OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: AW: [xacml] RE: XACML's limitations in the access control for XML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition

HI Paul,
see comments inline and the edited attached files.
Best Regards

Von: Tyson, Paul H [mailto:PTyson@bellhelicopter.textron.com] 
Gesendet: Donnerstag, 24. September 2009 21:01
An: Jan Herrmann; Erik Rissanen; Rich.Levinson
Cc: xacml@lists.oasis-open.org
Betreff: [xacml] RE: XACML's limitations in the access control for XML
documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpath

>1. Given this use case, are we agreed that we want to get book-response
>when we send book-request?  (Please correct any content errors in these
>documents--I have not been using Content and xpath features of XACML.)

Yes, a book-request implies a book-response. In our use case we have xml
based Web Service requests and response. Thus you have two options when to
enforce your access rights - either on the web service request or on the
response. Lets follow the later case (i.e post-processing access control) in
the following.

>2. Do we agree that current XACML 3.0 drafts (core, hier, multi) do not
>provide features to achieve (1)?

Depending on how much expressiveness you need, some large parts can already
be done with the specs. In order to enhance expressiveness little extensions
are needed.
>  If anyone has such a solution, please post.  Jan's "Approach 2" uses
>xpath predicate, based on simplicity of this example, but that is not a
>general solution.

I attached a doc showing another example in another geospatial scenario
(c.p. Apendix A). Note that the approach 2 was just for explanation purposes
(demonstrating the probs) and is not what I recommend to do.
>3. book-policy.xml illustrates the xpath "offset" feature that has been
>discussed [1] as a solution. (Again, please correct any errors.)
>4. Where do the specs define the return value for an
>xpathExpression resource-id?  In my example, I have:
>    Request: resource-id=ns1:objects/ns1:book

Following the multiple and hierarchical resource profile, there is a first
global decision request with an resource-id and scope pair. Both together
describe a set of nodes.

The resource-id value you proposed can only be a value in a GLOBAL decision
request. In an individual decision request (that is derived automatically by
the PDP following the guidelines in the mult. & hier. resource profile) the
resource-id value must refer to exactly one node. This must be one node that
was originally specified by the resource-id and scope value of the global
decision request. Thus example values of the individual resource-id values
in the different decision requests are e.g.:
derived decision request one:
derived decision request two:

if you go down the book trees depends on the chosen scope value. e.g. in
case of dependants you would do that.

>    Response: resource-id=ns1:objects/ns1:book[1], ns1:objects/ns1:book[2]

if your decision requests asks for multiple responses (one for each node)
than you get back n individual decision responses. The resource-id values
will therefore also be:
resource-id in decision response 1:	resource-id =ns1:objects/ns1:book[1]
resource-id in decision response 2:	resource-id =ns1:objects/ns1:book[2]
>Many other trivial, but equivalent, variations could have been returned. 
>But I only guessed at these from an example Erik gave, not from anything I
>read in the specs.  I would expect to find it in multi section 2.2.

The question here is if it is sufficient to say that the resource-id value
of an individual request has to match exactly one node (as the spec
currently says) or whether it makes sense to specify a certain form.
Depending on how you write the Target Match part a certain form may be

If you match like this you are free to define the exact syntax of your
resource-id values.
In the Rule Target:
xpath-node-equal(resource-id, /objects/book)

If you match like this a certain form must be defined in order to ensure
In the Rule Target:
reg-exp-string-match(resource-id, /objects\[\d+\]/book\[\d+\])

Note that these are two equivalent options and whether option 1 is better
than option 2 still needs to be discussed. Performance might be an issue in
case 1 and favour option 2. On the other side option 2 has to deal
explicitly with the namespace prefix prob.

Attached I edited your examples in the way how I would do it. Note that I
was in a rush so I hope I got them mostly right.

Best regards 

[1] http://lists.oasis-open.org/archives/xacml/200909/msg00023.html

From: Jan Herrmann [mailto:herrmanj@in.tum.de] 
Sent: Thursday, September 24, 2009 07:00
To: Tyson, Paul H; 'Erik Rissanen'; 'Rich.Levinson'
Cc: xacml@lists.oasis-open.org
Subject: XACML's limitations in the access control for XML documents use
case - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition
Hi Paul, all 

in the following I try to explain some limitations of the current version of
the multiple and hierarchical resource profile and the core-spec in the
xml-resource use case. Then through an example I will show how the proposed
extensions could enhance the capabilities and expressiveness significantly.

