Hierarchical attributes in XACML Policy


Problem description

We are using WSO2 Identity Server 5.1.0.

We have a location hierarchy like Plant1->Area1->unit1. Now if a user has an attribute for Plant1, he should get access to unit1 as well (all children of the parent in the tree).

Can we specify this in XACML? We have the hierarchy stored in a DB. We can also provide the list of hierarchical elements as a list of attributes if required.

Problem explained with a sample: a user bob has been given access to area2 as shown below:

Plant1
|--Area1
     |--Unit1
|--Area2
     |--Unit2

We want to specify the Area2 location in the XACML policy. Now if a request with area2 or unit2 comes, that should be permitted, while if a request with plant1, area1 or unit1 comes, that should get denied.

I need the structure for the XACML policy.

Recommended answer

You can implement this with a custom PIP (Policy Information Point, aka Attribute Provider) in XACML implementations like AuthzForce. I don't know WSO2 IS as well, but according to the docs it is also extensible with custom PIPs, so I assume this should do the trick.

The idea is that in the XACML policy, you use an AttributeDesignator with a custom AttributeId to indicate that the top parent value in the hierarchy of some attribute is requested, e.g. AttributeId = resource-id-parent for the parent value of the resource-id attribute value.

What your custom PIP does: when this custom attribute id resource-id-parent is requested, the PIP gets the value of the attribute resource-id from the request, i.e. "area2" or "unit2", then gets the corresponding top value in the hierarchy from your DB (or all the values above, if you will) and returns it as a bag. Then, in the XACML policy, you can use string-equal in a Match or string-at-least-one-member-of in a Condition to match the AttributeDesignator with "area2" (remember that an AttributeDesignator always evaluates to a bag).
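The following is an added example (not part of the original answer, and not WSO2 or AuthzForce code) that models the approach above end to end: a custom AttributeId `resource-id-parent` (the name is an assumption), a PIP that resolves it from a small child-to-parent table standing in for the asker's DB, and an XACML 3.0 policy whose Condition uses `string-at-least-one-member-of` against the literal `area2`, followed by a catch-all Deny rule so non-matching requests are denied rather than NotApplicable. The evaluator implements only the handful of XACML functions this policy uses. One caveat for the asker's example: the PIP must return the resource itself plus all of its ancestors, not only the top parent; if it returned only `plant1`, a request for `area2` or `unit2` would never match the literal `area2`.

```python
"""Hierarchical resource access in XACML via a custom PIP attribute.

Added example, not from the original post. The hierarchy table and the
attribute name "resource-id-parent" are constructed/assumed for this demo.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
PARENT_ID = "resource-id-parent"  # custom AttributeId (assumed name)
STRING = "http://www.w3.org/2001/XMLSchema#string"
F_BAG = "urn:oasis:names:tc:xacml:1.0:function:string-bag"
F_ALO = "urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"

# Constructed stand-in for the DB table: child -> parent (None = root).
HIERARCHY = {"plant1": None, "area1": "plant1", "unit1": "area1",
             "area2": "plant1", "unit2": "area2"}


def pip_resource_id_parent(resource_id):
    """Custom PIP: return the resource itself plus every ancestor as a bag.

    Including the resource itself is what lets a request for area2 match the
    literal "area2". Unknown resources yield an empty bag, so the Permit rule
    cannot fire; the `not in bag` check also stops on a cyclic table.
    """
    bag, node = set(), resource_id
    while node in HIERARCHY and node not in bag:
        bag.add(node)
        node = HIERARCHY[node]
    return bag


# Policy: Permit when "area2" is in the ancestor-or-self bag, otherwise Deny.
POLICY = f"""<Policy xmlns="{XACML_NS}" PolicyId="plant-hierarchy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="permit-area2-subtree" Effect="Permit">
    <Condition>
      <Apply FunctionId="{F_ALO}">
        <Apply FunctionId="{F_BAG}">
          <AttributeValue DataType="{STRING}">area2</AttributeValue>
        </Apply>
        <AttributeDesignator Category="{RESOURCE_CAT}" AttributeId="{PARENT_ID}"
          DataType="{STRING}" MustBePresent="false"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>"""


def resolve_attribute(attr_id, request):
    """PDP-side lookup: values from the request context first, then the PIP."""
    if attr_id in request:
        return set(request[attr_id])
    if attr_id == PARENT_ID:
        rids = request.get(RESOURCE_ID, [])
        return set().union(*(pip_resource_id_parent(r) for r in rids))
    return set()  # missing attribute evaluates to an empty bag


def evaluate_expr(node, request):
    """Evaluate the subset of XACML expressions used by POLICY."""
    tag = node.tag.split("}")[1]
    if tag == "AttributeValue":
        return node.text
    if tag == "AttributeDesignator":
        return resolve_attribute(node.get("AttributeId"), request)
    if tag == "Apply":
        args = [evaluate_expr(c, request) for c in node]
        fn = node.get("FunctionId")
        if fn == F_BAG:
            return set(args)
        if fn == F_ALO:  # true if the two bags share at least one value
            return bool(args[0] & args[1])
        raise NotImplementedError(fn)
    raise NotImplementedError(tag)


def evaluate(policy_xml, resource_id):
    """first-applicable: the first rule whose Condition holds decides."""
    root = ET.fromstring(policy_xml)
    request = {RESOURCE_ID: [resource_id]}
    for rule in root.findall("x:Rule", NS):
        cond = rule.find("x:Condition", NS)
        if cond is None or evaluate_expr(cond[0], request) is True:
            return rule.get("Effect")
    return "NotApplicable"


if __name__ == "__main__":
    for rid in ["plant1", "area1", "unit1", "area2", "unit2", "unknown"]:
        print(rid, sorted(pip_resource_id_parent(rid)), evaluate(POLICY, rid))
```

In a real deployment the PIP would run inside the PDP (an AuthzForce attribute provider or a WSO2 IS PIP extension) and query the DB instead of `HIERARCHY`; the policy XML is the part that carries over unchanged.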
