xacml-users message



Subject: RE: [xacml-users] Implementing UNIX file system acl using xacml


Roberto,

This particular problem has a solution in standard XACML (see attached).  It is not pretty, and probably not very general.

But to your point about adding user-defined functions to the XACML expression language: that question hasn't come before the TC since I have been a member.  As a policy author I have never run into a situation where the business rules required something that wasn't available in the existing language.  And if I did, I would probably lean toward putting such functions in the host implementation and simply calling them with a FunctionId.  This is the extension mechanism currently defined by the XACML spec.

Marco mentioned that he wanted the function logic to be visible in the XACML policy itself.  I understand the motivation for that, but the spec must draw the line somewhere between business understandability and usefulness on the one hand, and computer science power and complexity on the other.  My feeling, based on my policy writing experience, is that while the 3.0 spec has some limitations it is solidly a 95-98% solution for business access control purposes.  I would prefer to see it evolve incrementally based on demonstrated need--for example, your case would be helped with a "map-filter" function that returned a bag of values matching a given condition.  Being able to get individual values from a bag would also be a general-purpose capability that is missing from the current expression language.

Getting back to the original topic of implementing Unix file system permissions in XACML: I think that might also point to some deficiencies that could be remedied without resorting to user functions defined in the policy language.  I will post separately on that topic.

Regards,
--Paul

-----Original Message-----
From: Roberto Guanciale [mailto:guancio@netfarm.it] 
Sent: Friday, 18 November, 2011 11:40
To: xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] Implementing UNIX file system acl using xacml

Hi,
I'll try to simplify our scenario in order to identify whether the issues we
encountered depend on our misunderstanding of XACML or on its
expressiveness.

Suppose I check a request that has the (integer-bag) attribute
for the resource context defined as follows:

<Resource>
  <Attribute AttributeId="attribute01"
             DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>2</AttributeValue>
  </Attribute>
  <Attribute AttributeId="attribute01"
             DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>4</AttributeValue>
  </Attribute>
  <Attribute AttributeId="attribute01"
             DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>2</AttributeValue>
  </Attribute>
  <Attribute AttributeId="attribute01"
             DataType="http://www.w3.org/2001/XMLSchema#integer">
    <AttributeValue>5</AttributeValue>
  </Attribute>
</Resource>

Can I express a policy requiring that all elements of the bag must be 2
or greater than 4?
Namely, I want to express a condition that is true if and only if, for
each x in the attribute, x == 2 or x > 4 holds.

Exploiting higher-order functions, this property can be expressed in
several ways, for example:

all-of(
    boolean-equal,
    True,
    map(
        def f(x) {
            return (x == 2) or (x > 4)
        },
        ResourceAttributeDesignator("attribute01")
    )
)

Our problem is that even if XACML supports higher-order functions, we
cannot express a function definition inside the policy XML.
Clearly, we do not want to define an external function (e.g. using
Java) that implements the function "f", since this approach breaks the
capability of configuring the policy without changing the Java code.

Are my considerations correct? Since the XACML language is inspired by
functional languages, I think that a mechanism to
define functions inside the policy should be a desideratum.

Roberto Guanciale
Netfarm s.r.l.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Policy [
<!ENTITY function10 "urn:oasis:names:tc:xacml:1.0:function:">
<!ENTITY function30 "urn:oasis:names:tc:xacml:3.0:function:">
<!ENTITY rule_algorithm10
         "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:">
<!ENTITY xs "http://www.w3.org/2001/XMLSchema#">
]>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        Version="1.0" PolicyId="complex-bag-condition-example"
        RuleCombiningAlgId="&rule_algorithm10;first-applicable">
  <Description>Evaluate complex conditions on bag of values.</Description>
  <Target/>
  <!-- The bag from Roberto's sample request, inlined as a variable: {2, 4, 2, 5} -->
  <VariableDefinition VariableId="test-bag">
    <Apply FunctionId="&function10;integer-bag">
      <AttributeValue DataType="&xs;integer">2</AttributeValue>
      <AttributeValue DataType="&xs;integer">4</AttributeValue>
      <AttributeValue DataType="&xs;integer">2</AttributeValue>
      <AttributeValue DataType="&xs;integer">5</AttributeValue>
    </Apply>
  </VariableDefinition><!-- test-bag -->
  <Rule RuleId="rule-1" Effect="Permit">
    <Condition>
      <!-- bag-size(test-bag) == bag-size(map(integer-equal, 2, test-bag))
                                 + bag-size(map(integer-greater-than, test-bag, 4)) -->
      <Apply FunctionId="&function10;integer-equal">
        <Apply FunctionId="&function10;integer-bag-size">
          <VariableReference VariableId="test-bag"/>
        </Apply>
        <Apply FunctionId="&function10;integer-add">
          <!-- size of the boolean bag that map yields, one boolean per element of test-bag -->
          <Apply FunctionId="&function10;boolean-bag-size">
            <!-- A map whose function takes a fixed extra argument needs the XACML 3.0
                 map identifier; the 1.0 map only accepts a single-argument function. -->
            <Apply FunctionId="&function30;map">
              <Function FunctionId="&function10;integer-equal"/>
              <AttributeValue DataType="&xs;integer">2</AttributeValue>
              <VariableReference VariableId="test-bag"/>
            </Apply>
          </Apply>
          <Apply FunctionId="&function10;boolean-bag-size">
            <Apply FunctionId="&function30;map">
              <Function FunctionId="&function10;integer-greater-than"/>
              <VariableReference VariableId="test-bag"/>
              <AttributeValue DataType="&xs;integer">4</AttributeValue>
            </Apply>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
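The per-element condition discussed in this thread (every value of attribute01 is 2 or greater than 4) together with the "map-filter" function Paul proposes, modelled in Python as an added example. This is not XACML or any PDP's code; map_filter is a hypothetical extension, not a standard function, and bags are modelled as Python lists.

```python
import operator
from typing import Callable, List

# Toy model of the XACML 3.0 higher-order bag functions named in this thread
# (all-of, map, bag-size) plus the "map-filter" extension Paul suggests.
# Added illustration, not XACML or any PDP's code; bags are Python lists.
Bag = List[int]

def bag_size(bag: Bag) -> int:
    # urn:oasis:names:tc:xacml:1.0:function:integer-bag-size
    return len(bag)

def _split_bag(args: tuple):
    # XACML 3.0 map/all-of: exactly one argument is a bag; the other
    # arguments are primitive values that stay fixed for every element.
    positions = [i for i, a in enumerate(args) if isinstance(a, list)]
    if len(positions) != 1:
        raise ValueError("exactly one argument must be a bag")
    return positions[0], args[positions[0]]

def _apply_per_element(fn: Callable, args: tuple):
    # Yield (element, fn(...)) with the bag argument replaced by each element.
    pos, bag = _split_bag(args)
    for x in bag:
        yield x, fn(*(args[:pos] + (x,) + args[pos + 1:]))

def all_of(fn: Callable, *args) -> bool:
    # urn:oasis:names:tc:xacml:3.0:function:all-of
    return all(r for _, r in _apply_per_element(fn, args))

def xacml_map(fn: Callable, *args) -> list:
    # urn:oasis:names:tc:xacml:3.0:function:map: one result per element,
    # so bag_size(xacml_map(...)) always equals the input bag's size.
    return [r for _, r in _apply_per_element(fn, args)]

def map_filter(fn: Callable, *args) -> list:
    # Hypothetical "map-filter" (not in the XACML spec): the elements for
    # which fn is true, rather than a bag of booleans.
    return [x for x, r in _apply_per_element(fn, args) if r]

def all_two_or_above_four(bag: Bag) -> bool:
    # Roberto's condition: for each x in attribute01, x == 2 or x > 4.
    # No standard function composes the disjunction per element, but the
    # two matching subsets are disjoint, so with map-filter their sizes add
    # up to the bag size exactly when every element falls in one of them.
    eq2 = map_filter(operator.eq, 2, bag)   # integer-equal(2, x)
    gt4 = map_filter(operator.gt, bag, 4)   # integer-greater-than(x, 4)
    return bag_size(bag) == bag_size(eq2) + bag_size(gt4)
```

The bag from Roberto's sample request, [2, 4, 2, 5], fails the condition because 4 matches neither disjunct, while [2, 5, 2, 9] passes.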