- you are trying to control access to xml resources on a fine-grained level
- contend dependant rules should be supported. i.e. it must be possible to
express access rights for a node that are dependant on the value of other
- filtering should be supported. I.e. in case access to one (or some)
node(s) in the xml resource is denied, it should be possible to filter out
these nodes and return the accessible part of the xml-resource to the user 

Example Scenario:
To simplify the discussion assume the following situation:
You have xml docs looking like this one:
    <book-content>…..</book-content >
    <book-content >…..</book-content >

This resource is included in a global decision request which looks like
            <content>…the xml resource </content>

Further assume you try to define a rule, that denies access to book nodes,
if the book’s price is higher than 50$ and the author OF THIS BOOK is the
requesting subject.

A first try to define the needed rule could look like this:
Approach 1:
<Rule effect=Deny>
…Any-Of(less-than, 50, AttributeSelector(/objects/book/price/text()) ) AND
Any-Of(string-equals, string-one-and-only(AttributeDesignator(subject-id)),
AttributeSelector(/objects/book/author/text()) )

Unfortunately this rule doesn’t implement the intended behaviour. 

Prob 1: filtering is not possible
The XACML decision request & response refers to the XML resource as a whole.
What you actually need to allow filtering are access decision request and
responses for each individual node.

Prob 2: The use of two and-ed Any-Of expressions destroys the semantical
relationships between the nodes
If e.g. Bob is the requesting subject, than the rule will match and deny
access although Bob should be allowed to access the first and second book

Note that this problem could be solved, if you would allow the following
type of xpath expression in the AttributeSelector:
Approach 2:
AND author/text() = AttributeDesignator(subject-id)])), 0).
This is not possible as XACML constructs like the AttributeDesignator can’t
be used inside the XPATH predicate. 

Another approach that is XPath conformant could therefore be:
Approach 3:
<Rule effect=Deny>
…Any-Of(string-equals, string-one-and-only(AttributeDesignator(subject-id)),
AttributeSelector(/objects/book[ price/text() > 50]/author/text()) )

This rule should implement the intended access semantics but still has its
1. The problem was solved through a mix of XACML constructs and XPath
predicates. To overcome the limitations parts of the XACML constructs were
shifted into the XPath predicate. Note that this worked in the example, as a
less-than or higher-than function is allowed in XPath predicates.
Unfortunately this means that XACML’s functions are not eXtensible below the
functions supported by XPath.
E.g. in the OGC GeoXACML use case we have added functions like within,
touches, disjoint and so on. As these functions are not supported by XPath
they can only be used in the extened form of XACML and this introduces
strong limitations in the expressiveness.
2. Assume you want to change the intended rule semantics to:
deny access to a book node, if the book’s price is higher than an XACML
Attribute A and the author OF THIS BOOK is the requesting subject
This will prevent you from shifting the semantics into the XPath predicate
and thus will cause limited expressiveness.

From my understanding using the xpath-match functions doesn’t help solving
the problems mentioned above.
Filtering will still not be possible and the problem that pointers to XACML
decision request data are not allowed inside an XPath predicate and the
problem that only predicates supported by XPath can be used still apply.

The good news is that with very little changes to the profiles the problems
above can be solved.

A solution could look like this:

1. A PDP receives a global decision request with
    <content>… the xml resource </content>

    The resource-id and scope Attribute specifies a set of nodes that are
the individual resources for which the access rights have to be checked.

2. Based on this global decision request the PDP generates individual
decision requests. – one for each individual node.
    Thus the PDP generates the following decision requests:
            <content>…the xml resource </content>
            <content>…the xml resource </content>
            <content>…the xml resource </content>
            <content>…the xml resource </content>
            <content>…the xml resource </content>

            <content>…the xml resource 

3. Having these decision requests allows you to define very powerful rule
semantics and filtering is supported too.
    e.g. the rule in the example above would look like this
    <Rule effect=Deny>
                        AttributeSelector(concat(resource-id, /price/text())
> 50 and 
       AttributeSelector(concat(resource-id, /author/text()) =

Note that all the problems mentioned above are solved. 
Filtering is possible as resource-id always refers to exactly one node in
the xml resource and thus we get individual access decisions for each node
in the xml resource. As resource-id is included in the decision response the
PEP can (e.g. through a simple xslt) filter out the nodes for which the
decision was deny.
Further the problem of defining content dependant rights without reducing
the possible authorization semantics is solved, thanks to an
AttributeSelector that uses a concatenation of the resource-id attribute
value and an arbitrary offset as its RequestContextPath value.

