[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-users] retrieving a list or query filter of resourcesthe caller is authorized for
Hi Ralf, Some of the subsequent emails have become quite detailed, so I thought I would try to address your original email directly referencing the response that I sent yesterday: http://lists.oasis-open.org/archives/xacml-users/201004/msg00019.html and the attachment to that email: http://lists.oasis-open.org/archives/xacml-users/201004/zip00000.zip I will put replies in line to your original message below. Thanks, Rich Ralf Lorenz wrote: 4BC6DCB1.1030609@mms-dresden.de" type="cite">Hey,This is precisely what the example messages in the zip file ref'd above show. The basic technique is to put each permission in its own PolicySet, with a pair of child policies, one for the permission itself, and the other that has a special resource-id that is used to enable all the policies to be applicable, which meet the criteria of Subject and Resource-Type. The "Resource-Type" used in the example is simply the name of a TestResourcePermission object, which has constructor with name and actions. The "type" of resource is simply the classname of the Permission. The net effect of this technique is that if you submit a request with resource-id="/-", where "/-" is the "special" string used to indicate that this is a query (the string can be anything as long as both the Policy creators and the users submitting the Requests agree on the string. In the zip file, the SampleRequestForQuery.xml contains the following for Resource, where I have bolded the relevant lines containing the AttributeId and AttributeValue for the resouirce-type and resource-id: <Resource> <Attribute AttributeId="urn:openaz:names:xacml:1.0:resource:resource-type" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="orcl-weblogic"> <AttributeValue>test.objects.TestResourcePermission</AttributeValue> </Attribute> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="orcl-weblogic"> <AttributeValue>/-</AttributeValue> </Attribute> </Resource>If you now look at the response to this query in SampleResponseToQueryRequest in the same zip file, you will find a collection of obligations that have AttributeAssignments. Note there was a bug in original message that flipped the attr-id and attr-val, which I fixed, so that the following contains the correct info: <Obligations> <Obligation ObligationId="LogSuccessfulAccess" FulfillOn="Permit"> <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" >User1</AttributeAssignment> <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" >http://www.example.com/A/D/.*</AttributeAssignment> <AttributeAssignment AttributeId="urn:openaz:names:xacml:1.0:resource:resource-type" DataType="http://www.w3.org/2001/XMLSchema#anyURI" >test.objects.TestResourcePermission</AttributeAssignment> </Obligation> <Obligation ObligationId="LogSuccessfulAccess" FulfillOn="Permit"> <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" >User1</AttributeAssignment> <AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" >http://www.example.com/A/B/.*</AttributeAssignment> <AttributeAssignment AttributeId="urn:openaz:names:xacml:1.0:resource:resource-type" DataType="http://www.w3.org/2001/XMLSchema#anyURI" >test.objects.TestResourcePermission</AttributeAssignment> </Obligation> </Obligations>Again, I bolded the relevant lines. Please note that both paths from the Policy were returned: 4BC6DCB1.1030609@mms-dresden.de" type="cite">This includes the question what action is allowed for which secured resource.I think this technique can be easily extended to include action as a returned AttributeAssignment by just adding it to the Obligation. 4BC6DCB1.1030609@mms-dresden.de" type="cite">Please let me know if you agree whether this is a possible soln. 4BC6DCB1.1030609@mms-dresden.de" type="cite">The PDP evaluates the attributes in the request against attribute id's and values contained in the policies. Whether these are Subject, Action, Resource etc is totally dependent on the policy that is written. 4BC6DCB1.1030609@mms-dresden.de" type="cite">The approach used in the proposed solution does not require a list of resources, it just requires the special query string and the resource type. In addition, information such as user or other Action, Environment, or even Resource attributes can reduce the scope of applicable policies. The special query string only gets evaluated after all the ancestor Targets have filtered out irrelevant policies. 4BC6DCB1.1030609@mms-dresden.de" type="cite">In my project I extended the PDP to have access to the domain but this is probably not a solutionThis is exactly what the proposed technique does. Each resource type in general will have its own semantics and hopefully those semantics can be readily processed by the XACML functions. The example I have shown should cover all hierarchical resources, which would include most file systems, XML documents, URLs, and most URIs. For those situations where things are not hierarchical, such as overlapping ranges, etc. one would need to define the semantics of the applicability criteria and come up with appropriate logic to produce the desired results. In priniciple, these semantics are probably known to some degree based on the characteristics of the resource-type being protected. Given the reqts, one can then go about defining the appropriate logic. However, in terms of this technique, what is returned is effectively a filter, in the language of the resource type, itself, so the Policy will not have to do much more than copy the logic in some form to the Obligation. One final note, is that what is expected with a solution like this is that there will be Policy Builder tools available that can ensure that the XML for XACML gets properly produced while minimizing work for the person defining the policy. Thanks, Rich 4BC6DCB1.1030609@mms-dresden.de" type="cite"> |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]