Subject: [xacml] <ContextPrincipal>/<AttributeDesignator> proposal


Michiharu suggested the following outline for such proposals.
I think it is excellent, so I will follow it and encourage others
to do the same.

- Access request description in English
- XACML Context specification of the above
- Sample J2SE policy in English
- XACML policy specification of the above
             (not exact one, simplified description is enough)
- How XACML policy specification refers to each attribute in XACML Context
- Desirable final decision
- ...

NOTE: I have specified a complete context and policy below,
although my current proposal is addressed to the ContextPrincipal
syntax.

EXAMPLE ACCESS REQUEST DESCRIPTION IN ENGLISH

Read access has been requested for the file
"/net/saguaro/home/zoe/status.txt".

The user executing the thread from which the access request was
generated was authenticated as both
  o "cn=Anne,ou=SunLabs,o=Sun,c=US", and as
  o "Anne.Anderson@Sun.COM"

The executing code for the thread that generated the access
request was downloaded from "http://java.sun.com/jdk1.4/classes".

The code was signed by two certificates with subject names
  o "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US", and
  o "cn=SunSigner,o=Sun,c=US".

PROPOSED XACML CONTEXT SPECIFICATION OF THE ABOVE

<xacml:RequestContext>
    <xacml:ContextPrincipals>
        <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
            <xacml:NameIdentifier Format="itu:X500DistinguishedName">
                "cn=Anne,ou=SunLabs,o=Sun,c=US"
            </xacml:NameIdentifier>
        </xacml:SimplePrincipal>
        <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
            <xacml:NameIdentifier Format="ietf:RFC822Name">
                "Anne.Anderson@Sun.COM"
            </xacml:NameIdentifier>
        </xacml:SimplePrincipal>
        <xacml:SimplePrincipal PrincipalType="j2se:CodeSource">
            <xacml:NameIdentifier Format="ietf:URL">
                "http://java.sun.com/jdk1.4/classes"
            </xacml:NameIdentifier>
            <xacml:Attribute AttributeName="SignedBy"
                             AttributeFamily="j2se:Policy"
                             Issuer="j2se:com.sun.labs.isrg.ClassLoader"
                             IssueInstant="2002-05-28T00:00:00Z">
                <xacml:AttributeValue>
                    "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
                </xacml:AttributeValue>
                <xacml:AttributeValue>
                    "cn=SunSigner,o=Sun,c=US"
                </xacml:AttributeValue>
            </xacml:Attribute>
        </xacml:SimplePrincipal>
    </xacml:ContextPrincipals>
    <xacml:ContextResource>
        <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
    </xacml:ContextResource>
    <xacml:ContextAction>
        <xacml:Action>
            "read"
        </xacml:Action>
    </xacml:ContextAction>
</xacml:RequestContext>

SAMPLE POLICY IN ENGLISH

Grant read access to resource "file:/net/saguaro/home/zoe/*" if
the requesting user is "Zoe@Sun.COM" or if the executing code
was signed by "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US".

XACML POLICY SPECIFICATION OF THE ABOVE

The following two rules are included in an xacml:policyStatement
where the ruleCombiningAlgId allows access if any rule allows
access.

<!-- XPath predicates use single quotes so the whole expression can sit
     inside a double-quoted XML attribute and the rule stays well-formed -->
<xacml:rule ruleId="sunlabs:rule9" effect="Permit">
    <xacml:target>
        <xacml:subjects>
            <xacml:Attribute AttributeName=
                   "RequestContext/ContextPrincipals
                   /SimplePrincipal[@PrincipalType='j2se:RequestingUser']
                   /NameIdentifier[@Format='ietf:RFC822Name']">
                <xacml:AttributeValue>
                    "Zoe@Sun.COM"
                </xacml:AttributeValue>
            </xacml:Attribute>
        </xacml:subjects>
        <xacml:resources>
            <xacml:Attribute AttributeName=
                   "RequestContext/ContextResource
                   /ResourceSpecifier[@ResourceURI='file:/net/saguaro/home/zoe/*']">
            </xacml:Attribute>
        </xacml:resources>
        <xacml:actions>
            <xacml:Attribute AttributeName=
                   "RequestContext/ContextAction/Action">
                <xacml:AttributeValue>
                   "read"
                </xacml:AttributeValue>
            </xacml:Attribute>
        </xacml:actions>
    </xacml:target>
</xacml:rule>

<!-- The PrincipalType here is j2se:CodeSource, matching the SimplePrincipal
     that carries the SignedBy attribute in the request context above -->
<xacml:rule ruleId="sunlabs:rule10" effect="Permit">
    <xacml:target>
        <xacml:subjects>
            <xacml:Attribute AttributeName=
                   "RequestContext/ContextPrincipals
                   /SimplePrincipal[@PrincipalType='j2se:CodeSource']
                   /Attribute[@AttributeName='SignedBy' and
                             @AttributeFamily='j2se:Policy']">
                <xacml:AttributeValue>
                    "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
                </xacml:AttributeValue>
            </xacml:Attribute>
        </xacml:subjects>
        <xacml:resources>
            <xacml:Attribute AttributeName=
                   "RequestContext/ContextResource
                   /ResourceSpecifier[@ResourceURI='file:/net/saguaro/home/zoe/*']">
            </xacml:Attribute>
        </xacml:resources>
        <xacml:actions>
            <xacml:Attribute AttributeName=
                   "RequestContext/ContextAction/Action">
                <xacml:AttributeValue>
                   "read"
                </xacml:AttributeValue>
            </xacml:Attribute>
        </xacml:actions>
    </xacml:target>
</xacml:rule>

HOW XACML POLICY SPECIFICATION REFERS TO EACH ATTRIBUTE IN XACML CONTEXT

In the example above, I have used full XPATH expressions (to the
best of my ability) starting from RequestContext to refer to
attributes in the request context.

Under the xacml:rule/target/subjects section of a rule, it should be
possible to assume the root is RequestContext/ContextPrincipals,
and then use an XPATH expression to navigate from there.
Similarly, it should be possible to assume under
xacml:target/resources that the root of the XPATH is
RequestContext/ContextResource.

In the xacml:rule/conditions sections of a rule, it would be
necessary to specify the root explicitly (as I did in my
examples), since there is no context to narrow it.

DESIRABLE FINAL DECISION

1. Support multiple SimplePrincipal (or ComplexPrincipal? Not
   sure we need multiple elements here) elements under
   ResourceContext.
2. Each SimplePrincipal has an associated xml attribute named
   "PrincipalType" that is a URI.  This is used to indicate the
   role the SimplePrincipal plays in this particular request
   (requesting user, delegating user, requesting machine,
   requesting process ID, requesting code source location, etc.).
   Communities of users, such as J2SE, would specify the
   PrincipalTypes that apply to them.  Standards groups could
   specify PrincipalTypes that apply to multiple communities of
   users.
3. An xacml:Attribute that applies to a particular
   SimplePrincipal is included as a subelement under the
   SimplePrincipal to which it applies.  This means the Attribute
   does not need to include Holder, since the Holder will be the
   xacml:NameIdentifier of the SimplePrincipal.

QUESTION

1. Why can't AttributeName be a URL, and use the namespace
   identifier to indicate the AttributeFamily?  E.g., instead of
     <xacml:Attribute AttributeName="SignedBy"
                      AttributeFamily="j2se:Policy"
                      Issuer="j2se:com.sun.labs.isrg.ClassLoader"
                      IssueInstant="2002-05-28T00:00:00Z">
   use
     <xacml:Attribute AttributeName="j2sePolicy:SignedBy"
                      Issuer="j2se:com.sun.labs.isrg.ClassLoader"
                      IssueInstant="2002-05-28T00:00:00Z">
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
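The request context and the two rules from the proposal above, evaluated by a small Python script. This is an added example, not code from the proposal's author or from the XACML TC. It assumes a placeholder namespace URI for the xacml: prefix (the proposal never binds one), encodes the two rules as Python dicts rather than as the proposed <xacml:rule> XML, treats the ResourceURI pattern as a shell-style glob, and, following the "HOW XACML POLICY SPECIFICATION REFERS TO EACH ATTRIBUTE" section, writes the subject XPath relative to ContextPrincipals and the resource lookup relative to ContextResource. Rule 10's path is pointed at the AttributeValue elements of the SignedBy attribute so the value comparison is a plain text match.

```python
"""Toy permit-overrides evaluator for the proposed RequestContext layout.

Added example, not the proposal author's code. Assumptions: a placeholder
namespace URI for the xacml: prefix, rules as Python dicts, glob matching
for ResourceURI, and subject/resource paths relative to ContextPrincipals
and ContextResource respectively.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Placeholder namespace URI: the proposal never binds the xacml: prefix.
NS = {"xacml": "urn:example:xacml-proposal"}

# Constructed request context following the proposal's layout; the quote
# characters around values in the proposal are dropped so text compares
# directly against the rule values.
REQUEST_CONTEXT = """\
<xacml:RequestContext xmlns:xacml="urn:example:xacml-proposal">
  <xacml:ContextPrincipals>
    <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
      <xacml:NameIdentifier Format="itu:X500DistinguishedName">cn=Anne,ou=SunLabs,o=Sun,c=US</xacml:NameIdentifier>
    </xacml:SimplePrincipal>
    <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
      <xacml:NameIdentifier Format="ietf:RFC822Name">Anne.Anderson@Sun.COM</xacml:NameIdentifier>
    </xacml:SimplePrincipal>
    <xacml:SimplePrincipal PrincipalType="j2se:CodeSource">
      <xacml:NameIdentifier Format="ietf:URL">http://java.sun.com/jdk1.4/classes</xacml:NameIdentifier>
      <xacml:Attribute AttributeName="SignedBy" AttributeFamily="j2se:Policy"
                       Issuer="j2se:com.sun.labs.isrg.ClassLoader"
                       IssueInstant="2002-05-28T00:00:00Z">
        <xacml:AttributeValue>cn=J2SESigner,ou=JavaSoft,o=Sun,c=US</xacml:AttributeValue>
        <xacml:AttributeValue>cn=SunSigner,o=Sun,c=US</xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:SimplePrincipal>
  </xacml:ContextPrincipals>
  <xacml:ContextResource>
    <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
  </xacml:ContextResource>
  <xacml:ContextAction>
    <xacml:Action>read</xacml:Action>
  </xacml:ContextAction>
</xacml:RequestContext>
"""

# Rules 9 and 10 from the proposal. subject_path is relative to
# ContextPrincipals; predicates use single quotes so the same text could
# sit inside a double-quoted XML attribute.
RULES = [
    {"ruleId": "sunlabs:rule9", "effect": "Permit",
     "subject_path": "xacml:SimplePrincipal[@PrincipalType='j2se:RequestingUser']"
                     "/xacml:NameIdentifier[@Format='ietf:RFC822Name']",
     "subject_value": "Zoe@Sun.COM",
     "resource_pattern": "file:/net/saguaro/home/zoe/*", "action": "read"},
    {"ruleId": "sunlabs:rule10", "effect": "Permit",
     "subject_path": "xacml:SimplePrincipal[@PrincipalType='j2se:CodeSource']"
                     "/xacml:Attribute[@AttributeName='SignedBy'][@AttributeFamily='j2se:Policy']"
                     "/xacml:AttributeValue",
     "subject_value": "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US",
     "resource_pattern": "file:/net/saguaro/home/zoe/*", "action": "read"},
]


def _texts(root, path):
    """Stripped text content of every element the relative path selects."""
    return [(e.text or "").strip() for e in root.findall(path, NS)]


def rule_matches(rule, ctx):
    """True when the rule's subject, resource and action targets all match."""
    principals = ctx.find("xacml:ContextPrincipals", NS)
    resource = ctx.find("xacml:ContextResource", NS)
    action = ctx.find("xacml:ContextAction", NS)
    if principals is None or resource is None or action is None:
        return False
    subject_ok = rule["subject_value"] in _texts(principals, rule["subject_path"])
    uris = [e.get("ResourceURI", "") for e in resource.findall("xacml:ResourceSpecifier", NS)]
    resource_ok = any(fnmatch.fnmatchcase(u, rule["resource_pattern"]) for u in uris)
    action_ok = rule["action"] in _texts(action, "xacml:Action")
    return subject_ok and resource_ok and action_ok


def evaluate(context_xml, rules=RULES):
    """Permit-overrides: Permit if any matching rule permits, else NotApplicable."""
    ctx = ET.fromstring(context_xml)  # rejects malformed XML, e.g. nested double quotes
    matched = [r for r in rules if rule_matches(r, ctx)]
    decision = "Permit" if any(r["effect"] == "Permit" for r in matched) else "NotApplicable"
    return decision, [r["ruleId"] for r in matched]


if __name__ == "__main__":
    print(evaluate(REQUEST_CONTEXT))
    # Same request with the code signed by someone other than J2SESigner.
    print(evaluate(REQUEST_CONTEXT.replace(
        "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US", "cn=Other,o=Sun,c=US")))
```

The first call permits through rule 10 alone (Anne is not Zoe, but the code carries the J2SESigner signature); swapping the signer out yields NotApplicable, since with both rules failing no rule permits. Note that the NameIdentifier values are compared as plain strings: a production PDP would normalise the RFC 822 name and X.500 DN before comparison, which the proposal's Format attribute makes possible.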

