Changes between Version 7 and Version 8 of XACML


Timestamp:
03/09/10 17:09:10 (9 years ago)
Author:
pjkersha
Comment:

--

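--- a/XACML
+++ b/XACML
@@ -6,4 +6,9 @@
 
 == Current Status ==
+=== Version 0.3 ===
+ * Important fixes for equals functions, and improvement to at least one member functions.
+ * Unit tests improved with wider coverage of different rule definitions and example request contexts.
+ * Improved and added to support for context handler and Policy Information Point interfaces including the ability for the PDP to call back to a PIP via a Context handler to retrieve additional subject attributes.
+
 === Version 0.2 ===
 The first Alpha release to PyPI has been made 288 June 2010:
@@ -53,8 +58,8 @@
                 <!-- Pattern match all request URIs beginning with / -->
                 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                     <ResourceAttributeDesignator
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                 </ResourceMatch>
             </Resource>
@@ -63,5 +68,5 @@
     
     <!-- Deny everything by default -->
-    <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
+    <Rule RuleId="DenyAllRule" Effect="Deny"/>
     <!--  
         Following rules punch holes through the deny everything rule above
@@ -69,7 +74,94 @@
         Policy element above
     -->
-    <Rule RuleId="urn:ndgsecurity:secured-uri-rule" Effect="Permit">
-        <!--  
-            Rule target(s) define which requests apply to the particular rule
+    <Rule RuleId="ResourceBased" Effect="Permit">
+        <!--  
+            Resource based restriction only
+        -->
+        <Target>
+            <Resources>
+                <Resource>
+                    <!-- Match the request URI -->
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/resource-only-restricted</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+    </Rule>
+    
+    <Rule RuleId="SingleSubjectRoleBased" Effect="Permit">
+        <!--  
+            Allow access based on a single subject role
+        -->
+        <Target>
+            <Subjects>
+                <Subject>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                        <SubjectAttributeDesignator  
+                            AttributeId="urn:ndg:security:authz:1.0:attr"  
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                    </SubjectMatch>
+                </Subject>
+            </Subjects>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/single-subject-role-restricted</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+        </Target>
+    </Rule>
+
+    <Rule RuleId="SingleSubjectRoleBasedWithAction" Effect="Permit">
+        <!--  
+            Allow access based on a single subject role and given action
+        -->
+        <Target>
+            <Subjects>
+                <Subject>
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
+                        <SubjectAttributeDesignator  
+                            AttributeId="urn:ndg:security:authz:1.0:attr"  
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                    </SubjectMatch>
+                </Subject>
+            </Subjects>
+            <Resources>
+                <Resource>
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/action-and-single-subject-role-restricted</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
+                    </ResourceMatch>
+                </Resource>
+            </Resources>
+            <Actions>
+                <Action>
+                    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
+                        <ActionAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
+                    </ActionMatch>
+                </Action>
+            </Actions>
+        </Target>
+    </Rule>
+    
+    <Rule RuleId="AtLeastOneSubjectAttributeBased" Effect="Permit">
+        <!--  
+            Subject must have at least one of a group of roles
+            
+            Resource id is a regular expression
         -->
         <Target>
@@ -78,8 +170,8 @@
                     <!-- Pattern match the request URI -->
                     <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/at-least-of-subject-role-restricted.*$</AttributeValue>
+                        <ResourceAttributeDesignator
+                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                     </ResourceMatch>
                 </Resource>
@@ -92,5 +184,5 @@
             
             The user must have at least one of the roles set - in this
-            case 'urn:siteA:security:authz:1.0:attr:staff'
+            case 'staff'
         -->
         <Condition>
@@ -107,29 +199,4 @@
         </Condition>
     </Rule>
-    <Rule RuleId="urn:ndgsecurity:secured-uri-rule2" Effect="Permit">
-        <Target>
-            <Resources>
-                <Resource>
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
-                        <ResourceAttributeDesignator
-                            AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI2$</AttributeValue>
-                    </ResourceMatch>
-                </Resource>
-            </Resources>
-        </Target>
-        <Condition>
-            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
-                <SubjectAttributeDesignator  
-                    AttributeId="urn:ndg:security:authz:1.0:attr"  
-                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
-                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">restricted</AttributeValue>
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">privileged</AttributeValue>
-                </Apply>
-            </Apply>
-        </Condition>
-    </Rule>
 </Policy>
 }}}
@@ -139,6 +206,9 @@
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
 }}}
-Any rule which follows for which a match is made grants access.  For example, the second rule grants access to any URI which begins with `http://localhost/test_securedURI`, provided the subject (the person or entity requesting access) has at least one of the attributes, `staff`, `admin` or `postdoc`.
+Any rule which follows for which a match is made, grants access.  For example,  
+ * The `ResourceBased` rule, restricts based on resource URI only.  It overrides the previous `DenyAllRule` for requests to `http://localhost/resource-only-restricted`.  
+ * the rule ID'd `AtLeastOneSubjectAttributeBased` grants access to any URI which begins with `http://localhost/at-least-of-subject-role-restricted`, provided the subject (the person or entity requesting access) has at least one of the attributes, `staff`, `admin` or `postdoc`.
 
 ----
 Philip Kershaw, 28 June 2010
+Updated for version 0.3.1, 3 Sept 2010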
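Review bot: The new `AtLeastOneSubjectAttributeBased` rule's resource pattern `^http://localhost/at-least-of-subject-role-restricted.*$` (new line 172) is an unbounded prefix match, not a path match: any resource-id whose string merely starts with that text — a sibling such as `http://localhost/at-least-of-subject-role-restricted-other` — also falls under this Permit rule, and under the `permit-overrides` combining algorithm shown at new line 206 a Permit wins over `DenyAllRule`. If only that resource and its sub-paths are meant, bounding the regex as `^http://localhost/at-least-of-subject-role-restricted(/.*)?$` closes the gap; if the prefix semantics are intentional, say so next to the match, e.g. `<!-- Pattern match the request URI: any URI with this prefix, sub-paths included -->`. The policy-level target pattern `^http://localhost/.*$` at new line 60 has the same shape, and the unchanged comment above it still reads "beginning with /" although the pattern requires the full `http://localhost/` origin, so that comment is now misleading. The rule's `<Condition>` element, which carries the subject-role check, lies outside the hunk.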