Subject: WSPL-Eval Overview for TC Meeting 3 Apr 2003
Colleagues,

Attached is an informal overview of my proposal for obtaining sets of Attribute values that will satisfy an XACML Policy or PolicySet. This Overview is not particularly high-level, but it does provide examples that may be helpful in coming to an understanding of the approach. At tomorrow's TC meeting I will use these examples to illustrate my proposal.

Anne Anderson

--
Anne H. Anderson                    Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311         Tel: 781/442-0928
Burlington, MA 01803-0902 USA       Fax: 781/442-1692

Title: WSPL-Eval Overview
Special terms are in bold font. The first time a special term is used, it is also italicized and defined.
WSPL-Eval describes these new rules as a series of policy evaluation steps, described below.
    <Policy RuleCombiningAlgId="urn:...:deny-overrides">
      <Target>
        <Any/>
      </Target>
      <Rule RuleId="1" Effect="Permit">
        <Target>
          <Subjects>
            <Subject> subject-id = "Anne H. Anderson" </Subject>
            <Subject> role = "Owner" </Subject>
          </Subjects>
          <Resources>
            <Resource>
              resource-id = "Anne's Web Server"
              protocol = "http"
            </Resource>
          </Resources>
          <Actions>
            <AnyAction/>
          </Actions>
        </Target>
      </Rule>
      <Rule RuleId="2" Effect="Permit">
        <Target>
          <Subjects>
            <Subject> subject-id = "aa74233" </Subject>
          </Subjects>
          <Resources>
            <Resource> resource-id = "Sun Travel Reservations Server" </Resource>
          </Resources>
          <Actions>
            <Action>
              action-id = "reserve"
              seat-type = "window"
            </Action>
            <Action>
              action-id = "reserve"
              seat-type = "aisle"
            </Action>
          </Actions>
        </Target>
      </Rule>
      <Rule RuleId="3" Effect="Deny">
        <Target>
          <Subjects>
            <AnySubject/>
          </Subjects>
          <Resources>
            <Resource> resource-id = "She Who Must Be Obeyed" </Resource>
          </Resources>
          <Actions>
            <Action> action-id = "Refuse" </Action>
          </Actions>
        </Target>
      </Rule>
      <Rule RuleId="4" Effect="Permit">
        <Target>
          <Subjects>
            <Subject> subject-id = "Anne Anderson" </Subject>
          </Subjects>
          <Resources>
            <AnyResource/>
          </Resources>
          <Actions>
            <AnyAction/>
          </Actions>
        </Target>
        <Condition FunctionId="not">
          <Apply FunctionId="any-of-any">
            <ResourceAttributeDesignator AttributeId="resource-id"/>
            <Apply FunctionId="string-bag">
              <AttributeValue>Anne's Web Server</AttributeValue>
              <AttributeValue>Sun Travel Reservations Server</AttributeValue>
            </Apply>
          </Apply>
        </Condition>
      </Rule>
    </Policy>
This step needs to be performed only when the Outgoing Policy changes; it does NOT need to be done each time an outgoing message is generated.
The example policy can be expressed as a Boolean expression as follows:
    AND(
      OR(
        # Rule 1
        AND(
          OR( subject-id = "Anne H. Anderson",
              role = "Owner"),
          resource-id = "Anne's Web Server",
          protocol = "http"),
        # Rule 2
        AND(
          subject-id = "aa74233",
          resource-id = "Sun Travel Reservations Server",
          OR(
            AND( action-id = "reserve",
                 seat-type = "window"),
            AND( action-id = "reserve",
                 seat-type = "aisle"))),
        # Rule 4
        AND(
          subject-id = "Anne Anderson",
          NOT( any-of-any( resource-id,
                           BAG( "Anne's Web Server",
                                "Sun Travel Reservations Server"))))),
      # Rule 3
      NOT(
        AND( resource-id = "She Who Must Be Obeyed",
             action-id = "Refuse")))
This step also needs to be done only when the Outgoing Policy changes; it does NOT need to be done each time an outgoing message is generated.
By applying the standard algorithm (manually, so I probably made some mistakes) to the policy above, we get:
    OR(
      AND( subject-id = "Anne H. Anderson",
           resource-id = "Anne's Web Server",
           protocol = "http"),
      AND( role = "Owner",
           resource-id = "Anne's Web Server",
           protocol = "http"),
      AND( subject-id = "aa74233",
           resource-id = "Sun Travel Reservations Server",
           action-id = "reserve",
           seat-type = "window"),
      AND( subject-id = "aa74233",
           resource-id = "Sun Travel Reservations Server",
           action-id = "reserve",
           seat-type = "aisle"),
      AND( subject-id = "Anne Anderson",
           resource-id != "Anne's Web Server",
           resource-id != "Sun Travel Reservations Server",
           resource-id != "She Who Must Be Obeyed",
           action-id != "Refuse"),
      AND( subject-id != "She Who Must Be Obeyed",
           resource-id != "Refuse"))
Each of the AND clauses above specifies an acceptable set of Attributes! And they are ordered by the policy writer's preferences.
WSPL-Eval refers to the collection of Attributes specified by an AND clause above as a Satisfying Set for the Outgoing Policy.
It is not necessary to do these optimizations, but since they can be done ahead of time, it will save time when a particular piece of outgoing traffic must be generated.
    - Set contains subject-id = "Anne Anderson" and subject-id != "Anne Anderson"
    - Set contains attributeA > 5 and attributeA < 5
    - Set contains subject-id = "Anne Anderson" and subject-id = "Homer Simpson" (unless it is known that a single initiator could have two different identities).
For example, if a Satisfying Set contains:

    Attribute A > 5
    Attribute A > 10

that can be simplified to:

    Attribute A > 10
{ "Anne Anderson", "Anne H. Anderson", "aa74233" }
then eliminate Sets that contain other subject-id values.
Certain attribute values for a bit of outgoing traffic are pre-determined. For example, the traffic presumably has a known resource (destination, target) and certain attributes of the action may be known. These pre-determined attribute values are used to select from the collection of Satisfying Sets.
Evaluate each Satisfying Set in turn, supplying the pre-determined Attribute values and any other Attribute values that can be retrieved. Eliminate Sets where the known Attribute values make one of the predicates FALSE until a Set is found that is not necessarily FALSE. This Set is the preferred Satisfying Set for this piece of outgoing traffic.
For example, say I want to reserve a flight via the Sun Travel Reservation Server. This pre-determines the value
resource-id = "Sun Travel Reservations Server"
I evaluate the Satisfying Sets in turn.
    AND( subject-id = "Anne H. Anderson", resource-id = "Anne's Web Server", protocol = "http")
    AND( role = "Owner", resource-id = "Anne's Web Server", protocol = "http")
are eliminated, since the resource-id makes that predicate necessarily FALSE.
But,
AND( subject-id = "aa74233", resource-id = "Sun Travel Reservations Server", action-id = "reserve", seat-type = "window")
is not necessarily FALSE, since the predicates for which Attribute values are known evaluate to TRUE. This is my preferred Satisfying Set for this particular piece of outgoing traffic.
There is a second Satisfying Set for this piece of outgoing traffic. I do not need to evaluate past the first one unless I discover that my first Set will not work for some reason.
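The two mechanical steps above, DNF conversion into Satisfying Sets (with contradiction elimination) and selection by pre-determined Attribute values, as an added example that is not the WSPL-Eval author's code. It encodes Rules 1 to 3 of the example policy (Rule 4's any-of-any is omitted) in a constructed tuple representation; the sets it produces come from a plain cross-product DNF rather than the hand-derived list above.

```python
# Added example, not the WSPL-Eval author's code. Predicate: ("=" | "!=", attr, value); nodes: ("AND", [..]), ("OR", [..]), ("NOT", x).
def negate(expr):
    """Push NOT inward (De Morgan) so that only predicates carry a negation."""
    kind = expr[0]
    if kind == "AND": return ("OR", [negate(e) for e in expr[1]])
    if kind == "OR": return ("AND", [negate(e) for e in expr[1]])
    if kind == "NOT": return expr[1]
    return ("!=" if kind == "=" else "=", expr[1], expr[2])

def dnf(expr):
    """Disjunctive normal form: a list of predicate lists, ordered as the policy is written."""
    kind = expr[0]
    if kind in ("=", "!="): return [[expr]]
    if kind == "NOT": return dnf(negate(expr[1]))
    if kind == "OR": return [s for child in expr[1] for s in dnf(child)]
    sets = [[]]  # AND: cross product of the children's disjuncts
    for child in expr[1]:
        sets = [a + b for a in sets for b in dnf(child)]
    return sets

def consistent(sat):
    """Reject x = v with x != v, or two different = values for one attribute (single identity assumed)."""
    eq = {}
    for op, attr, val in sat:
        if op == "=" and (eq.setdefault(attr, val) != val or ("!=", attr, val) in sat):
            return False
    return True

def satisfying_sets(policy):
    """DNF, then drop duplicate predicates and contradictory Sets, keeping policy order."""
    return [s for s in (list(dict.fromkeys(s)) for s in dnf(policy)) if consistent(s)]

def select(sets, known):
    """First Set that no known Attribute value makes necessarily FALSE, else None."""
    for sat in sets:
        if all(a not in known or (known[a] == v) == (op == "=") for op, a, v in sat):
            return sat
    return None

P = lambda attr, val: ("=", attr, val)  # Rules 1-3 of the example policy, Rule 4 omitted
RULE1 = ("AND", [("OR", [P("subject-id", "Anne H. Anderson"), P("role", "Owner")]),
                 P("resource-id", "Anne's Web Server"), P("protocol", "http")])
RULE2 = ("AND", [P("subject-id", "aa74233"), P("resource-id", "Sun Travel Reservations Server"),
                 ("OR", [("AND", [P("action-id", "reserve"), P("seat-type", "window")]),
                         ("AND", [P("action-id", "reserve"), P("seat-type", "aisle")])])])
RULE3 = ("AND", [P("resource-id", "She Who Must Be Obeyed"), P("action-id", "Refuse")])
POLICY = ("AND", [("OR", [RULE1, RULE2]), ("NOT", RULE3)])  # deny-overrides: Permit AND NOT Deny
SETS = satisfying_sets(POLICY)
PREFERRED = select(SETS, {"resource-id": "Sun Travel Reservations Server"})
```

With only the resource-id known, PREFERRED is the window-seat Set, since the two Anne's Web Server Sets are necessarily FALSE and the remaining predicates are still open.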
Additional Policies merely constrain the initial Satisfying Sets further; they can never add new Satisfying Sets. Therefore, in order to determine whether a given Satisfying Set also satisfies another Policy, it is sufficient to evaluate the other Policy using the rules in XACML Version 1.0 [4], supplying the Attribute values in the Satisfying Set along with any other Attribute values that may be called for. If these values do not result in a "Permit" decision, then the next most preferred Satisfying Set should be tested. Continue until a Satisfying Set (plus additional Attribute values) results in a "Permit" decision. This will be the originator's most-preferred Satisfying Set that also satisfies the additional Policy. If no Satisfying Set also satisfies the additional Policy, then there is no mutually acceptable set of values that satisfies both Policies.
WSPL-Eval handles these situations by having the intermediary first construct its own Satisfying Sets from its own Outgoing Policy. These Sets are then evaluated against the originator's Outgoing Policy until a Set that satisfies both is determined. The originator may send along a copy of its Outgoing Policy, possibly in the form of the collection of Satisfying Sets that apply to this traffic.
[2] A. Anderson, "Evaluating XACML as a Policy Language", Working Draft 03, 24 March 2003, http://lists.oasis-open.org/archives/xacml/200303/msg00057.html.
[3] "Solaris WBEM SDK Developer's Guide", Class "QueryExp", method "canonizeDOC" (sic), http://wbemservices.sourceforge.net/WBEMSDKDG_html/p25.html.
[4] T. Moses, et al., "OASIS eXtensible Access Control Markup Language (XACML) Version 1.0", OASIS Standard, 18 February 2003, http://www.oasis-open.org/committees/xacml/repository/oasis-xacml-1.0.pdf.
[5] T. Moses, "Web-services policy language use-cases and requirements", Working Draft 03, 21 March 2003, http://www.oasis-open.org/committees/download.php/1378/wd-xacml-wspl-use-cases-03.pdf.