How to deal with deep level granularization with XACML in enterprise application


Problem description

I am using IS WSO2 for authorization with XACML. I am able to achieve authorization for static resources. But I am not sure about the design when it comes to granularization.

Example: if I have a method like getCarDetails(Object User) where I should get only those cars which are assigned to this particular user, then how to deal with this with XACML?

WSO2 provides support for PIP where we can use custom classes which can fetch data from a database. But I am not sure if we should either make a copy of the original database at the PDP side or give the original database to the PIP to get updated with live data.

Because cars would be dynamic for the application, e.g. currently 10 cars are assigned to user Alice. Suddenly a supervisor adds 20 more cars to his list, which will be in the application-level database. Then how will these other 20 cars be automatically assigned in the policy at PDP level until it also has this latest information?

I may be making some mistake in understanding. But I am not sure how to deal with this, as in the whole application we can have lots of this kind of complex scenario where sometimes we will get data for one user from more than 4 or 5 tables; then how to handle that scenario?

Solution

Your question is a great one and the answer will highlight the key benefits of XACML and externalized authorization as a whole.

In XACML, you define generic, global rules about what is allowed and what isn't, using what I would call high-level attributes, e.g. attributes of the vehicle (in your case) or the user (role, department, ...).

For instance a simple rule could be (using the ALFA syntax):

policy viewCars{
    target clause actionId=="view" and resourceType=="car"
    apply firstApplicable
    rule allowSameRegion{
        permit
        condition user.region==car.region
    }
}

Both the user's region and the car's region are maintained inside the application's database. The values are read using a PIP or Policy Information Point (details here).

In your example, you talk about direct assignment, i.e. a user has been directly assigned to a vehicle. In that case, the rule would become:

policy viewCars{
    target clause actionId=="view" and resourceType=="car"
    apply firstApplicable
    rule allowAssignedVehicle{
        permit
        condition user.employeeId==car.assignedUser
    }
}

This means that the assigned user information must be kept somewhere, in the application database, a CSV file, a web service, or another source of information. It means that from a management perspective, an administrator would add / remove vehicles from a user's assigned list (or perhaps the other way around: add / remove assigned users from a vehicle's assigned user list).

The XACML rule itself will not change. If the supervisor adds 20 more cars to the employee's list (maintained in the application-level database), then the PDP will be able to use that information via the PIP and access will be granted or denied accordingly.

The key benefit of XACML is that you could add a second rule that would state a supervisor can see the cars he/she is assigned to (the normal rule) as well as the cars assigned to his/her subordinates (a new proxy-delegate rule).

This diagram, taken from the Axiomatics blog, summarizes the XACML flow:

HTH, let me know if you have further questions. You can download ALFA here and you can watch tutorials here.
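The following is an added example, not part of the original question or answer and not WSO2 or Axiomatics code. It is a toy Python PDP that evaluates the viewCars policy from the answer (the direct-assignment rule plus the supervisor "proxy-delegate" rule) with first-applicable combining, and resolves every user and car attribute through a PIP that queries the application's database at evaluation time. The database is a constructed in-memory SQLite stand-in with made-up employees and cars; the table and column names, and the attribute ids such as user.managerId, are assumptions. The point it demonstrates is the one the answer makes: when a supervisor reassigns a car in the application database, the decision changes without any edit to the policy, because the PDP holds no copy of the data.

```python
import sqlite3
from dataclasses import dataclass
from typing import Callable, List, Optional


def build_app_db() -> sqlite3.Connection:
    """Constructed stand-in for the application-level database (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (employee_id TEXT PRIMARY KEY, region TEXT, manager_id TEXT);
        CREATE TABLE cars  (car_id TEXT PRIMARY KEY, region TEXT, assigned_user TEXT);
        INSERT INTO users VALUES ('alice', 'EU', 'bob'), ('bob', 'EU', NULL), ('carol', 'US', NULL);
        INSERT INTO cars  VALUES ('car-1', 'EU', 'alice'), ('car-2', 'US', 'carol'), ('car-3', 'EU', 'bob');
        """
    )
    return conn


class PIP:
    """Policy Information Point: resolves attributes from the live database at
    evaluation time, so the PDP never keeps a copy of application data."""

    # Allow-list of resolvable attribute ids -> (table, column). Only these
    # identifiers are ever interpolated into SQL; the key value is always bound.
    ATTRIBUTES = {
        "user.employeeId": ("users", "employee_id"),
        "user.region": ("users", "region"),
        "user.managerId": ("users", "manager_id"),  # assumed attribute name
        "car.region": ("cars", "region"),
        "car.assignedUser": ("cars", "assigned_user"),
    }
    KEYS = {"users": "employee_id", "cars": "car_id"}

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    def resolve(self, attribute_id: str, key: Optional[str]) -> Optional[str]:
        if attribute_id not in self.ATTRIBUTES:
            raise KeyError(f"unknown attribute {attribute_id}")
        if key is None:
            return None  # missing subject/resource: attribute is absent, never a match
        table, column = self.ATTRIBUTES[attribute_id]
        row = self.conn.execute(
            f"SELECT {column} FROM {table} WHERE {self.KEYS[table]} = ?", (key,)
        ).fetchone()
        return row[0] if row else None


@dataclass
class Request:
    subject_id: str
    action_id: str
    resource_type: str
    resource_id: str


@dataclass
class Rule:
    name: str
    effect: str  # "Permit" or "Deny"
    condition: Callable[[Request, PIP], bool]


@dataclass
class Policy:
    name: str
    target: Callable[[Request], bool]
    rules: List[Rule]  # combined with first-applicable

    def evaluate(self, req: Request, pip: PIP) -> str:
        if not self.target(req):
            return "NotApplicable"
        for rule in self.rules:
            if rule.condition(req, pip):
                return rule.effect  # first rule whose condition holds decides
        return "NotApplicable"  # the PEP treats this as deny


def assigned_to_requester(req: Request, pip: PIP) -> bool:
    """ALFA: user.employeeId == car.assignedUser"""
    assigned = pip.resolve("car.assignedUser", req.resource_id)
    return assigned is not None and assigned == pip.resolve("user.employeeId", req.subject_id)


def assigned_to_subordinate(req: Request, pip: PIP) -> bool:
    """Proxy-delegate rule: the requester is the manager of the car's assigned user."""
    assigned = pip.resolve("car.assignedUser", req.resource_id)
    manager = pip.resolve("user.managerId", assigned)
    return manager is not None and manager == req.subject_id


VIEW_CARS = Policy(
    name="viewCars",
    target=lambda r: r.action_id == "view" and r.resource_type == "car",
    rules=[
        Rule("allowAssignedVehicle", "Permit", assigned_to_requester),
        Rule("allowSubordinateVehicle", "Permit", assigned_to_subordinate),
    ],
)


def decide(conn: sqlite3.Connection, subject: str, action: str, car_id: str) -> str:
    """PEP-side helper: build the request and ask the PDP for a decision."""
    return VIEW_CARS.evaluate(Request(subject, action, "car", car_id), PIP(conn))


if __name__ == "__main__":
    db = build_app_db()
    print(decide(db, "alice", "view", "car-1"))   # Permit: directly assigned
    print(decide(db, "alice", "view", "car-3"))   # NotApplicable: bob's car
    print(decide(db, "bob", "view", "car-1"))     # Permit: alice reports to bob
    # A supervisor reassigns car-3 in the application DB; the policy is untouched.
    db.execute("UPDATE cars SET assigned_user = 'alice' WHERE car_id = 'car-3'")
    print(decide(db, "alice", "view", "car-3"))   # Permit
```

In a real deployment the PIP class is what you would implement as a WSO2 IS attribute finder backed by the application database, and the rules stay in ALFA/XACML; the rest of this block only exists to make the flow observable offline.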
