OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: WI#9 Proposal: policies referring to hierarchical resources

Contents
========
Problem statement
Schema for describing hierarchies
DataType for describing nodepaths
Functions for operating on hierarchies
Issues

Problem statement
=================

XACML 2.0 Work Item #9 addresses the problem of a policy writer
who wants to control access to elements in a hierarchical
resource.  The writer does not want to have to specify access
conditions on each element in the resource individually.  For
example, the writer wants to say:

  grant read access to any element in the hierarchy below
  /a/b/c"

and not

  grant read access to /a/b/c/d
  grant read access to /a/b/c/e
  grant read access to /a/b/c/d/f
  ....

Schema for describing hierarchies
=================================

Whenever a policy writer uses any of the special functions for
matching hierarchical resources, the Request Context MUST
(notionally) contain a "urn:oasis:names:tc:xacml:1.0:recource:resource-content"
Attribute that contains a Hierarchy element instance.  The schema
for describing a Hierarchy element follows.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:oasis:names:tc:xacml:2.0:hierarchy-schema" xmlns:xs="http://www.w3.org/2001/XMLSchema";; xmlns:hs="urn:oasis:names:tc:xacml:2.0:hierarchy-schema" elementFormDefault="qualified" attributeFormDefault="unqualified">
  <!-- -->
  <xs:element name="Hierarchy" type="hs:HierarchyType"/>
  <xs:complexType name="HierarchyType">
    <xs:sequence>
      <xs:element ref="hs:Node" minOccurs="0" maxOccurs="unlimited"/>
      <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unlimited"/>
    </xs:sequence>
    <xs:attribute name="Root" type="xs:anyURI"/>
  </xs:complexType>
  <!--  -->
  <xs:element name="Node" type="hs:NodeType"/>
  <xs:complexType name="NodeType">
    <xs:sequence>
      <xs:element ref="hs:Node" minOccurs="0" maxOccurs="unlimited"/>
      <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unlimited"/>
    </xs:sequence>
    <xs:attribute name="NodeName" type="xs:string"/>
  </xs:complexType>
</xs:schema>

The RootName and NodeName attribute values MUST not contain a "/"
character unless it is escaped using "\/".  If a RootName or
NodeName attribute contains a "\" character, then that character
MUST be escaped using "\\".

Alternatives considered:
a. NetBeans Filesystem DTD
     http://www.netbeans.org/dtds/filesystem-1_0.dtd
     http://openide.netbeans.org/nonav/fs/Library.html
   X Has no query syntax associated
b. XML schema in which each node in the hierarchy is an element
   A Requires a new schema to be constructed for each hierarchy
     instance
c. WS-ResourceDescriptionFramework
   X Does not help handle recursive hierarchies
     (e.g. root/container/container/container; it handles
     hierarchies in which each element is a unique name, although
     multiple elements may share sub-components).  Also, it is so
     rich that an XACML profile would strip out almost everything
     in the schema.

DataType for describing nodepaths
=================================

DataType="urn:oasis:names:tc:xacml:2.0:data-type:nodepath"

  A "nodepath" is a string representing the path from the root of
  a Hierarchy instance to a particular Node in the Hierarchy
  instance.  A nodepath is constructed by concatenating the value
  of the Hierarchy "RootName" attribute with the value of each
  "Node" element's "NodeName" attribute along the path leading to
  the node being specified.  RootName and NodeNames are separated
  from each other using the "/" character.

Alternatives considered:
a. XPath
   X Operates on paths of node tags, not on paths of node values,
     so would require creations of a separate schema for each new
     hierarchy instance.

Functions for operating on hierarchies
======================================

All return "Indeterminate" if arg2 is not a valid nodepath in the
resource-content Attribute.
   
- Match any descendant of a given node

  Function name: descendant-match
  Arguments:  1. nodepath to be tested against descendants of arg2
              2. nodepath at root of the subtree in the
                 resource-content Attribute
  Returns:    Boolean: True if arg1 string-equals the nodepath of
              any descendant of arg2 in the resource-content
              Attribute

  Function name: descendant-or-self-match
  Arguments:  1. nodepath to be tested against descendants of arg2
              2. nodepath at root of the subtree in the
                 resource-content Attribute
  Returns:    Boolean: True if arg1 string-equals arg2 or the
              nodepath of any descendant of arg2 in the
              resource-content Attribute

- Match any ancestor of a given node

  Function name: ancestor-match
  Arguments:  1. nodepath to be tested against ancestors of arg2
              2. nodepath in the resource-content Attribute
  Returns:    Boolean: True if arg1 string-equals the nodepath of
              any ancestor of arg2 in the resource-content
              Attribute

  Function name: ancestor-or-self-match
  Arguments:  1. nodepath to be tested against ancestors of arg2
              2. nodepath in the resource-content Attribute
  Returns:    Boolean: True if arg1 string-equals arg2 or the
              nodepath of any ancestor of arg2 in the
              resource-content Attribute


- Match any specific node

  Function name: node-match
  Arguments:  1. nodepath to be tested against arg2
              2. nodepath in the resource-content Attribute
  Returns:    Boolean: True if arg1 string-equals arg2

- Match attributes of a given node

  Function name: node-attribute-match
  Arguments:  1. Attribute or AttributeDesignator
              2. nodepath in the resource-content Attribute
  Returns:    Boolean: True if arg1 type-equals an Attribute of
              arg2 in the resource-content Attribute

  * This can be used to test that arg 2 has an "owner" Attribute
    that matches a specified value.

- Match attributes of ancestors of a given node

  Function name: ancestor-attribute-match
  Arguments:  1. Attribute or AttributeDesignator
              2. nodepath in the resource-content Attribute
  Returns:    Boolean: True if arg1 type-equals an Attribute of
              each ancestor of arg2 in the resource-content
              Attribute

  * This can be used to test that arg 2 has a "can execute"
     Attribute that matches the value of the Attribute in Arg1

Issues
======

1. This does not directly address the issue of expressing "in
order to read node x, the subject must have execute rights to
every ancestor of x."  I think this can be addressed in XACML
using "deny" rules as described in my previous e-mail.

2. I'm not sure the "ancestor-attribute-match" function buys us
much.  For example, it requires a notional "can-execute"
Attribute on each ancestor that contains explicit Subject
identities in order to be use this to solve the problem in
Issue#1.

3. Can we possibly be the first group to run up against this
problem?  Why aren't there suitable XML schemas and functions
already available in some other standard?  I have Google'd and
asked, but have not found anything so far.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]