wiki:XACML

ndg_xacml

ndg_xacml is a XACML 2.0 implementation for CEDA (the Centre for Environmental Data Archival), STFC Rutherford Appleton Laboratory. It is follow-on work from the NERC (Natural Environment Research Council) DataGrid 3 project.

XACML (eXtensible Access Control Markup Language) is an XML-based language for expressing access control policies.

Current Status

Version 0.3

  • Important fixes to the equals functions and improvements to the at-least-one-member-of functions.
  • Unit tests improved, with wider coverage of different rule definitions and example request contexts.
  • Improved and extended support for the context handler and Policy Information Point (PIP) interfaces, including the ability for the PDP to call back to a PIP via a context handler to retrieve additional subject attributes.

Version 0.2

The first alpha release to PyPI was made on 28 June 2010.

Only the parts of the specification immediately required for CEDA were implemented in this initial release:

  • deny-overrides and permit-overrides rule combining algorithms
  • AttributeDesignators
  • various function types: see ndg.xacml.core.functions
  • attribute types: see ndg.xacml.core.attribute
  • incomplete support for <AttributeSelector>, <VariableReference>, <VariableDefinition> and <Obligations>
  • an ElementTree-based parser for policies; no support for writing out policies, or for reading/writing the XML representation of <Request> and <Response>

The software follows a modular structure to allow it to be extended easily to include new parsers, functions and attribute types.

Installation

$ easy_install ndg_xacml

Tests and Examples

See ndg.xacml.test in the distribution for unit tests and examples. Here is a brief overview of one of the examples.

The first use case for the CEDA access control policy is to restrict access based on resource URIs. Rules are defined by regular-expression matching of these URIs. Access is permitted to a given subject if they hold at least one of the attributes named in the rule.

This is the content of the test policy file:

<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:ndg:security:1.0:authz:test:policy"
    xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>
        NDG XACML example for unit tests: allow access for resource URIs 
        matching given regular expressions.  The subject must have at least one
        of a set of named attributes allocated 
    </Description>
    
    <!-- 
        The Policy target(s) define which requests apply to the whole policy
    -->
    <Target>
        <Resources>
            <Resource>
                <!-- Pattern match all request URIs beginning with http://localhost/ -->
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>   
    
    <!-- Deny everything by default -->
    <Rule RuleId="DenyAllRule" Effect="Deny"/>
    <!-- 
        Following rules punch holes through the deny everything rule above
        because the rule combining algorithm is set to permit overrides - see 
        Policy element above
    -->
    <Rule RuleId="ResourceBased" Effect="Permit">
        <!-- 
            Resource based restriction only
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Match the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/resource-only-restricted</AttributeValue>
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
    </Rule>
    
    <Rule RuleId="SingleSubjectRoleBased" Effect="Permit">
        <!-- 
            Allow access based on a single subject role
        -->
        <Target>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
                        <SubjectAttributeDesignator 
                            AttributeId="urn:ndg:security:authz:1.0:attr" 
                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </SubjectMatch>
                </Subject>
            </Subjects>
            <Resources>
                <Resource>
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/single-subject-role-restricted</AttributeValue>
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
    </Rule>

    <Rule RuleId="SingleSubjectRoleBasedWithAction" Effect="Permit">
        <!-- 
            Allow access based on a single subject role and given action
        -->
        <Target>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
                        <SubjectAttributeDesignator 
                            AttributeId="urn:ndg:security:authz:1.0:attr" 
                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </SubjectMatch>
                </Subject>
            </Subjects>
            <Resources>
                <Resource>
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/action-and-single-subject-role-restricted</AttributeValue>
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    </ResourceMatch>
                </Resource>
            </Resources>
            <Actions>
                <Action>
                    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                        <ActionAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </ActionMatch>
                </Action>
            </Actions>
        </Target>
    </Rule>
    
    <Rule RuleId="AtLeastOneSubjectAttributeBased" Effect="Permit">
        <!-- 
            Subject must have at least one of a group of roles
            
            Resource id is a regular expression
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Pattern match the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/at-least-of-subject-role-restricted.*$</AttributeValue>
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
        
        <!-- 
            The condition narrows down the constraints laid down in the target to
            something more specific
            
            The user must have at least one of the roles set - in this
            case 'staff'
        -->
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator 
                    AttributeId="urn:ndg:security:authz:1.0:attr" 
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
</Policy>

In the above, the policy-level <Target> filters out requests which don't apply to the policy as a whole: if the resource URI doesn't match ^http://localhost/.*$, the policy evaluates to NotApplicable and none of its rules are consulted. (Note that the XACML 2.0 core specification types the regular expression argument of anyURI-regexp-match as xs:string; the test policy declares it as anyURI, which ndg_xacml accepts, but a stricter PDP may not.) After this a series of rules are specified. The first, DenyAllRule, has no <Target> or <Condition> of its own and so applies to every request that reaches the policy, returning Deny. However, the top-most <Policy> element sets the so-called Rule Combining Algorithm to permit overrides:

RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"

Under permit-overrides a single applicable Permit rule wins over any number of Deny results, so any rule which follows for which a match is made grants access; if none matches, DenyAllRule ensures the result is an explicit Deny rather than NotApplicable. For example:

  • The ResourceBased rule restricts on resource URI only. It overrides the preceding DenyAllRule for requests to http://localhost/resource-only-restricted. No <Subjects> are defined, so access is open to any subject, including one presenting no attributes at all.
  • The rule with RuleId AtLeastOneSubjectAttributeBased grants access to any URI which begins with http://localhost/at-least-of-subject-role-restricted, provided the subject (the person or entity requesting access) holds at least one of the attributes staff, admin or postdoc. Its regular expression ^http://localhost/at-least-of-subject-role-restricted.*$ is a prefix match, so it also covers URIs such as http://localhost/at-least-of-subject-role-restricted-other; rules of this form must be written with any sibling resources in mind.
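To make the evaluation order above concrete, here is an added, self-contained toy evaluator in Python that walks a cut-down copy of the test policy and returns the decision for a handful of constructed request contexts. This is illustrative code written for this page, not ndg_xacml's own API or parser: it handles only the constructs the test policy uses (anyURI-equal, string-equal, anyURI-regexp-match in targets; string-bag and string-at-least-one-member-of in the condition; permit-overrides combining), skips Indeterminate results, MustBePresent and Obligations, and the request dictionary layout (per category, a bag of values per AttributeId) is an assumption of the example. The embedded policy omits the SingleSubjectRoleBased rule to keep the block short.

```python
# Toy XACML 2.0 evaluator for the constructs used in the test policy above.  Illustrative
# only, not ndg_xacml's code: Indeterminate, MustBePresent and Obligations are not handled.
import re
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
XS = "http://www.w3.org/2001/XMLSchema#"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ATTR = "urn:ndg:security:authz:1.0:attr"   # subject attribute used by the test policy
RES = f'<ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS}anyURI"/>'
ROLE = f'<SubjectAttributeDesignator AttributeId="{ROLE_ATTR}" DataType="{XS}string"/>'

# Constructed, cut-down copy of the test policy above (SingleSubjectRoleBased omitted).
POLICY = f"""<Policy xmlns="{NS}" PolicyId="urn:ndg:security:1.0:authz:test:policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
 <Target><Resources><Resource>
  <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
   <AttributeValue DataType="{XS}anyURI">^http://localhost/.*$</AttributeValue>{RES}
  </ResourceMatch></Resource></Resources></Target>
 <Rule RuleId="DenyAllRule" Effect="Deny"/>
 <Rule RuleId="ResourceBased" Effect="Permit"><Target><Resources><Resource>
  <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
   <AttributeValue DataType="{XS}anyURI">http://localhost/resource-only-restricted</AttributeValue>{RES}
  </ResourceMatch></Resource></Resources></Target></Rule>
 <Rule RuleId="SingleSubjectRoleBasedWithAction" Effect="Permit"><Target>
  <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="{XS}string">staff</AttributeValue>{ROLE}</SubjectMatch></Subject></Subjects>
  <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
   <AttributeValue DataType="{XS}anyURI">http://localhost/action-and-single-subject-role-restricted</AttributeValue>{RES}
  </ResourceMatch></Resource></Resources>
  <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="{XS}string">read</AttributeValue>
   <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS}string"/>
  </ActionMatch></Action></Actions></Target></Rule>
 <Rule RuleId="AtLeastOneSubjectAttributeBased" Effect="Permit"><Target><Resources><Resource>
  <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
   <AttributeValue DataType="{XS}anyURI">^http://localhost/at-least-of-subject-role-restricted.*$</AttributeValue>{RES}
  </ResourceMatch></Resource></Resources></Target>
  <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">{ROLE}
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="{XS}string">staff</AttributeValue>
    <AttributeValue DataType="{XS}string">admin</AttributeValue>
    <AttributeValue DataType="{XS}string">postdoc</AttributeValue>
   </Apply></Apply></Condition></Rule>
</Policy>"""

# Match functions take (policy literal, one request value).  XACML regexps are XML Schema
# regexps; the policy anchors its patterns with ^...$, so re.search gives the same answer.
MATCH_FUNCS = {
    "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal": lambda lit, v: lit == v,
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda lit, v: lit == v,
    "urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match":
        lambda lit, v: re.search(lit, v) is not None,
}

def local(tag):
    return tag.split("}", 1)[1]   # element name without its namespace

def bag(designator, request):
    """Request values for a *AttributeDesignator; an empty bag simply fails to match."""
    category = local(designator.tag).replace("AttributeDesignator", "").lower()
    return list(request.get(category, {}).get(designator.get("AttributeId"), []))

def match_holds(m, request):
    """One <SubjectMatch>/<ResourceMatch>/<ActionMatch>: true if ANY request value matches."""
    fn, literal = MATCH_FUNCS[m.get("MatchId")], m.find(f"{{{NS}}}AttributeValue").text
    designator = next(c for c in m if local(c.tag).endswith("AttributeDesignator"))
    return any(fn(literal, v) for v in bag(designator, request))

def target_holds(target, request):
    """Absent <Target> matches everything.  Subjects/Resources/Actions are ANDed, the
    alternatives inside each are ORed, and the *Match elements of one alternative ANDed."""
    if target is None:
        return True
    return all(any(all(match_holds(m, request) for m in alt) for alt in section)
               for section in target)

def evaluate_expr(node, request):
    """Evaluate the expression subset used in the policy's <Condition>."""
    tag = local(node.tag)
    if tag == "AttributeValue":
        return [node.text]
    if tag.endswith("AttributeDesignator"):
        return bag(node, request)
    if tag == "Apply":
        fid, args = node.get("FunctionId"), [evaluate_expr(c, request) for c in node]
        if fid.endswith(":string-bag"):
            return [v for b in args for v in b]
        if fid.endswith(":string-at-least-one-member-of"):
            return bool(set(args[0]) & set(args[1]))
    raise NotImplementedError(node.get("FunctionId") or tag)

def evaluate(policy_xml, request):
    """Return Permit, Deny or NotApplicable for one request context."""
    policy, q = ET.fromstring(policy_xml), (lambda t: f"{{{NS}}}{t}")
    if not target_holds(policy.find(q("Target")), request):
        return "NotApplicable"      # policy Target misses: no rule is even consulted
    effects = [r.get("Effect") for r in policy.findall(q("Rule"))
               if target_holds(r.find(q("Target")), request)
               and (r.find(q("Condition")) is None
                    or evaluate_expr(r.find(q("Condition"))[0], request) is True)]
    if not effects:
        return "NotApplicable"
    if policy.get("RuleCombiningAlgId").endswith(":permit-overrides"):
        return "Permit" if "Permit" in effects else "Deny"   # one Permit beats any Denys
    raise NotImplementedError(policy.get("RuleCombiningAlgId"))

def make_request(uri, roles=(), action="read"):
    """Constructed request context: per category, a bag of values for each AttributeId."""
    return {"subject": {ROLE_ATTR: list(roles)},
            "resource": {RESOURCE_ID: [uri]}, "action": {ACTION_ID: [action]}}

if __name__ == "__main__":
    for uri, roles, action in [
            ("http://localhost/resource-only-restricted", (), "read"),
            ("http://localhost/at-least-of-subject-role-restricted/x.nc", ("postdoc",), "read"),
            ("http://localhost/at-least-of-subject-role-restricted/x.nc", ("student",), "read"),
            ("http://localhost/action-and-single-subject-role-restricted", ("staff",), "write"),
            ("http://localhost/at-least-of-subject-role-restricted-other", ("admin",), "read"),
            ("http://otherhost/x", ("admin",), "read")]:
        print(uri, list(roles), action, "->", evaluate(POLICY, make_request(uri, roles, action)))
```

The six requests in the main block give Permit, Permit, Deny, Deny, Permit and NotApplicable respectively. The fourth shows the three target categories being ANDed (staff is allowed, but only for the action read), the fifth shows the prefix behaviour of the regular expression in AtLeastOneSubjectAttributeBased, and the last shows that a request outside the policy-level target never reaches DenyAllRule at all.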

Philip Kershaw, 28 June 2010. Updated for version 0.3.1, 3 Sept 2010.