Re: [xacml-users] retrieving a list or query filter of resourcesthe caller is authorized for

["Rich.Levinson" <rich.levinson@oracle.com>]

Hi Ralf,

Some of the subsequent emails have become quite detailed, so I thought I would try to address your original email directly referencing the response that I sent yesterday:
  http://lists.oasis-open.org/archives/xacml-users/201004/msg00019.html
and the attachment to that email:
  http://lists.oasis-open.org/archives/xacml-users/201004/zip00000.zip
I will put replies in line to your original message below.

    Thanks,
    Rich


Ralf Lorenz wrote:

4BC6DCB1.1030609@mms-dresden.de" type="cite">Hey,
several months ago I was asked to introduce a powerful rules-engine to
generate authorizations into my current project. I had a look around, found XACML
and decided to try to use it.
The result is an adaptation that is based on the XACML model.
Being able to generate authorizations (spring-security ACL) one of the main
use cases is answering the question:
 What secured resources (of a given type) is the given subject authorized for?

This is precisely what the example messages in the zip file ref'd above show. The basic technique is to put each permission in its own PolicySet, with a pair of child policies, one for the permission itself, and the other that has a special resource-id that is used to enable all the policies to be applicable, which meet the criteria of Subject and Resource-Type. The "Resource-Type" used in the example is simply the name of a TestResourcePermission object, which has constructor with name and actions. The "type" of resource is simply the classname of the Permission.

The net effect of this technique is that if you submit a request with resource-id="/-", where "/-" is the "special" string used to indicate that this is a query (the string can be anything as long as both the Policy creators and the users submitting the Requests agree on the string.

In the zip file, the SampleRequestForQuery.xml contains the following for Resource, where I have bolded the relevant lines containing the AttributeId and AttributeValue for the resouirce-type and resource-id:

<Resource>
  <Attribute 
      AttributeId="urn:openaz:names:xacml:1.0:resource:resource-type" 
      DataType="http://www.w3.org/2001/XMLSchema#string" 
      Issuer="orcl-weblogic">
    <AttributeValue>test.objects.TestResourcePermission</AttributeValue> 
  </Attribute>
  <Attribute 
      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
      DataType="http://www.w3.org/2001/XMLSchema#string" 
      Issuer="orcl-weblogic">
    <AttributeValue>/-</AttributeValue> 
  </Attribute>
</Resource>

If you now look at the response to this query in SampleResponseToQueryRequest in the same zip file, you will find a collection of obligations that have AttributeAssignments. Note there was a bug in original message that flipped the attr-id and attr-val, which I fixed, so that the following contains the correct info:

    <Obligations>
      <Obligation ObligationId="LogSuccessfulAccess" FulfillOn="Permit">
        <AttributeAssignment 
	    AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 
	    DataType="http://www.w3.org/2001/XMLSchema#anyURI"
	  >User1</AttributeAssignment>
        <AttributeAssignment 
	    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
	    DataType="http://www.w3.org/2001/XMLSchema#anyURI"
	  >http://www.example.com/A/D/.*</AttributeAssignment>
        <AttributeAssignment 
	    AttributeId="urn:openaz:names:xacml:1.0:resource:resource-type" 
	    DataType="http://www.w3.org/2001/XMLSchema#anyURI"
	  >test.objects.TestResourcePermission</AttributeAssignment>
      </Obligation>
      <Obligation ObligationId="LogSuccessfulAccess" FulfillOn="Permit">
        <AttributeAssignment 
	    AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 
	    DataType="http://www.w3.org/2001/XMLSchema#anyURI"
	  >User1</AttributeAssignment>
        <AttributeAssignment 
	    AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
	    DataType="http://www.w3.org/2001/XMLSchema#anyURI"
	  >http://www.example.com/A/B/.*</AttributeAssignment>
        <AttributeAssignment 
	    AttributeId="urn:openaz:names:xacml:1.0:resource:resource-type" 
	    DataType="http://www.w3.org/2001/XMLSchema#anyURI"
	  >test.objects.TestResourcePermission</AttributeAssignment>
      </Obligation>
    </Obligations>

Again, I bolded the relevant lines. Please note that both paths from the Policy were returned:

• http://www.example.com/A/B/.*

• http://www.example.com/A/D/.*

4BC6DCB1.1030609@mms-dresden.de" type="cite">This includes the question what action is allowed for which secured resource.

I think this technique can be easily extended to include action as a returned AttributeAssignment by just adding it to the Obligation.

4BC6DCB1.1030609@mms-dresden.de" type="cite">
I did not find a way to solve this problem with XACML itself.

Please let me know if you agree whether this is a possible soln.

4BC6DCB1.1030609@mms-dresden.de" type="cite">
I understand that a PDP decides if a subject is authorized to access a resource in some
way whereas the subject, the resource and the action must be given to the PDP
but in some cases this is just not appropriate in my opinion but I might be wrong;)

The PDP evaluates the attributes in the request against attribute id's and values contained in the policies. Whether these are Subject, Action, Resource etc is totally dependent on the policy that is written.

4BC6DCB1.1030609@mms-dresden.de" type="cite">
One of the basic requirements on the access control management in my current project is to
return a list of ids of secured resources of a certain type to get that list from the
related resource data store. To achieve that with XACML each request to the PDP would
include the complete list of secured resources the caller is interested in and therefore
it is necessary to always have all secured resources around which often might be more than
2000.

The approach used in the proposed solution does not require a list of resources, it just requires the special query string and the resource type. In addition, information such as user or other Action, Environment, or even Resource attributes can reduce the scope of applicable policies. The special query string only gets evaluated after all the ancestor Targets have filtered out irrelevant policies.

4BC6DCB1.1030609@mms-dresden.de" type="cite">In my project I extended the PDP to have access to the domain but this is probably not a solution
in the sense of XACML but how about being able to return a filter which can be used to query
the domain?

This is exactly what the proposed technique does. Each resource type in general will have its own semantics and hopefully those semantics can be readily processed by the XACML functions. The example I have shown should cover all hierarchical resources, which would include most file systems, XML documents, URLs, and most URIs. For those situations where things are not hierarchical, such as overlapping ranges, etc. one would need to define the semantics of the applicability criteria and come up with appropriate logic to produce the desired results. In priniciple, these semantics are probably known to some degree based on the characteristics of the resource-type being protected. Given the reqts, one can then go about defining the appropriate logic. However, in terms of this technique, what is returned is effectively a filter, in the language of the resource type, itself, so the Policy will not have to do much more than copy the logic in some form to the Obligation.

One final note, is that what is expected with a solution like this is that there will be Policy Builder tools available that can ensure that the XML for XACML gets properly produced while minimizing work for the person defining the policy.

    Thanks,
    Rich

4BC6DCB1.1030609@mms-dresden.de" type="cite">
Any help on this issue and explanations in case I got something wrong about XACML are welcome.

regards
Ralf

---------------------------------------------------------------------
To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: xacml-users-help@lists.oasis-open.org