson'
Cc: xacml-users@lists.oasis-open.org
Subject: RE: [xacml-users] RE: XACML ipAddress-regexp-match and how to author a policy with dynamic

Thanks for the quick reply Rich!

I was aware of the Context Handler, but the policy XML syntax sort of eluded me. The Data Flow diagram was also pretty clear, but how the PIP tied into the policy XML syntax was unclear.

Thanks for filling in my blank that it's the Context Handler's job to populate any unknown Attributes by AttributeId, and that the Context Handler or PIP implementation is required to interpret the requested AttributeId to something we expect the policy to use. (like a set or string, etc...)

So the policy syntax for external PIP Attributes for a mock policy (without any real implementation) could be anything representative. E.g. urn:oasis:names:tc:xacml:2.0:resource:target-namespace

The only unanswered question is how would the syntax to request a set/bag of Attributes work? There isn't a Data Type for set/bag, more that the string-bag/string-set functions can enumerate a list of strings in the policy. So how would I externally reference an Attribute list?

For example, here's a Condition where the bag is created from a policy included list:

<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-set-equals">
 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">116.14.1.95</AttributeValue>
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">65.4.89.192</AttributeValue>
 </Apply>
 <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:ipAddress"
   DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Condition>

How would I externally reference an Attribute value that needs to be a list? Something like this:

<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-set-equals">
 <AttributeValue
   DataType="http://www.w3.org/2001/XMLSchema#string"
   AttributeId="urn:oasis:names:tc:xacml:2.0:resource:badIpAddresses"/>
 <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:ipAddress"
   DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Condition>

Or am I completely off, and I should be interpreting the PIP response as XML based, and look at the XPath functions?

This is just one of those cases where an example is either missing, or I'm just again not familiar with the terminology and it's right in front of me.

Thanks again!

-Chris


From: Rich.Levinson [mailto:rich.levinson@oracle.com] 
Sent: Tuesday, May 05, 2009 6:48 PM
To: Chris McKenzie
Cc: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] RE: XACML ipAddress-regexp-match and how to author a policy with dynamic

Hi Chris,

I think you have analyzed the situation pretty well, however, it appears to me that there is one key concept that you need to incorporate, which is the role of the context handler (XACML 2.0 lines 246-248):
Context handler - The system entity that converts decision requests in the native request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format.
The key concept here is that the ch is responsible for converting between canonical XACML form and native forms. 

The 2nd key concept you need is that of "missing attributes", which is defined in several places in the spec, primarily section 7.15.3 and related sections such as 5.37 lines 2614-2617 where MustBePresent is defined, and provides further refs to relevant info in the spec.

Basically, what it all boils down to is the following:
1. If an attribute defined in a Policy has MustBePresent set to true, then if that attribute is not present in the Request, then the ch is invoked as described in section 7.2.5 lines 3313-3315:
   - "The PDP SHALL reference the attributes as if they were in a physical request context document, but the context handler is responsible for obtaining and supplying the requested values by whatever means it deems appropriate."
2. The "appropriate means" is described, for example, in section 3.1 lines 584-592, steps 5-10, which is basically, as in steps 6 and 7, that the ch tells the PIP what it wants and gets it. We can assume that the ch translated the XACML AttributeId of the missing attribute to whatever native format the PIP uses to access the attribute and return it to the ch.
The 3rd and final key concept that is required is that one must assume that all attributes come from outside the XACML domain in some sense and there must be a mapping of the XACML AttributeId to the native attribute access mechanism. This is really true for attributes submitted to the PEP as well, since those attributes will be in some native format, and something must associate that native format with a XACML AttributeId and DataFormat in the process of submitting the request.

I think the general answer is that there needs to be a mapping between AttributeIds defined in XACML policies and native attributes that come from systems external to XACML that are used in evaluating XACML Policies, and that these mappings are defined by the organizations that define the Policies and attributes that are used by those Policies.

Let me know if this helps or if you need any further details.

    Thanks,
    Rich


Chris McKenzie wrote: 
I've made some progress, so please let me refine my question.

I can't determine how a policy might reference a source of PIP
information in different formats. For example, in the below policy, the
Condition's set/bag would ultimately be referencing an external PIP
source of information. There's a gap in the XACML spec between where the
PIP is a source of Attributes and how to reference those Attributes and
how the resulting policy might reflect this.

