2017-03-04 126 views
1

How do I combine these two rules into a single rule in XACML?

(1) Any user can access (read, write, etc.) the resources http://www.example.com/info1 and http://www.example.com/info2

(2) Any read action (read) on either resource may only be performed by users belonging to the admin and manager groups.

What I have done so far is this:

<?xml version="1.0" encoding="UTF-8"?> 
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0"> 
    <Description>Policy 1</Description> 
    <Target /> 
    <!--Punto d.1,2--> 
    <Rule Effect="Permit" RuleId="Rule Permit #1" > 
     <!-- The AllOf blocks inside a single AnyOf are ORed, so this target matches
          resource info1 OR resource info2 OR any request whose action is "read" --> 
     <Target> 
      <AnyOf> 
       <AllOf> 
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info1</AttributeValue> 
         <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" /> 
        </Match> 
       </AllOf> 
       <AllOf> 
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</AttributeValue> 
         <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" /> 
        </Match> 
       </AllOf> 
       <AllOf> 
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> 
         <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" /> 
        </Match> 
       </AllOf> 
      </AnyOf> 
     </Target> 
     <!-- The Condition applies to every request that matched the target above,
          including writes: the subject's "group" bag must contain admin or manager,
          otherwise the rule is NotApplicable and the Deny rule below fires --> 
     <Condition> 
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> 
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue> 
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue> 
       </Apply> 
       <!-- "group" is a subject attribute, so it lives in the access-subject category --> 
       <AttributeDesignator AttributeId="group" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" /> 
      </Apply> 
     </Condition> 
    </Rule> 
    <!-- No target and no condition: applies to everything the Permit rule did not cover --> 
    <Rule Effect="Deny" RuleId="Rule Deny #1" /> 
</Policy> 

How do I make the Condition optional, so that any action (read, write, etc.) by any user that tries to access either of the two URLs is allowed?

And how do I verify, when the access request is a read action, that it is only allowed if the user (subject) belongs to the manager or admin group?

Answer

2

There are several ways to implement your scenario. The simplest is probably to create a structure for your policies. For instance, you could say you have one policy for http://www.example.com/info1 and another for http://www.example.com/info2. Each policy can have rules for read, write, delete... or, if you don't want to specify any action, you can skip it. In your case you want to restrict read to admins and managers.

Using the ALFA syntax, this gives you:

namespace so{ 
    attribute group{ 
     category = subjectCat 
     id = "group" 
     type = string 
    } 
    // Standard XACML attributes e.g. resource-id 
    import Attributes.* 

    policyset resources{ 
     apply firstApplicable 
     policy info1{    
      target clause resourceId == "http://www.example.com/info1" 
      apply firstApplicable 
      rule read{ 
       target clause Attributes.actionId=="read" 
         clause group=="admin" or group=="manager" 
       permit 
      } 
      // Add other rules for other actions here 
     } 
     policy info2{ 
      target clause resourceId == "http://www.example.com/info2" 
      apply firstApplicable 
      rule read{ 
       target clause Attributes.actionId=="read" 
         clause group=="admin" or group=="manager" 
       permit 
      } 
      // Add other rules for other actions here 
     } 
    } 
} 

Note that this doesn't completely answer your question. First, it is not combined into a single rule (doing so is not great by the way, and I wouldn't do it; define a good structure, it is easier to manage). In my approach you have to explicitly list all the other actions.

Here is another approach:

policy allowAccess{ 
    target clause resourceId == "http://www.example.com/info1" or resourceId == "http://www.example.com/info2" 
    apply firstApplicable 
    rule allowRead{ 
     // successive clauses are ANDed: (admin or manager) AND action == read 
     target clause group=="admin" or group=="manager" 
         clause Attributes.actionId=="read" 
     permit 
    } 
    rule allowOtherActions{ 
     condition not(Attributes.actionId=="read") 
     permit 
    } 
} 

The final condensed version would be:

policy allowAccess2{ 
    apply firstApplicable 
    rule allow{ 
     target clause resourceId == "http://www.example.com/info1" or resourceId == "http://www.example.com/info2" 
     // read needs admin or manager; any other action is allowed for everyone 
     condition ((group=="admin" || group=="manager") && Attributes.actionId=="read") || not(Attributes.actionId=="read") 
     permit 
    } 
} 

The XACML output is:

<?xml version="1.0" encoding="UTF-8"?> 
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
Any modification to this file will be lost upon recompilation of the source ALFA file--> 
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
    PolicyId="http://axiomatics.com/alfa/identifier/so.allowAccess2" 
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" 
    Version="1.0"> 
    <xacml3:Description /> 
    <xacml3:PolicyDefaults> 
     <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion> 
    </xacml3:PolicyDefaults> 
    <xacml3:Target /> 
    <xacml3:Rule 
      Effect="Permit" 
      RuleId="http://axiomatics.com/alfa/identifier/so.allowAccess2.allow"> 
     <xacml3:Description /> 
     <xacml3:Target> 
      <xacml3:AnyOf> 
       <xacml3:AllOf> 
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
         <xacml3:AttributeValue 
          DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info1</xacml3:AttributeValue> 
         <xacml3:AttributeDesignator 
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
          DataType="http://www.w3.org/2001/XMLSchema#string" 
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" 
          MustBePresent="false" 
         /> 
        </xacml3:Match> 
       </xacml3:AllOf> 
       <xacml3:AllOf> 
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
         <xacml3:AttributeValue 
          DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</xacml3:AttributeValue> 
         <xacml3:AttributeDesignator 
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
          DataType="http://www.w3.org/2001/XMLSchema#string" 
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" 
          MustBePresent="false" 
         /> 
        </xacml3:Match> 
       </xacml3:AllOf> 
      </xacml3:AnyOf> 
     </xacml3:Target> 
     <xacml3:Condition> 
      <!-- ((group == "admin" || group == "manager") && action-id == "read") || !(action-id == "read") --> 
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or"> 
       <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> 
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or"> 
         <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> 
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/> 
          <xacml3:AttributeValue 
           DataType="http://www.w3.org/2001/XMLSchema#string">admin</xacml3:AttributeValue> 
          <xacml3:AttributeDesignator 
           AttributeId="group" 
           DataType="http://www.w3.org/2001/XMLSchema#string" 
           Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
           MustBePresent="false" 
          /> 
         </xacml3:Apply> 
         <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> 
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/> 
          <xacml3:AttributeValue 
           DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue> 
          <xacml3:AttributeDesignator 
           AttributeId="group" 
           DataType="http://www.w3.org/2001/XMLSchema#string" 
           Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
           MustBePresent="false" 
          /> 
         </xacml3:Apply> 
        </xacml3:Apply> 
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> 
         <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/> 
         <xacml3:AttributeValue 
          DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue> 
         <xacml3:AttributeDesignator 
          AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
          DataType="http://www.w3.org/2001/XMLSchema#string" 
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" 
          MustBePresent="false" 
         /> 
        </xacml3:Apply> 
       </xacml3:Apply> 
       <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not"> 
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> 
         <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/> 
         <xacml3:AttributeValue 
          DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue> 
         <xacml3:AttributeDesignator 
          AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
          DataType="http://www.w3.org/2001/XMLSchema#string" 
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" 
          MustBePresent="false" 
         /> 
        </xacml3:Apply> 
       </xacml3:Apply> 
      </xacml3:Apply> 
     </xacml3:Condition> 
    </xacml3:Rule> 
</xacml3:Policy>
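The safest way to know what a combined rule like allowAccess2 actually decides is to run a handful of requests through it: an admin read, a non-member read, a write with no group attribute at all, and a request for a resource outside the target. The evaluator below is an added example for this page, not code from the question, the answer, or any XACML product, and it is not a real PDP: it implements only the slice of XACML 3.0 the final policy uses (Target/AnyOf/AllOf/Match, a Rule Condition, first-applicable combining, and the functions string-equal, any-of, and, or, not). The embedded POLICY is a constructed, compact equivalent of the allowAccess2 output above with the group test written as admin OR manager; the request() helper and the category and attribute ids are the standard ones used on this page.

```python
"""Minimal evaluator for the XACML 3.0 subset used by the allowAccess2 policy above.
Added example for this page, not a real PDP: it handles Target/AnyOf/AllOf/Match, Rule
Condition, first-applicable combining and the functions string-equal, any-of, and, or, not."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
F = "urn:oasis:names:tc:xacml:1.0:function:"
RES_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACT_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJ_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
S = 'DataType="http://www.w3.org/2001/XMLSchema#string"'

def desig(cat, aid):
    return f'<AttributeDesignator AttributeId="{aid}" Category="{cat}" {S} MustBePresent="false"/>'

def any_eq(value, cat, aid):
    """XACML any-of(string-equal, value, bag): true if the attribute bag contains value."""
    return (f'<Apply FunctionId="{F}any-of"><Function FunctionId="{F}string-equal"/>'
            f'<AttributeValue {S}>{value}</AttributeValue>{desig(cat, aid)}</Apply>')

def res_is(url):
    return (f'<AllOf><Match MatchId="{F}string-equal"><AttributeValue {S}>{url}</AttributeValue>'
            f'{desig(RES_CAT, RES_ID)}</Match></AllOf>')

# Constructed compact equivalent of allowAccess2, with (group == admin OR group == manager).
POLICY = f"""<Policy xmlns="{NS}" PolicyId="allowAccess2" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule Effect="Permit" RuleId="allow">
    <Target><AnyOf>{res_is('http://www.example.com/info1')}{res_is('http://www.example.com/info2')}</AnyOf></Target>
    <Condition><Apply FunctionId="{F}or">
      <Apply FunctionId="{F}and">
        <Apply FunctionId="{F}or">{any_eq('admin', SUBJ_CAT, 'group')}{any_eq('manager', SUBJ_CAT, 'group')}</Apply>
        {any_eq('read', ACT_CAT, ACT_ID)}
      </Apply>
      <Apply FunctionId="{F}not">{any_eq('read', ACT_CAT, ACT_ID)}</Apply>
    </Apply></Condition>
  </Rule>
</Policy>"""

def bag(d, req):
    """Attribute bag from the request: empty if absent, error if MustBePresent="true"."""
    values = req.get((d.get("Category"), d.get("AttributeId")), [])
    if not values and d.get("MustBePresent") == "true":
        raise KeyError(d.get("AttributeId"))  # a PDP would report Indeterminate
    return values

def expr(e, req):
    """AttributeValue -> str, AttributeDesignator -> bag (list), Apply -> function result."""
    if e.tag == "AttributeValue":
        return e.text
    if e.tag == "AttributeDesignator":
        return bag(e, req)
    fid, kids = e.get("FunctionId")[len(F):], list(e)
    if fid == "any-of":  # any-of(<Function/>, value, bag): only string-equal supported here
        if kids[0].get("FunctionId") != F + "string-equal":
            raise NotImplementedError(kids[0].get("FunctionId"))
        return expr(kids[1], req) in expr(kids[2], req)
    args = [expr(k, req) for k in kids]
    if fid == "and":
        return all(args)
    if fid == "or":
        return any(args)
    if fid == "not":
        return not args[0]
    raise NotImplementedError(fid)

def match(m, req):
    """A Match holds if the literal equals ANY element of the designated bag."""
    if m.get("MatchId") != F + "string-equal":
        raise NotImplementedError(m.get("MatchId"))
    return m.find("AttributeValue").text in bag(m.find("AttributeDesignator"), req)

def target_ok(t, req):
    """Target = AND over AnyOf, OR over AllOf, AND over Match; missing or empty Target matches."""
    return t is None or all(
        any(all(match(m, req) for m in a.findall("Match")) for a in ao.findall("AllOf"))
        for ao in t.findall("AnyOf"))

def evaluate(policy_xml, req):
    """first-applicable: the first rule whose Target and Condition hold decides."""
    policy = ET.fromstring(policy_xml)
    for el in policy.iter():  # drop the namespace so tags can be compared by local name
        el.tag = el.tag.split("}", 1)[-1]
    try:
        if not target_ok(policy.find("Target"), req):
            return "NotApplicable"
        for rule in policy.findall("Rule"):
            cond = rule.find("Condition")
            if target_ok(rule.find("Target"), req) and (cond is None or expr(cond[0], req)):
                return rule.get("Effect")
    except KeyError:
        return "Indeterminate"
    return "NotApplicable"  # allowAccess2 has no Deny rule, so the PEP must treat this as deny

def request(resource, action, groups=()):
    return {(RES_CAT, RES_ID): [resource], (ACT_CAT, ACT_ID): [action], (SUBJ_CAT, "group"): list(groups)}

if __name__ == "__main__":
    print(evaluate(POLICY, request("http://www.example.com/info1", "read", ["user"])))  # NotApplicable
```

Two things worth noticing when you run it. A read by a subject outside admin/manager does not come back as Deny: the single-rule policy has no Deny rule, so the PDP answers NotApplicable, and the PEP has to treat that as a refusal (or you wrap the policy in a deny-unless-permit policy set, or keep an explicit catch-all Deny rule as the question's own policy did). And because every designator is MustBePresent="false", a request that carries no group attribute at all simply sees an empty bag, so a write with no group is still permitted while a read with no group is NotApplicable; flip MustBePresent to true and the same missing attribute turns the decision into Indeterminate instead.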