Context Navigation

source: TI12-security/trunk/ndg_xacml/ndg/xacml/test/esgf1.xml @ 7661

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg-security/TI12-security/trunk/ndg_xacml/ndg/xacml/test/esgf1.xml@7661

Visit:

Revision 7661, 3.9 KB checked in by pjkersha, 10 years ago (diff)

ndg_xacml:

added support for custom AttributeValue? DataTypes? - this means that the ESGF GroupRole? attribute type can be added directly into XACML policies.
TODO: add support for adding custom functions so that a PDP can correctly apply rules based on custom types like the ESGF GroupRole?.

Line
1	<?xml version="1.0" encoding="UTF-8"?>
2	<Policy PolicyId="urn:ndg:security:1.0:authz:test:esgf-policy"
3	xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
4	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5	xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd"
6	xmlns:esg="http://www.earthsystemgrid.org/"
7	RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
8	<Description>
9	NDG XACML example for unit tests: add custom ESG Group/Role Attribute Value type
10	</Description>
11
12	<!--
13	The Policy target(s) define which requests apply to the whole policy
14	-->
15	<Target>
16	<Resources>
17	<Resource>
18	<!-- Pattern match all request URIs beginning with / -->
19	<ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
20	<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
21	<ResourceAttributeDesignator
22	AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
23	DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
24	</ResourceMatch>
25	</Resource>
26	</Resources>
27	</Target>
28
29	<!-- Deny everything by default -->
30	<Rule RuleId="DenyAllRule" Effect="Deny"/>
31	<!--
32	Following rules punch holes through the deny everything rule above
33	because the rule combining algorithm is set to permit overrides - see
34	Policy element above
35	-->
36	<Rule RuleId="AtLeastOneSubjectAttributeBased" Effect="Permit">
37	<!--
38	Subject must have at least one of a group of roles
39
40	Resource id is a regular expression
41	-->
42	<Target>
43	<Resources>
44	<Resource>
45	<!-- Pattern match the request URI -->
46	<ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
47	<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/at-least-of-subject-role-restricted.*$</AttributeValue>
48	<ResourceAttributeDesignator
49	AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
50	DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
51	</ResourceMatch>
52	</Resource>
53	</Resources>
54	</Target>
55
56	<!--
57	The condition narrows down the constraints layed down in the target to
58	something more specific
59
60	The user must have at least one of the roles set - in this
61	case 'staff'
62	-->
63	<Condition>
64	<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
65	<SubjectAttributeDesignator
66	AttributeId="urn:ndg:security:authz:1.0:attr"
67	DataType="http://www.w3.org/2001/XMLSchema#string"/>
68	<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
69	<AttributeValue DataType="urn:esgf:pcmdi:grouprole">
70	<esg:groupRole>
71	<esg:group>CMIP5_Research</esg:group>
72	<esg:role>default</esg:role>
73	</esg:groupRole>
74	</AttributeValue>
75	<AttributeValue DataType="urn:esgf:pcmdi:grouprole">
76	<esg:groupRole>
77	<esg:group>CMIP5_Commercial</esg:group>
78	<esg:role>default</esg:role>
79	</esg:groupRole>
80	</AttributeValue>
81	</Apply>
82	</Apply>
83	</Condition>
84	</Rule>
85	</Policy>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: