How do I combine two rules into a single one in XACML?


Question

How do I combine these two rules

(1) Any user can access (read, write, etc.) the resources http://www.example.com/info1 and http://www.example.com/info2

(2) Any read action (read) on any resource may only be performed by users who belong to the group admin and manager.

into a single one?

What I have done so far is this:

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Description>Policy 1</Description>
    <Target />
    <!-- Points d.1, d.2 -->
    <!-- The three AllOf elements below sit in one AnyOf, so this Target matches when
         resource-id == info1 OR resource-id == info2 OR action-id == read -->
    <Rule Effect="Permit" RuleId="Rule Permit #1" >
        <Target>
            <AnyOf>
                <AllOf>
                    <!-- string-equal instead of string-regexp-match: an unanchored regexp with
                         unescaped dots would also match e.g. http://www.example.com/info10 -->
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info1</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                    </Match>
                </AllOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                    </Match>
                </AllOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <!-- Permit only if the subject's group bag contains admin or manager;
             MustBePresent="true" makes a request without a group attribute Indeterminate -->
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
                </Apply>
                <!-- "group" is a custom attribute; it belongs in the standard access-subject category -->
                <AttributeDesignator AttributeId="group" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
            </Apply>
        </Condition>
    </Rule>
    <!-- Catch-all: anything not permitted above is denied -->
    <Rule Effect="Deny" RuleId="Rule Deny #1" />
</Policy>

How do I make the Condition optional when any user, with any action (read, write, etc.), tries to access either of the two URLs?

And how do I validate that an access request with the read action is only allowed when the user (subject) belongs to the groups, or admin?

Answer

There are several ways you can achieve your scenario. The easiest might be to create a structure for your policies. For instance, you might say that you have a policy for http://www.example.com/info1 and another for http://www.example.com/info2. Each policy could have rules for read, write, delete... Or, if you do not want to specify any action, you could skip it. In your case, you want to restrict read to administrators and managers.

Using the ALFA syntax, this gives you:

namespace so{
    // Custom subject attribute carrying the user's group memberships
    attribute group{
        category = subjectCat
        id = "group"
        type = string
    }
    // Standard XACML attributes e.g. resource-id
    import Attributes.*

    policyset resources{
        apply firstApplicable
        policy info1{
            target clause resourceId == "http://www.example.com/info1"
            apply firstApplicable
            rule read{
                // Two clauses in one target are ANDed: action is read AND group is admin or manager
                target clause Attributes.actionId=="read"
                       clause group=="admin" or group=="manager"
                permit
            }
            // Add other rules for other actions here
        }
        policy info2{
            target clause resourceId == "http://www.example.com/info2"
            apply firstApplicable
            rule read{
                target clause Attributes.actionId=="read"
                       clause group=="admin" or group=="manager"
                permit
            }
            // Add other rules for other actions here
        }
    }
}

That said, this does not answer your question exactly. Firstly, it is not combined in a single rule (doing that is not great, BTW; I wouldn't do it: define a good structure, it is more manageable). And in my approach you have to explicitly list all other actions.

Here is another approach:

policy allowAccess{
    target clause resourceId == "http://www.example.com/info1" or resourceId == "http://www.example.com/info2"
    apply firstApplicable
    rule allowRead{
        // "and" inside one clause builds a single AllOf: the subject's group bag must
        // contain both "admin" and "manager", and the action must be read
        target clause group=="admin" and group=="manager" and Attributes.actionId=="read"
        permit
    }
    rule allowOtherActions{
        // Anything other than a read on the two resources is permitted for anyone
        condition not(Attributes.actionId=="read")
        permit
    }
}

And the final, condensed version is:

policy allowAccess2{
    apply firstApplicable
    rule allow{
        target clause resourceId == "http://www.example.com/info1" or resourceId == "http://www.example.com/info2"
        // (in both admin and manager AND read) OR (not read). There is no deny rule,
        // so a refused read evaluates to NotApplicable rather than Deny
        condition (group=="admin" && group=="manager" && Attributes.actionId=="read") || (not(Attributes.actionId=="read"))
        permit
    }
}

The XACML output is:

<?xml version="1.0" encoding="UTF-8"?>
 <!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
 Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://axiomatics.com/alfa/identifier/so.allowAccess2"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
    <xacml3:Description />
    <xacml3:PolicyDefaults>
        <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule 
            Effect="Permit"
            RuleId="http://axiomatics.com/alfa/identifier/so.allowAccess2.allow">
        <xacml3:Description />
        <xacml3:Target>
            <xacml3:AnyOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info1</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
                <xacml3:AllOf>
                    <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                            MustBePresent="false"
                        />
                    </xacml3:Match>
                </xacml3:AllOf>
            </xacml3:AnyOf>
        </xacml3:Target>
        <xacml3:Condition>
            <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                        <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">admin</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="group"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                            MustBePresent="false"
                        />
                    </xacml3:Apply>
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
                        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                            <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator 
                                AttributeId="group"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                MustBePresent="false"
                            />
                        </xacml3:Apply>
                        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                            <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                            <xacml3:AttributeValue
                                DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                            <xacml3:AttributeDesignator 
                                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                DataType="http://www.w3.org/2001/XMLSchema#string"
                                Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                MustBePresent="false"
                            />
                        </xacml3:Apply>
                    </xacml3:Apply>
                </xacml3:Apply>
                <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not" >
                    <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                        <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                        <xacml3:AttributeValue
                            DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
                        <xacml3:AttributeDesignator 
                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"
                            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                            MustBePresent="false"
                        />
                    </xacml3:Apply>
                </xacml3:Apply>
            </xacml3:Apply>
        </xacml3:Condition>
    </xacml3:Rule>
</xacml3:Policy>
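To see how these targets and conditions actually combine, here is a small Python model of the XACML 3.0 evaluation semantics this page relies on (Target as AnyOf/AllOf/Match, Condition, MustBePresent, and the first-applicable rule-combining algorithm). It is an added example written for this page, not code from the question, the answer or any XACML engine. It encodes the policy from the question (three AllOf elements in one AnyOf, so the target is resource == info1 OR resource == info2 OR action == read, followed by the group condition) and the single-rule structure of the answer's allowAccess2, then evaluates both over constructed sample requests. Two assumptions are labelled in the code: requirement (2) is read as "admin OR manager", the way the question's string-at-least-one-member-of condition does (the answer's allowAccess and allowAccess2 require membership in both groups), and a catch-all Deny rule is appended to the answer's policy, which has none of its own. The resource http://www.example.com/info3 is a constructed sample, not part of the original.

```python
"""Minimal model of XACML 3.0 evaluation: Target (AnyOf/AllOf/Match), Condition,
MustBePresent and the first-applicable rule-combining algorithm.
Example code written for this page, not part of the question, the answer or any PDP."""
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Attribute ids from the page's policies ("group" is the question's own subject attribute).
RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id"
GROUP = "group"
INFO1, INFO2 = "http://www.example.com/info1", "http://www.example.com/info2"

Request = dict[str, set[str]]  # attribute id -> bag of string values


class Indeterminate(Exception):
    """A MustBePresent="true" designator found an empty bag."""


@dataclass
class Match:
    attr: str
    value: str
    must_be_present: bool = True

    def eval(self, req: Request) -> bool:
        bag = req.get(self.attr, set())
        if not bag and self.must_be_present:
            raise Indeterminate(self.attr)
        return self.value in bag  # a Match is true if ANY value in the bag matches


@dataclass
class Rule:
    effect: str
    target: list[list[Match]]  # AnyOf (OR) of AllOf (AND); [] matches every request
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, req: Request) -> str:
        try:
            if self.target and not any(all(m.eval(req) for m in allof) for allof in self.target):
                return NOT_APPLICABLE
            if self.condition is not None and not self.condition(req):
                return NOT_APPLICABLE
        except Indeterminate:
            return INDETERMINATE
        return self.effect


def first_applicable(rules: list[Rule], req: Request) -> str:
    """first-applicable: the first Permit, Deny or Indeterminate decides; NotApplicable is skipped."""
    for rule in rules:
        decision = rule.evaluate(req)
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE


def in_admin_or_manager(req: Request) -> bool:
    """string-at-least-one-member-of({"admin","manager"}, group): admin OR manager (assumed
    reading of requirement (2)); MustBePresent="true" -> Indeterminate if the bag is empty."""
    if not req.get(GROUP):
        raise Indeterminate(GROUP)
    return bool({"admin", "manager"} & req[GROUP])


def read_only_for_admin_or_manager(req: Request) -> bool:
    """Condition shape of the answer's allowAccess2: (group check AND read) OR NOT read.
    The answer's designators use MustBePresent="false", so an absent group bag is just empty."""
    is_read = "read" in req.get(ACTION, set())
    return (not is_read) or bool({"admin", "manager"} & req.get(GROUP, set()))


# The question's policy as posted: three AllOfs in ONE AnyOf, so the target matches when
# resource == info1 OR resource == info2 OR action == read; then the group condition applies.
QUESTION_POLICY = [
    Rule(PERMIT, [[Match(RESOURCE, INFO1)], [Match(RESOURCE, INFO2)], [Match(ACTION, "read")]],
         in_admin_or_manager),
    Rule(DENY, []),  # the question's catch-all "Rule Deny #1"
]

# The answer's single-rule structure: target on the two resources only, logic in the condition.
# The catch-all Deny is an assumption added here; allowAccess2 itself has none.
ANSWER_POLICY = [
    Rule(PERMIT, [[Match(RESOURCE, INFO1, False)], [Match(RESOURCE, INFO2, False)]],
         read_only_for_admin_or_manager),
    Rule(DENY, []),
]


def decide(policy: list[Rule], resource: str, action: str, groups: set[str]) -> str:
    """Build a request from constructed sample values and evaluate it."""
    return first_applicable(policy, {RESOURCE: {resource}, ACTION: {action}, GROUP: set(groups)})


if __name__ == "__main__":
    samples = [(INFO1, "read", {"admin"}), (INFO1, "write", {"guest"}), (INFO1, "read", {"guest"}),
               ("http://www.example.com/info3", "read", {"manager"}), (INFO2, "delete", set())]
    for res, act, grp in samples:
        print(f"{res.rsplit('/', 1)[1]:6} {act:7} {sorted(grp)!s:12} "
              f"question={decide(QUESTION_POLICY, res, act, grp):14} "
              f"answer={decide(ANSWER_POLICY, res, act, grp)}")
```

Running it shows where the two differ. A write on info1 by a user in neither group is denied by the question's policy, because its group condition gates every request the target matched, but permitted by the answer's structure, as requirement (1) asks. A read on any other resource by a manager is permitted by the question's policy, because the action AllOf is OR'd with the resource AllOfs. A request with no group attribute at all makes the question's policy return Indeterminate (MustBePresent="true"), not Deny. And without the appended Deny rule the answer's policy returns NotApplicable for a refused read, so the PEP in front of it has to treat anything other than Permit as a denial.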
