XACML Policy and Request


Question

First I would like to mention that this is certainly a novice question, but I have been looking for hours now and I do not have an answer.

I just started trying XACML for academic purposes. I use the editor provided with wso2-is to write some policies and to evaluate them against some requests.

I created this policy to express that the subject u can read or write the resource d:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="test-bis" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0">
   <Target/>
   <Rule Effect="Permit" RuleId="read-or-write">
      <Target>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">d</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
               </Match>
            </AllOf>
         </AnyOf>
      </Target>
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
               </Apply>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
               <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">u</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
   <Rule Effect="Deny" RuleId="deny"/>
</Policy>

While matching this simple request "Can u read from d" I got Not Applicable as the result! Here is the request:

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
   <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
      </Attribute>
   </Attributes>
   <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">u</AttributeValue>
      </Attribute>
   </Attributes>
   <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">d</AttributeValue>
      </Attribute>
   </Attributes>
</Request>

Can anyone help me understand what I am doing wrong?

Thanks all!

Answer

As you are getting "Not Applicable", it seems that your policy is either not enabled in WSO2 IS or not promoted to the PDP for testing. Just check whether the policy is enabled and promoted to the PDP for testing. You may also test the policy without promoting it to the PDP, but in both cases it should be in enabled mode.

I tried your policy in WSO2 IS 4.0.0 and it gives "Deny". And yes, as David mentioned, it is because your policy combining algorithm is "deny-overrides", which always yields "Deny" as per your default rule below:

<Rule Effect="Deny" RuleId="deny"/>

So either you need to make your policy combining algorithm "permit-overrides" or drop the last rule.
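To make the combining-algorithm point concrete, here is a small Python evaluator that covers just the XACML constructs the posted policy uses (Target/AnyOf/AllOf/Match, the and, string-bag, string-at-least-one-member-of and any-of functions, and the deny-overrides and permit-overrides rule-combining algorithms). It is an added example, not code from the question, the answer, or WSO2/Balana. The policy and request strings are constructed copies of the ones posted above, with the combining algorithm, the catch-all Deny rule, the requested action and the subject left as parameters so the variants the answer suggests can be compared side by side; MustBePresent and Indeterminate handling are deliberately left out.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
F = "urn:oasis:names:tc:xacml:1.0:function:"
S = "http://www.w3.org/2001/XMLSchema#string"
ALG = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:"

# Constructed copy of the posted policy; {alg} and {deny_rule} are the two knobs the answer
# talks about (combining algorithm, catch-all Deny rule).
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="test-bis" RuleCombiningAlgId="{ALG}{alg}" Version="1.0">
  <Target/>
  <Rule Effect="Permit" RuleId="read-or-write">
    <Target><AnyOf><AllOf><Match MatchId="{F}string-equal"><AttributeValue DataType="{S}">d</AttributeValue>
      <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="{S}" MustBePresent="true"/>
    </Match></AllOf></AnyOf></Target>
    <Condition><Apply FunctionId="{F}and">
      <Apply FunctionId="{F}string-at-least-one-member-of">
        <Apply FunctionId="{F}string-bag"><AttributeValue DataType="{S}">read</AttributeValue><AttributeValue DataType="{S}">write</AttributeValue></Apply>
        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="{S}" MustBePresent="true"/>
      </Apply>
      <Apply FunctionId="{F}any-of"><Function FunctionId="{F}string-equal"/><AttributeValue DataType="{S}">u</AttributeValue>
        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="{S}" MustBePresent="true"/>
      </Apply>
    </Apply></Condition>
  </Rule>{deny_rule}
</Policy>"""

# Constructed copy of the posted request with the action and subject parameterised.
REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false"><AttributeValue DataType="{S}">{action}</AttributeValue></Attribute></Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false"><AttributeValue DataType="{S}">{subject}</AttributeValue></Attribute></Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"><AttributeValue DataType="{S}">d</AttributeValue></Attribute></Attributes>
</Request>"""

FUNCTIONS = {  # only the functions this policy uses; any-of applies a named function to each bag member
    F + "string-equal": lambda a, b: a == b,
    F + "string-bag": lambda *values: list(values),
    F + "and": lambda *flags: all(flags),
    F + "string-at-least-one-member-of": lambda bag1, bag2: any(v in bag2 for v in bag1),
    F + "any-of": lambda fid, value, bag: any(FUNCTIONS[fid](value, v) for v in bag),
}

def parse_request(xml):
    """Flatten the request into {(category, attribute-id): [values]} for designator lookups."""
    ctx = {}
    for attrs in ET.fromstring(xml).findall("x:Attributes", NS):
        for attr in attrs.findall("x:Attribute", NS):
            key = (attrs.get("Category"), attr.get("AttributeId"))
            ctx.setdefault(key, []).extend(v.text for v in attr.findall("x:AttributeValue", NS))
    return ctx

def evaluate(node, ctx):
    """Evaluate an expression element; a designator resolves to the bag found in the request."""
    tag = node.tag.split("}")[1]
    if tag == "AttributeValue":
        return node.text
    if tag == "Function":
        return node.get("FunctionId")
    if tag == "AttributeDesignator":
        return ctx.get((node.get("Category"), node.get("AttributeId")), [])
    return FUNCTIONS[node.get("FunctionId")](*(evaluate(child, ctx) for child in node))  # Apply

def target_matches(target, ctx):
    """Absent or empty Target matches; otherwise AnyOf is OR over AllOf, AllOf is AND over Match."""
    if target is None:
        return True
    def match_ok(match):
        value, designator = list(match)
        return any(FUNCTIONS[match.get("MatchId")](value.text, v) for v in evaluate(designator, ctx))
    return all(any(all(match_ok(m) for m in allof) for allof in anyof) for anyof in target)

def evaluate_rule(rule, ctx):
    """A rule yields its Effect only if its Target matches and its Condition (if any) is true."""
    if not target_matches(rule.find("x:Target", NS), ctx):
        return "NotApplicable"
    cond = rule.find("x:Condition", NS)
    if cond is not None and not evaluate(cond[0], ctx):
        return "NotApplicable"
    return rule.get("Effect")

def combine(alg, decisions):
    """deny-overrides: any Deny wins; permit-overrides: any Permit wins (Indeterminate ignored)."""
    order = {ALG + "deny-overrides": ("Deny", "Permit"), ALG + "permit-overrides": ("Permit", "Deny")}[alg]
    return next((d for d in order if d in decisions), "NotApplicable")

def decide(alg, with_catch_all_deny, action, subject="u"):
    """Evaluate one variant of the posted policy against one variant of the posted request."""
    policy = ET.fromstring(POLICY.format(ALG=ALG, alg=alg, F=F, S=S,
        deny_rule='<Rule Effect="Deny" RuleId="deny"/>' if with_catch_all_deny else ""))
    ctx = parse_request(REQUEST.format(S=S, action=action, subject=subject))
    if not target_matches(policy.find("x:Target", NS), ctx):
        return "NotApplicable"
    return combine(policy.get("RuleCombiningAlgId"), [evaluate_rule(r, ctx) for r in policy.findall("x:Rule", NS)])

if __name__ == "__main__":
    print("deny-overrides + catch-all Deny:  ", decide("deny-overrides", True, "read"))    # Deny
    print("permit-overrides + catch-all Deny:", decide("permit-overrides", True, "read"))  # Permit
    print("deny-overrides, last rule dropped:", decide("deny-overrides", False, "read"))   # Permit
```

Running it reproduces the answer: with deny-overrides the catch-all Deny rule is reached for every request and therefore always wins, even when the Permit rule matches, while switching to permit-overrides or dropping the last rule gives Permit for "u reads d". None of the three variants ever produces NotApplicable for that request, which is why the answer points at the policy not being enabled or promoted to the PDP rather than at the policy text. The trade-off between the two fixes is visible too: with permit-overrides the catch-all rule still turns a non-matching request (another subject, or an action such as delete) into an explicit Deny, whereas after dropping it such requests fall through as NotApplicable and the outcome depends on how the PEP treats that.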
