Subject: [xacml] instance of "second proposal for hierarchical resources"
Bill Parducci asked about how to deal with links. I checked for how java.io.FilePermission handles them, and it just checks to be sure the "pattern" path is a prefix of the requested path - i.e. it is doing a syntactic check only and is never actually checking the file system. So links are treated just like regular files and directories - java.io.FilePermission never even knows whether the requested path exists - it just knows that it matches the syntactic pattern for this type of hierarchy.

I think this makes sense. The PDP may not even have access to the hierarchical resource for which it is evaluating policy, and thus may not be able to check for the file type. The XACML Policy won't override any permissions that the file system itself may impose when the file is actually accessed. Some day, perhaps some Unix File Systems will use XACML rather than ACLs to specify their permissions. In that case, the Policy would be definitive, but for now the XACML Policy is imposed in addition to permissions imposed by the file system itself.

I'll wait a bit for more comments, and then re-write the proposal to treat the match as a syntactic match of file and directory names rather than a subset match of actual files and directories.

Anne

------- start of forwarded message -------
From: Anne Anderson <Anne.Anderson@sun.com>
To: XACML TC <xacml@lists.oasis-open.org>
Subject: [xacml] instance of "second proposal for hierarchical resources"
Date: Thu, 15 May 2003 13:15:23 -0400

HIERARCHICAL RESOURCE: UFS

Following are three proposed additions - one new DataType and two new functions - for XACML 1.1 for stating policies where the resource is a Unix File System (UFS) file, directory, or directory subtree. An example of a policy using this DataType and one of the new functions is at the bottom.

1. DataType: urn:oasis:names:tc:xacml:1.0:data-type:ufs-path

   Description: attribute values having this DataType represent a set of Unix File System (UFS) files and directories.
   This DataType derives from "xs:anyType" and is a primitive type. The string representation of this type is a URL with scheme "file" as specified in IETF RFC 1738, plus some additions stated later. A file URL takes the form:

       file://<host>/<path>

   where <host> is the fully qualified domain name of the system on which the <path> is accessible, and <path> is a hierarchical directory path of the form <directory>/<directory>/.../<name>. As a special case, <host> can be the string "localhost" or the empty string; this is interpreted as `the machine from which the URL is being interpreted'.

   The URL <path> syntax is interpreted strictly. Each <directory> and <name> SHALL be an actual directory or file name. The following are NOT supported in a ufs-path value: ".." meaning parent directory, "." meaning current directory, "//", or <path> terminating with the character "/".

   An attribute value of this DataType is treated as a set. When the attribute value follows the syntax above, the set contains exactly one element: the file or directory specified by <path> on the system specified by <host>.

   In addition to the standard file URL syntax above, this DataType supports the following extended syntax:

   - A <path> followed by "/**" represents the set of all subdirectories and files under the directory indicated by <path>.
   - A <path> followed by "/*" represents the set of all directories and files that are immediate children of the directory indicated by <path>.
   - A <path> followed by "/++" represents the set of all subdirectories and files under and including the directory indicated by <path>.
   - A <path> followed by "/+" represents a set including the directory indicated by <path> and all directories and files that are immediate children of the directory indicated by <path>.
2. FunctionId: urn:oasis:names:tc:xacml:1.0:function:ufs-path-equal

   Description: Used to specify an exact match between two instances of the DataType "urn:oasis:names:tc:xacml:1.0:data-type:ufs-path". This function SHALL take two arguments of type "urn:oasis:names:tc:xacml:1.0:data-type:ufs-path" and SHALL return a value of type "http://www.w3.org/2001/XMLSchema#boolean". The expression SHALL evaluate to "True" if the set of directories and files specified by the first argument is exactly equal to the set of directories and files specified by the second argument. Otherwise, the expression SHALL evaluate to "False".

3. FunctionId: urn:oasis:names:tc:xacml:1.0:function:ufs-path-superset

   Description: Used to test whether the first argument is a set of files and directories that includes the files and directories specified in the second argument. This function SHALL take two arguments of type "urn:oasis:names:tc:xacml:1.0:data-type:ufs-path" and SHALL return a value of type "http://www.w3.org/2001/XMLSchema#boolean". The expression SHALL evaluate to "True" if the set of directories and files specified by the first argument contains the set of directories and files specified by the second argument.

EXAMPLE

Note that action matches for resources of this DataType have no special semantics: they apply to exactly the set of directories and files specified by the resource. There is no attempt to match the semantics of UNIX ACLs. For example, there is no requirement that a policy granting "read" access to a particular set of files and directories must also grant "search" access to all directories above this set in the file hierarchy. There is also no implied "search" access granted to all directories above a file or directory to which "read" access has been granted.

Example Policy in English: Anne has read, write, and execute/search permission for all files and subdirectories in her home directory subtree.
Corresponding Rule in XACML (the ResourceMatch start tag below was missing its closing ">" as posted; it is corrected here):

    <Rule RuleId="Permissions on Anne's home directory" Effect="Permit">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="string-equal">
              <AttributeValue DataType="string">Anne</AttributeValue>
              <SubjectAttributeDesignator AttributeId="subject-id" DataType="string"/>
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="ufs-path-superset">
              <AttributeValue DataType="ufs-path">file://sydney.east.sun.com/home/aa74233/++</AttributeValue>
              <ResourceAttributeDesignator AttributeId="resource-id" DataType="ufs-path"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="string-equal">
              <AttributeValue DataType="string">read</AttributeValue>
              <ActionAttributeDesignator AttributeId="action-id" DataType="string"/>
            </ActionMatch>
            <ActionMatch MatchId="string-equal">
              <AttributeValue DataType="string">write</AttributeValue>
              <ActionAttributeDesignator AttributeId="action-id" DataType="string"/>
            </ActionMatch>
            <ActionMatch MatchId="string-equal">
              <AttributeValue DataType="string">execute</AttributeValue>
              <ActionAttributeDesignator AttributeId="action-id" DataType="string"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
------- end of forwarded message -------

--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
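The following is an added example, not code from the proposal or from any XACML implementation: it models the ufs-path DataType and both functions as the purely syntactic name match (java.io.FilePermission style, no file-system lookup) that the reply above says the proposal will be revised to adopt. The function names, the (host, components, min_depth, max_depth) representation and the sample URLs are my own assumptions.

```python
import math

# Hypothetical helper code, not part of the proposal: models the ufs-path DataType and
# the two functions as a purely syntactic name match (no file-system access), the
# semantics the reply above says the proposal will be rewritten to use. Each value
# is normalised to (host, path components, min_depth, max_depth); the depth range says
# how many components below <path> a member of the set may have.
SUFFIXES = {  # longer suffixes first so "/**" is not read as "/*" plus a literal "*"
    "/**": (1, math.inf),  # all subdirectories and files under <path>
    "/++": (0, math.inf),  # the same, plus <path> itself
    "/*": (1, 1),          # immediate children only
    "/+": (0, 1),          # <path> and its immediate children
}
FORBIDDEN = {"", ".", ".."}  # an empty component means "//" or a trailing "/"

def parse_ufs_path(value):
    """Parse a file URL (RFC 1738 plus the /*, /**, /+ and /++ extensions)."""
    if not value.startswith("file://"):
        raise ValueError("ufs-path must be a file URL: %r" % value)
    host, sep, path = value[len("file://"):].partition("/")
    if not sep:
        raise ValueError("missing <path> in %r" % value)
    host = host.lower() or "localhost"  # empty <host> means the local machine
    min_depth, max_depth = 0, 0         # plain URL: exactly one file or directory
    for suffix, depths in SUFFIXES.items():
        if path.endswith(suffix):
            path, (min_depth, max_depth) = path[:-len(suffix)], depths
            break
    components = tuple(path.split("/"))
    if any(c in FORBIDDEN for c in components):
        raise ValueError("unsupported path syntax in %r" % value)
    return host, components, min_depth, max_depth

def ufs_path_superset(first, second):
    """True iff every member of the set named by `second` is in the set named by `first`."""
    host_a, comps_a, lo_a, hi_a = parse_ufs_path(first)
    host_b, comps_b, lo_b, hi_b = parse_ufs_path(second)
    if host_a != host_b or comps_b[:len(comps_a)] != comps_a:
        return False  # different host, or second's <path> does not lie under first's
    offset = len(comps_b) - len(comps_a)  # how far below first's <path> second's sits
    return lo_a <= offset + lo_b and offset + hi_b <= hi_a

def ufs_path_equal(first, second):
    """True iff both values denote exactly the same set of files and directories."""
    return parse_ufs_path(first) == parse_ufs_path(second)
```

Because the check is syntactic, a symbolic link inside the subtree matches or not purely by the name it is accessed through, exactly as the reply describes for java.io.FilePermission.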