For example, my policy CAN'T list every set/bag attribute individually.
It would be impractical. So what's the syntax for referencing said
set/bag? I'll keep digging, and it's probably spelled out in the spec,
but for right now it feels like the spec doc is missing this piece.

Thanks!

<Policy PolicyId="urn:oasis:names:tc:policy:WebAccess">
  <Description>This policy is intended to allow access to corporate web
servers, except where threat hosts have been identified.</Description>
  <Target>
   <Subjects>
     <AnySubject/>
   </Subjects>
   <Actions>
    <AnyAction/>
   </Actions>
   <Resources>
    <Resource>
     <ResourceMatch
       MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
      <!-- 10.10.x.y on port 80 or 443: four octets, and the port alternation is a group,
           not a character class. Kept on one line so the ^...$ anchors see no whitespace. -->
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^10\.10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):(80|443)$</AttributeValue>
      <ResourceAttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
     </ResourceMatch>
    </Resource>
   </Resources>
  </Target>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:0" Effect="Deny">
   <Description>Hosts will be conditionally granted access as long as
they are not identified as a threat.</Description>
    <Target>
     <Subjects>
      <AnySubject/>
     </Subjects>
     <Actions>
      <AnyAction/>
     </Actions>
     <Resources>
      <AnyResource/>
     </Resources>
    </Target>

    <Condition
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-set-equals">
     <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">116.14.1.95</AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">65.4.89.192</AttributeValue>
     </Apply>
     <SubjectAttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:test-attr"
       DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Condition>

  </Rule>
 </Policy>



-----Original Message-----
From: Chris McKenzie 
Sent: Tuesday, May 05, 2009 10:12 AM
To: 'xacml-users@lists.oasis-open.org'
Subject: XACML ipAddress-regexp-match and how to author a policy with dynamic

Hi.

The mailing list isn't easy to search, so I thought I would pose my
question while commanding the list to e-mail me the last 150 posts.

I was trying to put together an XACML 2.0 policy set that captured 2
policies, which when combined, allowed for both a sort of global allow
and selective deny. Essentially a Firewall access policy where hosts
which have been identified as a threat would be denied access to the
target resource. (say a web server) The PIP information supplying the
list of threat IP Addresses could be stored in a database.

My main query that I can't gather from the literature I've read so far
is how all attributes of a Subject, Action or Resource are identified.
(I'm sure it's an easy answer, I'll be happy with anything really) For
example, an external system identifies a point of information which the
policy would use to help determine if a deny rule should be applied. In
this case, how is the policy authored to reference attributes of said
piece of information?

For example, a SIM event (we'll just go with this for now) which
contains the threatening host IP and requested resource. (say a
protected portion of the corporate web site) How do I identify the PIP
information in a urn? I was assuming that when the PDP gathers
information from the PIP (and from the PEP's access request message?)
that the Subject, Action and Resource will have things like subject-id's
ipAddress attribute already populated, because the Subject in question
has an IP.

Maybe I'm just not there yet. So I'll leave my query here. If anyone has
a bit of practical advice to enlighten me, it would be very beneficial.

Thanks!

Sample policy with a hole (note the ...???) where the external PIP
information on threat host IPs would be referenced:

<Policy PolicyId="urn:oasis:names:tc:policy:AttackerThreat">
  <Description>This policy is intended to deny attacking hosts for
corporate web servers.</Description>
  <Target/>
  <Rule RuleId="urn:oasis:names:tc:policy:ThreatRule:1" Effect="Deny">
   <Description>All identified host threats shall not be permitted
access.</Description>
    <Target>
     <Subjects>
      <Subject>
       <SubjectMatch
         MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
          ...???
        </AttributeValue>
        <SubjectAttributeDesignator
          AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
          DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
       </SubjectMatch>
     </Subjects>
     <Actions>
      <AnyAction/>
     </Actions>
     <Resources>
       <Resource>
         <ResourceMatch
           MatchId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-regexp-match">
          <!-- 10.10.x.y on port 80 or 443: four octets, and the port alternation is a group,
               not a character class. Kept on one line so the ^...$ anchors see no whitespace. -->
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^10\.10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):(80|443)$</AttributeValue>
          <ResourceAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            DataType="urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"/>
         </ResourceMatch>
       </Resource>
     </Resources>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator AttributeId="protocol"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">tcp</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
 </Policy>




Chris McKenzie