Note that the explanations above are simplified and try to focus the core
aspects of the idea only. I hope that I could nevertheless make clear where
the limitations are and how they could be solved.
Let me know if you have problems understanding the ideas and I will try to
explain in more detail. Further, more detailed information can be found in
the comments I submitted during the public review period.

Best regards 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Request [
<!ENTITY xacml10 "urn:oasis:names:tc:xacml:1.0:">
<!ENTITY xacml20 "urn:oasis:names:tc:xacml:2.0:">
<!ENTITY xacml30 "urn:oasis:names:tc:xacml:3.0:">
<!ENTITY xs "http://www.w3.org/2001/XMLSchema#";>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-07"
  <Attributes Category="&xacml10;subject-category:subject">
    <Attribute AttributeId="&xacml10;subject-id"
      <AttributeValue DataType="&xs;string">Bob</AttributeValue>
  <Attributes Category="&xacml30;attribute-category:resource">
      <objects xmlns="http://example.org";>
	  <book-content>bar</book-content >
	<!-- it is very important to note that this is a global deciosn request and the individual decision requests that will be derived from this one will be equal to this one with two exeptions: 1. scope will be absent. 2. resource-id in each individual decsion request will point to exactly one book element (e.g. ns1:objects/ns1:book[1]) --> 
    <Attribute AttributeId="&xacml10;resource-id"
      <AttributeValue DataType="&xacml30;data-type:xpathExpression">ns1:objects/ns1:book</AttributeValue>
	<Attribute AttributeId="&xacml20;resource:scope"
      <AttributeValue DataType="&xs;string">XPath-expression</AttributeValue>
	<!-- this attribute is actualle not needed -->
    <Attribute AttributeId="&xacml10;resource:xpath"
      <AttributeValue DataType="&xacml30;data-type:xpathExpression">ns1:objects/ns1:book</AttributeValue>
<?xml version="1.0" encoding="UTF-8"?>
<!-- NOTE: This example uses a proposed AttributeSelector/@ResourceContextPath
     attribute to select nodes starting from an XML node on which a 
     decision is requested.  This is not a conformant XACML 3.0 Policy. -->
<!DOCTYPE Policy [
<!ENTITY rule_algorithm10 "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:">
<!ENTITY xacml10 "urn:oasis:names:tc:xacml:1.0:">
<!ENTITY xacml30 "urn:oasis:names:tc:xacml:3.0:">
<!ENTITY xs "http://www.w3.org/2001/XMLSchema#";>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-07" 
	Version="1.0" PolicyId="book-policy"
  <Description>Example book policy</Description>
  <Rule RuleId="deny-expensive-author" Effect="Deny">
			<!-- this is the first way how to do the resource-id match directly below you find the redundant alternative -->
			<Match MatchId="&xacml30;function:xpath-node-match">
			<!-- the redundant alternative -->
			<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
				<!-- note here that it need to be specified how the exact syntax of the individual resource-id values are and where they start -->
				<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string";>/Request[1]/Resource[1]/ResourceContent[1]/wfs:FeatureCollection\[\d+\]/gml:featureMember\[\d+\]$</AttributeValue>
				<ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"; AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
		<Apply FunctionId="&xacml10;function:AND">
			<Match MatchId="&xacml10;function:integer-less-than">
				<AttributeValue	DataType="&xs;integer">50</AttributeValue>
				<!-- integer one and only should be added...-->
				<ExtendedAttributeSelector  DataType="&xs;integer" MustBePresent="false" Category="&xacml30;attribute-category:resource">
						<AttributeDesignator Category="&xacml30;attribute-category:resource" AttributeId="&xacml10;resource:resource-id" 	      DataType="&xacml30;data-type:xpathExpression" MustBePresent="true"/>
						<AttributeValue	DataType="&xs;string">/price/text()</AttributeValue>
			<Function FunctionId="&xacml10;function:string-equal"/>
				<Apply FunctionId="&xacml10;function:string-one-and-only">
					<AttributeDesignator AttributeId="&xacml10;subject-id" DataType="&xs;string" MustBePresent="true" Category="&xacml10;subject-category:access-subject"/>
				<ExtendedAttributeSelector  DataType="&xs;string" MustBePresent="false" Category="&xacml30;attribute-category:resource">
						<AttributeDesignator Category="&xacml30;attribute-category:resource" AttributeId="&xacml10;resource:resource-id" 	      DataType="&xacml30;data-type:xpathExpression" MustBePresent="true"/>
						<AttributeValue	DataType="&xs;string">/author/text()</AttributeValue>
  <Rule RuleId="permit-otherwise" Effect="Permit"/>


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]