1. 首頁
  2. 問答
  3. 如何在XACML中將單個規則中的兩條規則結合起來?

如何在XACML中將單個規則中的兩條規則結合起來?

2017-03-04 84 views
1

我如何結合這兩個規則如何在XACML中將單個規則中的兩條規則結合起來?

(1)任何用戶都可以訪問(讀,寫等)的資源http://www.example.com/info1http://www.example.com/info2

(2)任何讀操作(讀取)至任何資源只能由屬於組管理員和管理員的用戶訪問。

在一個單一的一個

我迄今所做的是這樣的:

<?xml version="1.0" encoding="UTF-8"?> 
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0"> 
    <Description>Policy 1</Description> 
    <Target /> 
    <!--Punto d.1,2--> 
    <Rule Effect="Permit" RuleId="Rule Permit #1" > 
     <Target> 
      <AnyOf> 
       <AllOf> 
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</AttributeValue> 
         <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" /> 
        </Match> 
       </AllOf> 
       <AllOf> 
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</AttributeValue> 
         <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" /> 
        </Match> 
       </AllOf> 
       <AllOf> 
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> 
         <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" /> 
        </Match> 
       </AllOf> 
      </AnyOf> 
     </Target> 
     <Condition> 
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> 
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue> 
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue> 
       </Apply> 
       <AttributeDesignator AttributeId="group" Category="urn:oasis:names:tc:xacml:3.0:group" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" /> 
      </Apply> 
     </Condition> 
    </Rule> 
    <Rule Effect="Deny" RuleId="Rule Deny #1" /> 
</Policy>

我如何作出Condition選購時任何動作 - 讀取任何用戶,寫等 - ,嘗試訪問任何兩個網址?

而且,我該如何驗證時的讀操作的訪問請求時,它只能在用戶(主題)所屬的組,或管理員訪問?

來源

2017-03-04 InfZero

回答

2

有幾種方法可以實現您的方案。最簡單的可能是爲您的政策創建一個結構。例如,你可能會說,你有http://www.example.com/info1http://www.example.com/info2政策另一個。每個策略可以有讀,寫,刪除的規則......或者如果你不想指定任何動作,那麼你可以跳過它。在你的情況下,你想限制閱讀管理員和經理。

使用ALFA語法,這給你:

namespace so{ 
    attribute group{ 
     category = subjectCat 
     id = "group" 
     type = string 
    } 
    // Standard XACML attributes e.g. resource-id 
    import Attributes.* 

    policyset resources{ 
     apply firstApplicable 
     policy info1{    
      target clause resourceId == "http://www.example.com/info1" 
      apply firstApplicable 
      rule read{ 
       target clause Attributes.actionId=="read" 
         clause group=="admin" or group=="manager" 
       permit 
      } 
      // Add other rules for other actions here 
     } 
     policy info2{ 
      target clause resourceId == "http://www.example.com/info2" 
      apply firstApplicable 
      rule read{ 
       target clause Attributes.actionId=="read" 
         clause group=="admin" or group=="manager" 
       permit 
      } 
      // Add other rules for other actions here 
     } 
    } 
}

認爲這並不完全回答你的問題。首先,它是不是在一個單一的規則組合(這樣做是不是很大順便說一句,我不會做它 - 定義一個好的結構,更易於管理)。在我的方法中,您必須明確列出所有其他操作。

下面是另一種方法

policy allowAccess{ 
    target clause resourceId == "http://www.example.com/info1" or resourceId == "http://www.example.com/info2" 
    apply firstApplicable 
    rule allowRead{ 
     target clause group=="admin" and group=="manager" and Attributes.actionId=="read" 
     permit 
    } 
    rule allowOtherActions{ 
     condition not(Attributes.actionId=="read") 
     permit 
    } 
}

最終濃縮版本將是

policy allowAccess2{ 
    apply firstApplicable 
    rule allow{ 
     target clause resourceId == "http://www.example.com/info1" or resourceId == "http://www.example.com/info2" 
     condition (group=="admin" && group=="manager" && Attributes.actionId=="read") || (not(Attributes.actionId=="read")) 
     permit 
    } 
}

的XACML輸出是:

<?xml version="1.0" encoding="UTF-8"?> 
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). 
Any modification to this file will be lost upon recompilation of the source ALFA file--> 
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" 
    PolicyId="http://axiomatics.com/alfa/identifier/so.allowAccess2" 
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" 
    Version="1.0"> 
    <xacml3:Description /> 
    <xacml3:PolicyDefaults> 
     <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion> 
    </xacml3:PolicyDefaults> 
    <xacml3:Target /> 
    <xacml3:Rule 
      Effect="Permit" 
      RuleId="http://axiomatics.com/alfa/identifier/so.allowAccess2.allow"> 
     <xacml3:Description /> 
     <xacml3:Target> 
      <xacml3:AnyOf> 
       <xacml3:AllOf> 
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
         <xacml3:AttributeValue 
          DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info1</xacml3:AttributeValue> 
         <xacml3:AttributeDesignator 
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
          DataType="http://www.w3.org/2001/XMLSchema#string" 
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" 
          MustBePresent="false" 
         /> 
        </xacml3:Match> 
       </xacml3:AllOf> 
       <xacml3:AllOf> 
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
         <xacml3:AttributeValue 
          DataType="http://www.w3.org/2001/XMLSchema#string">http://www.example.com/info2</xacml3:AttributeValue> 
         <xacml3:AttributeDesignator 
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
          DataType="http://www.w3.org/2001/XMLSchema#string" 
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" 
          MustBePresent="false" 
         /> 
        </xacml3:Match> 
       </xacml3:AllOf> 
      </xacml3:AnyOf> 
     </xacml3:Target> 
     <xacml3:Condition> 
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or"> 
       <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> 
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> 
         <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/> 
         <xacml3:AttributeValue 
          DataType="http://www.w3.org/2001/XMLSchema#string">admin</xacml3:AttributeValue> 
         <xacml3:AttributeDesignator 
          AttributeId="group" 
          DataType="http://www.w3.org/2001/XMLSchema#string" 
          Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
          MustBePresent="false" 
         /> 
        </xacml3:Apply> 
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> 
         <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> 
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/> 
          <xacml3:AttributeValue 
           DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue> 
          <xacml3:AttributeDesignator 
           AttributeId="group" 
           DataType="http://www.w3.org/2001/XMLSchema#string" 
           Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
           MustBePresent="false" 
          /> 
         </xacml3:Apply> 
         <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> 
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/> 
          <xacml3:AttributeValue 
           DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue> 
          <xacml3:AttributeDesignator 
           AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
           DataType="http://www.w3.org/2001/XMLSchema#string" 
           Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" 
           MustBePresent="false" 
          /> 
         </xacml3:Apply> 
        </xacml3:Apply> 
       </xacml3:Apply> 
       <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not" > 
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> 
         <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/> 
         <xacml3:AttributeValue 
          DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue> 
         <xacml3:AttributeDesignator 
          AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
          DataType="http://www.w3.org/2001/XMLSchema#string" 
          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" 
          MustBePresent="false" 
         /> 
        </xacml3:Apply> 
       </xacml3:Apply> 
      </xacml3:Apply> 
     </xacml3:Condition> 
    </xacml3:Rule> 
</xacml3:Policy>

來源

2017-03-05 17:39:34

相關問題

 相關問題